Shulou(Shulou.com)05/31 Report--

This article mainly analyzes how to deeply understand the relevant knowledge points of the $_ REQUESTS array, the content is detailed and easy to understand, the operation details are reasonable, and has a certain reference value. If you are interested, you might as well follow the editor and learn more about "how to understand the $_ REQUESTS array".

Day 16-Poem

The title is called poem, and the code is as follows:

Vulnerability resolution:

This topic contains two vulnerabilities, which can be used to inject malicious data into FTP connection resources and execute FTP commands. First, when you look at line 7 of the code, you can see that the program uses the cleanInput method to filter GET, POST, and COOKIE data, forcing them to convert to integer data. However, at line 8, a mode variable is passed in from the REQUEST way. We all know that the data in the superglobal array $_ REQUEST is a collection of $_ GET, $_ POST, and $_ COOKIE, and that the data is copied, not referenced. Let's first look at an example to test this point:

You can find that the REQUEST data is not affected by the filtering function at all. Back to this example, the program filter function in the example only operates on GET, POST, COOKIE data, and finally uses REQUEST data, which obviously has security risks. To learn more about $_ REQUEST, please go to the official website to learn. For the second vulnerability, in line 21 of the code, a weak comparison is used here. On this issue, we in the previous article is also very detailed, you can refer to: [red Sun Security] PHP-Audit-Labs solution Day1-4 (Day4).

As for the attack payload in this case, you can use:? mode=1%0a%0dDELETE%20test.file, which can achieve the effect of deleting FTP server files.

Case analysis

In this example analysis, we analyze the All In One WP Security & Firewall plug-in of WordPress. The plug-in has a reflective XSS vulnerability in version 4.1.4-4.1.9, and the cause of the vulnerability is the same as that in this case, which is also officially fixed in version 4.2.0. This time, we will use the 4.1.4 plug-in as a case study.

Download the plug-in zip package and upload the compressed package through the background plug-in management to install it. The file of the problem is wp-content\ plugins\ all-in-one-wp-security-and-firewall\ admin\ wp-security-dashboard-menu.php. In order to facilitate your understanding, I will extract the problem code and simplify it as follows:

We can clearly see that the problem lies in the render_tab3 method in line 25, where the tab variables obtained in REQUEST are directly concatenated and output. In fact, the filtered $tab variable has been fetched in line 20. Let's look at the get_current_tab method:

The call chain of the filter function is shown in line 1 below, and then the $tab variable is detected by the wp_check_invalid_utf8 method.

Vulnerability exploitation

Let's take a look at the attack payload (to http://website/wp-admin/admin.php?page=aiowpsec&tab=tab3 POST data tab= "> alert (1)):

You can see that the XSS attack was successfully triggered. Finally, we analyze the calling process of the code according to payload. First, our payload is passed into the wp-admin/admin.php file, and finally into the do_action ('toplevel_page_aiowpsec'); code on line 14.

In the wp-includes/plugin.php file, the program calls the do_action method of the WP_Hook class, which calls its own apply_filters method.

The apply_filters method then calls the handle_dashboard_menu_rendering method of the wp-content\ plugins\ all-in-one-wp-security-and-firewall\ admin\ wp-security-admin-init.php file and instantiates an AIOWPSecurity_Dashboard_Menu object.

Then comes the analysis at the beginning of the article, that is, the following picture:

The attack chain of the entire vulnerability is shown in the following figure:

There is also a little bit of knowledge to remind you that in the case $_ REQUEST ["tab"] ends up with the value of $_ POST ["tab"], not the value of the $_ GET ["tab"] variable. This is actually related to the corresponding value of request_order in php.ini. For example, in my environment, the request_order configuration is as follows:

The "GP" here represents GET and POST, in order from left to right. For example, if we transfer the tab variable in both GET and POST, the final value obtained with $_ REQUEST ['tab'] is the value of $_ POST [' tab']. For a more detailed description, see the definition of the PHP manual as follows:

Request_order stringThis directive describes the order in which PHP registers GET, POST and Cookie variables into the _ REQUEST array. Registration is done from left to right, newer values override older values.If this directive is not set, variables_order is used for $_ REQUEST contents.Note that the default distribution php.ini files does not contain the'C 'for cookies, due to security concerns. Repair suggestion

For the fix of this vulnerability, we only need to use the filtered $tab variable, and the variable is preferably encoded by the HTML entity before output, such as using the htmlentities function.

Conclusion

After reading the above analysis, I do not know whether you have a more in-depth understanding of the $_ REQUEST array. The CMS used in this article can be downloaded here (All In One WP Security & Firewall). Of course, if there is anything inappropriate in the article, I hope you will correct it. If you are interested in our project, please contact us by email at hongrisec@gmail.com. This is the end of Day16's analysis article. Finally, we have left a CTF topic for you to practice. The title is as follows:

/ / index.php// flag.php on "how to deeply understand the $_ REQUESTS array" is introduced here, more related content can search previous articles, hope to help you answer questions, please support the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.