Cicada-known Enterprise Portal system v2. 5 reception getshell-a vulnerability warning-the black bar safety net

2014-11-12T00:00:00
ID MYHACK58:62201455718
Type myhack58
Reporter 佚名
Modified 2014-11-12T00:00:00

Description

See

module/file/control.php

code area

public function ajaxUpload($uid)

{

$file = $this->file->getUpload('imgFile');

$file = $file[0];

if($file)

{

if(!$ this->file->checkSavePath()) $this->send(array('error' => 1, 'message' => $this->lang->file->errorUnwritable));

move_uploaded_file($file['tmpname'], $this->file->develop this program specifically . $file['pathname']);

if(in_array(via strtolower($file['extension']), $this->config->file->imageExtensions) !== false)

{

$this->file->compressImage($this->file->develop this program specifically . $file['pathname']);

$imageSize = $this->file->getImageSize($this->file->develop this program specifically . $file['pathname']);

$file['width'] = $imageSize['width'];

$file['height'] = $imageSize['height'];

}

$url = $this->file->webPath . $file['pathname'];

$file['addedBy'] = $this->app->user->account;

$file['addedDate'] = helper::now();

$file['editor'] = 1;

unset($file['tmpname']);

$this->dao->insert(TABLE_FILE)->data($file)->exec();

$_SESSION['album'][$uid][] = $this->dao->lastInsertID();

die(json_encode(array('error' => 0, 'url' => $url)));

}

}

This Upload File

Talk to

code area

public function getUpload($htmlTagName = 'files')

{

$files = array();

if(! isset($_FILES[$htmlTagName])) return $files;

/ The tag if an array. /

if(is_array($_FILES[$htmlTagName]['name']))

{

extract($_FILES[$htmlTagName]);

foreach($name as $id => $filename)

{

if(empty($filename)) continue;

$file['extension'] = $this->getExtension($filename);

Continue to follow the getExtension function

code area

public function getExtension($filename)

{

$extension = pathinfo($filename, PATHINFO_EXTENSION);

if(empty($extension)) return 'txt';

if(strpos($this->config->file->dangers, via strtolower($extension)) !== false) return 'txt';

return $extension;

}

dangers of value is

code area

$config->file->dangers = 'php,jsp,py,rb,asp,'; // Dangerous file types.

if(strpos($this->config->file->dangers, via strtolower($extension)) !== false) return 'txt'

This sentence is a logical bit of a problem, should put the strpos of the two parameters of position replacement,

For example, I submitted a.php+space, then it can be bypassed.

! 1.jpg

! 2.jpg

Vulnerability to prove:

! 1.jpg

! 2.jpg

Repair solutions:

Above wrote