首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>漏洞资料>文章内容
WordPress wp-trackback.php漏洞分析
来源:http://superhei.blogbus.com 作者:Superhei 发布时间:2007-01-16  

WordPress wp-trackback.php漏洞分析
文/Superhei 2007/1/9
1.Stefan Esser大牛2007/01/05发布的WordPress Trackback Charset Decoding SQL Injection Vulnerability [1]

Code:wp-trackback.php

$tb_url = $_POST['url'];
$title = $_POST['title'];
$excerpt = $_POST['excerpt'];
$blog_name = $_POST['blog_name'];
$charset = $_POST['charset'];
.......
if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
$title = mb_convert_encoding($title, get_settings('blog_charset'), $charset);
$excerpt = mb_convert_encoding($excerpt, get_settings('blog_charset'), $charset);
$blog_name = mb_convert_encoding($blog_name, get_settings('blog_charset'), $charset);
}
.......
$dupe = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_author_url = '$comment_author_url'");

变量$charset编码post--->mb_convert_encoding()转换为get_settings('blog_charset') [utf-8]---->select

se大牛的exp[2] 是用的uf7编码:'==>+-ACc- 饶过gpc,然后通过mb_convert_encoding转化为utf-8 '<==+-ACc-

其实这个就是编码引起的2次攻击[3]饶过gpc引起的SqlInj。

官方发布的补丁:2.0.6 wp-trackback.php

// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
$title = stripslashes($_POST['title']);
$excerpt = stripslashes($_POST['excerpt']);
$blog_name = stripslashes($_POST['blog_name']);
.........
// Now that mb_convert_encoding() has been given a swing, we need to escape these three
$title = $wpdb->escape($title);
$excerpt = $wpdb->escape($excerpt);
$blog_name = $wpdb->escape($blog_name);

变量经过stripslashes()--->mb_convert_encoding()--->escape()--->select

我们看看escape() :wp-includes\wp-db.php

function escape($string) {
return addslashes( $string ); // Disable rest for now, causing problems
if( !$this->dbh || version_compare( phpversion(), '4.3.0' ) == '-1' )
return mysql_escape_string( $string );
else
return mysql_real_escape_string( $string, $this->dbh );
}

mysql_real_escape_string()在一定的条件下是可以绕过的:
The addslashes() Versus mysql_real_escape_string() Debate http://shiflett.org/archive/184
村雨牛牛在xcon也说过,但是mysql支持gbk的情况还是比较少的。有兴趣的可以自己测试下 :)

2.rgod于2007/01/08发布的WordPress <= 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index / sql injection exploit [4]

Code:wp-settings.php

function unregister_GLOBALS() {
if ( !ini_get('register_globals') )
return;

if ( isset($_REQUEST['GLOBALS']) )
die('GLOBALS overwrite attempt detected');

// Variables that shouldn't be unset
$noUnset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', 'table_prefix');

$input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
foreach ( $input as $k => $v )
if ( !in_array($k, $noUnset) && isset($GLOBALS[$k]) )
unset($GLOBALS[$k]);
}

unregister_GLOBALS();

这里unset了$_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, $_SESSION 等提交的变量。

Code:wp-trackback.php

if ( !intval( $tb_id ) ) //注意这个
trackback_response(1, 'I really need an ID for this to work.');

.................

if ( !empty($tb_url) && !empty($title) && !empty($tb_url) ) {
header('Content-Type: text/xml; charset=' . get_option('blog_charset') );

$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id");
......

$tb_id没有’ 通过unset后存在end_Hash_Del_Key_Or_Index漏洞,导致注射。在分析时候提交:tb_id='&1740009377=1&496546471=1
返回:I really need an ID for this to work 原来是在 :
if ( !intval( $tb_id ) ) //这里拦住了。
trackback_response(1, 'I really need an ID for this to work.');

提交tb_id=1'&1740009377=1&496546471=1 成功触发,这里引发了一比较有意思的问题 :
<?
//test.php
print intval($_REQUEST["id"]);
?>
提交test.php?id=a1 得到 0,提交test.php?id=12a 得到 12。
可以看出 intval是根据第1个字符来判断的,这样如果是像wp这样的判断:if ( !intval( $_ ) ) 还是有安全隐患的。

参考:
[1]:http://www.hardened-php.net/advisory_022007.141.html
[2]:http://www.milw0rm.com/exploits/3095
[3]:http://superhei.blogbus.com/files/1157120596.ppt
[4]:http://retrogod.altervista.org/wordpress_206_zhdkoi_sql.html



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·XSOK环境变量本地命令执行漏洞
·N点虚拟主机管理系统 致命漏洞。
·南方数据企业网站管理系统V10.0
·动网(DVBBS)Version 8.2.0 后
·Solaris 10 telnet漏洞及解决
·破解无线路由器密码,常见无线密
·Nginx %00空字节执行php漏洞
·WinWebMail、7I24提权漏洞
·XPCD xpcd-svga本地缓冲区溢出漏
·Struts2多个漏洞简要分析
·ecshop2.72 api.php 文件鸡肋注
·Discuz!后台拿Webshell 0day
  相关文章
·新浪UC ActiveX多个远程栈溢出漏
·阿里巴巴淘宝旺旺ActiveX远程栈
·ICQ Toolbar 1.3 for IE多个安全
·[xfocus-SD-070118]多个操作系统
·Wu-ftpd S/key验证缓冲区溢出漏
·Backdoor.Win32.IRCBot.st 蠕虫
·Php5 GPC绕过缺陷
·Microsoft MSN Messenger远程信
·IE mhtml redirection漏洞利用方
·Microsoft Outlook Mailto参数引
·ipb search.php 漏洞分析及思考
·Microsoft Windows Media Servic
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved