WordPress wp-trackback. php vulnerability analysis-vulnerability warning-the black bar safety net

2007-01-14T00:00:00
ID MYHACK58:62200713760
Type myhack58
Reporter 佚名
Modified 2007-01-14T00:00:00

Description

WordPress wp-trackback. php vulnerability analysis Text/Superhei 2007/1/9 1. Stefan Esser, a large cattle 2 0 0 7/0 1/0 5 publish a WordPress Trackback Charset Decoding SQL Injection Vulnerability [1]

Code:wp-trackback.php

$tb_url = $_POST['url']; $title = $_POST['title']; $excerpt = $_POST['excerpt']; $blog_name = $_POST['blog_name']; $charset = $_POST['charset']; ....... if ( function_exists('mb_convert_encoding') ) { // For international trackbacks $title = mb_convert_encoding($title, get_settings('blog_charset'), $charset); $excerpt = mb_convert_encoding($excerpt, get_settings('blog_charset'), $charset); $blog_name = mb_convert_encoding($blog_name, get_settings('blog_charset'), $charset); } ....... $dupe = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_author_url = '$comment_author_url'");

The variable$charset the encoding of the post--->mb_convert_encoding()to convert get_settings('blog_charset') [utf-8]---->select

se bull exp[2] is used uf7 code:'==>+-ACc - bypass gpc, and then through mb_convert_encoding converted to utf-8 '<==+-ACc-

In fact, this is caused by encoding of 2 attack[3]Spare gpc caused SqlInj it.

The official release of the patch: 2.0.6 wp-trackback.php

// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding() $title = stripslashes($_POST['title']); $excerpt = stripslashes($_POST['excerpt']); $blog_name = stripslashes($_POST['blog_name']); ......... // Now that mb_convert_encoding() has been given a swing, we need to escape these three $title = $wpdb->escape($title); $excerpt = $wpdb->escape($excerpt); $blog_name = $wpdb->escape($blog_name);

Variable through stripslashes()--->mb_convert_encoding()--->escape()--->select

We take a look at escape () to: wp-includes\wp-db.php

function escape($string) { return addslashes( $string ); // Disable rest for now, causing problems if( !$ this->dbh || version_compare( phpversion(), '4.3.0' ) == '-1' ) return mysql_escape_string( $string ); else return mysql_real_escape_string( $string, $this->dbh ); }

mysql_real_escape_string()under certain conditions can be bypassed: The addslashes() Versus mysql_real_escape_string() Debate http://shiflett.org/archive/184 Village rain beef in the xcon also said, however mysql supports gbk, the case is still relatively small. Interested can test yourself :)

  1. rgod in 2 0 0 7/0 1/0 8 Release of WordPress <= 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index / sql injection exploit [4]

Code:wp-settings.php

function unregister_GLOBALS() { if ( ! ini_get('register_globals') ) return;

if ( isset($_REQUEST['GLOBALS']) ) die('GLOBALS overwrite attempt detected');

// Variables that shouldn't be unset $noUnset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', 'table_prefix');

$input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array()); foreach ( $input as $k => $v ) if ( ! in_array($k, $noUnset) && isset($GLOBALS[$k]) ) unset($GLOBALS[$k]); }

unregister_GLOBALS();

Here unset the$_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, $_SESSION, etc. submitted variable.

Code:wp-trackback.php

if ( ! intval( $tb_id ) ) //Note This trackback_response(1, 'I really need an ID for this to work.');

.................

if ( ! empty($tb_url) && ! empty($title) && ! empty($tb_url) ) { header('Content-Type: text/xml; charset=' . get_option('blog_charset') );

$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id"); ......

$tb_id no’ by the unset after the presence of end_Hash_Del_Key_Or_Index vulnerability, resulting in the injection. In the analysis of time to submit: tb_id='&1 7 4 0 0 0 9 3 7 7=1&4 9 6 5 4 6 4 7 1=1 Returns: I really need an ID for this to work the original is in: if ( ! intval( $tb_id ) ) //here stopped by. trackback_response(1, 'I really need an ID for this to work.');

Submitted tb_id=1'&1 7 4 0 0 0 9 3 7 7=1&4 9 6 5 4 6 4 7 1=1 successful trigger, here raises a more interesting question: <? //test.php print intval($REQUEST["id"]); ?& gt; Submitted to the test. php? id=a1 to obtain 0, the submitted test. php? id=12a get 1 of 2. As can be seen intval is based on the first 1 characters to judge, so if it is like the wp such a judge: if ( ! intval( $ ) ) or there are security risks.

Reference: [1]: The http://www.hardened-php.net/advisory_022007.141.html [2]: The http://www.milw0rm.com/exploits/30 9 5 [3] of: http://superhei.blogbus.com/files/1157120596.ppt [4]: The http://retrogod.altervista.org/word...zhdkoi_sql.html