Exploring the PHP mkdir() function (vulnerability warning, myhack58)

2019-04-01T00:00:00
ID MYHACK58:62201993449
Type myhack58
Reporter Anonymous
Modified 2019-04-01T00:00:00

Description

1. Cause

While reproducing the WordPress 5.0.0 RCE, I noticed that when the image is written, a directory is first created from the dirname of the picture path and the picture is then written under its basename. You would expect that once the directory has been created successfully, the file can simply be written. That is not what happens: before the target image can be written, an auxiliary image must be written first. The auxiliary image itself is not important; what matters is the directory that gets created for it. For example, to write the target file shown in the figure, the auxiliary file shown in the figure has to be written first.

Why is that? Suppose the target file is written directly. The process first creates the directory (see figure). In fact this step creates nothing at all, because the check decides that the directory already exists, and the next step, writing the picture with Imagick::writeImage, is where it fails with an "invalid file path" error, because the directory /var/www/html/wordpress/wp-content/uploads/2019/03/1.jpg? does not exist. This comes down to the system calls involved, and different operating systems resolve such paths differently. For example, on Kali, Imagick::writeImage writing to ./1?/../1.png fails because the directory ./1? does not exist. The system calls are as follows (see figure): the file status is checked first, then openat is called to open the file, which does not exist; AT_FDCWD means the path is resolved relative to the current directory.

This is what I ran into. However, the WordPress image remote code execution analysis, and other articles too, never mention writing two pictures. Is it because Windows and Linux behave differently? With this question in mind I looked into mkdir and found some very interesting things.

2. Differences in mkdir() between the PHP core and the operating system

2.1 Linux && PHP 7.3.2-3

    mkdir('./1?/../1', 777, true);
    mkdir('./1?/../1', 777, false);

Only when the third parameter, $recursive, is true can the directory be created. $recursive means that the directories are created recursively. When it is false, only one level of directory can be created, namely the last component of the path; when it is true, several levels can be created down to the last directory. For ./a/b/c, when a, b and c do not exist, the system mkdir is called in a loop and a, b and c are all created; with false, because the directory a does not exist, the final component c is never created. But even with true, the first mkdir does not create the 1? directory. To see why, let's look at PHP's internal mkdir implementation and at the system mkdir.

2.1.1 PHP_FUNCTION(mkdir)

The call flow inside PHP is shown in the figure. We step into the branch in /php-src/main/streams/plain_wrapper.c (see figure).

2.1.1.1 $recursive = false

In this branch, when $recursive does not require a loop, the code goes directly to php_mkdir in /php-src/ext/standard/file.c and then to php_mkdir_ex (see figures). This first checks open_basedir and then enters VCWD_MKDIR, a macro with three different definitions (see figure). At first I did not think much of this and simply followed the process in gdb: mkdir() directly calls the system's _mkdir():

    mkdir("./1?/../1", 01411) = -1 ENOENT (No such file or directory)

It fails straight away. That is as expected on Linux: the system mkdir does not allow a directory to be created this way, because every level of the path is validated. Back to the first branch point.

2.1.1.2 $recursive = true

Here (see figure) we enter expand_filepath_with_mode, which is actually quite familiar; I saw this function earlier when looking at path handling. It expands the directory to be created, working recursively. In the process a relative directory is joined with the directory of the currently executing script; an absolute directory is left alone. Our relative directory ./1?/../1 becomes /var/www/html/WordPress/wp-content/themes/4/5/6/./1?/../1 (my current directory is /var/www/html/WordPress/wp-content/themes/4/5/6). Then ../, ./ and // are removed recursively, together with the directory component preceding each ../, which yields /var/www/html/WordPress/wp-content/themes/4/5/6/1, and that is what is passed to the system mkdir. Inside this function there are separate win32 and Linux branches, but before the specific handling, the win32 branch first determines that the directory name must not already exist...
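To make the two behaviours concrete, the following Python script (an added example, not the article's code) models expand_filepath_with_mode as the article describes it, a purely lexical collapse of ./, ../ and // against the current directory, and compares one mkdir(2) on the raw path ./1?/../1 with one on the resolved path inside a temporary directory. The normalizer is a simplified model written for this example, not PHP's source.

```python
import errno
import os
import tempfile

def expand_filepath(path: str, cwd: str) -> str:
    """Simplified model (this example's own code, not PHP's source) of the
    lexical expansion the article attributes to expand_filepath_with_mode():
    prefix a relative path with cwd, then collapse '.', '..', '//' components."""
    if not path.startswith("/"):
        path = cwd.rstrip("/") + "/" + path
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue              # './' and '//' contribute nothing
        elif comp == "..":
            if parts:
                parts.pop()       # '../' also drops the component before it
        else:
            parts.append(comp)
    return "/" + "/".join(parts)

def try_mkdir(path: str) -> str:
    """Issue exactly one mkdir(2); return 'ok' or the errno name."""
    try:
        os.mkdir(path, 0o755)
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))

def run_demo() -> dict:
    """Replay the article's two mkdir() calls in a fresh temporary directory."""
    base = tempfile.mkdtemp()
    raw = "./1?/../1"
    resolved = expand_filepath(raw, base)
    return {
        "base": base,
        "resolved": resolved,
        # $recursive = false: the raw string reaches the kernel, which walks
        # every component; '1?' does not exist, so the call fails with ENOENT.
        "non_recursive": try_mkdir(os.path.join(base, raw)),
        # $recursive = true: the path is normalized first, so the kernel only
        # sees '<base>/1'; '1?' is never created.
        "recursive": try_mkdir(resolved),
        "question_dir_created": os.path.isdir(os.path.join(base, "1?")),
        "target_created": os.path.isdir(os.path.join(base, "1")),
    }

if __name__ == "__main__":
    print(run_demo())
```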
