[祝PKAV以及wooyun所有白帽子元旦快乐]anwsion缺陷大结合.

### 简要描述： foreach处理不当爆路径,程序设置缺陷,绕过全局变量的包含----变量覆盖 ### 详细说明： (1).foreach处理不当爆路径 ``` http://wenda.anwsion.com/search/ajax/search_result/ ``` [<img src="https://images.seebug.org/upload/201212/312029196482d10d063a578d7ef5b58a62f2b970.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201212/312029196482d10d063a578d7ef5b58a62f2b970.jpg) 缺陷: ``` <?php foreach ($this->search_result AS $key => $val) ``` 代码没有检测$this->search_result是否为空,是否没数组.... \wenda\views\default\inbox\read_message.tpl.htm ``` <?php foreach($this->list AS $key => $val) { ``` 缺陷一样. [<img src="https://images.seebug.org/upload/201212/31203737261a6c6f7fdb134148d8c96599f0e6e5.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201212/31203737261a6c6f7fdb134148d8c96599f0e6e5.jpg) 2)程序设置缺陷. ``` http://wenda.anwsion.com/question/395 ``` 当你直接点击桌面zip下载需需要注册. 在源码中看见: ``` file/download/file_name-5qGM6Z2iLnppcA==__url-aHR0cDovL3dlbmRhLmFud3Npb24uY29tL3VwbG9hZHMvcXVlc3Rpb25zLzIwMTIwNjA3L2JkMGFhY2FhNjg2YzEyNDlkOTY1YzZjZWM5ZDEwY2Y1LnppcA== ``` 其中: ``` aHR0cDovL3dlbmRhLmFud3Npb24uY29tL3VwbG9hZHMvcXVlc3Rpb25zLzIwMTIwNjA3L2JkMGFhY2FhNjg2YzEyNDlkOTY1YzZjZWM5ZDEwY2Y1LnppcA== ``` 我们base64解码下. 最终连接; ``` http://wenda.anwsion.com/uploads/questions/20120607/bd0aacaa686c1249d965c6cec9d10cf5.zip ``` = =不用登陆能下载了,如果对方指定为VIP用户或者得注册(要邀请码)才能下载的话呢?? 3)绕过全局变量的包含----变量覆盖 wenda\system\init.php 中 ``` if (@ini_get('register_globals')) { if ($_REQUEST) { foreach ($_REQUEST AS $name => $value) { unset($$name); } } } ``` 此段代码程序是当全局开启全局时销毁变量,防止恶意代码赋值导致严重的后果. 但是程序员没了解,unset()默认只会销毁局部变量. 我们测试下: ``` <?php if (@ini_get('register_globals')) { if ($_REQUEST) { foreach ($_REQUEST AS $name => $value) { unset($$name); } } } print $a." "; print $_GET[b]; ?> ``` ``` http://127.0.0.1:8080/wenda/system/unset.php?a=1&b=2 ``` [<img src="https://images.seebug.org/upload/201212/31212017a4ed59537bbb2609bfb525374deb425f.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201212/31212017a4ed59537bbb2609bfb525374deb425f.jpg) a变量被销毁,达到程序目的. 可是:.... ``` http://127.0.0.1:8080/wenda/system/unset.php?GLOBALS[a]=1&b=2 ``` [<img src="https://images.seebug.org/upload/201212/3121241579e95165544c53263b8e56596c541640.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201212/3121241579e95165544c53263b8e56596c541640.jpg) GLOBALS[a]以覆盖全局变量时,则可以成功控制变量$a的值~~~~ 还有思路突破: http://zone.wooyun.org/content/1872 ``` 为什么超全局变量$_REQUEST没有读取到$_COOKIE的参数呢？这个是php 5.3以后php.ini默认设置 request_order = "GP"，所以你懂的！如果你修改request_order = "GPC"，$_REQUEST应该就可以接受到参数了！ 所以如果php是大于5.3的，变量覆盖漏洞应该可以再次利用！ ``` ### 漏洞证明： 见详细说明.