Arbitrary file deletion caused by a Phpyun design defect can lead to reinstallation (getshell) or SQL injection.
A design defect allows deletion of arbitrary files, including the install lock; once the lock is gone the system can be reinstalled directly to achieve getshell.
Other files can be deleted as well.
The same defect can also be used to break SQL statements.
The latest version on the official website is still affected.
In model/ajax.class.php:

    function delupload_action(){
        if(!$this->uid && !$this->username && $_COOKIE["usertype"]!=2){
            echo 0;die;
        }else{
            $dir=$_POST[str][0];
            $isuser = $this->obj->DB_select_once("company_show","`picurl`='$dir'");
            if($isuser['uid']==$this->uid){
                echo @unlink(".".$dir);
            }else{
                echo 0;die;
            }
        }
    }
0x01 Breaking the statement

    $dir=$_POST[str][0];
    $isuser = $this->obj->DB_select_once("company_show","`picurl`='$dir'");

Here $dir is taken from $_POST[str][0]. If str is submitted as a plain string rather than an array, [0] returns only its first character.
Because phpyun globally escapes quotes (a single quote ' becomes \'), submitting a string that starts with a single quote means the first character kept is the backslash.
The escape character has therefore been introduced into the query. If two parameters were controllable, this would allow the familiar \ and , user()# style of injection.
Here, however, only one parameter is involved, so introducing the escape character can only break the following statement; it cannot be turned into an injection.
_________________________________________________________________________
0x02 Arbitrary file deletion of the lock file leads to getshell

First, let's look at the check:

    $dir=$_POST[str][0];
    $isuser = $this->obj->DB_select_once("company_show","`picurl`='$dir'");
    if($isuser['uid']==$this->uid){
        echo @unlink(".".$dir);
    }else{
        echo 0;die;
    }

This check means that $isuser['uid'] == $this->uid must hold before the delete operation is performed.
However, if DB_select_once("company_show","`picurl`='$dir'") returns no row and $this->uid is empty as well, the comparison passes.
    if(!$this->uid && !$this->username && $_COOKIE["usertype"]!=2){echo 0;die;}

Because the conditions are joined with &&, the function only exits when all three are true.
Without logging in, the first two (no uid, no username) are both true.
But if $_COOKIE["usertype"]!=2 is false, the die is not executed.
And cookies are user controllable.
Testing confirms it: when the usertype cookie is 2, the function does not exit.
$this->uid is empty (0) because we have not logged in.
Now consider $isuser = $this->obj->DB_select_once("company_show","`picurl`='$dir'") for a $dir that does not exist in this table (the file we want to delete will not be listed there).
Then $isuser['uid'] is empty (NULL).

    if($isuser['uid']==$this->uid){echo @unlink(".".$dir);}

The loose comparison NULL == 0 is true, so this check passes and unlink is executed with a $dir that we control.
Can any file be deleted?
Here we delete data/phpyun.lock to make reinstallation possible.
Since unlink(".".$dir) prefixes a dot, the submitted path starts with a / so that the result is a path under the web root.
The file in the root directory structure is deleted.
1 is returned, meaning the deletion succeeded.
Once the lock is deleted, the system can be reinstalled.
The input is not escaped here.
The code executes when the homepage is accessed.
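The checks above fail for three independent reasons: authentication is decided partly by a cookie, a missing database row compares loosely equal to an empty uid, and the path passed to unlink is only prefixed with a dot. The following is an added example written for this write-up, not Phpyun's own code, showing how a hardened version of the same delete routine would address all three. It assumes a hypothetical $lookupOwner callback standing in for a parameterised query against company_show, and a hypothetical fixed upload directory UPLOAD_ROOT; the table contents in the demo are constructed.

```php
<?php
// Added example (not Phpyun's code): hardened rewrite of the delupload check.
// Assumptions (hypothetical): $uid is the session user id (null when not logged
// in), $lookupOwner queries company_show by picurl with a bound parameter and
// returns the owning uid or null, and uploads live under UPLOAD_ROOT.

declare(strict_types=1);

const UPLOAD_ROOT = __DIR__ . '/data/upload';   // assumed upload directory

/**
 * Resolve a user-supplied relative path inside $uploadRoot, or return null.
 * Rejects anything that escapes the directory (../, absolute paths, symlinks).
 */
function resolve_upload_path(string $uploadRoot, string $userPath): ?string
{
    $root = realpath($uploadRoot);
    if ($root === false) {
        return null;
    }
    // Leading slashes are stripped, so "/data/phpyun.lock" can no longer be
    // turned into "./data/phpyun.lock" by a dot prefix.
    $candidate = $root . DIRECTORY_SEPARATOR . ltrim($userPath, "/\\");
    $real = realpath($candidate);
    if ($real === false) {
        return null;                 // file does not exist
    }
    // Must still be inside the upload root after .. and symlink resolution.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Hardened delete: authenticate from the session, look the record up with a
 * bound parameter, compare owners strictly, then unlink only inside the root.
 * $lookupOwner has the signature (string $picurl): ?int. Returns true on success.
 */
function delete_upload(?int $uid, $str, callable $lookupOwner): bool
{
    // 1. Authentication is decided by the session alone, never by a cookie.
    if ($uid === null || $uid <= 0) {
        return false;
    }
    // 2. Refuse non-array input so [0] cannot silently take a single byte.
    if (!is_array($str) || !isset($str[0]) || !is_string($str[0])) {
        return false;
    }
    $dir = $str[0];
    // 3. A missing row is a failure, not an owner match (NULL == 0 is true in PHP).
    $owner = $lookupOwner($dir);
    if ($owner === null || $owner !== $uid) {
        return false;
    }
    // 4. Confine the deletion to the upload directory.
    $path = resolve_upload_path(UPLOAD_ROOT, $dir);
    if ($path === null) {
        return false;
    }
    return unlink($path);
}

// Constructed demo: an in-memory stand-in for the company_show table.
$table = ['/upload/company/1.jpg' => 7];
$lookup = fn(string $picurl): ?int => $table[$picurl] ?? null;

// Unauthenticated request, regardless of any usertype cookie: rejected.
var_dump(delete_upload(null, ['/data/phpyun.lock'], $lookup));
// Authenticated user naming a file that has no row in the table: rejected.
var_dump(delete_upload(7, ['/data/phpyun.lock'], $lookup));
// Scalar instead of array (the [0] truncation): rejected.
var_dump(delete_upload(7, "'abc", $lookup));
```

The order of the checks matters: the session check runs before any database access, the strict `!==` comparison on the owner makes the NULL row case an explicit failure, and realpath confinement means that even a record whose picurl pointed outside the upload directory could not be used to delete data/phpyun.lock or the webscan interception files.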
_________________________________________________________________________
0x03 What if I don't want to reinstall someone else's system but want to inject instead?

In member/model/com.class.php:

    function product_action(){
        $this->public_action();
        $delid=$_GET['delid'];
        if($delid){
            if(is_array($delid)){
                $ids=$this->pylode(',',$delid);
                $layer_type=1;
            }else{
                $ids=$delid;
                $layer_type=0;
            }
            $row=$this->obj->DB_select_all("company_product","`id` in (".$ids.") and `uid`='".$this->uid."'","`pic`");
$delid = $_GET['delid']; when it is not an array it is not filtered and is concatenated directly into the query.
And there are no single quotes around it.
Using the deletion above, remove data/db.safety.php and include\webscan360\360safe\360webscan.php.
Both deletions return 1, indicating success.
Injection is then possible.
No interception is triggered, because the interception files have been deleted.
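The injection in product_action exists because $ids is pasted into the IN clause as text, and the only thing standing in the way was a third-party scanner file that the deletion flaw can remove. The fix is to make the identifiers integers and bind them. The following is an added example written for this write-up, not Phpyun's own code; it assumes the query is run through PDO with placeholders rather than through the DB_select_all wrapper, and the inputs fed to it are constructed.

```php
<?php
// Added example (not Phpyun's code): hardening the product_action id handling.
// Assumption: the resulting [sql, params] pair is executed with a PDO prepared
// statement; only the query construction is shown here.

declare(strict_types=1);

/**
 * Accept either a scalar or an array from $_GET['delid'] and return only
 * positive integers. SQL text, floats, negatives and empty strings are dropped.
 */
function normalize_ids($delid): array
{
    $raw = is_array($delid) ? $delid : [$delid];
    $ids = [];
    foreach ($raw as $value) {
        if (is_int($value) && $value > 0) {
            $ids[] = $value;
        } elseif (is_string($value) && ctype_digit($value) && (int)$value > 0) {
            // ctype_digit rejects "1 or 1=1", "1)", "-5" and "" outright.
            $ids[] = (int)$value;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Build the parameterised equivalent of the vulnerable
 *   `id` in (".$ids.") and `uid`='".$this->uid."'
 * Returns [sql, params], or null when there is nothing valid to query.
 */
function build_product_query(array $ids, int $uid): ?array
{
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT `pic` FROM `company_product` WHERE `id` IN ($placeholders) AND `uid` = ?";
    return [$sql, array_merge($ids, [$uid])];
}

// Constructed inputs: values the vulnerable code would have concatenated verbatim.
$inputs = ['12', ['3', '4', '4'], '1 or 1=1', ['5', 'x'], ''];
foreach ($inputs as $input) {
    $ids = normalize_ids($input);
    echo json_encode(['input' => $input, 'ids' => $ids,
                      'query' => build_product_query($ids, 7)]), "\n";
}
```

With this shape the scalar and array branches collapse into one path, so the `$layer_type` distinction in the original no longer changes how the identifiers reach the database, and removing a WAF file from disk has no effect on the query's safety.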
Solution:
Modify the logic.
Change the && to ||? I haven't thought about it much. You can think about it yourself.