PHPDISK 4.0 SQL injection 0day & analysis - vulnerability warning - the black bar safety net

2010-01-16T00:00:00
ID MYHACK58:62201025950
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-01-16T00:00:00

Description

Text: My5t3ry

Being bored, I pulled out PHPDISK and read through its code and found quite a few SQL injection vulnerabilities. Let's take a look at one of them.

Looking at /includes/commons.inc.php lines 68-72, there is the following code:

```php
if (@get_magic_quotes_gpc()) {
    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}
```

Here it checks magic_quotes_gpc: if gpc=on, it calls the stripslashes_array function. Let's look at stripslashes_array:

```php
function stripslashes_array(&$array) {
    if (is_array($array)) {
        // recurse into nested arrays
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } elseif (is_string($array)) {
        // remove the backslashes that magic_quotes_gpc added
        $array = stripslashes($array);
    }
    return $array;
}
```

If gpc=on, this function strips the escaping and restores the original characters! In other words, magic_quotes_gpc can be ignored entirely. Continue to /extract.php lines 24-50:

```php
// excerpt from extract.php; some lines and the closing braces are not part of the original quotation
switch ($action) {
    case 'file_extract':
        if ($p_formhash != formhash()) {
            exit($lang['system_error']);
        }
        $extract_code = trim(gpc('extract_code', 'P', '')); // look
        $rs2 = $db->fetch_one_array("select * from {$tpf}extracts where extract_code='$extract_code'"); // $extract_code goes straight into the SQL query
        if ($rs2) {
            if ($rs2['extract_locked']) {
                $error = true;
                $sysmsg[] = $lang['extract_code_locked'];
            } else {
                $db->query("update {$tpf}extracts set extract_count=extract_count+1 where extract_id='" . $rs2['extract_id'] . "'");
                if ($rs2['extract_type'] == 1) {
                    if ($timestamp > $rs2['extract_time']) {
                        $error = true;
                        $sysmsg[] = $lang['extract_exceed_time_limit'];
                    }
                } else {
                    if ($rs2['extract_total'] && ($rs2['extract_count'] > $rs2['extract_total'])) {
                        $error = true;
                        $sysmsg[] = $lang['extract_exceed_count_limit'];
                    }
                }
            }
```

The line $extract_code = trim(gpc('extract_code','P','')); calls the gpc function, so let's follow that function:

```php
// returns the raw request value from GET, POST or COOKIE, in the order given by $w
function gpc($name, $w = 'GPC', $default = '') {
    $i = 0;
    for ($i = 0; $i < strlen($w); $i++) {
        if ($w[$i] == 'G' && isset($_GET[$name])) return $_GET[$name];
        if ($w[$i] == 'P' && isset($_POST[$name])) return $_POST[$name];
        if ($w[$i] == 'C' && isset($_COOKIE[$name])) return $_COOKIE[$name];
    }
    return $default;
}
```

This function does no filtering at all. Now for a test; I will go directly to the official demo site.
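To make the two points above concrete (stripslashes_array undoing magic_quotes_gpc, and gpc() handing an unfiltered value into a concatenated query), here is an added example that is not PHPDISK's own code. It reproduces the vulnerable lookup against an in-memory SQLite table via PDO and puts a hardened lookup beside it; the table layout, the column names and the assumed alphanumeric format of extraction codes are my assumptions, not taken from the project.

```php
<?php
// Added example, not from PHPDISK: vulnerable lookup vs. hardened lookup.
// Assumptions: pdo_sqlite is available; the extracts table and the
// alphanumeric extraction-code format are invented for this demo.

// The stripslashes_array() helper from includes/commons.inc.php, as quoted above.
function stripslashes_array(&$array) {
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } elseif (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}

// Constructed sample: what PHP would hand the script with magic_quotes_gpc=On
// for a POST body of extract_code=abc'def (the quote arrives backslash-escaped).
$post = ['extract_code' => "abc\\'def"];
$post = stripslashes_array($post);   // escaping is undone again: abc'def

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE extracts (extract_id INTEGER PRIMARY KEY, extract_code TEXT, extract_locked INTEGER)");
$db->exec("INSERT INTO extracts (extract_code, extract_locked) VALUES ('abc', 0)");

// Vulnerable pattern (as in extract.php): the value is concatenated into the SQL string,
// so a quote in the input terminates the string literal early.
function vulnerable_lookup(PDO $db, string $extract_code) {
    $sql = "select * from extracts where extract_code='$extract_code'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything outside the expected shape, then bind the
// value as a parameter so the database never parses it as SQL.
function safe_lookup(PDO $db, string $extract_code) {
    if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $extract_code)) { // assumed code format
        return null;
    }
    $stmt = $db->prepare("select * from extracts where extract_code = :code");
    $stmt->execute([':code' => $extract_code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$code = trim($post['extract_code']);
try {
    vulnerable_lookup($db, $code);
} catch (PDOException $e) {
    // This is the "direct error" the article observes when a single quote is entered.
    echo "vulnerable query failed: " . $e->getMessage() . "\n";
}
var_dump(safe_lookup($db, $code));   // NULL: rejected by the format check, no SQL error
var_dump(safe_lookup($db, 'abc'));   // the legitimate row
```

The format check alone is not the defence; the bound parameter is. The regex is there because an extraction code has a known shape, and refusing malformed input early also gives you a clean place to log the attempt. The same applies to the extract_id in the subsequent update query, which is concatenated in the same way.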

First register a user => log in => upload a file.

Then, in the extraction code management, set an extraction code, go back to the "file extraction" page on the home page, and when filling in the extraction code add a single quote; it errors out directly, as shown in Figure 1 and Figure 2:

[Figure 1: screenshot, PHPDISK 4.0 SQL injection 0day analysis]

[Figure 2: screenshot, PHPDISK 4.0 SQL injection 0day analysis]

This is only a blind injection here; my union test did not succeed. If any of the experts have a good method, please share!