Xiuno BBS 2.0 background getshell vulnerabilities-vulnerability warning-the black bar safety net

2013-05-02T00:00:00
ID MYHACK58:62201338568
Type myhack58
Reporter 佚名
Modified 2013-05-02T00:00:00

Description

Author: ztz@Dis9Team

0×0 vulnerability overview

  1. The system configuration is not stored in the database but in the file conf.php;
  2. It is stored there as a PHP array literal;
  3. Single quotes are escaped: ' => \' ;
  4. The backslash '\' itself is not escaped;
  5. Inserting \' is therefore escaped to \\' ; in PHP \\ represents a single \, so the escape intended for the single quote is itself escaped and the quote becomes live again, which closes the preceding array literal;
  6. The vulnerability occurs in several places in the admin backend ("background"), including the lights Heron plugin settings.
0×1 code analysis

In the on_base method of admin/control/conf_control.class.php:

public function on_base() { global $conf; $timezones = array( '+0' => '+0 ', '+1' => '+1 ', '+2' => '+2 ', '+3' => '+3 ', '+4' => '+4 ', '+5' => '+5 ', '+6' => '+6 ', '+7' => '+7 ', '+8' => '+8 time', '+9' => '+9 ', '+1 0' => '+1 0 ', '+1 1' => '+1 1 ', '+1 2' => '+1 2 ', '+1 3' => '+1 3 ', '+1 4' => '+1 4 ', '+1 5' => '+1 5 ', '+1 6' => '+1 6 ', '+1 7' => '+1 7 ', '+1 8' => '+1 8 ', '+1 9' => '+1 9 ', '+2 0' => '+2 0 ', '+2 1' => '+2 1 ', '+2 2' => '+2 2 ', '+2 3' => '+2 3 ', );

$input = array(); $bbs = include BBS_PATH.'conf/conf.php'; $error = $post = array();

//Get the user to submit the provided information if($this->form_submit()) { $post['app_name'] = core::gpc('app_name', 'P'); $post['urlrewrite'] = intval(core::gpc('urlrewrite', 'P')); $post['timeoffset'] = core::gpc('timeoffset', 'P'); $post['upload_url'] = core::gpc('upload_url', 'P'); $post['static_url'] = core::gpc('static_url', 'P'); $post['credits_policy_post'] = intval(core::gpc('credits_policy_post', 'P')); $post['credits_policy_reply'] = intval(core::gpc('credits_policy_reply', 'P')); $post['golds_policy_reply'] = intval(core::gpc('golds_policy_reply', 'P')); $post['credits_policy_thread'] = intval(core::gpc('credits_policy_thread', 'P')); $post['credits_policy_digest_1'] = intval(core::gpc('credits_policy_digest_1', 'P')); $post['credits_policy_digest_2'] = intval(core::gpc('credits_policy_digest_2', 'P')); $post['credits_policy_digest_3'] = intval(core::gpc('credits_policy_digest_3', 'P')); $post['golds_policy_post'] = intval(core::gpc('golds_policy_post', 'P')); $post['golds_policy_thread'] = intval(core::gpc('golds_policy_thread', 'P')); $post['golds_policy_digest_1'] = intval(core::gpc('golds_policy_digest_1', 'P')); $post['golds_policy_digest_2'] = intval(core::gpc('golds_policy_digest_2', 'P')); $post['golds_policy_digest_3'] = intval(core::gpc('golds_policy_digest_3', 'P')); $post['cache_pid'] = intval(core::gpc('cache_pid', 'P')); $post['cache_tid'] = intval(core::gpc('cache_tid', 'P')); $post['app_brief'] = core::gpc('app_brief', 'P'); $post['app_starttime'] = core::gpc('app_starttime', 'P'); $post['tmp_path'] = core::gpc('tmp_path', 'P'); $post['click_server'] = core::gpc('click_server', 'P'); $post['reg_on'] = intval(core::gpc('reg_on', 'P')); $post['reg_email_on'] = intval(core::gpc('reg_email_on', 'P')); $post['reg_init_golds'] = intval(core::gpc('reg_init_golds', 'P')); $post['resetpw_on'] = intval(core::gpc('resetpw_on', 'P')); $post['app_copyright'] = core::gpc('app_copyright', 'P'); $post['seo_title'] = core::gpc('seo_title', 'P'); 
$post['seo_keywords'] = core::gpc('seo_keywords', 'P'); $post['seo_description'] = core::gpc('seo_description', 'P'); $post['threadlist_hotviews'] = intval(core::gpc('threadlist_hotviews', 'P')); $post['search_type'] = core::gpc('search_type', 'P'); $post['sphinx_host'] = core::gpc('sphinx_host', 'P'); $post['sphinx_port'] = core::gpc('sphinx_port', 'P'); $post['sphinx_datasrc'] = core::gpc('sphinx_datasrc', 'P'); $post['sphinx_deltasrc'] = core::gpc('sphinx_deltasrc', 'P'); $post['china_icp'] = core::gpc('china_icp', 'P'); $post['footer_js'] = core::gpc('footer_js', 'P'); $post['site_pv'] = intval(core::gpc('site_pv', 'P')); $post['site_runlevel'] = intval(core::gpc('site_runlevel', 'P'));
