Arbitrary file upload vulnerability #312

Closed
AirSkye opened this issue Jul 2, 2021 · 1 comment
AirSkye commented Jul 2, 2021

At line 1709 of include/inc_lib/general.inc.php, getimagesize is used to obtain the size information of the uploaded image file. After that there is no separate check of the file extension, so an image Trojan can be crafted to bypass the upload check.


Vulnerability verification:
Log in and open the back-end page http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8
First click Create new campaign.


Create an arbitrary entry and click create.


Go back to the parent level and click edit.


Select the prepared image Trojan (PHP code inserted at a special position in the image file, which does not affect opening it) and click upload; an error appears, but it can be ignored.
PoC download: 2.zip


The upload directory is \content\marketing\ plus the adcampaign_id parameter. Look at the new file generated in that directory; the file naming rule is date_2.
Visit the URL http://www.pw.com/content/marketing/3/20210701_2.php and the PHP file is executed successfully.


Fix suggestions:

  1. Validate the file extension correctly.
  2. Restrict execution permissions on the upload directory.
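The two fix suggestions above, as an added example that is not phpwcms code and not from the issue author: an upload handler that allow-lists the extension, sniffs the content with libmagic, keeps getimagesize only as a secondary sanity check, stores the file under a server-chosen name, and drops an Apache .htaccess that refuses to serve PHP from the upload tree. The function names, the `ALLOWED_IMAGES` table and the `content/marketing` paths are assumptions for illustration; the .htaccess rules assume Apache 2.4 with AllowOverride permitting `FilesMatch`.

```php
<?php
// Added example (not phpwcms code): validate an uploaded "image" by its
// extension, its MIME type and getimagesize(), then store it under a
// server-chosen name. Assumes an Apache 2.4 document root.

declare(strict_types=1);

// Allow-list of image extensions and the MIME type each may carry (assumed set).
const ALLOWED_IMAGES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'webp' => ['image/webp'],
];

/**
 * Returns the normalised extension if the upload passes every check,
 * otherwise throws. $tmpPath is the PHP-supplied temp file, $clientName
 * the user-supplied file name (never trusted for the stored path).
 */
function validate_image_upload(string $tmpPath, string $clientName): string
{
    // 1. Extension: take the LAST suffix, lower-case, and require it to be
    //    on the allow-list. "x.php.jpg" yields "jpg" and is later stored as
    //    <random>.jpg, so a double extension never reaches the filesystem.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException("extension '$ext' is not an allowed image type");
    }

    // 2. Content sniffing by libmagic, not by the client's Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_IMAGES[$ext], true)) {
        throw new RuntimeException("content type '$mime' does not match .$ext");
    }

    // 3. getimagesize() alone is the check the report describes as
    //    insufficient: a decodable image can still carry PHP in a comment
    //    or trailer. Keep it only as an additional structural check.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        throw new RuntimeException('file is not a decodable image');
    }

    return $ext;
}

/**
 * Moves a validated upload into $uploadDir under a random name and
 * returns the stored path. The client-supplied name is never used.
 */
function store_image_upload(string $tmpPath, string $clientName, string $uploadDir): string
{
    $ext  = validate_image_upload($tmpPath, $clientName);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $dest;
}

/**
 * Second suggestion from the report: deny script execution in the upload
 * tree. Writes an Apache 2.4 .htaccess (assumes AllowOverride permits it);
 * a server-level <Directory> block or an nginx location is sturdier still.
 */
function deny_script_execution(string $uploadDir): void
{
    $rules = <<<'HTACCESS'
# Never serve PHP-like files from this tree, whatever their content.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
HTACCESS;
    file_put_contents(rtrim($uploadDir, '/') . '/.htaccess', $rules . "\n", LOCK_EX);
}

// Usage inside an upload handler (paths are assumptions):
// deny_script_execution(__DIR__ . '/content/marketing');
// $stored = store_image_upload($_FILES['img']['tmp_name'],
//                              $_FILES['img']['name'],
//                              __DIR__ . '/content/marketing/3');
```

The extension allow-list is the check the report says was missing; the random server-side name removes the client's influence over the stored path entirely, and the .htaccess is defence in depth for the case where a validation bug slips through later.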
slackero (Owner) commented Jul 4, 2021

Thanks, the problem is solved. All uploads will be checked against allowed file extensions too.

@slackero slackero closed this as completed Jul 4, 2021