phpyun arbitrary file deletion leading to injection + getshell - vulnerability warning - the black bar safety net

2014-01-17T00:00:00
ID MYHACK58:62201441860
Type myhack58
Reporter phithon
Modified 2014-01-17T00:00:00

Description

Originally this was only posted on the internal board of the Farker (法客) forum, but today I saw that the vendor has already fixed it, so there is nothing left to hide and I am publishing it. I hope everyone learns something from it. I had also hoped some expert would write the exploit code for me, since doing it by hand would have been a grind.

phpyun (the "cloud talent system") is a fairly large CMS from central China; a Google search turns up many installations. Through an arbitrary file deletion vulnerability we can delete the universal anti-injection file, after which injection is possible everywhere. The install lock can be deleted the same way, so the site can be re-installed to get a shell.

[image: 011.jpg]

0x01 How the vulnerability was found

Today I saw one of the latest vulnerabilities on WooYun (乌云): an arbitrary file deletion in phpyun. Thinking back, I had audited this CMS before; it is a fairly large CMS, and I seem to remember finding an arbitrary file deletion at the time, but then I wanted to test something else and forgot about it. So now I want to re-audit it, and use it to share some auditing experience with everyone.

First, skimming the site's source code, I found that the site relies on a universal anti-injection file, /data/db.safety.php, so none of the site's parameters get any other filtering. If we can find a way to delete this universal anti-injection file, we can inject anywhere on the site.

Because the code base is very large, I cannot read through the program following the developer's own logic. So I used a crude, fuzz-like method: brute-force searching the whole code base for code containing certain sensitive keywords. Here I used the "Seay source code audit system", which has an auto-audit feature. The principle is simply to match regular expressions across the whole code base and list the code that may contain a vulnerability.

When the auto-audit completes it generates a report. Searching the report for the keyword "delete" brings up a lot of code that may contain an arbitrary file deletion vulnerability:

[image: 001.jpg]

Some students asked: there are so many, 95 of them; do I have to go through them one by one?

This is where experience and luck come in. I generally look at the file's directory first: if the file is under /admin, there is a 90% chance it is a back-end operation file, and I do not bother with it. Even if there is a vulnerability, it would require administrator privileges, which makes it rather useless. I first pay attention to files named ajax, index and the like, and only then look at .class.php or .func.php files. Which files to prioritise comes down to how much code you have read; that is what experience is.
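The keyword search and triage rules described above, as an added example (not part of the original article and not the Seay tool's code): a small scanner that greps a PHP tree for file-removal sinks, marks a hit as interesting only when the argument contains a variable rather than a literal path, and ranks hits with the rule from the text (skip /admin, look at ajax/index files first, then .class.php/.func.php). The sample tree, the sink names other than delfiledir, and the scoring values are assumptions for illustration.

```python
import re
from typing import Dict, List

# File-removal sinks to search for. delfiledir is the phpyun helper seen on this page;
# the other names are PHP built-ins or common wrapper names (assumed; adjust per code base).
SINKS = re.compile(r"\b(unlink|rmdir|delfiledir|deldir)\s*\(", re.IGNORECASE)
VARIABLE = re.compile(r"\$[A-Za-z_]")  # any PHP variable inside the argument list

# Constructed stand-in for a checkout; these snippets are not phpyun's real code.
SAMPLE_TREE: Dict[str, str] = {
    "admin/model/file.php": "<?php if($_GET['del']) unlink($_GET['path']); ?>",
    "member/model/index.php": "<?php $this->obj->delfiledir('../upload/tel/'.$this->uid); ?>",
    "ajax/upload.php": "<?php unlink('/tmp/fixed.tmp'); ?>",
    "include/cache.func.php": "<?php @unlink($cachefile); ?>",
}


def location_score(path: str) -> int:
    """Triage rule from the text: /admin last, ajax/index files first, then .class.php/.func.php."""
    parts = path.lower().split("/")
    if parts[0] == "admin":
        return 0
    if any(p.startswith(("ajax", "index")) for p in parts):
        return 3
    if path.endswith((".class.php", ".func.php")):
        return 2
    return 1


def scan(tree: Dict[str, str]) -> List[dict]:
    """Return sink call sites, highest-priority first."""
    findings = []
    for path, source in tree.items():
        for lineno, line in enumerate(source.splitlines(), 1):
            m = SINKS.search(line)
            if not m:
                continue
            argument = line[m.end():]
            tainted = bool(VARIABLE.search(argument))
            # A literal path cannot be attacker-chosen, so such hits drop to the bottom.
            score = location_score(path) if tainted else 0
            findings.append({
                "path": path, "line": lineno, "sink": m.group(1),
                "tainted": tainted, "score": score, "code": line.strip(),
            })
    findings.sort(key=lambda f: f["score"], reverse=True)  # stable: ties keep tree order
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TREE):
        print(f"[{f['score']}] {f['path']}:{f['line']} {f['sink']}() tainted={f['tainted']}  {f['code']}")
```

Run it against a real checkout by replacing SAMPLE_TREE with a dict built from os.walk over the web root; the ranking puts the member/ index.php hit with a variable-built path at the top, which is exactly the file examined next.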

0x02 Finding the critical point

After going through the hits I opened the file \member\model\index.php and found the following function:

```php
function info_action(){
    if($_POST["submitBtn"]){
        $_POST=$this->post_trim($_POST);
        if($_POST["name"]==""){
            $this->obj->ACT_msg("index.php?c=info","name can not be empty!");
        }
        if($_POST["city"]==""){
            $this->obj->ACT_msg("index.php?c=info","domicile cannot be empty!");
        }
        if($this->config['user_idcard']=="1")
        {
            if($_POST["idcard"]==""){
                $this->obj->ACT_msg("index.php?c=info","card number can't be empty!");
            }
        }
        if($_POST["cityid"]==""){
            $this->obj->ACT_msg("index.php?c=info","current address can not be empty!");
        }
        if($_POST["address"]==""){
            $this->obj->ACT_msg("index.php?c=info","detailed address cannot be empty!");
        }
        unset($_POST["submitBtn"]);
        // Sink: recursive delete of a path built by concatenating $this->uid onto
        // "../upload/tel/", with no check that the result stays under that directory.
        $this->obj->delfiledir("../upload/tel/".$this->uid);
        $where["uid"]=$this->uid;
        $nid=$this->obj->update_once("resume",$_POST,$where);
        $nid?$this->obj->ACT_msg("index.php?c=info","update success"):$this->obj->ACT_msg("index.php?c=info","update failed");
    }
    $this->public_action();
    $row=$this->obj->DB_select_once("resume","uid='".$this->uid."'");
    $this->yunset("row",$row);
    $this->city_cache();
    $this->yunset("js_def",5);
    $this->user_tpl('info');
}
```
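To make concrete why the delfiledir() call above is the critical point, here is an added example (not phpyun's code and not the author's exploit): the same string concatenation modelled in Python, next to the containment check the function is missing. The web-root path, the assumption that a uid is purely numeric, and the traversal string are illustrative; the page does not state how $this->uid comes to hold attacker data, only that deleting /data/db.safety.php is the goal.

```python
import posixpath
from typing import Optional

# Assumed deployment layout: the upload directory the vulnerable code points at with "../upload/tel/".
UPLOAD_BASE = "/var/www/phpyun/upload/tel"


def vulnerable_target(uid: str) -> str:
    """Mirror of the page's "../upload/tel/".$this->uid: plain concatenation, no validation."""
    return posixpath.normpath(posixpath.join(UPLOAD_BASE, uid))


def confined_target(uid: str) -> Optional[str]:
    """Hardened variant: return the directory to delete, or None if uid escapes the base.

    Two independent checks: an allow-list on the value itself (phpyun uids are assumed to be
    numeric), and a canonical-path prefix check so that even a permissive allow-list cannot
    reach ../ or an absolute path.
    """
    if not uid or not uid.isdigit():
        return None
    target = posixpath.normpath(posixpath.join(UPLOAD_BASE, uid))
    base_prefix = UPLOAD_BASE.rstrip("/") + "/"
    if not target.startswith(base_prefix):
        return None  # normalised path left the upload directory
    return target


if __name__ == "__main__":
    # Constructed traversal value standing in for an attacker-controlled uid.
    evil = "../../data/db.safety.php"
    print("vulnerable:", vulnerable_target(evil))   # resolves to the anti-injection file
    print("confined:  ", confined_target(evil))     # None: rejected
    print("confined:  ", confined_target("42"))     # the user's own directory
```

posixpath.normpath is used rather than os.path so the example behaves the same on every platform; in real code the same check is done with realpath() on the actual file system, and the delete routine must also refuse symlinks inside the base directory.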
