Author: conqu3
Pax.Mac core member
A member of the group asked for help getting an upload through, and then the address was shared: http://www.bkjia.com/club/cafe_bbs.php?cafeid=zmaica&ptype=board&sptype=insert&mode=insert&code=bookmark_1
After a few minutes the webshell was taken directly.
I didn't get it right away at the time. Then I checked it and found it was far too easy to bypass. The key to the breakthroughs we see every day lies in the ideas behind them!
For example, upload a file named paxmac.php.r and the stored file is the timestamp plus ".p.r"; then upload paxmac.aphp and a file like 201211122.php appears directly. Once you see that, the bypass here is very simple. Not much more to say.
Next I will analyze the source code.
Upload step 1: check the MIME type of the file to decide whether it is an image. The code is as follows, in /admin/lib.php:
function img_type($srcimg)
{
    if (is_file($srcimg)) {
        $image_info = getimagesize($srcimg);
        switch ($image_info['mime']) {
            case 'image/gif':  return true; break;
            case 'image/jpeg': return true; break;
            case 'image/png':  return true; break;
            case 'image/bmp':  return true; break;
            default:           return false; break;
        }
    } else {
        return false;
    }
}
This is easy to bypass: prepend a GIF89a header to the file, or just use a real image file.
Upload step 2: check whether the file extension is php, htm or html. Also in /admin/lib.php:
function file_check($filename, $file_str = "php|htm|html") {
    $file_arr = explode("|", $file_str);
    $name_arr = explode(".", $filename);
    $name_cnt = count($name_arr) - 1;           // index of the text after the last dot
    for ($ii = 0; $ii < count($file_arr); $ii++) {
        if (!strcmp(strtolower($name_arr[$name_cnt]), strtolower($file_arr[$ii]))) {
            Error("[error message garbled in source]");   // blacklist hit: reject the upload
        }
    }
}
I won't go into that one here!
The key code is as follows.
In cafe_lib.php the upload handler is defined like this:
/*-=-=
 * File upload
 * (the rest of this Korean header comment is garbled in the source; it describes
 *  the $_FILES input and the allowed-extension list .jpg|.bmp|.gif)
 *-=-=*/
function uploadFile($ufile, $updir, $upfile, $upexf = "") {
    // Note the default $upexf = "": the author apparently meant this parameter to
    // carry ".jpg|.bmp|.gif". On inspection the value comes from a global that is
    // set at the end of the file and passed in from there.
    $base_dir = $updir;                                             // the upload path
    $kdir     = str_replace($_SERVER['DOCUMENT_ROOT'], "", $updir); // strip the document root to get a relative path
    $kdir_    = explode("/", $kdir);                                // split into path components
    $_rootdir = $_SERVER['DOCUMENT_ROOT'];                          // the absolute path
    $_tmpdir  = "";
    // (Korean comment garbled in the source)
    foreach ($kdir_ as $key => $value) {        // create the directory the upload is stored in
        if (!empty($value)) {
            $_tmpdir .= '/' . $value;
            if (!is_dir($_rootdir . $_tmpdir)) {
                @mkdir($_rootdir . $_tmpdir, 0707);
            } else {
                @chmod($_rootdir . $_tmpdir, 0707);
            }
        }
    }
    $fls     = $ufile;   // the uploaded file's $_FILES entry
    $flsname = $upfile;
    // (Korean comment garbled in the source)
    if ($upexf) {        // by the time the extension list is handled here the argument has already arrived empty, so this never applies; still worth reading for reference
        $exif_tmp = explode('|', $upexf);       // split ".jpg|.bmp|.gif" on "|"
        $exif = "";
        foreach ($exif_tmp as $key => $value) {
            $exif .= "\\" . $exif_tmp[$key] . "$|";   // escape each extension's dot and anchor it, building a regex alternation
        }
        $exif = substr($exif, 0, -1);           // drop the trailing "|" to get the final pattern
    }
    if ($fls) {          // is there a file to upload? In our case there is
        if ($upexf) {    // the value was already assigned empty at the start, so our file suffix can be anything
            if (!eregi($exif, $fls['name'])) {  // whitelist check: does the uploaded name match one of the allowed extensions?
                echo '[upload-rejected message garbled in source]';
                $fileupload = '0';
                return; exit;
            } else {
                // (Korean comment garbled in the source)
                $fileupload = '1';
            }
        } else {         // $upexf is empty, so $fileupload = 1 and any file can be uploaded
            $fileupload = '1';
        }
        // (Korean comment garbled in the source)
        $fexi = substr($fls['name'], -3);       // the stored suffix is just the last three characters of the original name: this is the vulnerability, paxmac.ephp is enough
        $upfilename = $upfile . '.' . $fexi;    // join name and suffix
        @mkdir($updir, 0777);                   // create the directory
        if (move_uploaded_file($fls['tmp_name'], "$updir/$upfilename")) {  // store the file
            return $upfilename;                 // return the stored file name
        } else {
            return false;
        }
        @unlink($fls['tmp_name']);              // delete the temp file (never reached: both branches above return)
    } else {
        echo "[no-file message garbled in source]";
    }
}
The code above shows the vulnerability location clearly.
The method is simple: upload mei.aphp directly and you have a webshell. There are only a handful of upload bypass techniques; the key is to apply them flexibly rather than just copying how others upload.
If there are any mistakes, please correct me. Thank you!
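As an added example (not the cafe_lib.php code), here is the original's suffix derivation beside a hardened replacement in PHP; the names original_suffix, safe_suffix, suffix_matches_image and the ALLOWED_EXT list are my own assumptions, and the sample file names are constructed from the post:

```php
<?php
// Added example, not the project's code. Demonstrates why substr($name, -3)
// is the bug and what a strict whitelist looks like instead.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'bmp'];   // hypothetical whitelist

// What the original uploadFile() does: the stored suffix is simply the last
// three characters of the client-supplied name, so "x.aphp" becomes "<time>.php".
function original_suffix(string $clientName): string {
    return substr($clientName, -3);
}

// Hardened: take the text after the LAST dot, lowercase it, and accept it only
// if it is in the whitelist. Anything else is rejected (null).
function safe_suffix(string $clientName): ?string {
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return $ext;
}

// Second layer: the bytes must decode as an image of the claimed type, using
// the image type getimagesize() reports rather than a magic-string match.
function suffix_matches_image(string $path, string $ext): bool {
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    $byType   = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpeg',
                 IMAGETYPE_PNG => 'png', IMAGETYPE_BMP => 'bmp'];
    $detected = $byType[$info[2]] ?? null;
    if ($ext === 'jpg') {
        $ext = 'jpeg';
    }
    return $detected === $ext;
}

// Constructed sample names, showing the old and new outcome side by side.
foreach (['paxmac.aphp', 'paxmac.php.r', 'mei.aphp', 'photo.JPG'] as $n) {
    printf("%-14s original -> .%-4s hardened -> %s\n",
        $n, original_suffix($n), safe_suffix($n) ?? 'REJECTED');
}
```

The stored name should still be generated server-side (the original's timestamp is fine); only the suffix decision changes, and suffix_matches_image() is meant to be applied to the temp file before move_uploaded_file().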