Home > Cloud Computing > Cloud Security

Security risks arising from the Empire universal interface

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

This is an empire Download System.
Ps (directly write shell without any account or password)

 
Text: Xidu


 

Because many websites have to integrate discuz and other forums for download ....

The Empire has 10 thousand million interfaces,
 

This interface will not be deleted by many people, resulting in a great security risk, resulting in direct getshell. The following analyzes the code

When we submit, the address is submitted to index. php? Install = 1 & setup = SetConfig

Www.2cto.com

If ($ _ GET ['install'] = 1) {@ include (".. /class/connect. php "); @ include (".. /class/db_ SQL .php "); @ include (".. /class/functions. php "); $ link = db_connect (); $ empire = new mysqlquery (); if ($ setup =" SetConfig ") {SetUserCOMConfig ($ _ POST );} elseif ($ setup = "alter") {InstallUserCOM ();} elseif ($ setup = "update") {UpdateUserCOM ();} else {}

He started calling a SetUserCOMConfig function here, and we will continue to trace it.

15 rows in data/fun. php

We can see this function

Function SetUserCOMConfig ($ add ){
$ Filetext = ReadFiletext ('data/user. php ');
If (empty ($ filetext ))
{
InstallShowMsg ('file/update/data/user. php is lost and installation fails .');
}
$ Vr = explode (",", ReturnRepUserVar ());
$ Count = count ($ vr );
For ($ I = 0; $ I <$ count; $ I ++)
{
$ Filetext = str_replace ("[! @ -- ". $ Vr [$ I]." -- @!] ", $ Add [$ vr [$ I], $ filetext );
}
// Write the configuration file
$ Fp = @ fopen ("../class/user. php", "w ");
If (! $ Fp)
{
InstallShowMsg ('/class/user. php file permission is not set to 0777, the installation is not successful .');
}
@ Fputs ($ fp, $ filetext );
@ Fclose ($ fp );

... // Omitted

Here he will $ filetext = str_replace ("[! @ -- ". $ Vr [$ I]." -- @!] ", $ Add [$ vr [$ I], $ filetext );

He cut the passed variables and assigned them to $ filetext.

See the following

// Write the configuration file
$ Fp = @ fopen ("../class/user. php", "w ");
If (! $ Fp)
{
InstallShowMsg ('/class/user. php file permission is not set to 0777, the installation is not successful .');
}
@ Fputs ($ fp, $ filetext );

Open a class/user. php file and write $ filetext

The transcript does not indicate the author's, rotten jj

Let's take a look at the Write result. Just enter one
 
Then he writes it to class/user. php, So 0-day is generated.

 


So let's write $ {@ phpinfo ()} to try it out.

 
The transcript does not indicate the author's, rotten jj

Access the following class/user. php file.
Mjj does not reply
Day

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
byod security risks ftp security risks shared hosting security risks mpls security risks p2p security risks universal security solutions owasp top 10 application security risks
Related Article
How does personal cloud security guarantee data security?
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More