PHPWind 7.5 Multiple Include Vulnerabilities

[PHPWind 7.5 Multiple Include Vulnerabilities ȫ]
phpwind 7.5 Multiple Include Vulnerabilities 

author: 80vul
team:http://www.80vul.com


I. Local file inclusion vulnerability in api/class_base.php

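1. Description

In api/class_base.php, the callback function does not filter the $mode variable, so an arbitrary local file can be included and PHP code executed as a result.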

2. Analysis

In api/class_base.php:

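/**
 * Dispatch an API call to the handler class named by $mode.
 *
 * On first use the file api/class_<mode>.php is loaded and an instance of the
 * class named $mode is cached in $this->classdb; $method is then invoked on it
 * with $params.
 *
 * SECURITY (the defect this advisory describes): $mode is concatenated into
 * the require_once path with no validation. run() takes it straight from
 * $request['mode'], so the client decides which file is included. A sound fix
 * accepts only a fixed set of handler names (or a strict identifier pattern)
 * before the path is built. $method is client-chosen as well, so any method
 * that exists on the handler object can be called.
 *
 * @param string $mode   Handler name; becomes part of the include path and the class name.
 * @param string $method Method to call on the handler.
 * @param mixed  $params Argument list; a non-array value is replaced by an empty array.
 * @return mixed ErrorMsg when the handler file or the method is missing, otherwise the handler's return value.
 */
function callback($mode, $method, $params) {
    if (!isset($this->classdb[$mode])) {
        if (!file_exists(R_P.'api/class_' . $mode . '.php')) {
            return new ErrorMsg(API_MODE_NOT_EXISTS, "Class($mode) Not Exists");
        }
        // Unvalidated $mode reaches the include here.
        require_once(R_P.'api/class_' . $mode . '.php');
        $this->classdb[$mode] = new $mode($this);
    }
    if (!method_exists($this->classdb[$mode], $method)) {
        return new ErrorMsg(API_METHOD_NOT_EXISTS, "Method($method of $mode) Not Exists");
    }
    !is_array($params) && $params = array();
    // The leading @ suppresses any warning raised by the call.
    return @call_user_func_array(array(&$this->classdb[$mode], $method), $params);
}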

Let's trace how this function is reached. The function above is called from run():

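/**
 * Check the request signature and dispatch the call through callback().
 *
 * pw_api.php calls this with $_POST + $_GET, so every field of $request is
 * client-supplied. The only gate before dispatch is the md5 signature below.
 *
 * @param array $request Merged request parameters (type, sig, mode, method, params, charset, ...).
 * @return mixed ErrorMsg on a signature mismatch, otherwise whatever callback() returns.
 */
function run($request) {
    // strips() applies stripslashes() recursively, removing the escaping that magic quotes added.
    $request = $this->strips($request);
    if (isset($request['type']) && $request['type'] == 'uc') {
        $this->type = 'uc';
        // Advisory note: this key is central to the issue; the author states it can be influenced by the client.
        $this->apikey = $GLOBALS['uc_key'];
    } else {
        $this->type = 'app';
        $this->apikey = $GLOBALS['db_siteownerid'];
        $this->siteappkey = $GLOBALS['db_siteappkey'];
    }
    /***
    if ($this->type == 'app' && !$GLOBALS['o_appifopen']) {
        return new ErrorMsg(API_CLOSED, 'App Closed');
    }
    ***/
    // Signature input: parameters sorted by key, every non-empty key=value pair except sig.
    ksort($request);
    reset($request);
    $arg = '';
    foreach ($request as $key => $value) {
        if ($value && $key != 'sig') {
            $arg .= "$key=$value&";
        }
    }
    // Advisory note: the author reports that both $this->apikey (uc_key) and
    // $request['sig'] can be controlled, so this check does not reliably
    // authenticate the caller. It also uses a loose != on hash strings; a strict,
    // constant-time comparison such as hash_equals() is the safer form.
    if (md5($arg . $this->apikey) != $request['sig']) {
        return new ErrorMsg(API_SIGN_ERROR, 'Error Sign');
    }
    // $mode is taken from the request and handed to callback() unfiltered.
    $mode = $request['mode'];
    $method = $request['method'];
    // NOTE(security): unserialize() runs on request data and is protected only by
    // the signature check above; json_decode() is the safer choice for client input.
    $params = isset($request['params']) ? unserialize($request['params']) : array();
    if (isset($params['appthreads'])) {
        if (PHP_VERSION <5.2) {
            require_once(R_P.'api/class_json.php');
            $json = new Services_JSON(true);
            $params['appthreads'] = $json->decode(@gzuncompress($params['appthreads']));
        } else {
            $params['appthreads'] = json_decode(@gzuncompress($params['appthreads']),true);
        }
    }
    if ($params && isset($request['charset'])) {
        $params = pwConvert($params, $this->charset, $request['charset']);
    }
    // Dispatch: callback() builds the include path from $mode.
    return $this->callback($mode, $method, $params);
}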

Next, the call to run():

In pw_api.php:

// pw_api.php entry point: the merged request arrays are passed straight to run().
$api = new api_client();
$response = $api->run($_POST + $_GET);// run() receives the raw $_POST and $_GET values; with the + union, $_POST wins on duplicate keys

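The analysis above works backwards through how the vulnerable variable is submitted. There is in fact one more point at the vulnerable statement require_once(R_P.'api/class_' . $mode . '.php'); — magic quotes would have to be bypassed before
a file could be included. Note the first statement of run():
$request = $this->strips($request);
The code of strips():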

/**
 * Recursively apply stripslashes() to a value, or to every element of an array.
 *
 * @param mixed $param Scalar value or (nested) array.
 * @return mixed The same structure with backslash escaping removed.
 */
function strips($param) {
if (is_array($param)) {
foreach ($param as $key => $value) {
$param[$key] = $this->strips($value);
}
} else {
$param = stripslashes($param); // advisory note: stripslashes() is applied directly, which undoes the escaping added by magic quotes, so that escaping no longer protects the code that runs afterwards
}
return $param;
}

3.POC/EXP

Omitted.

4.FIX

Because information about the vulnerability leaked, the vendor has already patched it:

http://www.phpwind.net/read-htm-tid-914851.html

The patch code:

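// Patched include: the path now passes through Pcv() before require_once.
require_once Pcv(R_P.'api/class_' . $mode . '.php');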

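/**
 * Vendor path check added by the fix: terminate the request when the
 * lower-cased path contains a deny-listed substring, otherwise return the
 * path unchanged.
 *
 * Review note: this is a substring deny-list, so it rejects only what it
 * names. As the advisory points out, other URL schemes such as ftp:// are not
 * covered. Validating the variable part of the path against a fixed set of
 * expected names is the more robust control.
 *
 * @param string $filename Path about to be included.
 * @param mixed  $ifcheck  When truthy (default), '..' is rejected as well.
 * @return string $filename as passed in; the script exits with 'Forbidden' on a match.
 */
function Pcv($filename, $ifcheck = 1) {
    $tmpname = strtolower($filename);
    // Deny-list: a URL prefix and the NUL byte, meant to stop remote includes and NUL-byte truncation.
    // NOTE(review): the leading space inside ' http://' is kept exactly as shown here; confirm against the vendor patch.
    $tmparray = array(' http://', "\0");
    // '..' is rejected only when $ifcheck is truthy, to stop directory traversal.
    $ifcheck && $tmparray[] = '..';
    // Any removal means a deny-listed substring was present.
    if (str_replace($tmparray, '', $tmpname) != $tmpname) {
        exit('Forbidden');
    }
    return $filename;
}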
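Pcv() shows that the phpwind fix is not very sound: Pcv has many logic problems, and filtering http:// is rather laughable. What is to stop someone from using ftp://? ...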

II. Remote file inclusion vulnerability in apps/share/index.php

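1. Description

In apps/share/index.php the variables $route and $basePath are not initialised, which allows remote or local inclusion of a PHP file and therefore execution of PHP code.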

2. Analysis

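<?php
// Vulnerable version: $route and $basePath are used without being assigned in
// this file, and $basePath forms the start of the include path. Nothing here
// stops the script from being requested directly.
if ($route == "share") {
    require_once $basePath . '/action/m_share.php';
} elseif ($route == "sharelink") {
    require_once $basePath . '/action/m_sharelink.php';
}
?>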

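The vulnerability above is all too glaring!!!! I suggest that the programmer who wrote this code should have their year-end bonus docked...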

3.POC/EXP

Omitted.

4.FIX

Already 'patched' at the same time as the vulnerability above:
http://www.phpwind.net/read-htm-tid-914851.html

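<?php
// Patched version: exit unless readover() is already defined, presumably
// meaning the application bootstrap has been loaded (confirm), so a direct
// request to this file stops here.
// Review note: $route and $basePath are still trusted as set by the including
// script; assigning $basePath from a fixed constant would remove that dependency.
!function_exists('readover') && exit('Forbidden');
if ($route == "share") {
    require_once $basePath . '/action/m_share.php';
} elseif ($route == "sharelink") {
    require_once $basePath . '/action/m_sharelink.php';
}
?>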

III. Remote file inclusion vulnerability in apps/groups/index.php

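1. Description

In apps/groups/index.php the variables $route and $basePath are not initialised, which allows remote or local inclusion of a PHP file and therefore execution of PHP code.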

2. Analysis

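<?php
// Vulnerable version: $route and $basePath are used without being assigned in
// this file, and $basePath forms the start of the include path. Nothing here
// stops the script from being requested directly.
if ($route == "groups") {
    require_once $basePath . '/action/m_groups.php';
} elseif ($route == "group") {
    require_once $basePath . '/action/m_group.php';
} elseif ($route == "galbum") {
    require_once $basePath . '/action/m_galbum.php';
}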

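The vulnerability above is all too glaring!!!! I suggest that the programmer who wrote this code should have their year-end bonus docked...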

3.POC/EXP

Omitted.

4.FIX

Already 'patched' at the same time as the vulnerability above:
http://www.phpwind.net/read-htm-tid-914851.html

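<?php
// Patched version: exit unless readover() is already defined, presumably
// meaning the application bootstrap has been loaded (confirm), so a direct
// request to this file stops here.
// Review note: $route and $basePath are still trusted as set by the including
// script; assigning $basePath from a fixed constant would remove that dependency.
!function_exists('readover') && exit('Forbidden');
if ($route == "groups") {
    require_once $basePath . '/action/m_groups.php';
} elseif ($route == "group") {
    require_once $basePath . '/action/m_group.php';
} elseif ($route == "galbum") {
    require_once $basePath . '/action/m_galbum.php';
}
?>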
