Youyax arbitrary file deletion

2014-06-07T00:00:00
ID SSV:95205
Type seebug
Reporter Root
Modified 2014-06-07T00:00:00

Description

Brief description:

Latest version (this program really updates fast): arbitrary file deletion. Deleting status.txt allows the system to be reinstalled directly.

Detailed description:

WooYun: Youyax V5.4.1 injection (can change other users' passwords) #4. Let's download the latest release and see how the vendor patched it.

```php
public function saveself() {
    $user = $_SESSION['youyax_user'];
    if ($user == "" || $user == null)
        $this->redirect("Index" . C('default_url') . "index" . C('static_url'));
    // Escaped once with addslashes: this stops SQL injection in the queries below,
    // but leaves path characters such as "../" untouched
    $face = addslashes($_POST['face']);
    mysql_query("update " . C('db_prefix') . "user set face='" . $face . "' where user='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "talk set face='" . $face . "' where zuozhe='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "reply set face1='" . $face . "' where zuozhe1='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark2 set pic='" . $face . "' where marker='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark1 set pic='" . $face . "' where marker='" . $user . "'");
}
```

As you can see, $face is passed through addslashes once; after that escaping it can no longer be used for injection here, and the value is then written to the database.

| Field    | Type        | Null | Key | Default | Extra |
|----------|-------------|------|-----|---------|-------|
| status   | tinyint(1)  | NO   |     | NULL    |       |
| email    | varchar(50) | NO   |     | NULL    |       |
| complete | int(4)      | NO   |     | NULL    |       |
| face     | varchar(50) | NO   |     | NULL    |       |

50 characters is enough. The arbitrary file deletion happens when the value is read back out of the database, in lib/indexaction.php:

```php
public function resize($filename) {
    $user = $_SESSION['youyax_user'];
    if ($user == "" || $user == null)
        $this->redirect("Index" . C('default_url') . "index" . C('static_url'));
    $album = "./Public/pic/upload";
    $filenameall = $album . "/" . $filename;
    // File and new size
    // Content type
    // header('Content-type: image/jpeg');
    // Get new sizes
    list($width, $height) = getimagesize($filenameall);
    list($font, $back) = explode(".", $filename); // get the extension
    if ($width >= $height && $width > 120) {
        $newwidth = 120;
        $newheight = $newwidth * $height / $width;
    } else if ($height >= $width && $height > 120) {
        $newheight = 120;
        $newwidth = $newheight * $width / $height;
    } else {
        $newwidth = $width;
        $newheight = $height;
    }
    // Load
    $thumb = imagecreatetruecolor($newwidth, $newheight);
    switch (strtolower($back)) {
        case 'gif':
            $source = imagecreatefromgif($filenameall);
            imagecopyresized($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
            $name = time() . ".gif";
            imagegif($thumb, $album . "/" . $name);
            break;
        case 'jpg':
        case 'jpeg':
            $source = imagecreatefromjpeg($filenameall);
            imagecopyresized($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
            $name = time() . ".jpg";
            imagejpeg($thumb, $album . "/" . $name);
            break;
        case 'png':
            $source = imagecreatefrompng($filenameall);
            imagesavealpha($source, true);
            imagealphablending($thumb, false);
            imagesavealpha($thumb, true);
            imagecopyresized($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
            $name = time() . ".png";
            imagepng($thumb, $album . "/" . $name);
            break;
        default:
            break;
    }
    // The stored face value is read back out of the database here
    $oldface = mysql_fetch_array(mysql_query("select * from " . C('db_prefix') . "user where user='" . $user . "'"));
    $oldface2 = $oldface['face']; // this is the key value
    mysql_query("update " . C('db_prefix') . "user set face='upload/" . $name . "' where user='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "talk set face='upload/" . $name . "' where zuozhe='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "reply set face1='upload/" . $name . "' where zuozhe1='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark2 set pic='upload/" . $name . "' where marker='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark1 set pic='upload/" . $name . "' where marker='" . $user . "'");
    if (preg_match_all("/upload/", $oldface2, $tmp)) {
        @unlink("./Public/pic/$oldface2");
    }
    @unlink("./Public/pic/upload/$filename");
}
```

```php
if (preg_match_all("/upload/", $oldface2, $tmp)) {
    @unlink("./Public/pic/$oldface2");
}
@unlink("./Public/pic/upload/$filename");
```

Here $filename is not controllable, but $oldface2, which comes out of the database, is controllable. So:

```php
if (preg_match_all("/upload/", $oldface2, $tmp)) {
    @unlink("./Public/pic/$oldface2");
}
```

To reach this branch, $oldface2 only has to match /upload/ and the unlink is entered. Construct: /../../upload/../install/status.txt
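To show why the addslashes() patch does not help here, an added Python example (not part of this advisory or of Youyax) that reproduces the substring check and the "./Public/pic/$oldface2" concatenation on the advisory's payload, beside a check that canonicalises the path and requires it to sit directly inside the upload directory. The deployment root /var/www/youyax and the sample face values are constructed.

```python
import posixpath

# Constructed deployment root; the advisory's paths are relative to the app's working directory
APP_ROOT = "/var/www/youyax"
PIC_DIR = APP_ROOT + "/Public/pic"          # the "./Public/pic" prefix used by unlink()
UPLOAD_DIR = PIC_DIR + "/upload"            # $album in resize()


def weak_allows_unlink(face: str) -> bool:
    """Mirrors preg_match_all("/upload/", $oldface2): the slashes are PCRE delimiters,
    so the pattern is just 'upload' and this only asks whether that substring occurs."""
    return "upload" in face


def target_path(face: str) -> str:
    """Path the original code hands to unlink(): "./Public/pic/$oldface2", built by string
    concatenation and then normalised lexically the way the kernel resolves '..' segments."""
    return posixpath.normpath(PIC_DIR + "/" + face)


def safe_allows_unlink(face: str) -> bool:
    """Hardened check: the resolved path must be a direct child of the upload directory.
    Real code should also resolve symlinks (realpath) and confirm the file exists."""
    return posixpath.dirname(target_path(face)) == UPLOAD_DIR


# Constructed sample values for the user.face column (varchar(50), so each must fit in 50 chars)
SAMPLES = [
    "upload/1402100000.jpg",                # legitimate value as written by resize()
    "/../../upload/../install/status.txt",  # the payload from the advisory
    "upload/../../index.php",               # another traversal the substring check accepts
]


def evaluate(face: str) -> dict:
    """Return what unlink() would actually target and what each check decides."""
    return {
        "target": target_path(face),
        "weak_check": weak_allows_unlink(face),
        "safe_check": safe_allows_unlink(face),
        "fits_column": len(face) <= 50,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {evaluate(sample)}")
```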

Proof of vulnerability:

[Screenshot y1.jpg: https://images.seebug.org/upload/201406/07113435709ab55efd21ee1b571695d14b7d04ed.jpg]

Store it in the database, then visit the page:

[Screenshot y2.jpg: https://images.seebug.org/upload/201406/07113510546d5fa6b368b73f8b9a39325644184c.jpg]

[Screenshot y3.jpg: https://images.seebug.org/upload/201406/071136047f80698182b38ed018266a3b2ebf23bb.jpg]

Once the file is deleted, the system can be reinstalled directly.