Lxblog blog system variables cover the resulting injection+Getshell attached to the use of the exp-bug warning-the black bar safety net

2013-04-09T00:00:00
ID MYHACK58:62201338207
Type myhack58
Reporter 佚名
Modified 2013-04-09T00:00:00

Description

Nonsense: lxblog is www. phpwind. net development of multi-blog system, now seems to have stopped updating! Statement: We only do the technical research, please do not illegally used, together with consequences with himself, independent of it!

Text:

Key file:/mod/ajax_mod.php

if (! empty($POST)) { $_POST = Char_cv($_POST); if ($db_charset != 'utf-8') { require_once(R_P.'mod/charset_mod.php'); foreach ($_POST as $key => $value) { ${'utf8'.$ key} = $value; ${$key} = convert_charset('utf-8',$db_charset,$value); } } else { foreach ($POST as $key => $value) { ${'utf8'.$ key} = ${$key} = $value; //variable overrides.}}}

Variable coverage lead to injection vulnerabilities

Focus file:/ajax.php

if ($action=='vote') { !$ winduid && exit('not_login');//variable overrides bypass (int)$votenum < 1 && exit('erro_voteid');//variables override to bypass the $voteitem = array(); $query = $db->query("SELECT id,voteduid FROM pw_voteitem WHERE vid='$vid'");//vulnerability to, enter the query()function while ($rt = $db->fetch_array($query)) { strpos(",$rt[voteduid],",",$winduid,")!== false && exit('have_voted'); $voteitem[$rt['id']] = $rt['voteduid']; }

漏洞 文件 :/mod/db_mysql.php

function query($SQL,$method="){//override variable $GLOBALS['PW'] is formed by injection $GLOBALS['PW']!=' pw_' && $SQL = str_replace(' pw_',' '.$ GLOBALS['PW'],$SQL); $query = ($method=='U_B' && function_exists('mysql_unbuffered_query')) ? @mysql_unbuffered_query($SQL) : @mysql_query($SQL); $this->query_num++; !$ query && $this->halt('Query Error:' . $SQL); return $query; }

exp: !

Variables cover the lead back getshell

Focus file:/ajaxadmin.php

..... require_once(R_P.'admin/admincp.php'); require_once(R_P.'mod/ajax_mod.php');//variables to cover..... } elseif ($action=='upload') { if ($job == 'add') { InitGP(array('uid','mode'),'G');//$uid=1. phtml. $db_uploadmaxsize = $GET['db_uploadmaxsize'];//db_uploadmaxsize=1 0 0 0 0 $db_uploadfiletype = $_GET['db_uploadfiletype'];//db_uploadfiletype=aaa $db_attachnum = $_GET['db_attachnum'];//db_attachnum=1 require_once(R_P.'mod/upload_mod.php'); $uploaddb = UploadSQL($uid,0,0,",$mode);//enter Upload,$mode= foreach ($uploaddb as $value) { $aid = $value['aid']; $name = $value['name']; $size = $value['size']; $desc = $value['desc']; $url = "$attachpath/$value[attachurl]"; break; } echo "<script language=\"JavaScript1. 2\">parent. UploadFileResponse('$mode','$aid','$size','$desc','$name','$url');</script>";exit;}...... function UploadSQL($uid,$itemid,$cid=0,$atype = null,$mode = null){ global $db,$attachdb,$timestamp,$atc_content; $uploaddb = ! empty($_FILES) ? UploadFile($uid,$mode) : array();//entering uploadfile function...... function UploadFile($uid,$mode = null){ global $_GROUP,$db,$admin_uid,$db_attachnum,$db_uploadmaxsize,$db_uploadfiletype,$timestamp,$db_attachdir,$attachpath,$attachdir,$db_thumbifopen,$db_thumbwh; $filedb = $attachdb = $descdb = array(); foreach ($_FILES as $key => $value) { $i = (int)substr($key,1 1); if (! empty($mode) && $i != $mode) continue; $tmp_name = is_array($value) ? $value['tmp_name'] : ${$key}; $descdb[$key] = Char_cv($_POST['atc_desc'.$ i]); $tagdb[$key] = Char_cv($_POST['atc_tags'.$ i]); $i > 0 && $i <= $db_attachnum && if_uploaded_file($tmp_name) && $filedb[$key] = $value; } unset($_FILES); foreach ($filedb as $key => $value) { $i = (int)substr($key,1 1); if (is_array($value)) { $atc_attachment = $value['tmp_name']; $atc_attachment_name = $value['name']; $atc_attachment_size = $value['size']; } else { $atc_attachment = ${$key}; $atc_attachment_name = ${$key.' _name'}; $atc_attachment_size = ${$key.' _size'}; } $atc_attachment_size > $db_uploadmaxsize && Uploadmsg('upload_size_error',$i); @extract($db->get_one("SELECT SUM(size) AS tsizes FROM pw_upload WHERE uid='$admin_uid'")); $_GROUP['uploadsize'] && $tsizes >= $_GROUP['uploadsize'] && Uploadmsg('upload_size_limit',$i); $extdb = explode(' ',via strtolower($db_uploadfiletype)); $attach_ext = via strtolower(substr(strrchr($atc_attachment_name,'.'), 1)); (!$ attach_ext || ! N_InArray($attach_ext,$extdb)) && Uploadmsg('upload_type_error',$i); $attach_ext = preg_replace("/(php|asp|jsp|cgi|fcgi|exe|pl|phtml|dll|asa|com|scr|inf)/i","scp\1",$attach_ext); $randvar = substr(md5($timestamp+$i),1 0,1 5); $fileurl = "{$uid}_{$randvar}";//upload link if ($attachdir == R_P.$ attachpath) { $savedir=";......

[1] [2] Next