WordPress wp-trackback. php vulnerability analysis
Text/Superhei 2007/1/9
Code:wp-trackback.php
$tb_url = $_POST[‘url’];
$title = $_POST[‘title’];
$excerpt = $_POST[‘excerpt’];
$blog_name = $_POST[‘blog_name’];
$charset = $_POST[‘charset’];
…
if ( function_exists(‘mb_convert_encoding’) ) { // For international trackbacks
$title = mb_convert_encoding($title, get_settings(‘blog_charset’), $charset);
$excerpt = mb_convert_encoding($excerpt, get_settings(‘blog_charset’), $charset);
$blog_name = mb_convert_encoding($blog_name, get_settings(‘blog_charset’), $charset);
}
…
$dupe = $wpdb->get_results(“SELECT * FROM $wpdb->comments WHERE comment_post_ID = ‘$comment_post_ID’ AND comment_author_url = ‘$comment_author_url’”);
The variable$charset the encoding of the post—>mb_convert_encoding()to convert get_settings(‘blog_charset’) [utf-8]---->select
se bull exp[2] is used uf7 code:'==>±ACc - bypass gpc, and then through mb_convert_encoding converted to utf-8 '<==±ACc-
In fact, this is caused by encoding of 2 attack[3]Spare gpc caused SqlInj it.
The official release of the patch: 2.0.6 wp-trackback.php
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
$title = stripslashes($_POST[‘title’]);
$excerpt = stripslashes($_POST[‘excerpt’]);
$blog_name = stripslashes($_POST[‘blog_name’]);
…
// Now that mb_convert_encoding() has been given a swing, we need to escape these three
$title = $wpdb->escape($title);
$excerpt = $wpdb->escape($excerpt);
$blog_name = $wpdb->escape($blog_name);
Variable through stripslashes()—>mb_convert_encoding()—>escape()—>select
We take a look at escape () to: wp-includes\wp-db.php
function escape($string) {
return addslashes( $string ); // Disable rest for now, causing problems
if( !$ this->dbh || version_compare( phpversion(), ‘4.3.0’ ) == ‘-1’ )
return mysql_escape_string( $string );
else
return mysql_real_escape_string( $string, $this->dbh );
}
mysql_real_escape_string()under certain conditions can be bypassed:
The addslashes() Versus mysql_real_escape_string() Debate http://shiflett.org/archive/184
Village rain beef in the xcon also said, however mysql supports gbk, the case is still relatively small. Interested can test yourself :)
Code:wp-settings.php
function unregister_GLOBALS() {
if ( ! ini_get(‘register_globals’) )
return;
if ( isset($_REQUEST[‘GLOBALS’]) )
die(‘GLOBALS overwrite attempt detected’);
// Variables that shouldn’t be unset
$noUnset = array(‘GLOBALS’, ‘_GET’, ‘_POST’, ‘_COOKIE’, ‘_REQUEST’, ‘_SERVER’, ‘_ENV’, ‘_FILES’, ‘table_prefix’);
$input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
foreach ( $input as $k => $v )
if ( ! in_array($k, $noUnset) && isset($GLOBALS[$k]) )
unset($GLOBALS[$k]);
}
unregister_GLOBALS();
Here unset the$_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, $_SESSION, etc. submitted variable.
Code:wp-trackback.php
if ( ! intval( $tb_id ) ) //Note This
trackback_response(1, ‘I really need an ID for this to work.’);
…
if ( ! empty($tb_url) && ! empty($title) && ! empty($tb_url) ) {
header(‘Content-Type: text/xml; charset=’ . get_option(‘blog_charset’) );
$pingstatus = $wpdb->get_var(“SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id”);
…
$tb_id no’ by the unset after the presence of end_Hash_Del_Key_Or_Index vulnerability, resulting in the injection. In the analysis of time to submit: tb_id='&1 7 4 0 0 0 9 3 7 7=1&4 9 6 5 4 6 4 7 1=1
Returns: I really need an ID for this to work the original is in:
if ( ! intval( $tb_id ) ) //here stopped by.
trackback_response(1, ‘I really need an ID for this to work.’);
Submitted tb_id=1’&1 7 4 0 0 0 9 3 7 7=1&4 9 6 5 4 6 4 7 1=1 successful trigger, here raises a more interesting question:
<?
//test.php
print intval($REQUEST[“id”]);
?& gt;
Submitted to the test. php? id=a1 to obtain 0, the submitted test. php? id=12a get 1 of 2.
As can be seen intval is based on the first 1 characters to judge, so if it is like the wp such a judge: if ( ! intval( $ ) ) or there are security risks.
Reference:
[1]: The http://www.hardened-php.net/advisory_022007.141.html
[2]: The http://www.milw0rm.com/exploits/30 9 5
[3] of: http://superhei.blogbus.com/files/1157120596.ppt
[4]: The http://retrogod.altervista.org/word...zhdkoi_sql.html