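Posts by my5t3ry

Analysis of the SQL Injection Vulnerability in the WordPress Plugin WP Statistics

# This article was first published in the threathunter community on July 16; I am keeping an archive copy on my own blog.

WordPress is a free, open-source blogging application and content management system built on PHP and MySQL. WordPress has a plugin architecture and a template system. WP Statistics is a very powerful real-time statistics and analytics plugin for WordPress; according to WordPress.org figures, more than 300,000 sites use it. WP Statistics recently released version 12.0.8, which mainly fixes a SQL injection vulnerability affecting WP Statistics <= 12.0.7. This article briefly analyzes that vulnerability.

The vulnerability is in wp_statistics_searchengine_query() in /includes/functions/functions.php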

function wp_statistics_searchengine_query( $search_engine = 'all' ) {
    GLOBAL $WP_Statistics;

    // Get a complete list of search engines
    $searchengine_list = wp_statistics_searchengine_list();
    $search_query      = '';

    if ( $WP_Statistics->get_option( 'search_converted' ) ) {
        // Are we getting results for all search engines or a specific one?
        if ( strtolower( $search_engine ) == 'all' ) {
            // For all of them?  Ok, look through the search engine list and create a SQL query string to get them all from the database.
            foreach ( $searchengine_list as $key => $se ) {
                $search_query .= "`engine` = '{$key}' OR ";
            }

            // Trim off the last ' OR ' for the loop above.
            $search_query = substr( $search_query, 0, strlen( $search_query ) - 4 );
        } else {
            $search_query .= "`engine` = '{$search_engine}'";
        }
    }
    // ... code omitted
    return $search_query;
}
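
In the `else` branch above, `$search_engine` is interpolated into the SQL fragment without validation or escaping. The following is an added example, not the plugin's code and not the actual 12.0.8 patch: it puts that branch next to an allowlist-based variant. All `example_*` names and the engine keys are assumptions made for illustration.

```php
<?php
// Added example: the vulnerable branch beside an allowlist-based variant.
// Not WP Statistics code; all example_* names are hypothetical.

// Stand-in for wp_statistics_searchengine_list(); the keys are constructed sample values.
function example_searchengine_list() {
    return array(
        'google'     => array( 'name' => 'Google' ),
        'bing'       => array( 'name' => 'Bing' ),
        'duckduckgo' => array( 'name' => 'DuckDuckGo' ),
    );
}

// Same string building as the else-branch in the excerpt: input goes straight into the SQL.
function example_fragment_vulnerable( $search_engine ) {
    return "`engine` = '{$search_engine}'";
}

// Hardened variant: the fragment is built only from keys of the known engine list.
function example_fragment_hardened( $search_engine = 'all' ) {
    $allowed = array_keys( example_searchengine_list() );
    $wanted  = strtolower( (string) $search_engine );

    if ( 'all' === $wanted ) {
        $selected = $allowed;
    } elseif ( in_array( $wanted, $allowed, true ) ) {
        $selected = array( $wanted );
    } else {
        // Unknown engine name: return a condition that matches no rows.
        return '1 = 0';
    }

    $parts = array();
    foreach ( $selected as $key ) {
        // $key comes from the allowlist, never from the caller's string.
        $parts[] = "`engine` = '{$key}'";
    }
    return implode( ' OR ', $parts );
}

// Constructed inputs: two legitimate values and one containing a quote character.
foreach ( array( 'all', 'Bing', "bing' OR '1'='1" ) as $input ) {
    echo 'input:      ', $input, "\n";
    echo 'vulnerable: ', example_fragment_vulnerable( $input ), "\n";
    echo 'hardened:   ', example_fragment_hardened( $input ), "\n\n";
}
```

For the third input the vulnerable fragment contains an extra `OR` condition outside the string literal, while the hardened variant returns `1 = 0`. Inside WordPress, values that cannot be allowlisted should be bound through `$wpdb->prepare()` instead of being interpolated.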


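A New Start

I deleted the blog I had been running for several years; in all that time I never really wrote anything =.=
I hope the new blog will be a new start.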