Analysis of phpcms Avatar Upload vulnerability

Source: Internet
Author: User
Tags: zip

What is an upload vulnerability?
Many CMSes provide functions such as uploading avatars and images to enrich their feature set. If the uploaded content is not properly filtered, however, the attacker is given a way to execute arbitrary code: for example, a file containing malicious code can be uploaded disguised as an image to get past the server-side detection.
Historically, upload vulnerabilities have mainly come from the following mistakes:
0. The format of the uploaded file is verified only on the client, with JavaScript or Flash, and is not verified again once the file reaches the server.
1. Only the Content-Type of the upload is checked. Content-Type is supplied by the client, so a user uploading a script file can simply set it to image/gif and pass the check.
2. A blacklist is used: the suffix of the uploaded file is checked and an error is returned if the suffix is blacklisted. Blacklists are rarely complete, and any extension the list omits gets through.
3. The uploaded file is not renamed: the site checks that the suffix is .jpg or .gif and then stores the file under its original name. If the server also has a parsing vulnerability, a malformed file name is enough to run uploaded code. On IIS 6.0, for example, an attacker can upload a file named "alima.asp;.gif"; it looks like a GIF, but IIS 6.0 parses and runs it as an ASP script.
4. Decompression of uploaded archives. Some sites, such as the WordPress and emlog back-ends, accept compressed packages and unpack them automatically after upload, so malicious code placed in a file inside the package is written to disk once the upload is decompressed and can then be run.

Large CMSes with many users tend to be reasonably secure, and vulnerabilities that let a front-end user upload directly and reach arbitrary code execution are rare. When such a vulnerability does exist on the front-end, anyone can upload a webshell to the site.

It is said that phpcms has had this 0day for about a year, but it only became known yesterday.
 
Process Demonstration
First, find a target website built with phpcms and register an account. Go to User Center - Upload Avatar.


First select a normal avatar:


Open Burp Suite, a tool I like very much; it can capture and modify packets. We need to modify the request sent during the upload to bypass the client-side suffix verification.
How to use Burp Suite in detail is not the focus here; students who want to learn it can Google it.
Open Burp Suite, listen on port 8080, then set the browser proxy to localhost:8080. Click "Save Image".
The upload request is then intercepted in Burp Suite:


Everything from "PK" to the end is the image we uploaded. We delete all of it, including "PK".
Then we need to construct a packet containing malicious code. I created a zip package containing a "phi" folder, which holds a webshell, "xm.php", i.e. /phi/xm.php.
Then go back to Burp Suite, right-click at the PK position and choose Paste from file:



Select our compressed package:


Then click Forward to release the packet.
Next, look in the history; you will see a file similar to phpsso_server/uploadfile/avatar/1/1/1/90x90.jpg. This is the upload directory of our avatar.



At this point the upload has already succeeded, and the webshell is at: http://www.xxx.com/phpsso_server/uploadfile/avatar/1/1/1/phi/xm.php
The red part is your avatar upload directory; the blue part is the file structure of your compressed package.
The address is reachable.



The Chopper (China Chopper) webshell client connected successfully; I was not interested in going any further:
Vulnerability principle
Let's explain why a shell can be obtained by constructing such a compressed package.
phpcms handles avatar uploads like this: after the uploaded zip file is decompressed, it deletes the non-image files.
Key code:

    // Store the image data posted by the Flash uploader as a zip file
    $filename = $dir . $this->uid . '.zip';
    file_put_contents($filename, $this->avatardata);

    // At this point the contents of the compressed folder have been written to disk

    // Decompress the file
    pc_base::load_app_class('pclzip', 'phpsso', 0);
    $archive = new PclZip($filename);
    if ($archive->extract(PCLZIP_OPT_PATH, $dir) == 0) {
        die("Error: " . $archive->errorInfo(true));
    }

    // line 568

    // Check file safety: delete the archive and anything that is not a jpg avatar
    $avatararr = array('180x180.jpg', '30x30.jpg', '45x45.jpg', '90x90.jpg');
    if ($handle = opendir($dir)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != '.' && $file != '..') {
                if (!in_array($file, $avatararr)) {
                    // unlink() does nothing to a directory, so its contents are left untouched
                    @unlink($dir . $file);
                } else {
                    $info = @getimagesize($dir . $file);
                    if (!$info || $info[2] != 2) {   // 2 == IMAGETYPE_JPEG
                        @unlink($dir . $file);
                    }
                }
            }
        }
    }


As you can see, the deletion is not recursive and does not remove folders. So as long as the webshell is placed inside a folder in the compressed package, it survives the cleanup.
That is why I created a compressed package containing a phi folder with the small shell xm.php inside it, and uploaded that.
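A hardened version of that cleanup loop, written here as an added example rather than phpcms code: it walks the extracted directory recursively, children first, so a nested file such as phi/xm.php and the phi folder itself are removed, while keeping the original whitelist-plus-getimagesize check for the four avatar files. The function name and its return value are my own choices.

```php
<?php
// Added example, not phpcms code: recursive cleanup of the avatar directory.
// The original loop calls unlink() on every unexpected entry; unlink() fails
// on a directory, so anything the zip placed in a subfolder survives. Here
// every nested file is deleted and the emptied subfolders are removed too.
function clean_avatar_dir(string $dir): array
{
    $allowed = array('180x180.jpg', '30x30.jpg', '45x45.jpg', '90x90.jpg');
    $removed = array();
    // CHILD_FIRST yields a directory's contents before the directory itself,
    // so by the time a folder comes up it is already empty and rmdir() works.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $path = $entry->getPathname();
        if ($entry->isDir() && !$entry->isLink()) {
            // Avatars are flat files; a subdirectory is never legitimate.
            @rmdir($path);
            $removed[] = $path;
            continue;
        }
        // Only the four named files at the top level may stay; nested files,
        // symlinks and everything else (including the .zip itself) go.
        if ($it->getDepth() > 0 || !in_array($entry->getFilename(), $allowed, true)) {
            @unlink($path);
            $removed[] = $path;
            continue;
        }
        // Same content check as the original: the file must decode as a JPEG.
        $info = @getimagesize($path);
        if (!$info || $info[2] !== IMAGETYPE_JPEG) {
            @unlink($path);
            $removed[] = $path;
        }
    }
    return $removed; // paths that were deleted, e.g. for logging
}
```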

Prevent Upload vulnerabilities
First, uploads must be verified on the server. Do not rely on the Content-Type; check the suffix directly. If the suffix is in the whitelist, rename the file and copy it into the website directory, using the whitelisted suffix for the new name. A file can be renamed to, for example, timestamp + random number + .jpg.
Try not to let front-end users upload compressed packages at all. If you must accept one, recursively check the suffix of every file in the package and delete the invalid ones.
Finally, make the upload directory non-executable. Then even if a webshell is uploaded, it cannot run. For example, on a large hacker website I tested, xm.php was uploaded successfully but execution is forbidden:
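The first two recommendations, and the mistakes listed at the top of the article (client-only checks, Content-Type trust, blacklists, original names, blind decompression), as one added example that is not phpcms code: it inspects the uploaded zip entry by entry with PHP's ZipArchive before anything is extracted, and derives the stored file name from a whitelist rather than from the upload. The function names, the allowed-extension list and the naming scheme are my own assumptions.

```php
<?php
// Added example (not phpcms code): validate an uploaded avatar archive before
// extracting anything, and build a safe name for whatever is kept.
// Returns a list of problems; an empty list means every entry is acceptable.
function inspect_avatar_zip(string $zipPath): array
{
    $allowedExt = array('jpg', 'jpeg', 'png', 'gif');
    $problems = array();
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return array('archive cannot be opened');
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Flat, plain names only: one rule rejects "phi/xm.php", "../x" and
        // IIS-style "a.asp;.gif" instead of enumerating each trick.
        if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $name)) {
            $problems[] = "unexpected entry name: $name";
            continue;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowedExt, true)) {
            $problems[] = "extension not in whitelist: $name";
            continue;
        }
        // Check the bytes, not just the name. A valid image can still carry
        // code in its tail, so the rename below and a non-executable upload
        // directory are still needed.
        $data = $zip->getFromIndex($i);
        if ($data === false || @getimagesizefromstring($data) === false) {
            $problems[] = "does not decode as an image: $name";
        }
    }
    $zip->close();
    return $problems;
}

// The stored filename never comes from the user: the extension is taken from
// the whitelist and the name is timestamp + random bytes, as the text
// recommends. Returns null when the original extension is not whitelisted.
function stored_avatar_name(string $originalName): ?string
{
    $map = array('jpg' => 'jpg', 'jpeg' => 'jpg', 'png' => 'png', 'gif' => 'gif');
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($map[$ext])) {
        return null;
    }
    return time() . '_' . bin2hex(random_bytes(8)) . '.' . $map[$ext];
}
```

Only extract when inspect_avatar_zip() returns an empty list; the third recommendation, disabling script execution under the upload directory, is a web server setting and is not shown here.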


Additional: how to find a website using phpcms
I covered this topic in the first two articles. Since we are at the early stage of learning web security, we need plenty of practice, so we have to find some sites to practise on.
phpcms is a large CMS with a great many users, basically tens of thousands of sites, so it is easy to find.
Search Baidu for "powered by phpcms":


When you study, please keep a low profile and don't go too far, or you may be invited for tea. Source: lvtao.net
