Homepage:
https://wordpress.org/plugins/wa-form-builder/
Descrição:
Acesso a qualquer usuário.
$_POST[ ‘wa_forms_Id’ ] não possui filtro. WAFormBuilder_ui_output() é acessível para qualquer usuário.
File / Code:
Path: /wp-content/plugins/wa-form-builder/main.php
Line: 779
global $wpdb;
echo 'SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id'];
$form_attr = $wpdb->get_row('SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id']);
$user_fields .= '<table width="100%" cellpadding="3" cellspacing="1" style="background:#e7e7e7; color:#666;">';
foreach($_POST as $key=>$val)
{
if(
$key!='action' &&
$key!='current_page' &&
$key!='ajaxurl' &&
$key!='page_id' &&
$key!='wa_forms_Id' &&
$key!='submit'
)
{
$user_fields .= '<tr>';
$user_fields .= ' <td bgcolor="#f2f2f2" width="20%">'.IZC_Functions::unformat_name(str_replace('dynamic_forms','',$key)).'</td>
<td bgcolor="#FFFFFF" >'.IZC_Functions::unformat_name($val).'</td>';
$user_fields .= '</tr>';
$insert = $wpdb->insert($wpdb->prefix.'wap_wa_form_meta',
array(
'wa_form_builder_Id'=>$_REQUEST['wa_forms_Id'],
'meta_key'=>$key,
'meta_value'=>$val,
'time_added' => mktime()
)
);
}
}
Proof of Concept:
1 – A url do alvo tem que ter o formulário. Então procure formulário no sistema.
2 – Send Post for:
Result:
target => http://target/2016/11/21/PostWithformOfPlugin/
post or get=>
Timeline:
- 28/11/2016 – Discovered
- 28/11/2016 – Vendor not found