Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

File Upload vulnerability in PHPOK 5.7.140 #1

Open
HolaAsuka opened this issue May 9, 2023 · 0 comments
Open

File Upload vulnerability in PHPOK 5.7.140 #1

HolaAsuka opened this issue May 9, 2023 · 0 comments

Comments

@HolaAsuka
Copy link
Owner

HolaAsuka commented May 9, 2023

File Upload vulnerability in PHPOK 5.7.140

PoC

Enter the background and switch to development mode in the upper right corner

1

Click Install Application - Import and upload a zip-compressed php file

# 1.php
<?php phpinfo();?>

2

After easily completing the upload, visit the path _app/ and find what we uploaded

Uploading 3.jpg…

This creates a serious file upload vulnerability

Analysis

The upload first calls the zip function without any censorship or filtering of its contents, thus resulting in an arbitrary file upload

/**
     * 制作压缩包
     * @参数 $dir,支持单个文件,目录及数组
     * @参数 $saveName,保存的ZIP文件名
     **/
    public function zip($dir, $saveName)
    {
        if(@!function_exists('gzcompress')){
            return false;
        }
        ob_end_clean();
        $filelist = array();
        if(is_array($dir)){
            $filelist = $dir;
        }else{
            if(!file_exists($dir)){
                return false;
            }
            if(is_file($dir)){
                $filelist = array($dir);
            }else{
                $this->filelist($filelist,$dir);
            }
        }
        if(count($filelist) < 1){
            return false;
        }
        if(class_exists('ZipArchive')){
            $obj = new ZipArchive();
            $obj->open($saveName,ZipArchive::OVERWRITE|ZipArchive::CREATE);//创建一个空的zip文件
            foreach($filelist as $file){
                if(!file_exists($file) || !is_file($file)){
                    continue;
                }
                $name = substr($file,strlen($this->dir_root));
                $obj->addFile($file,$name);
            }
            $obj->close();
            return true;
        }
        foreach($filelist as $file){
            if(!file_exists($file) || !is_file($file)){
                continue;
            }
            $fd = fopen($file, "rb");
            $content = @fread($fd, filesize($file));
            fclose($fd);
            $file = substr($file, strlen($this->dir_root));
            if(substr($file, 0, 1) == "\\" || substr($file, 0, 1) == "/"){
                $file = substr($file, 1);
            }
            $this->addFile($content, $file);
        }
        $out = $this->file();
        $fp = fopen($saveName, "wb");
        fwrite($fp, $out, strlen($out));
        fclose($fp);
    }

After uploading the zip, unzip was called to decompress it, again without any filtered review content

public function unzip($file,$to='')
	{
		if(class_exists('ZipArchive')){
			$zip = new ZipArchive;
			$zip->open($file);
			$zip->extractTo($to);
			$zip->close();
			return true;
		}
		...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant