
Analysis of the phpcms image upload vulnerability

WBOY, 2016-06-06 20:08:56


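Explanation of the code below:

The fileext() function extracts the extension from a file name.
Given this function, if we upload a file named ddd.Php.jpg%20%20%20%20%20%20%20Php, the extension it extracts is still jpg: fileext() keeps only the 10 characters after the last dot (jpg plus the seven decoded spaces) and trim() then strips the spaces. The extension check in is_image() is therefore bypassed.
Going back to public function crop_upload(), we find: if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
After the is_image() check there is a second check for .php. Here the programmer used strpos(), which is case-sensitive, so .Php passes straight through it.
After these two layers of filtering, our ddd.Php.jpg%20%20%20%20%20%20%20Php name is still intact.
Finally, $basename has the value ddd.Php.jpg%20%20%20%20%20%20%20Php, and file_put_contents() writes the file to the target directory.
Looking at the name ddd.Php.jpg%20%20%20%20%20%20%20Php, it should be clear: on a server built on Apache it can be parsed.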

Vulnerable file: phpcms\modules\attachment\attachments.php

public function crop_upload() {
		if (isset($GLOBALS["HTTP_RAW_POST_DATA"])) {
  			$pic = $GLOBALS["HTTP_RAW_POST_DATA"];
  			if (isset($_GET['width']) && !empty($_GET['width'])) {
  				$width = intval($_GET['width']);
  			}
  			if (isset($_GET['height']) && !empty($_GET['height'])) {
  				$height = intval($_GET['height']);
  			}
  			if (isset($_GET['file']) && !empty($_GET['file'])) {
  				$_GET['file'] = str_replace(';','',$_GET['file']);// strips semicolons
  				if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();// the is_image() check is the key point
  				if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {
  					$file = $_GET['file'];
  					$basename = basename($file);// get the file name including its extension
  					if (strpos($basename, 'thumb_')!==false) {
  						$file_arr = explode('_', $basename);
  						$basename = array_pop($file_arr);
  					}
  					$new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;
  				} else {
  					pc_base::load_sys_class('attachment','',0);
  					$module = trim($_GET['module']);
  					$catid = intval($_GET['catid']);
  					$siteid = $this->get_siteid();
  					$attachment = new attachment($module, $catid, $siteid);
  					$uploadedfile['filename'] = basename($_GET['file']);
  					$uploadedfile['fileext'] = fileext($_GET['file']);
  					if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {
  						$uploadedfile['isimage'] = 1;
  					}
  					$file_path = $this->upload_path.date('Y/md/');
  					pc_base::load_sys_func('dir');
  					dir_create($file_path);
  					$new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];
  					$uploadedfile['filepath'] = date('Y/md/').$new_file;
  					$aid = $attachment->add($uploadedfile);
  				}
  				$filepath = date('Y/md/');
  				file_put_contents($this->upload_path.$filepath.$new_file, $pic);// the file name is user-controlled, and so is $pic
  			} else {
  				return false;
  			}
  			echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;
  			exit;
  		}
  	}

Extension check: phpcms\modules\attachment\functions\global.func.php

function is_image($file) {
  	$ext_arr = array('jpg','gif','png','bmp','jpeg','tiff');
  	$ext = fileext($file); // the key part
  	return in_array($ext,$ext_arr) ? $ext_arr :false;
  }

Key function:

function fileext($filename) {
  	return strtolower(trim(substr(strrchr($filename, '.'), 1, 10)));
  }
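
The following is an added example, not phpcms code and not the vendor's fix: it runs the fileext() shown above next to a stricter check over constructed sample names, so the effect of the 10-character truncation can be seen directly. The helpers safe_image_ext() and stored_name(), the single-dot policy and the character allowlist are assumptions made for illustration; random_bytes() requires PHP 7 or later.

```php
<?php
// Copied from the article: keeps at most 10 characters after the last dot,
// then trims whitespace, so anything beyond that window is never inspected.
function fileext($filename) {
    return strtolower(trim(substr(strrchr($filename, '.'), 1, 10)));
}

// Hypothetical hardened check: validate the whole base name, not a slice of it.
function safe_image_ext($filename) {
    $base = basename(str_replace('\\', '/', $filename));
    // Exactly one dot, allowlisted characters only, anchored at both ends,
    // and matched case-insensitively so .Php / .JPG variants are handled uniformly.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpe?g|gif|png|bmp)\z/i', $base, $m)) {
        return false;
    }
    return strtolower($m[1]);
}

// Hypothetical helper: the stored name is generated on the server and only the
// validated extension is reused; nothing else from the request reaches the disk path.
function stored_name($filename) {
    $ext = safe_image_ext($filename);
    return $ext === false ? false : bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample inputs, already URL-decoded as PHP delivers them in $_GET.
$samples = array(
    'photo.jpg',
    'photo.JPG',
    'ddd.Php.jpg       Php',   // the name from the article, %20 x7 decoded to spaces
    'a.php.png',
);

foreach ($samples as $name) {
    printf("%-26s fileext=%-6s safe=%-6s stored=%s\n",
        var_export($name, true),
        var_export(fileext($name), true),
        var_export(safe_image_ext($name), true),
        var_export(stored_name($name), true));
}
```

The article's file name comes out of fileext() as jpg, while the anchored check rejects it because the full base name contains a second dot and spaces.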

This vulnerability has been fixed by the vendor. Source: wooyun.
