There are still many sites around, including some well-known ones, whose servers still have the Nginx FastCGI vulnerability. Recently, while looking into some problems with an editor, I went to the official forum to ask a question, and while testing I found that the forum's server has this vulnerability too. I wanted to test it further, so I needed somewhere I could upload a file. I applied for an invitation code for the forum, registered, posted a question, and waited for a while. Later I forgot about the question →_→!
The editor was updated two days ago. Today I went to the forum to reply to the moderator's post and found that I could upload attachments. So I uploaded an image and got an address like this:
http://VICTIM/bb/download/file.php?id=1
An address like this is of no use on its own. The forum runs phpBB, and after searching through a round of articles without finding a way to get the physical path disclosed, I downloaded the latest source code from the official website (phpBB 3.0.10) for analysis. The download address is http://www.phpbb.com/downloads.
The first target is file.php; the physical path of an attachment file is built as follows:
PHP
// forum root path + upload directory + file name
$phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']
In the end I found that the physical location is the files directory under the forum root, but the file name is a hash value, so I could not work out the file's real URL from the download address. I kept reading the source and found a thumbnail function:
PHP
// If a thumbnail is requested, the file name is the physical file name prefixed with "thumb_"
if ($thumbnail)
{
    $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
}
I tested an upload locally and found that no thumbnail is generated by default, i.e. the thumbnail feature is off by default:
PHP
// the thumbnail request parameter defaults to false
$thumbnail = request_var('t', false);
So I added a t parameter to the address and set it to true to force the thumbnail to be read. The result was an error:
PHP
if (!$attachment)
{
    send_status_line(404, 'Not Found');
    trigger_error('ERROR_NO_ATTACHMENT');
}
Request:
http://VICTIM/bb/download/file.php?id=1&t=true
Page output:
The selected attachment does not exist anymore.
The file ./../files/thumb_2_9d6d524bd7abcf38b8fa6bba7caa65fb does not exist.
The result is very promising: the error message prints the physical path, including the hashed file name that the download address was hiding. So I tested it on the forum, successfully obtained the real URL of the file I had uploaded earlier, and, combined with the server vulnerability, successfully got in.
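As an added defender-side example (not code from the original post or from phpBB), the Python below scans nginx access-log lines for the sequence this write-up describes: a download/file.php request carrying a t= parameter that returns 404, followed by the same client fetching that attachment's physical file directly under files/. The log lines, client IPs and timestamps are constructed; the hash is the one quoted in the error above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed nginx access-log lines (combined format) modelling the probe:
# a forced-thumbnail request that 404s and leaks the physical name, then a
# direct fetch of the full-size file. IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:12:00:01 +0000] "GET /bb/download/file.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:12:00:05 +0000] "GET /bb/download/file.php?id=2&t=true HTTP/1.1" 404 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:12:00:09 +0000] "GET /bb/files/2_9d6d524bd7abcf38b8fa6bba7caa65fb HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2011:12:01:00 +0000] "GET /bb/download/file.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client ip, request line (method + path) and status code of one log entry
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# physical attachment name phpBB 3.0 uses: <attach_id>_<md5 hex>, optionally thumb_-prefixed
PHYS_RE = re.compile(r'/files/(?:thumb_)?(?P<id>\d+)_[0-9a-f]{32}$')

def analyse(log_text):
    """Return {client_ip: sorted attachment ids} for clients that forced a thumbnail
    via t= on download/file.php, got a 404, and then fetched that id's physical
    file under /files/ directly (a path only the error page could have told them)."""
    forced = defaultdict(set)   # ip -> ids for which a t= request returned 404
    hits = defaultdict(set)     # ip -> ids whose physical file was fetched directly
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # not a combined-format line; skip
        url = urlparse(m['path'])
        if url.path.endswith('/download/file.php'):
            q = parse_qs(url.query)
            if 't' in q and m['status'] == '404' and q.get('id'):
                forced[m['ip']].add(int(q['id'][0]))
        else:
            p = PHYS_RE.search(url.path)
            if p:
                hits[m['ip']].add(int(p['id']))
    return {ip: sorted(forced[ip] & hits[ip]) for ip in forced if forced[ip] & hits[ip]}

if __name__ == '__main__':
    for ip, ids in analyse(SAMPLE_LOG).items():
        print(f"{ip}: direct fetch of physical attachment(s) {ids} after forced-thumbnail 404")
```

The third sample line only succeeds because nginx ignores the .htaccess that phpBB ships in files/, so a direct fetch of the physical file is the signal to alert on, and a location rule denying files/ is the matching fix.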
Original article address: phpBB < 3.0.10 attachment physical path disclosure. Thanks to the original author for sharing it.