0x00 Preface
It is said that when one person's happiness is shared, it becomes two people's happiness. I don't think that is necessarily so: if the one sharing and the one being shared with are rivals, and the reason for the happiness is ... haha, never mind, we all understand;
But if a skill is shared, I believe the beneficiaries are certainly far more than two, so what we should learn to do is share!
Today I will briefly talk about file upload vulnerabilities caused by logic flaws, as found during vulnerability hunting.
Tip: traditional MIME checks, client-side JS validation, blacklist validation, parser vulnerabilities and the like are relatively simple and are outside the scope of this discussion.
0x01 Programmers' mistaken understanding of some common functions
These functions include empty(), isset(), strpos(), rename() and so on. Take the following code (excerpted from the UF ICC software):
<?php
if ($operateId == 1) {
    $date = date("Ymd");
    $dest = $CONFIG->basepath . "data/files/" . $date . "/";
    $COMMON->createdir($dest);
    if (!is_dir($dest)) {
        mkdir($dest, 0777);
    }
    $nameExt = strtolower($COMMON->getfileextname($_FILES['Filedata']['name']));
    $allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
    if (!in_array($nameExt, $allowedType)) {
        $msg = 0;                       // intended to mean "extension rejected"
    }
    if (empty($msg)) {                  // $msg is unset (allowed) or 0 (rejected): both are "empty"
        $filename = getmicrotime() . '.' . $nameExt;
        $file_url = urlencode($CONFIG->baseurl . 'data/files/' . $date . "/" . $filename);
        $filename = $dest . $filename;
        if (empty($_FILES['Filedata']['error'])) {
            move_uploaded_file($_FILES['Filedata']['tmp_name'], $filename);
        }
        if (file_exists($filename)) {
            //$msg = 1;
            $msg = $file_url;
            @chmod($filename, 0444);
        } else {
            $msg = 0;
        }
    }
    $OUTMSG = "fileurl=" . $msg;
    $_SESSION["eoutmsg"] = $OUTMSG;
    exit;
}
Look at the code above: for the upload to succeed, if (empty($msg)) must be true so that execution enters the if branch. Next, let's see when the empty() function returns true, according to the PHP manual:
Obviously, "", 0, "0", NULL, FALSE, array(), a variable declared without a value (var $var;), and objects without any properties are all considered empty, and empty() returns true for them. Very good. Now let's look back at a few lines of the code:
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
if (!in_array($nameExt, $allowedType)) {
    $msg = 0;
}
See? Even if we upload a file like shell.php, and the program's security check assigns $msg the value 0, empty($msg) still returns true, so this logic flaw lets shell.php be uploaded successfully.
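As an added example (not code from the page or from the UF ICC software), here is the extension gate above reduced to a function that reproduces the flaw, beside a corrected version that uses an explicit boolean instead of the 0 sentinel; pathinfo() is assumed to stand in for the unknown $COMMON->getfileextname() helper:

```php
<?php
// Added example, not the UF ICC code. pathinfo() is assumed to behave like
// the original $COMMON->getfileextname() helper for the purpose of this demo.

$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');

// Reproduces the original gate: a failed check stores 0 in $msg, but
// empty(0) is true, so the "allowed" branch runs anyway.
function isAllowedFlawed(string $filename, array $allowed): bool
{
    $nameExt = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($nameExt, $allowed)) {
        $msg = 0;            // intended to mean "rejected"
    }
    return empty($msg);      // true when $msg is unset AND when $msg === 0
}

// Corrected gate: an explicit boolean result, a strict in_array(), and an
// empty extension treated as a failure rather than as "nothing to check".
function isAllowedFixed(string $filename, array $allowed): bool
{
    $nameExt = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($nameExt === '') {
        return false;
    }
    return in_array($nameExt, $allowed, true);
}

// Why 0 is the wrong sentinel: every one of these values reads as "empty".
foreach ([0, '0', '', null, false, []] as $sentinel) {
    printf("empty(%s) = %s\n", json_encode($sentinel),
        var_export(empty($sentinel), true));
}

// Constructed file names run through both gates side by side.
foreach (['photo.jpg', 'shell.php', 'shell', 'SHELL.PHP'] as $name) {
    printf("%-10s flawed=%-5s fixed=%s\n", $name,
        var_export(isAllowedFlawed($name, $allowedType), true),
        var_export(isAllowedFixed($name, $allowedType), true));
}
```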
For details, see the vulnerability case:
http://www.wooyun.org/bugs/wooyun-2010-04685
0x02 Programmers' incorrect use of some common functions
These functions include iconv(), copy() and so on. Take the following code (excerpted from Sitestar):
<?php
public function img_create()
{
    $file_info =& ParamHolder::get('img_name', array(), PS_FILES);
    if ($file_info['error'] > 0) {
        Notice::set('mod_marquee/msg', __('Invalid post file data!'));
        Content::redirect(Html::uriquery('mod_tool', 'upload_img'));
    }
    // Extension check runs here, on the name as received from the client
    if (!preg_match('/\.' . PIC_ALLOW_EXT . '$/i', $file_info["name"])) {
        Notice::set('mod_marquee/msg', __('File Type error!'));
        Content::redirect(Html::uriquery('mod_marquee', 'upload_img'));
    }
    if (file_exists(ROOT . '/upload/image/' . $file_info["name"])) {
        $file_info["name"] = Toolkit::randomstr(8) . strrchr($file_info["name"], ".");
    }
    if (!$this->_savelinkimg($file_info)) {
        Notice::set('mod_marquee/msg', __('Link image upload failed!'));
        Content::redirect(Html::uriquery('mod_marquee', 'upload_img'));
    }
    // ...
}

private function _savelinkimg($struct_file)
{
    // The name is transcoded only now, after the check above has already passed
    $struct_file['name'] = iconv("UTF-8", "gb2312", $struct_file['name']);
    move_uploaded_file($struct_file['tmp_name'], ROOT . '/upload/image/' . $struct_file['name']);
    return ParamParser::fire_virus(ROOT . '/upload/image/' . $struct_file['name']);
}
Look at this code: the logic of img_create() is tight and the security check is properly in place. The problem is in _savelinkimg(): the programmer wrongly runs the filename through iconv() just before saving the file. Why is that wrong? Because iconv() may truncate the string during transcoding:
During iconv transcoding from UTF-8 to GB2312 (the same problem exists for some other conversions between encodings), the string can be truncated. For example, with $filename = "shell.php(hex).jpg",
where (hex) is a single byte in the range 0x80-0x99, the filename becomes $filename = "shell.php" after iconv transcoding.
So after iconv, $struct_file['name'] is shell.php, and this logic flaw lets shell.php be uploaded successfully (if the uploaded filename is shell.php{%80-%99}.jpg).
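As an added example (not Sitestar's code), here is the check moved to where it belongs: onto the string that will actually be passed to move_uploaded_file(), after transcoding, with invalid UTF-8 and a failed conversion both treated as rejections. PIC_ALLOW_EXT is defined here by assumption, and the mbstring and iconv extensions are assumed to be loaded:

```php
<?php
// Added example, not Sitestar's code. PIC_ALLOW_EXT is an assumed value
// standing in for the application's own constant.
define('PIC_ALLOW_EXT', '(jpg|jpeg|gif|png|bmp)');

// Returns the basename to store, or null if the upload must be refused.
// The extension test runs on the transcoded string, i.e. the one that will
// be handed to move_uploaded_file(), not on the string the client sent.
function storedImageName(string $clientName): ?string
{
    // 1. Bytes that are not valid UTF-8 (such as a lone 0x80..0x99) are
    //    rejected before any transcoding can alter the name.
    if (!mb_check_encoding($clientName, 'UTF-8')) {
        return null;
    }
    // 2. iconv() returns false when it cannot convert; treat that as failure.
    $converted = @iconv('UTF-8', 'GB2312', $clientName);
    if ($converted === false || $converted === '') {
        return null;
    }
    // 3. Re-validate the converted name: no path separators, no NUL byte,
    //    and the extension allow-list applied to the final string.
    if ($converted !== basename($converted) || strpos($converted, "\0") !== false) {
        return null;
    }
    if (!preg_match('/\.' . PIC_ALLOW_EXT . '$/i', $converted)) {
        return null;
    }
    return $converted;
}

// Constructed inputs: a normal name, the truncation pattern from the text,
// and a valid UTF-8 name containing a character GB2312 cannot represent.
$samples = [
    'picture.jpg',
    "shell.php\x80.jpg",
    "shell.php\xf0\x9f\x98\x80.jpg",   // U+1F600, outside GB2312
];
foreach ($samples as $name) {
    $stored = storedImageName($name);
    printf("%-32s -> %s\n", addcslashes($name, "\0..\37\177..\377"),
        $stored === null ? 'rejected' : 'stored as ' . $stored);
}
```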
For details, see the vulnerability case:
http://www.wooyun.org/bugs/wooyun-2010-048293
0x03 A classic historical bug breaks out again
Race condition vulnerabilities, a classic kind of historical vulnerability that had gradually faded from view, have broken out again.
Look at the following code (excerpted from a VPN system):
<?php
if ($_POST['realfile']) {
    copy($_POST['realfile'], $_POST['path']);   // client chooses both source and destination
}
$file = mb_convert_encoding($_POST['file'], "GBK", "UTF-8");
header("Pragma:");
header("Cache-Control:");
header("Content-Type: application/octet-stream");
header("Content-Length: " . filesize($_POST['path']));
header("Content-Disposition: attachment; filename=\"$file\"");
readfile($_POST['path']);
if ($_POST['realfile']) {
    unlink($_POST['path']);                      // the copy exists on disk until this line runs
}
?>
On the surface, the logic of the code above looks like this (from an attacker's point of view):
copy() writes realfile as shell.php -> shell.php is deleted
It does not seem useful at first, but on closer thought this code does have a logic problem: between copy() and unlink() the written file exists on disk and can be requested, so this logic flaw can be used to get a shell.
Specific exploitation method:
copy into temp.php -> request temp.php continuously -> temp.php writes shell.php -> temp.php is deleted
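As an added example (not the VPN system's code), here is the download handler rewritten so that the client may name a file but never its source or destination path, and nothing is copied into the web root, so there is no window between copy() and unlink() in which a written file is reachable. DOWNLOAD_ROOT is an assumed directory that the web server does not serve directly:

```php
<?php
// Added example, not the VPN system's code. DOWNLOAD_ROOT is an assumed
// directory outside the web root.
define('DOWNLOAD_ROOT', '/var/app/downloads');

// Map a client-supplied name onto a file inside DOWNLOAD_ROOT, or return null.
// Only the basename is honoured, and realpath() must stay under the root.
function resolveDownload(string $requested): ?string
{
    $root = realpath(DOWNLOAD_ROOT);
    if ($root === false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . basename($requested);
    $path = realpath($candidate);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;           // symlink pointing outside the root
    }
    return $path;
}

// Stream the file straight from its permanent location: nothing is copied
// into the web root, so nothing needs to be deleted afterwards.
function sendDownload(string $requested, string $displayName): bool
{
    $path = resolveDownload($requested);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    // Keep the display name free of quotes and line breaks; the UTF-8 form
    // goes in filename* for clients that understand RFC 6266.
    $ascii = preg_replace('/[^A-Za-z0-9._-]/', '_', $displayName);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $ascii
        . '"; filename*=UTF-8\'\'' . rawurlencode($displayName));
    readfile($path);
    return true;
}

// Example use with constructed query parameters: ?file=report.pdf&name=报告.pdf
sendDownload($_GET['file'] ?? '', $_GET['name'] ?? 'download');
```

If a temporary copy is genuinely required, create it with tempnam() outside the web root and remove it in a finally block, so the client never controls where it is written.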
For details, see the vulnerability cases:
http://www.wooyun.org/bugs/wooyun-2010-048202
http://www.wooyun.org/bugs/wooyun-2010-049794
Mining logic-flaw upload vulnerabilities in code audits