Open source, light weight Forum StartBBS check the installation improper handling can lead to heavy loading vulnerability-vulnerability warning-the black bar safety net

2014-01-03T00:00:00
ID MYHACK58:62201441642
Type myhack58
Reporter phith0n
Modified 2014-01-03T00:00:00

Description

Write directly in a word getshell it.

All tests are performed locally Oh, I'm determined to do a good child paper~it!

Whim read code. StartBBS interface is quite refreshing, the volume is small. Download down the installation.

After installation find the root directory of an install. lock, generally the cms in order to prevent re-installation will be in the directory to generate a similar file, the next time someone re-access the installation script, the script will detect if the directory with this file it prompts“please remove before installation”.

The original should be no problem. But we came to the install script/app/controllers/install. php, to see how it was processing:

class Install extends Install_Controller

{

function __construct ()

{

parent::__construct();

$this->load->library('myclass');

$file=FCPATH.'install. lock';

if (file_exists($file)){

$this->myclass->notice('alert("system installed");window. location. href="'. site_url().'";');

}

}

See here I just laugh. The constructor checks whether there is a install. lock, and then use javascript's way of telling the user“system installed”, and then jump. But this script simply has no end., this class of functions can be run, not because the returns to a window. location. href'll stop running. (this->myclass->notice()does not stop the running of the code

Then, on to the next turn, you can see the install function:

public function step($step)

{

$data['step']=$step;

if($step==1 || $step==2){

$data['permission'] = $this->_checkFileRight();

$this->load->view('install',$data);

}

if($step==3){

$this->_install_do();

}

}

function _install_do()

{

$data['step']=3;

if($_POST){

$dbhost = $this->input->post('dbhost');

$dbport = $this->input->post('dbport');

$dbname = $this->input->post('dbname');

$dbuser = $this->input->post('dbuser');

$dbpwd = $this->input->post('dbpwd')?$ this->input->post('dbpwd'):";

$dbprefix = $this->input->post('dbprefix');

$userid = $this->input->post('admin');

$pwd = md5($this->input->post('pwd'));

$email = $this->input->post('email');

$sub_folder = '/'.$ this->input->post('base_url').'/';

$conn = mysql_connect($dbhost.':'.$ dbport,$dbuser,$dbpwd);

if (!$ conn) {

die('cannot connect to database server, please check username and password are correct');

}

if($this->input->post('creatdb')){

if(!@ mysql_query('CREATE DATABASE IF NOT EXISTS '.$ dbname)){

die('the database specified('.$ dbname.') The system attempts to create a fails, please go through the other way to build the database');

}

}

if(! mysql_select_db($dbname,$conn)){

die($dbname.' The database does not exist, please create or check the data name.');

}

$sql = file_get_contents(FCPATH.'app/config/startbbs. sql');

$sql = str_replace("sb_",$dbprefix,$sql);

$explode = explode(";",$sql);

$data['msg1']="CREATE TABLE".$ dbname." Successful, please wait......& lt;br/>";

foreach ($explode as $key=>$value){

if(! empty($value)){

if(trim($value)){

mysql_query($value.";");

}

}

[1] [2] [3] next