phpBB < 3.0.10 attachment physical path leakage

Source: Internet
Author: User
Tags: file, url
Many sites, including some well-known ones, still run servers affected by the Nginx FastCGI vulnerability. Recently, while looking into some problems with an editor, I went to its official forum to ask a question. After testing, I found that the forum server also had this vulnerability, so I wanted to test it further. For that I needed somewhere to upload a file, so I applied for an invitation code for the forum, registered, posted a question, and waited for a while. Later I forgot about the question → _ →!

The editor was updated two days ago. Today I went back to the forum to reply to the poster's thread and found that I could upload attachments. So I uploaded an image and got an address like this:

http://VICTIM/bb/download/file.php?id=1

Such an address is of no use on its own. The forum runs phpBB, and after searching through a round of articles without finding any way to obtain the physical path, I downloaded the latest source code (phpBB 3.0.10) from the official site, http://www.phpbb.com/downloads, for analysis.

The first step is to lock onto download/file.php and read how the path of an attachment file is built:

PHP

// Forum program path + upload directory + file name
$phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']

So the physical location is the files directory under the forum root, but the file name is a hash value, so I could not work out the file URL exactly. I kept reading the source and found the thumbnail handling:

PHP

// Determine whether a thumbnail exists. If so, the thumbnail file name is used: the physical file name prefixed with "thumb_"
if ($thumbnail)
{
    $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
}

Testing an upload locally, I found that no thumbnail is generated by default; in other words, the thumbnail feature is not enabled by default:

PHP

// The thumbnail request parameter defaults to false
$thumbnail = request_var('t', false);

So I added a t parameter to the address and set it to true to force the thumbnail branch. The result was an error:

PHP

if (!$attachment)
{
    send_status_line(404, 'Not Found');
    trigger_error('ERROR_NO_ATTACHMENT');
}

Request:

http://VICTIM/bb/download/file.php?id=1&t=true

Page output:

The selected attachment does not exist anymore.

The file ./../files/thumb_2_9d6d524bd7abcf38b8fa6bba7caa65fb does not exist.
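The `if (!$attachment)` branch quoted above handles a missing database record; the second line of the page output shows that a later file-existence check formats the full physical path into the error text, which is what leaks the files directory and the hashed name. The script below is an added example (not phpBB's own code) that rebuilds the path the way the quoted snippets do, reproduces the leaking 404 body, and places a hardened handler beside it: the path is logged server-side only, the client gets a generic message, and `t=` is honoured only when the attachment record says a thumbnail was actually generated. The function names, the `has_thumbnail` field and the logger callback are assumptions made for this example.

```php
<?php
// Added example, not phpBB's own code. Function names, the
// $attachment['has_thumbnail'] field and the logger are assumptions.
declare(strict_types=1);

// Mirror of the path construction quoted from download/file.php:
// forum root + upload directory + '/' + physical file name, with the
// "thumb_" prefix prepended when a thumbnail is requested.
function build_attachment_path(string $root, string $uploadPath, array $attachment, bool $thumbnail): string
{
    $physical = $attachment['physical_filename'];
    if ($thumbnail) {
        $physical = 'thumb_' . $physical;
    }
    return $root . $uploadPath . '/' . $physical;
}

// Leaking behaviour as observed on the page: the full path is echoed
// back to the client when the file is missing.
function not_found_leaky(string $filename): string
{
    return 'The selected attachment does not exist anymore. '
         . 'The file ' . $filename . ' does not exist.';
}

// Hardened behaviour: keep the path for the operator's log, return a
// generic message to the client.
function not_found_hardened(string $filename, callable $log): string
{
    $log(sprintf('attachment file missing: %s', $filename));
    return 'The selected attachment does not exist anymore.';
}

// Hardened request handler: the client's t= flag alone never selects the
// thumbnail path; the attachment record must also say a thumbnail exists.
function serve_attachment(array $attachment, array $query, string $root, string $uploadPath, callable $log): array
{
    $wantThumb = !empty($query['t']) && !empty($attachment['has_thumbnail']);
    $filename  = build_attachment_path($root, $uploadPath, $attachment, $wantThumb);

    if (!is_file($filename)) {
        return ['status' => 404, 'body' => not_found_hardened($filename, $log)];
    }
    return ['status' => 200, 'body' => $filename];
}

// --- constructed demo, values taken from the page's output ---------------
$attachment = [
    'physical_filename' => '2_9d6d524bd7abcf38b8fa6bba7caa65fb', // hashed name from the page
    'has_thumbnail'     => 0,                                     // no thumbnail was generated
];
$root   = './../';
$upload = 'files';

$messages = [];
$log = function (string $m) use (&$messages): void { $messages[] = $m; };

// Request carrying t=true against an attachment that has no thumbnail.
$leakyPath = build_attachment_path($root, $upload, $attachment, true);
echo 'leaky 404 body:    ', not_found_leaky($leakyPath), PHP_EOL;

$resp = serve_attachment($attachment, ['t' => 'true'], $root, $upload, $log);
echo 'hardened 404 body: ', $resp['body'], PHP_EOL;
echo 'server log:        ', $messages[0] ?? '(none)', PHP_EOL;
```

Run it with `php serve_attachment.php` (PHP 7.1 or newer for the scalar and nullable type hints). The first line reproduces the exact message shape from the page, including the `./../files/thumb_` prefix; the hardened response contains no path at all, and because `has_thumbnail` is 0 the handler never even forms the `thumb_` name, so a client cannot use the 404 text to tell whether a thumbnail exists.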

The result is quite promising: the error message reveals the physical path. We then tested this on the forum, obtained the real URL of the file uploaded earlier, and, by exploiting the server vulnerability mentioned above, used that file to get in.
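From the operator's side, the probe that exposes the path has a distinctive shape in the web server access log: a request to `download/file.php` carrying a `t=` parameter that is answered with 404, since the thumbnail file does not exist by default. The script below is an added example (not part of the original post) that scans combined-format log lines for that shape and reports clients repeating it; it deliberately skips `t=` requests that returned 200 (a real thumbnail) and other scripts that happen to use a `t` parameter, such as `viewtopic.php`. The log lines are constructed for this example and the function names and threshold are assumptions.

```php
<?php
// Added example, not part of the original post. Log format (nginx/Apache
// combined style), sample lines, function names and threshold are assumptions.
declare(strict_types=1);

// Constructed sample access-log lines.
const SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2012:10:00:01 +0000] "GET /bb/download/file.php?id=1 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2012:10:00:09 +0000] "GET /bb/download/file.php?id=1&t=true HTTP/1.1" 404 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2012:10:00:10 +0000] "GET /bb/download/file.php?id=2&t=1 HTTP/1.1" 404 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2012:10:01:00 +0000] "GET /bb/viewtopic.php?t=42 HTTP/1.1" 200 8890 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2012:10:01:05 +0000] "GET /bb/download/file.php?id=3&t=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// Parse one combined-format line into the fields we need; null if it does not match.
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    parse_str((string) parse_url($m[3], PHP_URL_QUERY), $query);
    return [
        'client' => $m[1],
        'method' => $m[2],
        'path'   => (string) parse_url($m[3], PHP_URL_PATH),
        'query'  => $query,
        'status' => (int) $m[4],
    ];
}

// A request is a thumbnail probe when it hits download/file.php with a t=
// parameter and the server answered 404 (thumbnail file absent).
function is_thumbnail_probe(array $req): bool
{
    $suffix = '/download/file.php';
    return $req['status'] === 404
        && substr($req['path'], -strlen($suffix)) === $suffix
        && array_key_exists('t', $req['query']);
}

// Count probes per client and return those at or above the threshold.
function find_probing_clients(array $lines, int $threshold = 2): array
{
    $counts = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req !== null && is_thumbnail_probe($req)) {
            $counts[$req['client']] = ($counts[$req['client']] ?? 0) + 1;
        }
    }
    return array_filter($counts, fn (int $n): bool => $n >= $threshold);
}

foreach (find_probing_clients(SAMPLE_LOG) as $client => $n) {
    printf("%s: %d thumbnail probes answered with 404\n", $client, $n);
}
```

Run with `php scan_thumbnail_probes.php` (PHP 7.4 or newer for the arrow function). Only `203.0.113.5` is reported: its two `t=` requests to `download/file.php` both came back 404, whereas the request from `198.51.100.7` with `t=1` returned 200 and its `viewtopic.php?t=42` hit is a different script entirely. In practice the same match would be fed from the real access log and the threshold tuned to the forum's traffic; on a patched forum the 404 body no longer carries the path, so the pattern is then only a signal of probing rather than of disclosure.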

Original article: the physical path of phpBB < 3.0.10 attachments is leaked. Thanks to the original author for sharing.
