
How to solve the problem of path crossing caused by improper use of rules

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article explains how a path traversal (directory traversal) vulnerability can arise from improper use of regular expressions, and how to fix it. Most people are not very familiar with this class of bug, so the write-up is shared here for reference; let's take a look.

Forst Pattern

The title is "Foster mode", and the code is as follows (shown in the original as a screenshot):

Vulnerability analysis:

The subject of this review is an arbitrary file deletion vulnerability caused by a lax regular expression. The problem is on line 21, in the pattern argument of preg_replace, which does not strip directory path characters. The character class `[^a-z.-_]` matches any character except `a` to `z` and any character in the range from `.` to `_`. Because that range runs from `.` (0x2E) to `_` (0x5F), it also contains `/` (0x2F), so dots and slashes are left untouched by the replacement. As a result, an attacker can still use `../` sequences to traverse directories and ultimately delete arbitrary files, for example config.php, with the payload `action=delete&data=../config.php`.

preg_replace (PHP 4, PHP 5, PHP 7)

Function: performs a regular expression search and replace.

Definition: `mixed preg_replace(mixed $pattern, mixed $replacement, mixed $subject [, int $limit = -1 [, int &$count]])`

Searches `$subject` for matches of `$pattern` and, where a match succeeds, replaces it with `$replacement`.

## Case Analysis

For this case analysis we use WeEngine 0.8. The vulnerability entry file is web/source/site/category.ctrl.php. On line 14 of the listing below, the file_delete function is called, which is a file deletion operation, so let's look at the definition of that function. The following figure shows the entry file code:

The file_delete function, found in framework/function/file.func.php, checks whether a file exists and, if so, deletes it. Looking at the surrounding code, however, the program does not filter the `$file` variable holding the file name, so the name can contain sequences such as `../`, which leads to an arbitrary file deletion vulnerability. The file_delete function code is as follows:

Now let's go back and see where the `$file` variable comes from. The `$file` variable in the figure above corresponds to the value of `$row['icon']`, which means that if we can control `$row['icon']`, we can delete any file. So where does `$row` come from? It is in the first listing we analyzed (web/source/site/category.ctrl.php), and its value is an element of the `$navs` array, as shown in the following code:

Looking further up, we find where `$navs` is assigned. The `$navs` variable is fetched from the site_nav table of the database and contains two fields, icon and id. The specific code is as follows:

```php
$navs = pdo_fetchall("SELECT icon, id FROM " . tablename('site_nav') . " WHERE id IN (SELECT nid FROM " . tablename('site_category') . " WHERE id = {$id} OR parentid = '$id')", array(), 'id');
```

What we need to determine now is whether these two database fields can be controlled by the user. Moving on, we find the following code:

The data in the site_nav table corresponds to the `$nav` variable. Tracing `$nav` further, we find that `$nav['icon']` comes from `$_GPC['iconfile']` and is therefore user-controlled (line 21 below). This `$nav['icon']` value is exactly the parameter of the file_delete function we analyzed at the beginning of the article. The specific code is as follows:

Because `$nav['icon']` is user-controlled and is passed into the file_delete function without any sanitization, the result is an arbitrary file deletion vulnerability. At this point we have traced the entire flow of the vulnerability; next, let's look at how it is exercised.

## Vulnerability Verification

Visit the URL http://xxx.xxx.xxx.xxx/WeEngine/web/index.php?c=account&a=display and click "manage official account":

Find the category settings and click "add article category". The corresponding URL is http://xxx.xxx.xxx.xxx/WeEngine/web/index.php?c=site&a=category, which maps to the category action of the site controller, that is, the category.ctrl.php file.

Select the corresponding content so that execution enters the `if ($isnav)` branch:

In the "upload icon" field, enter the path of the file you want to delete.

We create a delete.txt file to test arbitrary file deletion:

When we click delete, the file_delete function is called and the file name we inserted into the database is deleted:

This kind of arbitrary file deletion is somewhat similar to second-order injection: when adding a category, the file name to be deleted is stored in the database, and when "delete category" is clicked later, that stored file name is read back from the database and the file is removed.

## Repair Suggestions

The root cause is that the `$row['icon']` parameter is not filtered, so the file name can contain directory hierarchy characters, which results in arbitrary file deletion. We therefore have to filter `../` and other directory hierarchy characters out of the passed parameter to prevent directory traversal and the deletion of files in other folders. In the fix, we filter the directory traversal characters in `$row['icon']` by introducing a custom function, checkstr. Since `$row['icon']` is only a file name and never a path, filtering these characters does not affect normal functionality. The fix code is as follows:
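As an added example (not WeEngine's own code), the following PHP puts the lax `[^a-z.-_]` filter from the vulnerability analysis beside a hardened check named checkstr; the checkstr implementation and the test inputs are assumptions for illustration, not the project's actual fix.

```php
<?php
// Added example: weak regex filter vs. a hardened file-name check.
// All inputs below are constructed test values.

// The lax pattern from the audit. Inside a character class, ".-_" is a RANGE
// from "." (0x2E) to "_" (0x5F); it contains "/" (0x2F), digits and A-Z.
// The negated class therefore keeps "." and "/", so "../" survives intact.
function weak_filter(string $data): string
{
    return preg_replace('/[^a-z.-_]/', '', $data);
}

// Hypothetical checkstr(): accept only a bare file name. Anything containing a
// directory separator, a ".." sequence or a NUL byte is rejected (null), and
// the accepted value is reduced to its basename as a belt-and-braces measure.
function checkstr(string $name): ?string
{
    if ($name === '' || strpbrk($name, "/\\\0") !== false) {
        return null;
    }
    if ($name === '.' || strpos($name, '..') !== false) {
        return null;
    }
    return basename($name);
}

// Compares both filters on the payload quoted in the audit.
function demo(): array
{
    $payload = '../config.php'; // constructed, matches the audit's example payload
    return [
        'weak'     => weak_filter($payload), // "../config.php": traversal intact
        'hardened' => checkstr($payload),    // null: rejected before file_delete()
        'ok_name'  => checkstr('icon.png'),  // "icon.png": legitimate names pass
    ];
}

var_dump(demo());
```

Wire checkstr in before file_delete is reached and refuse the request when it returns null; a file name that passes this check cannot leave the directory the application intends to delete from.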

Conclusion

After reading the above analysis, hopefully you have a deeper understanding of the path traversal problem. The CMS used in this article can be downloaded here (password: hgjm). Of course, if there is anything inappropriate in the article, corrections are welcome. If you are interested in our project, please contact us by email at hongrisec@gmail.com. This is the end of the Day6 analysis article. Finally, we have left a CTF challenge for you to practice. The challenge is as follows:

[CTF challenge files: index.php and flag.php; their source listing is not reproduced in this copy.]
