[VIM] Root cause of NPDS SQL injection is variable extraction/evaluation

Steven M. Christey coley at mitre.org
Fri Mar 23 21:16:42 UTC 2007


Researcher: DarkFig

Ref: Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day
     http://www.securityfocus.com/archive/1/archive/1/463176/100/0/threaded

Granted the layout isn't optimal, but he excerpts the relevant source
code for each step of the exploit - actually pretty cool.

Anyway, here's my rough analysis:

1) Line 31 of print.php uses the $DB variable in a query.

2) grab_globals.php shows a whole bunch of juicy extract() goodness
   with EXTR_OVERWRITE, so we get to modify nearly arbitrary variables,
   including whatever superglobal the relevant PHP version isn't
   protecting.  So, _FILES[DB][tmp_name] is overwritten in line 83.

3) Lines 133-134 in grab_globals.php do the dynamic variable
   evaluation; looping through the values of _FILES[], we wind up
   processing _FILES[DB], setting $$DB = _FILES[DB][tmp_name].

4) I didn't investigate any further, but it wouldn't be surprising if
   there were other attacks using the extract capability.
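The extract()/$$name pattern from steps 2 and 3, as an added illustration that is not NPDS code: a constructed $files array stands in for $_FILES, and the field names in the hardened version are assumptions.

```php
<?php
// Added illustration of the bug class; it is not NPDS's own code.
// $files is a constructed stand-in for $_FILES.

// Vulnerable pattern: extract() with EXTR_OVERWRITE (also the default)
// lets a request key replace an existing variable, and the $$name loop
// then maps each upload entry onto a variable named after its key.
function unsafe_globals(array $files): string
{
    $DB = 'npds_articles';            // trusted value set by the application
    extract($files, EXTR_OVERWRITE);  // $files['DB'] now clobbers $DB
    foreach ($files as $name => $entry) {
        $$name = $entry['tmp_name'];  // effectively $DB = $files['DB']['tmp_name']
    }
    return $DB;                       // the value a query would interpolate
}

// Hardened pattern: request data never chooses a variable name. Read only
// the upload fields the page expects, into a dedicated array, and leave
// configuration such as $DB untouched. The query should bind values
// rather than interpolate them, independently of this fix.
function safe_globals(array $files): string
{
    $DB = 'npds_articles';
    $allowedUploads = ['avatar', 'attachment'];   // assumed field names
    $uploads = [];                                // only request-derived state
    foreach ($allowedUploads as $field) {
        $tmp = $files[$field]['tmp_name'] ?? null;
        if (is_string($tmp) && is_uploaded_file($tmp)) {
            $uploads[$field] = $tmp;
        }
    }
    return $DB;                       // untouched by anything in $files
}

// Constructed request: an upload entry whose key collides with $DB.
$files = ['DB' => ['name' => 'x', 'tmp_name' => 'request_controlled']];
var_dump(unsafe_globals($files));     // shows $DB replaced by request data
var_dump(safe_globals($files));       // shows $DB still set by the application
```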


- Steve
