[漏洞修复]4-22 修复博客SQL注入一枚

  • A+
所属分类:Mr.Wu
摘要

偶然发现博客居然存在SQL注入漏洞?当时就懵逼了,这么久才发现。。。在博主随笔处,利用了wp自带的wp_ajax钩子,过滤不严,导致POST提交查询文章内容时,s_id存在sql注入漏洞。

偶然发现博客居然存在SQL注入漏洞?当时就懵逼了,这么久才发现。。。

漏洞发现

在博主随笔处,利用了wp自带的wp_ajax钩子,过滤不严,导致POST提交查询文章内容时,s_id存在sql注入漏洞。

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.xiaoxiaowu.me
Connection: close
Content-Length: 26
Accept: */*
Origin: https://www.xiaoxiaowu.me
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://www.xiaoxiaowu.me/sy
Accept-Language: zh-CN,zh;q=0.9
Cookie:

action=shuoshuo&s_id=1467

[漏洞修复]4-22 修复博客SQL注入一枚

漏洞代码

//ajax shuoshuo function shuoshuo(){ echo popularPosts($num);     die(); } add_action('wp_ajax_shuoshuo', 'shuoshuo'); add_action('wp_ajax_nopriv_shuoshuo', 'shuoshuo');  function popularPosts($num) {         global $wpdb;         $s_id = $_POST['s_id'];       $sql="SELECT ID,post_title,post_content FROM wp_posts WHERE post_type='shuoshuo' and post_status = 'publish' and ID = $s_id order by ID desc";        $myrows = $wpdb->get_results($sql);       foreach ($myrows as $b) {       echo $b->post_content;//这是文章内容       //echo $b->ID." ";//这是文章ID      // echo $b->post_title." ";//这是文章标题 }} 

可以看到,在$sql那段,$s_id直接就被调用了,没有做任何的过滤处理,最终导致了SQL注入漏洞。

漏洞修复

$s_id加上单引号即可解决问题。

//ajax shuoshuo function shuoshuo(){ echo popularPosts($num);     die(); } add_action('wp_ajax_shuoshuo', 'shuoshuo'); add_action('wp_ajax_nopriv_shuoshuo', 'shuoshuo');  function popularPosts($num) {         global $wpdb;         $s_id = $_POST['s_id'];       $sql="SELECT ID,post_title,post_content FROM wp_posts WHERE post_type='shuoshuo' and post_status = 'publish' and ID = '$s_id' order by ID desc";        $myrows = $wpdb->get_results($sql);       foreach ($myrows as $b) {       echo $b->post_content;//这是文章内容       //echo $b->ID." ";//这是文章ID      // echo $b->post_title." ";//这是文章标题 }} 

[漏洞修复]4-22 修复博客SQL注入一枚
可以看到,已经无法注入了。

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: