Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62200713760
HistoryJan 14, 2007 - 12:00 a.m.

WordPress wp-trackback. php vulnerability analysis-vulnerability warning-the black bar safety net

2007-01-1400:00:00
佚名
www.myhack58.com
28
JSON

WordPress wp-trackback. php vulnerability analysis
Text/Superhei 2007/1/9

  1. Stefan Esser, a large cattle 2 0 0 7/0 1/0 5 publish a WordPress Trackback Charset Decoding SQL Injection Vulnerability [1]

Code:wp-trackback.php

$tb_url = $_POST[‘url’];
$title = $_POST[‘title’];
$excerpt = $_POST[‘excerpt’];
$blog_name = $_POST[‘blog_name’];
$charset = $_POST[‘charset’];

if ( function_exists(‘mb_convert_encoding’) ) { // For international trackbacks
$title = mb_convert_encoding($title, get_settings(‘blog_charset’), $charset);
$excerpt = mb_convert_encoding($excerpt, get_settings(‘blog_charset’), $charset);
$blog_name = mb_convert_encoding($blog_name, get_settings(‘blog_charset’), $charset);
}

$dupe = $wpdb->get_results(“SELECT * FROM $wpdb->comments WHERE comment_post_ID = ‘$comment_post_ID’ AND comment_author_url = ‘$comment_author_url’”);

The variable$charset the encoding of the post—>mb_convert_encoding()to convert get_settings(‘blog_charset’) [utf-8]---->select

se bull exp[2] is used uf7 code:'==>±ACc - bypass gpc, and then through mb_convert_encoding converted to utf-8 '<==±ACc-

In fact, this is caused by encoding of 2 attack[3]Spare gpc caused SqlInj it.

The official release of the patch: 2.0.6 wp-trackback.php

// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
$title = stripslashes($_POST[‘title’]);
$excerpt = stripslashes($_POST[‘excerpt’]);
$blog_name = stripslashes($_POST[‘blog_name’]);

// Now that mb_convert_encoding() has been given a swing, we need to escape these three
$title = $wpdb->escape($title);
$excerpt = $wpdb->escape($excerpt);
$blog_name = $wpdb->escape($blog_name);

Variable through stripslashes()—>mb_convert_encoding()—>escape()—>select

We take a look at escape () to: wp-includes\wp-db.php

function escape($string) {
return addslashes( $string ); // Disable rest for now, causing problems
if( !$ this->dbh || version_compare( phpversion(), ‘4.3.0’ ) == ‘-1’ )
return mysql_escape_string( $string );
else
return mysql_real_escape_string( $string, $this->dbh );
}

mysql_real_escape_string()under certain conditions can be bypassed:
The addslashes() Versus mysql_real_escape_string() Debate http://shiflett.org/archive/184
Village rain beef in the xcon also said, however mysql supports gbk, the case is still relatively small. Interested can test yourself :)

  1. rgod in 2 0 0 7/0 1/0 8 Release of WordPress <= 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index / sql injection exploit [4]

Code:wp-settings.php

function unregister_GLOBALS() {
if ( ! ini_get(‘register_globals’) )
return;

if ( isset($_REQUEST[‘GLOBALS’]) )
die(‘GLOBALS overwrite attempt detected’);

// Variables that shouldn’t be unset
$noUnset = array(‘GLOBALS’, ‘_GET’, ‘_POST’, ‘_COOKIE’, ‘_REQUEST’, ‘_SERVER’, ‘_ENV’, ‘_FILES’, ‘table_prefix’);

$input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
foreach ( $input as $k => $v )
if ( ! in_array($k, $noUnset) && isset($GLOBALS[$k]) )
unset($GLOBALS[$k]);
}

unregister_GLOBALS();

Here unset the$_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, $_SESSION, etc. submitted variable.

Code:wp-trackback.php

if ( ! intval( $tb_id ) ) //Note This
trackback_response(1, ‘I really need an ID for this to work.’);

if ( ! empty($tb_url) && ! empty($title) && ! empty($tb_url) ) {
header(‘Content-Type: text/xml; charset=’ . get_option(‘blog_charset’) );

$pingstatus = $wpdb->get_var(“SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id”);

$tb_id no’ by the unset after the presence of end_Hash_Del_Key_Or_Index vulnerability, resulting in the injection. In the analysis of time to submit: tb_id='&1 7 4 0 0 0 9 3 7 7=1&4 9 6 5 4 6 4 7 1=1
Returns: I really need an ID for this to work the original is in:
if ( ! intval( $tb_id ) ) //here stopped by.
trackback_response(1, ‘I really need an ID for this to work.’);

Submitted tb_id=1’&1 7 4 0 0 0 9 3 7 7=1&4 9 6 5 4 6 4 7 1=1 successful trigger, here raises a more interesting question:
<?
//test.php
print intval($REQUEST[“id”]);
?& gt;
Submitted to the test. php? id=a1 to obtain 0, the submitted test. php? id=12a get 1 of 2.
As can be seen intval is based on the first 1 characters to judge, so if it is like the wp such a judge: if ( ! intval( $ ) ) or there are security risks.

Reference:
[1]: The http://www.hardened-php.net/advisory_022007.141.html
[2]: The http://www.milw0rm.com/exploits/30 9 5
[3] of: http://superhei.blogbus.com/files/1157120596.ppt
[4]: The http://retrogod.altervista.org/word...zhdkoi_sql.html

JSON