slackero
commented
3 years ago Thanks, the problem is solved. All uploads will be checked against allowed file extensions too.
Closed AirSkye closed 3 years ago
slackero
commented
3 years ago Thanks, the problem is solved. All uploads will be checked against allowed file extensions too.
在
include/inc_lib/general.inc.php1709行中,使用getimagesize获取了上传图像文件的大小信息。其后未对后缀名进行单独判断,可以制作图片木马进行上传绕过。 In the line 1709 ofinclude/inc_lib/general.inc.php, usegetimagesizeto get the size information of the uploaded image file. After that, without a separate judgment on the suffix name, a picture Trojan horse can be made to upload and bypass.漏洞验证: Vulnerability recurrence:: 登录访问后台页面http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8 首先点击Create new campaign Login to visit the background page http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8 First click Create new campaign
创建任意条目,点击create To create any entry, click create
回到上级,点击编辑 Go back to the upper level, click edit
选中生成好的图片马(在图片文件特殊位置插入php代码,不影响其打开),点击上传,出现报错不用管 poc下载:2.zip
Select the generated picture horse (insert the php code in the special position of the picture file, it will not affect its opening), click upload, and there will be an error and don’t care. pocdownload:2.zip
上传后的文件目录为\content\marketing+参数adcampaign_id,查看下该目录下生成的新文件,文件命名规则为日期_2 访问url:http://www.pw.com/content/marketing/3/20210701_2.php,成功执行php文件 The uploaded file directory is \content\marketing+parameter adcampaign_id, check the new file generated in this directory, the file naming rule is date_2 Visit url: http://www.pw.com/content/marketing/3/20210701_2.php, successfully execute the php file
修复建议: 1.正确验证文件后缀。 2.限制目录执行权限。
Repair suggestions: