0x00 Preface
They say that when one person's happiness is shared, two people become happy. I'm not so sure: if the sharer and the one being shared with are enemies, and the sharer's happiness comes precisely from... haha, I don't know.
BUT if a skill is shared, I firmly believe that more than two people benefit from it, so what we should do more of is: share!
Today's topic: a brief introduction to file upload vulnerabilities caused by logic defects, as met during vulnerability hunting.
Tips: Traditional MIME checks, client-side JS checks, blacklist checks, parsing vulnerabilities and the like are all relatively simple and not within the scope of this discussion.
0x01 Programmers misunderstanding some common functions
These functions include empty(), isset(), strpos(), rename() and so on. The following code comes from UFIDA (Yonyou) ICC:
if ($operateId == 1) {
    $date = date("Ymd");
    $dest = $CONFIG->basePath."data/files/".$date."/";
    $COMMON->createDir($dest); //if (!is_dir($dest)) mkdir($dest, 0777);
    $nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
    $allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
    if (!in_array($nameExt, $allowedType)) {
        $msg = 0;
    }
    if (empty($msg)) {
        $filename = getmicrotime().'.'.$nameExt;
        $file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
        $filename = $dest.$filename;
        if (empty($_FILES['Filedata']['error'])) {
            move_uploaded_file($_FILES['Filedata']['tmp_name'], $filename);
        }
        if (file_exists($filename)) {
            //$msg = 1;
            $msg = $file_url;
            @chmod($filename, 0444);
        } else {
            $msg = 0;
        }
    }
    $outMsg = "fileUrl=".$msg;
    $_SESSION["eoutmsg"] = $outMsg;
    exit;
}
Let's look at the code above. For an upload to succeed, empty($msg) must be true so that the if branch is entered. So when does empty() return true? Let's see what the PHP manual says:
Obviously "", 0, "0", NULL, FALSE, array(), a variable declared without a value (var $var;) and an object without any properties are all considered empty; if the variable is unset or null, true is returned. Very good. Now look back at this part of the code:
    $allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
    if (!in_array($nameExt, $allowedType)) {
        $msg = 0;
    }
See? Even if we upload something like shell.php, the security check does assign 0 to $msg, but empty($msg) then returns true anyway, so this logic defect lets shell.php be uploaded successfully.
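To make the defect concrete, here is an added example (my own code, not the ICC source) that places the page's empty($msg) check next to a hardened version and runs both over a few constructed file names. Function names, the file names and the use of pathinfo() in place of the ICC getFileExtName() helper are assumptions for the example.

```php
<?php
// Added example, not the ICC code: the vulnerable guard from the page next to a
// hardened version, run over a few constructed file names.

$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');

// Mirrors the original: the extension check assigns $msg = 0 on failure and the
// save branch is guarded by empty($msg). Returns true when the save branch is
// entered, i.e. when the file would be written to disk.
function vulnerable_check($name, array $allowedType) {
    $msg = null;                                   // never set on the success path either
    $nameExt = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($nameExt, $allowedType)) {
        $msg = 0;                                  // "rejected"... but empty(0) === true
    }
    return empty($msg);                            // true for accepted AND rejected files
}

// Hardened: keep the allow decision in a boolean, compare strictly, and return
// early on rejection so no sentinel value ever reaches a truthiness test.
function hardened_check($name, array $allowedType) {
    $nameExt = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $allowed = in_array($nameExt, $allowedType, true);   // strict comparison
    if (!$allowed) {
        return false;                              // stop here: no second chance for the save branch
    }
    return true;
}

// Constructed sample names: two legitimate-looking, three that must be denied.
foreach (array('photo.jpg', 'x.PNG', 'shell.php', 'noext', 'a.jpg.php') as $name) {
    printf("%-10s vulnerable: %-4s hardened: %s\n", $name,
        vulnerable_check($name, $allowedType) ? 'save' : 'deny',
        hardened_check($name, $allowedType) ? 'save' : 'deny');
}
```

Run it and every name, shell.php included, goes through the vulnerable save branch, because the only value the check ever stores in $msg is one that empty() treats as "nothing happened". The hardened function also fixes the original's reliance on the client-supplied extension being the last component: pathinfo() takes the final extension, and the stored name in the ICC code is built from getmicrotime() plus that extension, so nothing else from the client name should reach the filesystem.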
For details, see the vulnerability case:
Yonyou ICC website Customer Service System Remote Code Execution Vulnerability http://www.bkjia.com/Article/201204/127159.html
0x02 Programmers misusing some common functions
These functions include iconv() and copy(). The code below comes from SiteStar:
public function img_create() {
    $file_info =& ParamHolder::get('img_name', array(), PS_FILES);
    if ($file_info['error'] > 0) {
        Notice::set('mod_marquee/msg', __('Invalid post file data!'));
        Content::redirect(Html::uriquery('mod_tool', 'upload_img'));
    }
    if (!preg_match('/\.('.PIC_ALLOW_EXT.')$/i', $file_info["name"])) {
        Notice::set('mod_marquee/msg', __('File type error!'));
        Content::redirect(Html::uriquery('mod_marquee', 'upload_img'));
    }
    if (file_exists(ROOT.'/upload/image/'.$file_info["name"])) {
        $file_info["name"] = Toolkit::randomStr(8).strrchr($file_info["name"], ".");
    }
    if (!$this->_savelinkimg($file_info)) {
        Notice::set('mod_marquee/msg', __('Link image upload failed!'));
        Content::redirect(Html::uriquery('mod_marquee', 'upload_img'));
    }
    //...
}

private function _savelinkimg($struct_file) {
    $struct_file['name'] = iconv("UTF-8", "gb2312", $struct_file['name']);
    move_uploaded_file($struct_file['tmp_name'], ROOT.'/upload/image/'.$struct_file['name']);
    return ParamParser::fire_virus(ROOT.'/upload/image/'.$struct_file['name']);
}
Let's look at this code. The logic of img_create() is strict and the security check is done well. The problem lies in _savelinkimg(): the programmer passes the file name through iconv() right before saving the file, after the name has already been checked. Why is that wrong? Because iconv() can truncate a string during transcoding:
When iconv transcodes UTF-8 -> gb2312 (conversions between other encodings cause the same problem), the string is cut off at an illegal byte. For example, with $filename = "shell.php(hex).jpg" (where hex is a single byte in the range 0x80-0x99), after iconv transcoding the name becomes $filename = "shell.php".
So, after iconv commit ).
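The following added example (my own code, not SiteStar's) shows what happens to such a file name when it is transcoded the way _savelinkimg() does it, and a store path that never lets a user-supplied name reach the filesystem. The constant PIC_ALLOW_EXT is assumed to hold a "jpg|jpeg|gif|png"-style list as in the original regex; the sample file name is constructed.

```php
<?php
// Added example, not SiteStar's code. Shows why a name must be validated AFTER
// any transcoding, and a hardened path that never transcodes a user name at all.

// Constructed attacker-style name: "shell.php", one illegal UTF-8 byte, ".jpg".
// The original regex /\.(jpg|...)$/i is happy with it because it ends in ".jpg".
$clientName = "shell.php\x80.jpg";

// What the original _savelinkimg() does: transcode the already-checked name.
// Old PHP 5 releases returned the output produced up to the illegal byte
// ("shell.php"); current PHP raises a notice and returns false. Either way the
// value written to disk is no longer the value that passed the extension check.
function transcode_like_original($name) {
    $out = @iconv("UTF-8", "gb2312", $name);
    return $out === false ? '<false>' : $out;
}

// Assumed allow-list, in the same form the original regex uses.
define('PIC_ALLOW_EXT', 'jpg|jpeg|gif|png');

// Hardened: validate the raw bytes, keep only the final extension, and derive
// the on-disk name ourselves so the client name never touches the filesystem.
function safe_store_name($clientName) {
    if (!mb_check_encoding($clientName, 'UTF-8')) {
        return null;                                 // malformed input: reject outright
    }
    if (strpbrk($clientName, "\0/\\") !== false) {
        return null;                                 // no NUL bytes or path separators
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!preg_match('/^(' . PIC_ALLOW_EXT . ')$/', $ext)) {
        return null;                                 // only the final extension counts
    }
    // Random base name; only the validated extension is reused.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

printf("original saves as : %s\n", transcode_like_original($clientName));
$safe = safe_store_name($clientName);
printf("hardened saves as : %s\n", $safe === null ? 'rejected' : $safe);
printf("hardened photo.jpg: %s\n", safe_store_name("photo.jpg"));
```

The point of safe_store_name() is the ordering: whatever name finally hits move_uploaded_file() is the one that must be checked, and the simplest way to guarantee that is to generate it on the server. If a transcoding step is genuinely needed (for a display name, say), do it on a copy, check the result against false, and never use it as a path.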
0x03 Classic historical vulnerabilities strike again
Race condition vulnerabilities: these classic old vulnerabilities gradually faded from view, and now they are erupting again..
Next, let's look at the following code (from a VPN system):
<?
if ($_POST['realfile']) {
    copy($_POST['realfile'], $_POST['path']);
}
$file = mb_convert_encoding($_POST[file], "GBK", "UTF-8");
header("Pragma:");
header("Cache-Control:");
header("Content-type:application/octet-stream");
header("Content-Length:".filesize($_POST[path]));
header("Content-Disposition:attachment;filename=\"$file\"");
readfile($_POST[path]);
if ($_POST['realfile']) {
    unlink($_POST["path"]);
}
?>
The logic of the code above, from an attacker's point of view, looks like this:
copy() writes realfile to shell.php -> readfile() sends it -> shell.php is deleted
At first glance the code looks unusable, but on careful consideration there really is a logic problem, and this logic defect can be used to reach the GetShell goal.
Specific usage:
copy to temp.php -> keep requesting temp.php -> temp.php generates shell.php -> temp.php is deleted
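The defect above exists because a user-controlled file is materialised at a user-controlled path inside the web root and stays there for the whole time readfile() runs. As an added example (my own code, not the VPN system's), here is a download handler written so that the copy -> readfile -> unlink window does not exist at all: the file is selected by an opaque id from a table, streamed straight from a directory that the web server does not serve, and never copied or deleted. The directory path, the id table and the function names are assumptions for the example.

```php
<?php
// Added example, not the VPN system's code: a download handler with no
// copy -> readfile -> unlink window, so there is nothing to race.

// Assumed: files live OUTSIDE the web root and are chosen by an opaque id,
// never by a client-supplied path. Constructed table; a real system would
// look this up in a database.
const DOWNLOAD_DIR = '/srv/app/private/downloads';
$catalogue = array(
    'a1b2' => 'manual.pdf',
    'c3d4' => 'client-setup.zip',
);

// Resolve an id to an absolute path and prove it stays inside DOWNLOAD_DIR.
function resolve_download($id, array $catalogue, $baseDir) {
    if (!isset($catalogue[$id])) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $catalogue[$id]);
    // Containment check: symlinks or odd table entries must not escape the directory.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Stream the file in chunks. Size and name come from the server-side record,
// not from request parameters, and no temporary copy is ever written.
function send_download($path, $downloadName) {
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    // Header-safe fallback name (ASCII only) plus an RFC 6266 UTF-8 form.
    $asciiName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($downloadName));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $asciiName . '"'
         . "; filename*=UTF-8''" . rawurlencode($downloadName));
    while (!feof($fh)) {
        echo fread($fh, 8192);
        flush();
    }
    fclose($fh);
    return true;
}

$id = isset($_GET['id']) ? (string) $_GET['id'] : '';
$path = resolve_download($id, $catalogue, DOWNLOAD_DIR);
if ($path === null) {
    http_response_code(404);
    exit;
}
send_download($path, $catalogue[$id]);
```

Two properties make the race disappear: the client chooses only an id, so it cannot pick a destination like temp.php, and the bytes go from the private directory to the socket without ever landing in a web-served location, so a second request has nothing to fetch. If a temporary file is ever unavoidable, the same rule applies: create it with tempnam() outside the web root, never at a client-supplied path.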