A typical website intrusion path is to log in to the admin back end and upload a webshell. This article analyzes how the upload restrictions of iwebshop can be broken through by uploading an image file that carries a Trojan (a PHP webshell).
1. Find an upload location:
When we find the upload point, the first thing we think of is uploading the webshell directly. Unfortunately, iwebshop uses the swfupload component for uploads, and this component restricts the file types that can be selected, so a PHP file cannot be uploaded directly. (A proxy tool such as Burp Suite could also be used to modify the upload request after the client-side filter; that route was not tried here, but the server-side code analyzed below is what actually decides whether a file is accepted.)
2. Analyze the code to break through the restriction:
Locate the goods_img_upload() function in the file
/Iwebshop/controllers/goods.php (source)
This function collects the information about the uploaded image file and its thumbnail, then instantiates a PhotoUpload object and calls its run method.
/Iwebshop/classes/photoupload.php (source)
The important part is the call to the execute function of IUpload, which is where the upload logic is actually processed.
/Iwebshop/lib/core/util/upload_class.php (source)
This is where the uploaded file is checked. The key point is the getFileType function, which inspects the uploaded file; if its check passes (the file is judged to be an image), the upload succeeds. Let's see how it performs the check.
/Iwebshop/lib/core/util/File_class.php (source)
Obviously, this application only reads the first two bytes of the file with PHP's unpack() and compares the result against the known image signatures to decide the file type (see the PHP manual for unpack). Since nothing beyond the signature is inspected, we can upload a JPG image Trojan (a valid JPEG header followed by PHP code) to bypass the restriction and obtain a webshell.
The structure of the JPG image Trojan is very simple. First prepare an image 1.jpg and a PHP file containing a one-sentence Trojan, then use the following statement:
This generates a Trojan named 2.jpg.
We can use vim to view the hexadecimal content of the image (for example with :%!xxd):
File Header:
File tail:
We can see that the file header still identifies this as a JPEG (the FF D8 signature), and the Trojan is appended at the end of the file.
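As an added example (editor's code, not from the article or the iwebshop source), the following Python reproduces the weak two-byte signature check and the way 2.jpg is assembled. The JPEG bytes, the function names and the placeholder payload are constructed for this illustration; the payload is a harmless echo standing in for the one-sentence Trojan, since the check never looks at it.

```python
import struct
from typing import Optional

# Constructed minimal JPEG (not a real photo): SOI, an APP0/JFIF segment, EOI.
# A real image carries many more segments, but only the first bytes matter here.
JPEG_STUB = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    b"\xff\xd9"                                                      # EOI
)

# Benign placeholder standing in for the one-sentence Trojan (assumption: the check
# never inspects it, so its content is irrelevant to the bypass).
PHP_PAYLOAD = b"<?php echo 'appended'; ?>"

# Signature table keyed on the first two bytes, the same idea as comparing the
# bytes returned by PHP's unpack() against a list of known image headers.
MAGIC = {
    (0xFF, 0xD8): "jpg",
    (0x89, 0x50): "png",
    (0x47, 0x49): "gif",
    (0x42, 0x4D): "bmp",
}


def weak_file_type(data: bytes) -> Optional[str]:
    """Reproduce the weak check: classify a file solely by its first two bytes."""
    if len(data) < 2:
        return None
    return MAGIC.get(struct.unpack(">BB", data[:2]))


def make_image_trojan(image: bytes, payload: bytes) -> bytes:
    """Equivalent of concatenating 1.jpg and the PHP file into 2.jpg."""
    return image + payload


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes the way a hex viewer such as vim's xxd filter shows them."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    trojan = make_image_trojan(JPEG_STUB, PHP_PAYLOAD)
    print("weak check says:", weak_file_type(trojan))   # jpg
    print("File header:\n" + hexdump(trojan[:16]))
    print("File tail:\n" + hexdump(trojan[-32:]))
```

Running it reports "jpg" for the polyglot and prints a header dump beginning with ff d8 and a tail dump ending with the PHP tag, the same picture the vim view above gives. Any file that starts with a valid signature passes, so the check only proves what the first two bytes are, not that the rest of the file is an image.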
Now upload 2.jpg to the server and find the location where the image is stored:
Connect to it with a kitchen knife (the China Chopper webshell client):
The one-sentence Trojan is connected successfully.
Summary:
This vulnerability is caused by the lack of a proper content check on uploaded files: checking only the file header is easy to implement and just as easy to bypass. Upload handling is an important part of web application security, and there are many ways to evade or confuse a weak check. We also want to emphasize that the security of the back end (admin area) matters as much as that of the front end; a weak back end often gives attackers their opportunity.
Suggestion:
Check the actual content of image files, and use the existing rendering and secondary-rendering (re-encoding) techniques, for example re-rendering the upload through an image library and keeping only the re-rendered result, to confirm that the file really is an image.
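As an added example of the content check suggested above (editor's code, not iwebshop's), the following Python walks the JPEG marker structure and rejects a file that has bytes after the EOI marker or a PHP open tag anywhere inside it. The sample bytes (a minimal JPEG, the same file with PHP appended as in 2.jpg, and a variant with the PHP hidden in a COM segment) and all function names are constructed for this illustration.

```python
from typing import Optional, Tuple

# Constructed samples, not real photographs.
# CLEAN_JPEG: SOI, APP0/JFIF, a tiny SOS whose scan data contains a stuffed 0xFF00, EOI.
CLEAN_JPEG = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, length 8
    b"\x12\x34\xff\x00\x56"                                          # entropy-coded data
    b"\xff\xd9"                                                      # EOI
)
PHP_PAYLOAD = b"<?php echo 'appended'; ?>"   # benign stand-in for a one-sentence Trojan
# The 2.jpg layout from the article: PHP appended after EOI.
TRAILING_TROJAN = CLEAN_JPEG + PHP_PAYLOAD
# A variant the trailing-data rule alone misses: the same PHP inside a COM segment
# placed before the scan, so the file still ends cleanly with EOI.
COMMENT_TROJAN = (
    CLEAN_JPEG[:20]
    + b"\xff\xfe" + (len(PHP_PAYLOAD) + 2).to_bytes(2, "big") + PHP_PAYLOAD
    + CLEAN_JPEG[20:]
)

STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))   # TEM, SOI, RSTn carry no length field


def jpeg_structure_error(data: bytes) -> Optional[str]:
    """Walk the marker segments. Return None for a single well-formed SOI..EOI stream,
    otherwise a short description of what is wrong (including trailing bytes)."""
    if data[:2] != b"\xff\xd8":
        return "missing SOI marker"
    pos = 2
    while True:
        if pos + 2 > len(data):
            return "truncated before EOI"
        if data[pos] != 0xFF:
            return f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte, the marker continues
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:              # EOI: nothing may follow it
            if pos != len(data):
                return f"{len(data) - pos} trailing bytes after EOI"
            return None
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return "truncated segment length"
        seglen = int.from_bytes(data[pos:pos + 2], "big")
        if seglen < 2 or pos + seglen > len(data):
            return f"bad length {seglen} for marker 0x{marker:02X}"
        pos += seglen
        if marker == 0xDA:              # SOS: skip entropy-coded data to the next real marker
            while True:
                if pos + 1 >= len(data):
                    return "truncated scan data"
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1


def contains_php(data: bytes) -> bool:
    """Cheap content scan for PHP open tags anywhere in the file (comment segments,
    EXIF blobs, trailing data). A bare '<?' is too noisy to match in binary data."""
    return b"<?php" in data.lower() or b"<?=" in data


def accept_image(data: bytes) -> Tuple[bool, str]:
    """Decision an upload handler would make: both checks must pass."""
    err = jpeg_structure_error(data)
    if err:
        return False, err
    if contains_php(data):
        return False, "PHP code embedded in image"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_JPEG), ("trailing", TRAILING_TROJAN),
                       ("comment", COMMENT_TROJAN)]:
        print(f"{name:9s} first two bytes {blob[:2].hex()} -> {accept_image(blob)}")
```

All three samples begin with ff d8, so the two-byte check accepts every one of them; the structural walk rejects the article's 2.jpg layout because of the bytes after EOI, and the content scan rejects the comment-segment variant. Re-rendering with an image library (for example GD's imagecreatefromjpeg followed by imagejpeg in PHP) is the stronger fix, because the re-encoded output contains only pixel data and drops comments, EXIF blobs and trailing bytes alike. Storing uploads under a server-generated name in a directory the web server never executes as PHP limits the damage even when a check is fooled.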