F2blog XMLRPC 上传任意文件漏洞

  • A+
所属分类:颓废's Blog
摘要

而他在check_user_pw的时候,并没有过滤,结合后面的上传没有做后缀判断,所有可以直接导致上传任意文件到服务器。简单分析:

影响:可上传任意文件到服务器

原理:get_http_raw_post_data()是获取最原始的传递过来的数据,也是说不会因为PHP环境的magic为on的影响。

而他在check_user_pw的时候,并没有过滤,结合后面的上传没有做后缀判断,所有可以直接导致上传任意文件到服务器。简单分析:

function metaWeblog_newMediaObject ($values) { //2007-02-01 add support for uploading files  global $settingInfo,$DMC, $DBPrefix,$defualtcategoryid;  //此处本是判断用户是否登录的,但是下面没有做检查,仅仅在这里返回了用户是否登录的一个值。  $userdetail = check_user_pw ($values['username'], $values['password']); $struct=$values['struct'];  //writetofile ('text1.php', $struct['bits']); //debug only  if ($struct['bits'] && $struct['name']) {  $writefilecontent=base64_decode($struct['bits']);  if (file_exists("attachments/{$struct['name']}")) @unlink("attachments/{$struct['name']}");  [email protected]("attachments/{$struct['name']}","wb");  if (!$filenum) {  xml_error ("Sorry, uploading file ({$struct['name']}) failed.");  }  flock($filenum,LOCK_EX);  fwrite($filenum,$writefilecontent);  //并没有判断文件是否安全,直接写入。  fclose($filenum);  }  $xml_content=make_xml_piece ("struct", array('url'=>"{$settingInfo['blogurl']}/attachments/{$struct['name']}"));  $body_xml=xml_generate($xml_content);  send_response ($body_xml);  }

本来说到这里都够明白了,下面就再把利用方法写下吧:

定义的方法数组:

$methodFamily=array('blogger.newPost', 'blogger.editPost', 'blogger.getUsersBlogs', 'blogger.getUserInfo', 'blogger.deletePost', 'blogger.getTemplate', 'blogger.setTemplate', 'metaWeblog.newPost', 'metaWeblog.editPost', 'metaWeblog.getPost', 'metaWeblog.newMediaObject', 'metaWeblog.getCategories', 'metaWeblog.getRecentPosts');
 
方法调用:
 
$methodName=parse_get($rawdata, 'methodName', true);  if ([email protected]_array($methodName, $methodFamily)) xml_error ("Method ({$methodName}) is not availble.");  $values=parse_get($rawdata, 'value');$values=parse_walk_array($values, $methodName);  //print_r($values); //For debug only  //exit();  //Get default category, for those editors which don't support Categories  $sql="select * from ".$DBPrefix."categories limit 0,1";  $arr_category=$DMC->fetchArray($DMC->query($sql));  $defualtcategoryid=$arr_category[id];$methodName=str_replace('.', '_', $methodName);  call_user_func ($methodName, $values);  $rawdata的来源:  $rawdata=get_http_raw_post_data();  //writetofile ("text4.xml", $rawdata); //For debug use  //$rawdata=file_get_contents("text4.xml"); //For debug useif (!$rawdata) die ("Sorry, don't visit this web!");$stringType_o="i4|int|boolean|struct|string|double|base64|dateTime/.iso8601";  $stringType="(".$stringType_o.")";$rawdata=str_replace("/r", '', $rawdata);  $rawdata=str_replace("/n", '', $rawdata);  $rawdata=str_replace("/t", '', $rawdata);  $rawdata=str_replace("<![CDATA[", '', $rawdata);  $rawdata=str_replace("]]>", '', $rawdata); //Stupid CDATA, I don't want it  $rawdata=preg_replace("/<([^>] ?) //>/is", '<//1><///1>', $rawdata); //Self-closed tags  //$rawdata=convert_utf8($rawdata);$rawdata=preg_replace_callback("/<struct>(. ?)<//struct>/is", 'filter_struct', $rawdata); //Struct can be a trouble, use this to avoid values and names being parsed  get_http_raw_post_data()方法:  function get_http_raw_post_data () { //Get http_raw_post_data  global $HTTP_RAW_POST_DATA;  if (isset($HTTP_RAW_POST_DATA)) { //Good, the server supports $HTTP_RAW_POST_DATA, then return it directly  return trim($HTTP_RAW_POST_DATA);  }  elseif (PHP_OS>="4.3.0") { //PHP 4.3.0 and higher version supports another way to get it  return readfromfile( 'php://input' );  }  else return false; //Sorry, no way out, or $raw data is not set at all  }

漏洞修补,简单点的,判断下用户是否有上传附件的权限。其他的自己发挥吧。

既然费了这么多话,那就顺便附上一个安全点的方法吧:

function metaWeblog_newMediaObject ($values) { //2008-05-27 edit by Neeao  global $settingInfo,$DMC, $DBPrefix,$defualtcategoryid;  $userdetail = check_user_pw ($values['username'], $values['password']); $records=$DMC->fetchArray($DMC->query("SELECT * FROM `{$DBPrefix}logs` WHERE `id`='{$values['postid']}'"));  if ($records['id']=='') xml_error ("Entry does not exist.");  else {  $struct=$values['struct'];  //writetofile ('text1.php', $struct['bits']); //debug only  if ($struct['bits'] && $struct['name']) {  $writefilecontent=base64_decode($struct['bits']);  if (file_exists("attachments/{$struct['name']}")) @unlink("attachments/{$struct['name']}");  $fi[email protected]("attachments/{$struct['name']}","wb");  if (!$filenum) {  xml_error ("Sorry, uploading file ({$struct['name']}) failed.");  }  flock($filenum,LOCK_EX);  fwrite($filenum,$writefilecontent);  fclose($filenum);  }  $xml_content=make_xml_piece ("struct", array('url'=>"{$settingInfo['blogurl']}/attachments/{$struct['name']}"));  $body_xml=xml_generate($xml_content);  send_response ($body_xml);  }  }

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: