phpcms avatar upload vulnerability and the subsequent impact-vulnerability warning-the black bar safety net

2014-09-11T00:00:00
ID MYHACK58:62201453514
Type myhack58
Reporter Anonymous
Modified 2014-09-11T00:00:00

Description

Written during the summer vacation; my blog has been idle lately, so I'm posting this for entertainment.

In response to the call from Mramydnei, the Somali pirates crew and fd (/fd) to set up the parsec team, and to the teachers who have educated me over the years, I want to write up this reminiscence. Looking at the title you may think: this is old, stale news, why bring it up again? Of course my own embarrassment doesn't matter, but I can't let parsec lose face, so bear with me while I ramble~

0x01 The initial phpcms avatar upload getshell vulnerability

I don't know if you remember the phpcms avatar upload vulnerability that was all the rage for a while; a large number of sites on the Internet were compromised through it, and the impact was extremely bad. After that I analysed the root cause of the vulnerability and the way it was used. In simple terms, phpcms handles the avatar upload like this: the uploaded zip file is first decompressed, and then the non-image files are deleted. The key parts of the code:

```php
//store the flash-posted pictures
$filename = $dir.$this->uid.'.zip';
file_put_contents($filename, $this->avatardata);

//at this point the content of the compressed package has been written

//unzip the file
pc_base::load_app_class('pclzip', 'phpsso', 0);
$archive = new PclZip($filename);
if ($archive->extract(PCLZIP_OPT_PATH, $dir) == 0) {
    die("Error : ".$archive->errorInfo(true));
}

//line 568

//check that the files are safe: delete the compressed package and any non-jpg images
$avatararr = array('180x180.jpg', '30x30.jpg', '45x45.jpg', '90x90.jpg');
if($handle = opendir($dir)) {
    while(false !== ($file = readdir($handle))) {
        if($file !== '.' && $file !== '..') {
            if(!in_array($file, $avatararr)) {
                @unlink($dir.$file);
            } else {
                $info = @getimagesize($dir.$file);
                if(!$info || $info[2] != 2) {
                    @unlink($dir.$file);
                }
            }
        }
    }
}
```
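For contrast, here is a hardened version of the same step, added as an example that is not phpcms code: it validates every archive entry before anything is written to disk, instead of extracting first and cleaning up afterwards. It uses PHP's bundled ZipArchive class rather than PclZip; the function name, the per-file size cap and the `$dir` layout are assumptions.

```php
<?php
// Added example (not phpcms code): validate each zip entry before writing it.
// Assumes PHP's bundled ZipArchive extension; names and limits are assumptions.

const AVATAR_NAMES    = ['180x180.jpg', '30x30.jpg', '45x45.jpg', '90x90.jpg'];
const AVATAR_MAX_SIZE = 200 * 1024; // per-file cap, assumed value

/**
 * Extract avatar images from $zipPath into $dir.
 * Every entry must be exactly one of the four expected file names (so no
 * directories and no other names) and must decode as a real JPEG; if any
 * entry fails, nothing is written. Returns the list of files written.
 */
function store_avatar_zip(string $zipPath, string $dir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('not a valid zip archive');
    }

    $pending = []; // name => bytes, written only after all entries pass
    try {
        if ($zip->numFiles > count(AVATAR_NAMES)) {
            throw new RuntimeException('too many entries in archive');
        }
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $stat = $zip->statIndex($i);
            if ($stat === false) {
                throw new RuntimeException("cannot stat entry $i");
            }
            $name = $stat['name'];

            // Exact whitelist match, checked before the entry is ever
            // extracted: rejects subdirectories, traversal and unknown names.
            if (!in_array($name, AVATAR_NAMES, true) || isset($pending[$name])) {
                throw new RuntimeException("unexpected entry: $name");
            }
            if ($stat['size'] > AVATAR_MAX_SIZE) {
                throw new RuntimeException("entry too large: $name");
            }

            $data = $zip->getFromIndex($i);
            if ($data === false) {
                throw new RuntimeException("cannot read entry: $name");
            }
            // Content check in memory: must decode as a JPEG. IMAGETYPE_JPEG
            // is 2, the same value the original code compares $info[2] against.
            $info = @getimagesizefromstring($data);
            if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
                throw new RuntimeException("not a JPEG image: $name");
            }
            $pending[$name] = $data;
        }
    } finally {
        $zip->close();
    }

    // All entries passed: write them under fixed names inside $dir.
    $written = [];
    foreach ($pending as $name => $data) {
        $target = rtrim($dir, '/') . '/' . $name;
        if (file_put_contents($target, $data) === false) {
            throw new RuntimeException("cannot write $target");
        }
        $written[] = $target;
    }
    return $written;
}

// Usage (paths are placeholders):
// $files = store_avatar_zip('/tmp/upload.zip', '/var/www/uploads/avatar/42/');
```

The design choice is to never let the archive decide which paths appear on disk: the uploaded zip itself is not placed in `$dir`, so there is no leftover package to delete, and each entry is read into memory, checked by name and by content, and only then written under a name the application chose.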
