{"id":6801,"date":"2010-01-10T11:12:22","date_gmt":"2010-01-10T03:12:22","guid":{"rendered":"https:\/\/aqzt.com\/6801.html"},"modified":"2010-01-10T11:12:22","modified_gmt":"2010-01-10T03:12:22","slug":"phpwind-%e5%87%ba%e7%8e%b0%e4%b8%a5%e9%87%8d%e5%ae%89%e5%85%a8%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/aqzt.com\/6801.html","title":{"rendered":"Phpwind \u51fa\u73b0\u4e25\u91cd\u5b89\u5168\u6f0f\u6d1e"},"content":{"rendered":"<p><a href=\"https:\/\/www.oschina.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">\u6587\u7ae0\u8f6c\u8f7d\u5f00\u6e90\u4e2d\u56fd<\/a><\/p>\n<p>\u8fd1\u65e5\uff0c\u56fd\u5185\u77e5\u540d\u7684\u793e\u533aPHPWIND\u53c8\u73b0\u4e25\u91cd\u6f0f\u6d1e\uff0c\u7a0b\u5e8f\u4e2d\u6709\u90e8\u5206\u53d8\u91cf\u6ca1\u6709\u8fc7\u6ee4\u5bfc\u81f4\u4efb\u610f\u5305\u542b\u672c\u5730\u6587\u4ef6,\u4ece\u800c\u53ef\u4ee5\u6267\u884c\u4efb\u610fPHP\u547d\u4ee4\uff0c\u5b98\u65b9\u9488\u5bf9\u8fd9\u4e2a\u6f0f\u6d1e \u5df2\u7ecf\u505a\u51fa\u4e86\u4fee\u8865\u3002<\/p>\n<p>phpwind 7.5 Multiple Include Vulnerabilities  <\/p>\n<p>author: 80vul<br \/>team:http:\/\/www.80vul.com<\/p>\n<p>\u4e00.api\/class_base.php\u672c\u5730\u5305\u542b\u6f0f\u6d1e<\/p>\n<p>1.\u63cf\u53d9<\/p>\n<p> api\/class_base.php\u6587\u4ef6\u91cccallback\u51fd\u6570\u91cc$mode\u53d8\u91cf\u6ca1\u6709\u8fc7\u6ee4\u5bfc\u81f4\u4efb\u610f\u5305\u542b\u672c\u5730\u6587\u4ef6,<br \/>\u4ece\u800c\u53ef\u4ee5\u6267\u884c\u4efb\u610fPHP\u547d\u4ee4.<\/p>\n<p>2. \u5177\u4f53\u5206\u6790<\/p>\n<p>api\/class_base.php\u6587\u4ef6\u91cc:<\/p>\n<p> function callback($mode, $method, $params) {<br \/> if (!isset($this-&gt;classdb[$mode])) {<br \/> if (!file_exists(R_P.&#8217;api\/class_&#8217; . $mode . &#8216;.php&#8217;)) {<br \/> return new ErrorMsg(API_MODE_NOT_EXISTS, &#8220;Class($mode) Not Exists&#8221;);<br \/> }<br \/> require_once(R_P.&#8217;api\/class_&#8217; . $mode . &#8216;.php&#8217;); \/\/\u8fd9\u91cc<br \/> $this-&gt;classdb[$mode] = new $mode($this);<br \/> }<br \/> if (!method_exists($this-&gt;classdb[$mode], $method)) {<br \/> return new ErrorMsg(API_METHOD_NOT_EXISTS, &#8220;Method($method of $mode) Not Exists&#8221;);<br \/> }<br \/> !is_array($params) &amp;&amp; $params = array();<br \/> return @call_user_func_array(array(&amp;$this-&gt;classdb[$mode], $method), $params);<br \/> }<\/p>\n<p>\u6211\u4eec\u7ee7\u7eed\u8ddf\u4e00\u4e0b\u5177\u4f53\u53d8\u91cf\u4f20\u9012\u7684\u8fc7\u7a0b. \u4e0a\u9762\u7684\u51fd\u6570\u5728run()\u91cc\u6709\u8c03\u7528:<\/p>\n<p> function run($request) {<br \/> $request = $this-&gt;strips($request); <br \/> if (isset($request[&#8216;type&#8217;]) &amp;&amp; $request[&#8216;type&#8217;] == &#8216;uc&#8217;) {<br \/> $this-&gt;type\t\t= &#8216;uc&#8217;;<br \/> $this-&gt;apikey\t= $GLOBALS[&#8216;uc_key&#8217;];\/\/\u6ce8\u610f\u8fd9\u4e2a\u53d8\u91cf\u4e5f\u662f\u8be5\u6f0f\u6d1e\u7684\u5173\u952e<br \/> } else {<br \/> $this-&gt;type\t\t= &#8216;app&#8217;;<br \/> $this-&gt;apikey\t= $GLOBALS[&#8216;db_siteownerid&#8217;];<br \/> $this-&gt;siteappkey = $GLOBALS[&#8216;db_siteappkey&#8217;];<br \/> }<br \/> \/***<br \/> if ($this-&gt;type == &#8216;app&#8217; &amp;&amp; !$GLOBALS[&#8216;o_appifopen&#8217;]) {<br \/> return new ErrorMsg(API_CLOSED, &#8216;App Closed&#8217;);<br \/> }<br \/> ***\/<br \/> ksort($request);<br \/> reset($request);<br \/> $arg = &#8221;;<br \/> foreach ($request as $key =&gt; $value) {<br \/> if ($value &amp;&amp; $key != &#8216;sig&#8217;) {<br \/> $arg .= &#8220;$key=$value&amp;&#8221;;<br \/> }<br \/> }<br \/> if (md5($arg . $this-&gt;apikey) != $request[&#8216;sig&#8217;]) { <br \/>\/\/\u6ce8\u610f\u8fd9\u4e2a\u5224\u65ad,\u9700\u8981\u7ed5\u8fc7\u5b83.\u4e0a\u9762\u7684\u4ee3\u7801\u53ef\u4ee5\u770b\u7684\u51fa\u6765<br \/>\/\/$this-&gt;apikey\t= $GLOBALS[&#8216;uc_key&#8217;],\u548c$request[&#8216;sig&#8217;]\u6211\u4eec<br \/>\/\/\u90fd\u53ef\u4ee5\u63a7\u5236,\u90a3\u4e48\u5f88\u5bb9\u6613\u7ed5\u8fc7\u5b83<br \/> return new ErrorMsg(API_SIGN_ERROR, &#8216;Error Sign&#8217;);<br \/> }<br \/> $mode\t= $request[&#8216;mode&#8217;]; \/\/\u53d6$mode \u6ca1\u6709\u8fc7\u6ee4\u76f4\u63a5\u8fdb\u5165\u4e0b\u9762\u7684callback()<br \/> $method\t= $request[&#8216;method&#8217;];<br \/> $params = isset($request[&#8216;params&#8217;]) ? unserialize($request[&#8216;params&#8217;]) : array();<br \/> if (isset($params[&#8216;appthreads&#8217;])) {<br \/> if (PHP_VERSION &lt; 5.2) {<br \/> require_once(R_P.&#8217;api\/class_json.php&#8217;);<br \/> $json = new Services_JSON(true);<br \/> $params[&#8216;appthreads&#8217;] = $json-&gt;decode(@gzuncompress($params[&#8216;appthreads&#8217;]));<br \/> } else {<br \/> $params[&#8216;appthreads&#8217;] = json_decode(@gzuncompress($params[&#8216;appthreads&#8217;]),true);<br \/> }<br \/> }<br \/> if ($params &amp;&amp; isset($request[&#8216;charset&#8217;])) {<br \/> $params = pwConvert($params, $this-&gt;charset, $request[&#8216;charset&#8217;]);<br \/> }<br \/> return $this-&gt;callback($mode, $method, $params); \/\/\u8c03\u7528callback ()<br \/> }<\/p>\n<p>\u6211\u4eec\u7ee7\u7eed\u770b\u770brun()\u51fd\u6570\u7684\u8c03\u7528:<\/p>\n<p>\u5728pw_api.php\u6587\u4ef6\u91cc:<\/p>\n<p>$api = new api_client();<br \/>$response = $api-&gt;run($_POST + $_GET);\/\/\u76f4\u63a5run\u4e86$_POST , $_GET\u63d0\u4ea4\u7684\u53d8\u91cf.<\/p>\n<p>\u4e0a\u9762\u7684\u5206\u6790\u662f\u9006\u884c\u5206\u6790\u4e86\u6574\u4e2a\u6f0f\u6d1e\u53d8\u91cf\u63d0\u4ea4\u7684\u8fc7\u7a0b,<br \/>\u5176\u5b9e\u6211\u4eec\u8fd9\u4e2a\u6f0f\u6d1e\u8fd8\u5305\u542b\u4e00\u6b21\u7f16\u7801\u4e0e\u89e3\u7801\u7684\u95ee:require_once(R_P.&#8217;api\/class_&#8217; . $mode . &#8216;.php&#8217;);<br \/>\u8fd9\u4e2a\u9700\u8981\u7ed5\u8fc7\u9b54\u672f\u5f15\u53f7\u624d\u53ef\u4ee5<br \/>\u5305\u542b\u5bb9\u6613\u6587\u4ef6.\u6211\u4eec\u6ce8\u610f\u770brun()\u7684\u7b2c\u4e00\u53e5\t<\/p>\n<p>$request = $this-&gt;strips($request); <\/p>\n<p>strips()\u7684\u4ee3\u7801:<\/p>\n<p> function strips($param) {<br \/> if (is_array($param)) {<br \/> foreach ($param as $key =&gt; $value) {<br \/> $param[$key] = $this-&gt;strips($value);<br \/> }<br \/> } else {<br \/> $param = stripslashes($param); <br \/>\/\/\u53d8\u91cf\u76f4\u63a5\u4f7f\u7528\u4e86stripslashes,\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u7ed5\u8fc7\u9b54\u672f\u5f15\u53f7\u4e86 \ud83d\ude42<br \/> }<br \/> return $param;<br \/> }<\/p>\n<p>3.POC\/EXP<\/p>\n<p> \u7f3a<\/p>\n<p>4.FIX<\/p>\n<p>\u7531\u4e8e\u6f0f\u6d1e\u4fe1\u606f\u7684\u5916\u6cc4,\u5b98\u65b9\u9488\u5bf9\u8fd9\u4e2a\u6f0f\u6d1e\u5df2\u7ecf\u505a\u51fa\u4e86\u4fee\u8865:<\/p>\n<p>http:\/\/www.phpwind.net\/read-htm-tid-914851.html<\/p>\n<p>\u5177\u4f53\u4ee3\u7801:<\/p>\n<p>require_once Pcv(R_P.&#8217;api\/class_&#8217; . $mode . &#8216;.php&#8217;);<\/p>\n<p>function Pcv($filename,$ifcheck=1){<br \/> $tmpname = strtolower($filename);<br \/> $tmparray = array(&#8216; http:\/\/&#8217;,&#8221;\\0&#8243;); \/\/\u8fc7\u6ee4\u4e86http:\/\/ \\0 \u610f\u601d\u662f\u4e0d\u8ba9\u8fdc\u7a0b \u4e0d\u8ba9\u622a\u65ad<br \/> $ifcheck &amp;&amp; $tmparray[] = &#8216;..&#8217;;    \/\/\u8fc7\u6ee4\u4e86.. \u610f\u601d\u662f\u4e0d\u8ba9\u8f6c\u8df3\u76ee\u5f55<br \/> if (str_replace($tmparray,&#8221;,$tmpname)!=$tmpname) {<br \/> exit(&#8216;Forbidden&#8217;);<br \/> }<br \/> return $filename;<br \/>} <\/p>\n<p>\u4ecePcv()\u53ef\u4ee5\u770b\u51fa\u6765phpwind\u7684\u8865\u4e01\u98ce\u683c\u662f\u5f88\u7325\u7410\u7684,\u5355\u4ece\u8fd9\u4e2apcv\u6765\u770b<br \/> \u8fd8\u6709\u5f88\u591a\u7684\u903b\u8f91\u95ee\u9898,\u6bd4\u5982http:\/\/\u8fd9\u4e2a\u8fc7\u6ee4\u5f88\u641e\u7b11,\u4eba\u5bb6\u5c31\u4e0d\u53ef\u4ee5\u7528ftp:\/\/? &#8230;<\/p>\n<p>\u4e8c.apps\/share\/index.php\u8fdc\u7a0b\u5305\u542b\u6f0f\u6d1e<\/p>\n<p>1.\u63cf\u53d9<\/p>\n<p>apps\/share\/index.php \u91cc$route\u548c$basePath\u53d8\u91cf\u6ca1\u6709\u521d\u59cb\u5316,<br \/>\u5bfc\u81f4\u8fdc\u7a0b\u5305\u542b\u6216\u8005\u672c\u5730\u5305\u542bphp\u6587\u4ef6,\u5bfc\u81f4\u6267\u884c\u4efb\u610fphp\u4ee3\u7801<\/p>\n<p>2.\u5177\u4f53\u5206\u6790<\/p>\n<p>&lt;?php<br \/>if ($route == &#8220;share&#8221;) {<br \/> require_once $basePath . &#8216;\/action\/m_share.php&#8217;;<br \/>} elseif ($route == &#8220;sharelink&#8221;) {<br \/> require_once $basePath . &#8216;\/action\/m_sharelink.php&#8217;;<br \/>}<br \/>?&gt;<\/p>\n<p>\u8fd9\u4e2a\u6f0f\u6d1e\u597d\u8c61\u4e0d\u592a\u9700\u8981\u5206\u6790!!!! \u6211\u5efa\u8bae\u5199\u8fd9\u4e2a\u4ee3\u7801\u7684\u4eba\u5e94\u8be5\u6263\u9664\u5e74\u7ec8\u5956&#8230;<\/p>\n<p>3.POC\/EXP<\/p>\n<p> \u7f3a<\/p>\n<p>4.FIX<\/p>\n<p>\u5df2\u7ecf\u5728\u8fd9\u4e2a\u8865\u4e01\u7684\u540c\u65f6&#8217;\u4fee\u8865&#8217;\u4e86<br \/>http:\/\/www.phpwind.net\/read-htm-tid-914851.html<\/p>\n<p>&lt;?php<br \/>!function_exists(&#8216;readover&#8217;) &amp;&amp; exit(&#8216;Forbidden&#8217;);<br \/>if ($route == &#8220;share&#8221;) {<br \/> require_once $basePath . &#8216;\/action\/m_share.php&#8217;;<br \/>} elseif ($route == &#8220;sharelink&#8221;) {<br \/> require_once $basePath . &#8216;\/action\/m_sharelink.php&#8217;;<br \/>}<br \/>?&gt;<\/p>\n<p>\u4e09.apps\/groups\/index.php\u8fdc\u7a0b\u5305\u542b\u6f0f\u6d1e<\/p>\n<p>1.\u63cf\u53d9<\/p>\n<p>apps\/groups\/index.php \u91cc$route\u548c$basePath\u53d8\u91cf\u6ca1\u6709\u521d\u59cb\u5316,<br \/>\u5bfc\u81f4\u8fdc\u7a0b\u5305\u542b\u6216\u8005\u672c\u5730\u5305\u542bphp\u6587\u4ef6,\u5bfc\u81f4\u6267\u884c\u4efb\u610fphp\u4ee3\u7801<\/p>\n<p>2.\u5177\u4f53\u5206\u6790<\/p>\n<p>&lt;?php<br \/>if ($route == &#8220;groups&#8221;) {<br \/>require_once $basePath . &#8216;\/action\/m_groups.php&#8217;;<br \/>} elseif ($route == &#8220;group&#8221;) {<br \/>require_once $basePath . &#8216;\/action\/m_group.php&#8217;;<br \/>} elseif ($route == &#8220;galbum&#8221;) {<br \/>require_once $basePath . &#8216;\/action\/m_galbum.php&#8217;;<br \/>}<\/p>\n<p>\u8fd9\u4e2a\u6f0f\u6d1e\u597d\u8c61\u4e0d\u592a\u9700\u8981\u5206\u6790!!!! \u6211\u5efa\u8bae\u5199\u8fd9\u4e2a\u4ee3\u7801\u7684\u4eba\u5e94\u8be5\u6263\u9664\u5e74\u7ec8\u5956&#8230;<\/p>\n<p>3.POC\/EXP<\/p>\n<p> \u7f3a<\/p>\n<p>4.FIX<\/p>\n<p>\u5df2\u7ecf\u5728\u8fd9\u4e2a\u8865\u4e01\u7684\u540c\u65f6&#8217;\u4fee\u8865&#8217;\u4e86<br \/>http:\/\/www.phpwind.net\/read-htm-tid-914851.html<\/p>\n<p>&lt;?php<br \/>!function_exists(&#8216;readover&#8217;) &amp;&amp; exit(&#8216;Forbidden&#8217;);<br \/>if ($route == &#8220;groups&#8221;) {<br \/>require_once $basePath . &#8216;\/action\/m_groups.php&#8217;;<br \/>} elseif ($route == &#8220;group&#8221;) {<br \/>require_once $basePath . &#8216;\/action\/m_group.php&#8217;;<br \/>} elseif ($route == &#8220;galbum&#8221;) {<br \/>require_once $basePath . &#8216;\/action\/m_galbum.php&#8217;;<br \/>}<br \/>?&gt;<\/p>\n<p>\u5b98\u65b9\u8865\u4e01\uff1a<a href=\"http:\/\/www.phpwind.net\/read-htm-tid-914851.html\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.phpwind.net\/read-htm-tid-914851.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6587\u7ae0\u8f6c\u8f7d\u5f00\u6e90\u4e2d\u56fd \u8fd1\u65e5\uff0c\u56fd\u5185\u77e5\u540d\u7684\u793e\u533aPHPWIND\u53c8\u73b0\u4e25\u91cd\u6f0f\u6d1e\uff0c\u7a0b\u5e8f\u4e2d\u6709\u90e8\u5206\u53d8\u91cf\u6ca1\u6709\u8fc7\u6ee4\u5bfc\u81f4\u4efb\u610f\u5305\u542b\u672c\u5730\u6587\u4ef6,\u4ece\u800c\u53ef\u4ee5\u6267\u884c\u4efb\u610fPHP\u547d\u4ee4\uff0c\u5b98\u65b9\u9488\u5bf9\u8fd9\u4e2a\u6f0f\u6d1e \u5df2\u7ecf\u505a\u51fa\u4e86\u4fee\u8865\u3002 phpwind 7.5 Multiple Include Vulnerabilities author: 80vulteam:http:\/\/www.80vul.com \u4e00.api\/class_base.php\u672c\u5730\u5305\u542b\u6f0f\u6d1e 1.\u63cf\u53d9 api\/class_base.php\u6587\u4ef6\u91cccallback\u51fd\u6570\u91cc$mode\u53d8\u91cf\u6ca1\u6709\u8fc7\u6ee4\u5bfc\u81f4\u4efb\u610f\u5305\u542b\u672c\u5730\u6587\u4ef6,\u4ece\u800c<\/p>\n","protected":false},"author":1,"featured_media":6522,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"footnotes":""},"categories":[27],"tags":[292,14,23,11,289],"collection":[],"_links":{"self":[{"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/posts\/6801"}],"collection":[{"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/comments?post=6801"}],"version-history":[{"count":0,"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/posts\/6801\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/media\/6522"}],"wp:attachment":[{"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/media?parent=6801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/categories?post=6801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/tags?post=6801"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/aqzt.com\/wp-json\/wp\/v2\/collection?post=6801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}