phpwind 7.5 0day©

[phpwind 7.5 0day© ȫ]
phpwind 7.5 Multiple Include Vulnerabilities 

һ.api/class_base.phpذ©

1.

api/class_base.phpļcallback$modeûй˵ļ,ӶִPHP.

2. 

api/class_base.phpļ:

function callback($mode, $method, $params) {
if (!isset($this->classdb[$mode])) {
if (!file_exists(R_P.''''api/class_'''' . $mode . ''''.php'''')) {
return new ErrorMsg(API_MODE_NOT_EXISTS, "Class($mode) Not Exists");
}
require_once(R_P.''''api/class_'''' . $mode . ''''.php''''); //
$this->classdb[$mode] = new $mode($this);
}
if (!method_exists($this->classdb[$mode], $method)) {
return new ErrorMsg(API_METHOD_NOT_EXISTS, "Method($method of $mode) Not Exists");
}
!is_array($params) && $params = array();
return @call_user_func_array(array(&$this->classdb[$mode], $method), $params);
}

Ǽһ¾ݵĹ. ĺrun()е:

function run($request) {
$request = $this->strips($request); 
if (isset($request[''''type'''']) && $request[''''type''''] == ''''uc'''') {
$this->type = ''''uc'''';
$this->apikey = $GLOBALS[''''uc_key''''];//עҲǸ©Ĺؼ
} else {
$this->type = ''''app'''';
$this->apikey = $GLOBALS[''''db_siteownerid''''];
            $this->siteappkey = $GLOBALS[''''db_siteappkey''''];
}
/***
if ($this->type == ''''app'''' && !$GLOBALS[''''o_appifopen'''']) {
return new ErrorMsg(API_CLOSED, ''''App Closed'''');
}
***/
ksort($request);
reset($request);
$arg = '''''''';
foreach ($request as $key => $value) {
if ($value && $key != ''''sig'''') {
$arg .= "$key=$value&";
}
}
if (md5($arg . $this->apikey) != $request[''''sig'''']) { //עж,Ҫƹ.ĴԿĳ$this->apikey = $GLOBALS[''''uc_key''''],$request[''''sig'''']
                                                    //Կ,ôƹ
return new ErrorMsg(API_SIGN_ERROR, ''''Error Sign'''');
}
$mode = $request[''''mode'''']; //ȡ$mode ûйֱӽcallback()
$method = $request[''''method''''];
$params = isset($request[''''params'''']) ? unserialize($request[''''params'''']) : array();
        if (isset($params[''''appthreads''''])) {
            if (PHP_VERSION < 5.2) {
                require_once(R_P.''''api/class_json.php'''');
                $json = new Services_JSON(true);
                $params[''''appthreads''''] = $json->decode(@gzuncompress($params[''''appthreads'''']));
            } else {
                $params[''''appthreads''''] = json_decode(@gzuncompress($params[''''appthreads'''']),true);
            }
        }
if ($params && isset($request[''''charset''''])) {
$params = pwConvert($params, $this->charset, $request[''''charset'''']);
}
return $this->callback($mode, $method, $params); //callback ()
}

Ǽrun()ĵ:

pw_api.phpļ:

$api = new api_client();
$response = $api->run($_POST + $_GET);//ֱrun$_POST , $_GETύı.

ķз©ύĹ,ʵ©һα:require_once(R_P.''''api/class_'''' . $mode . ''''.php'''');ҪƹħŲſ
ļ.ע⿴run()ĵһ 

$request = $this->strips($request); 

strips()Ĵ:

function strips($param) {
if (is_array($param)) {
foreach ($param as $key => $value) {
$param[$key] = $this->strips($value);
}
} else {
$param = stripslashes($param); //ֱʹstripslashes,ôǿֱƹħ :)
}
return $param;
}

3.POC/EXP

ȱ

4.FIX

©Ϣй,ٷ©Ѿ޲:

http://www.phpwind.net/read-htm-tid-914851.html

:

require_once Pcv(R_P.''''api/class_'''' . $mode . ''''.php'''');

function Pcv($filename,$ifcheck=1){
$tmpname = strtolower($filename);
$tmparray = array('''' http://'''',"\0"); //http:// \0 ˼ǲԶ ýض
$ifcheck && $tmparray[] = ''''..'''';    //.. ˼ǲתĿ¼
if (str_replace($tmparray,'''''''',$tmpname)!=$tmpname) {
exit(''''Forbidden'''');
}
return $filename;
} 

Pcv()ԿphpwindĲǺ,pcv кܶ߼,http://˺ܸЦ,˼ҾͲftp://? ...


.apps/share/index.phpԶ̰©

1.

apps/share/index.php $route$basePathûгʼ,Զ̰߱ذphpļ,ִphp

2.

<?php
if ($route == "share") {
require_once $basePath . ''''/action/m_share.php'''';
} elseif ($route == "sharelink") {
require_once $basePath . ''''/action/m_sharelink.php'''';
}
?>

©̫Ҫ!!!! ҽдӦÿ۳ս...

3.POC/EXP

ȱ

4.FIX

ȴٷ,òŵֱӰļɾ.

.apps/groups/index.phpԶ̰©

1.

apps/groups/index.php $route$basePathûгʼ,Զ̰߱ذphpļ,ִphp

2.

<?php
if ($route == "groups") {
require_once $basePath . ''''/action/m_groups.php'''';
} elseif ($route == "group") {
require_once $basePath . ''''/action/m_group.php'''';
} elseif ($route == "galbum") {
require_once $basePath . ''''/action/m_galbum.php'''';
}


©̫Ҫ!!!! ҽдӦÿ۳ս...

3.POC/EXP

ȱ

4.FIX

ȴٷ,òŵֱӰļɾ.

Ϣ ĿǰٷѾhttp://www.phpwind.net/read-htm-tid-914851.html
