boblog arbitrary variable overwrite vulnerability analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201129582
Type myhack58
Reporter Anonymous
Modified 2011-02-28T00:00:00



by Ryat[puretot] mail: puretot at gmail dot com team:

Discovered: 2008-10-02. Published: 2011-02-27. Affected versions: 2.1.0, 2.1.1. Status: patched.

The vulnerable code is as follows:

    // go.php
    $q_url=$_SERVER["REQUEST_URI"];
    @list($relativePath, $rawURL)=@explode('/go.php/', $q_url);
    $rewritedURL=$rawURL; // taken from $_SERVER["REQUEST_URI"], so it can be submitted arbitrarily :)
    ...
    $RewriteRules[]="/component\/([^\/]+)\/?/"; // this regex restriction is not strict enough and is easily bypassed :)
    ...
    $RedirectTo[]="page.php?pagealias=\\1";

    $i=0;
    foreach ($RewriteRules as $rule) {
        if (preg_match($rule, $rewritedURL)) {
            $tmp_rewritedURL=preg_replace($rule, '<'.$RedirectTo[$i].'<', $rewritedURL, 1);
            $tmp_rewritedURL=@explode('<', $tmp_rewritedURL);
            $rewritedURL=($tmp_rewritedURL[2]) ? false : $tmp_rewritedURL[1];
            break;
        }
        $i+=1;
    }

    if ($rewritedURL==$rawURL || !$rewritedURL) {
        ...
        $parsedURL=parse_url($rewritedURL); // $parsedURL['query'] is used directly below :)
        parse_str($parsedURL['query']); // any variable can be overwritten here
        include(basename($parsedURL['path'])); // with the overwrite above, a local file can be included here, but basename() restricts the path :(
        ...
    }

The vulnerability itself is not complex; the key is exploitation. There are two exploitation points: the variable overwrite, and using the overwrite to reach the include. Although basename() restricts the include, the data:// wrapper can still be used to execute commands. That method is limited, though (PHP > 5.2.0 and allow_url_include=On). That is fine, because there is a better way to exploit it.

Look at the global.php file:

    ...
    unregister_GLOBALS(); // when register_globals=On
    ...
    function unregister_GLOBALS() {
        // when register_globals = 'on'
        if (! ini_get('register_globals')) { // already off
            return;
        }
        // Variables that shouldn't be unset
        $noUnset = array('_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES');
        $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES,
            isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
        foreach ($input as $k => $v) {
            if ($k=='GLOBALS') {
                global $kgr;
                $kgr=0;
                kill_GLOBALS($input[$k]); // GLOBALS is recursive -,-
            } elseif (! in_array($k, $noUnset) && isset($GLOBALS[$k])) {
                $GLOBALS[$k]=NULL;
            }
        }
    }

This unsets the global variables registered by register_globals, but the variable overwrite and file include in go.php let us bypass the unregister_GLOBALS() restriction and trigger uninitialized-variable bugs, which lead to XSS, SQL injection, command execution and many other serious security issues :)
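As an added example (not boblog's own code), here is a hardened version of the go.php dispatch that addresses both points above: parse_str() writes into a local array, so the URL cannot re-create globals that unregister_GLOBALS() cleared, and the include target is matched against a fixed allow-list instead of being filtered with basename(). The handler file names in the allow-list and the function name dispatch_go are assumptions for this example.

```php
<?php
// Hardened dispatch for a go.php-style rewrite target (added example, not boblog code).
// 1. parse_str() with a second argument keeps request data in $params; nothing
//    from the query string ever lands in the global scope.
// 2. The file to include must be an exact member of an allow-list, so a crafted
//    path cannot pull in an arbitrary script from the application directory.

// Assumed allow-list of handler scripts; real names depend on the install.
$allowedHandlers = array('page.php', 'read.php', 'index.php');

function dispatch_go($rawURL, array $allowedHandlers)
{
    $parsedURL = parse_url($rawURL);
    if ($parsedURL === false || empty($parsedURL['path'])) {
        return array('file' => null, 'params' => array(), 'error' => 'bad url');
    }

    // Safe parse_str: all keys stay inside $params instead of becoming variables.
    $params = array();
    if (isset($parsedURL['query'])) {
        parse_str($parsedURL['query'], $params);
    }

    // Exact allow-list match (strict comparison), no basename() sanitising.
    $file = basename($parsedURL['path']);
    if (!in_array($file, $allowedHandlers, true)) {
        return array('file' => null, 'params' => $params, 'error' => 'unknown handler');
    }
    return array('file' => $file, 'params' => $params, 'error' => null);
}

// Constructed request that tries to smuggle extra variables into global scope.
$ok = dispatch_go('page.php?pagealias=about&kgr=1&admin=1', $allowedHandlers);
// Constructed request that asks for a script outside the allow-list.
$bad = dispatch_go('config.php?x=1', $allowedHandlers);

// $admin exists only inside $ok['params']; isset($admin) shows it never became a global.
var_dump($ok['file'], $ok['params'], isset($admin));
var_dump($bad['file'], $bad['error']);
// A caller would then do:  if ($ok['file'] !== null) { include $ok['file']; }
// and the included handler reads request data only through $ok['params'].
```

Values in $params (such as pagealias) still need their own validation before use; the allow-list only closes the include and the scope pollution.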

There are other exploitation ideas as well; I won't say more, so use your imagination :)

EXP or PoC? Write it yourself ;P