WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2014-06-14: Details sent to the vendor; awaiting vendor handling
2014-06-19: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-08-13: Details disclosed to core white hats and domain experts
2014-08-23: Details disclosed to regular white hats
2014-09-02: Details disclosed to intern white hats
2014-09-09: Details disclosed to the public
Admin backend: the file-type filter can be bypassed to upload a shell
system/libs/upload.class.php is the core upload validation file:

    public function upload_process(){
        $num=count($_FILES[ $this->upload_form_field ]['name']);
        for($key=0;$key<$num;$key++){
            $this->_clean_paths();
            //create the storage path
            $save_path=$this->out_save_dir."uploadfile/".$this->upload_folder."/";
            if (!file_exists($save_path)) { mkdir($save_path); }
            $ymd = date("Ymd");
            $save_path .= $ymd;
            if (!file_exists($save_path)) { mkdir($save_path); }
            $this->out_file_dir = $save_path;
            //start reading the uploaded file
            if ( ! function_exists( 'getimagesize' ) ){ $this->image_check = 0; }
            $FILE_NAME = isset($_FILES[ $this->upload_form_field ]['name'][$key]) ? $_FILES[ $this->upload_form_field ]['name'][$key] : '';
            $FILE_SIZE = isset($_FILES[ $this->upload_form_field ]['size'][$key]) ? $_FILES[ $this->upload_form_field ]['size'][$key] : '';
            $FILE_TYPE = isset($_FILES[ $this->upload_form_field ]['type'][$key]) ? $_FILES[ $this->upload_form_field ]['type'][$key] : '';
            $FILE_TYPE = preg_replace( "/^(.+?);.*$/", "\\1", $FILE_TYPE );
            //check for error conditions
            if ( !isset($_FILES[ $this->upload_form_field ]['name'][$key])
                 or $_FILES[ $this->upload_form_field ]['name'][$key] == ""
                 or !$_FILES[ $this->upload_form_field ]['name'][$key]
                 or !$_FILES[ $this->upload_form_field ]['size'][$key]
                 or ($_FILES[ $this->upload_form_field ]['name'][$key] == "none") ) {
                $this->error_no = 1;
                return;
            }
            // ...
            if ( $this->make_script_safe ){
                if ( preg_match( "/\.(cgi|pl|js|asp|php|html|htm|jsp|jar)(\.|$)/i", $FILE_NAME ) ){
                    $FILE_TYPE = 'text/plain';
                    $this->file_extension = 'txt';
                    $this->parsed_file_name = preg_replace( "/\.(cgi|pl|js|asp|php|html|htm|jsp|jar)(\.|$)/i", "$2", $this->parsed_file_name );
                    $renamed = 1;
                }
            }

The vulnerability lies mainly in the code above. The filter is clearly flawed: it is a blacklist whose regex only matches a script extension when it is immediately followed by a dot or the end of the string, so a filename ending in `php` plus a space is not caught and bypasses it. Other script types can also be submitted. See the proof of vulnerability for details.
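An added illustration, not code from the affected project or from the report, contrasting the blacklist regex quoted above with a deny-by-default allowlist check. The image-only extension list, the normalisation steps and the server-generated file name are assumptions about how the upload handler ought to behave:

```php
<?php
// Added example (not the project's code): blacklist check as quoted in the
// report versus a deny-by-default allowlist check.

// The report's blacklist. Returns true when the upload would be ACCEPTED
// unchanged: an extension is only caught when a dot or end-of-string
// follows it, so any trailing character defeats the check.
function blacklist_check(string $fileName): bool
{
    return !preg_match('/\.(cgi|pl|js|asp|php|html|htm|jsp|jar)(\.|$)/i', $fileName);
}

// Assumption: this upload form only ever needs images.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

// Hardened check. Returns the name to store the file under, or null to reject.
function allowlist_check(string $fileName): ?string
{
    // Reject embedded NUL bytes before touching the name at all.
    if (strpos($fileName, "\0") !== false) {
        return null;
    }
    // Drop any path components and trailing whitespace/dots, which is the
    // class of padding the report's regex fails on.
    $name = rtrim(basename($fileName), " \t\r\n.");
    if ($name === '') {
        return null;
    }
    $dot = strrpos($name, '.');
    if ($dot === false) {
        return null;                 // no extension at all: reject
    }
    $ext = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                 // anything outside the allowlist: reject
    }
    // The stored name is chosen by the server, so the client-supplied base
    // name (double extensions included) never reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample file names, including the trailing-space case.
$samples = [
    "shell.php",
    "shell.php ",
    "shell.php.jpg",
    "photo.JPG",
];
foreach ($samples as $s) {
    printf("%-16s blacklist accepts: %-4s allowlist: %s\n",
        json_encode($s),
        blacklist_check($s) ? 'yes' : 'no',
        allowlist_check($s) ?? 'rejected');
}
```

Running it shows the difference in one line per sample: the blacklist rejects `shell.php` and `shell.php.jpg` but accepts `shell.php ` (trailing space), while the allowlist strips the padding, sees `php`, and rejects it. `shell.php.jpg` passes the allowlist only because the stored name is a random hex string with a single `.jpg` extension, so a web server configured to execute files by any of their extensions has nothing to act on; in a real handler the extension check would be paired with a content check such as `getimagesize()` and with storing uploads outside the document root or under a directory where script execution is disabled.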
Capture the request and change `type` to 1 to make sure it goes down the file-upload branch.
Take this seriously, dear vendor. As a bonus, here is a SQL injection in the backend login. It seems some expert already submitted it, so why have you never fixed it?
Severity: No impact (vendor ignored)
Ignored at: 2014-09-09 22:18
None.