The problem is in lines 55 to 63 of index.php:
// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && ! preg_match('/^index/', $_REQUEST['target'])
    && ! in_array($_REQUEST['target'], $target_blacklist)
    && Core::checkPageValidity($_REQUEST['target'])
) {
    include $_REQUEST['target'];
    exit;
}
The target parameter has to pass five conditions; if all are satisfied, the file it names is included:
1. not empty
2. a string
3. does not begin with "index"
4. does not appear in $target_blacklist
5. passes the Core::checkPageValidity() check
The first three can largely be ignored. The fourth refers to the blacklist:
/index.php //line 50-52
$target_blacklist = array (
    'import.php', 'export.php'
);
That is, the target must not be import.php or export.php.
Finally, the checkPageValidity() method of the Core class:
//443-478
public static function checkPageValidity(&$page, array $whitelist = [])
{
    if (empty($whitelist)) {
        $whitelist = self::$goto_whitelist;
    }
    if (! isset($page) || !is_string($page)) {
        return false;
    }

    if (in_array($page, $whitelist)) {
        return true;
    }

    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }

    $_page = urldecode($page);
    $_page = mb_substr(
        $_page,
        0,
        mb_strpos($_page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }

    return false;
}
This function also makes five checks:
1. If $whitelist is empty, it falls back to the static $goto_whitelist.
2. If $page is not set or is not a string, it returns false.
3. If $page is present in $whitelist, it returns true.
4. If $_page is present in $whitelist, it returns true ($_page is the part of $page before the first question mark).
5. After urldecode()-ing $page, if the part before the question mark is present in $whitelist, it returns true.
index.php calls checkPageValidity() without passing $whitelist, so the default self::$goto_whitelist is used:
public static $goto_whitelist = array(
    'db_datadict.php',
    'db_sql.php',
    'db_events.php',
    'db_export.php',
    'db_importdocsql.php',
    'db_multi_table_query.php',
    'db_structure.php',
    ......
    'user_password.php',
);
$goto_whitelist defines the file names that may be included (the list is long; only a small part is shown here).
The second check is satisfied, so skip it; the third:
$_page = mb_substr(
    $page,
    0,
    mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
    return true;
}
If $page equals a value in $goto_whitelist, it returns true.
Here the target parameter is split on "?", the part before the "?" is taken as $_page, and that is checked against $goto_whitelist.
The URL-encoded case is also handled: if the check has not succeeded yet, the next step urldecode()s the value and tries again.
Because of that extra decode, double-URL-encoded content passed to checkPageValidity() will return true.
For example, the request carries: ?target=db_datadict.php%253f
The server automatically decodes it once: ?target=db_datadict.php%3f
After the urldecode() inside checkPageValidity() it becomes: ?target=db_datadict.php?
The part before the "?" matches a whitelist entry, so the check returns true. But in index.php $_REQUEST['target'] is still db_datadict.php%3f, and that is the value passed to include; combined with directory traversal this gives an arbitrary file inclusion vulnerability.
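To make the mismatch between what is checked and what is included concrete, here is an added PHP example written for this writeup (it is not phpMyAdmin's own code): a stand-alone reimplementation of the validity check, a hardened variant, and a dispatch helper for the index.php side. The $goto_whitelist here is a constructed three-entry subset of the real list, the mbstring extension is assumed because the original uses mb_* functions, and checkPageValidityHardened() and resolveTarget() are this example's suggestion, not the upstream patch.

```php
<?php
// Added example (not phpMyAdmin's code): reimplementation of the check
// discussed above, a hardened variant, and the index.php-side dispatch.
// Assumes the mbstring extension. $goto_whitelist is a constructed subset.

$goto_whitelist = ['db_datadict.php', 'db_sql.php', 'user_password.php'];

// Mirrors the vulnerable logic: exact match, then match on the part before
// the first '?', then urldecode() and match on the part before '?' again.
function checkPageValidityVulnerable(string $page, array $whitelist): bool
{
    if (in_array($page, $whitelist, true)) {
        return true;
    }
    $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($_page, $whitelist, true)) {
        return true;
    }
    // The decoded value is used only for the comparison; the caller still
    // holds the undecoded $page, so the check and the include disagree.
    $_page = urldecode($page);
    $_page = mb_substr($_page, 0, mb_strpos($_page . '?', '?'));
    return in_array($_page, $whitelist, true);
}

// Hardened variant (this example's suggestion, not the upstream fix): the
// value handed to include must be byte-for-byte a whitelist entry. No
// decoding, no '?' stripping, strict comparison.
function checkPageValidityHardened(string $page, array $whitelist): bool
{
    return in_array($page, $whitelist, true);
}

// Safer dispatch for index.php: return the canonical whitelist entry (or
// null) and include that, never the raw request value.
function resolveTarget(string $target, array $whitelist): ?string
{
    $key = array_search($target, $whitelist, true);
    return $key === false ? null : $whitelist[$key];
}

// PHP has already percent-decoded the query string once, so "%253f" in the
// URL arrives in $_REQUEST['target'] as "%3f". Constructed input.
$target = 'db_datadict.php%3f';

printf("vulnerable check: %s\n",
    checkPageValidityVulnerable($target, $goto_whitelist) ? 'accepted' : 'rejected');
printf("hardened check:   %s\n",
    checkPageValidityHardened($target, $goto_whitelist) ? 'accepted' : 'rejected');
printf("resolved target:  %s\n",
    resolveTarget($target, $goto_whitelist) ?? '(none)');
```

Run it with `php check_target.php` (hypothetical file name). The vulnerable function accepts the once-decoded value because its last branch compares a normalised copy while the caller includes the original; the hardened function rejects it, and resolveTarget() returns nothing for it. The general rule the example illustrates is that a validator must not normalise (decode, truncate) a value the caller then uses un-normalised; either validate exactly what will be included, or return the canonical entry and include that. For detection, requests whose target parameter still contains percent-encoding after the web server's decode (a literal %25 or %3f in the access log) are a useful signal for this class of bypass.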
Example:
http://web5.buuoj.cn/
Reference:
https://www.waitalone.cn/cve-2018-12613.html