Destoon 任意文件读取

技术 作者:HackerEye 2018-08-24 09:07:42
  1. 发布时间:2016-08-29
  2. 公开时间:N/A
  3. 漏洞类型:变量覆盖
  4. 危害等级:高
  5. 漏洞编号:xianzhi-2016-08-42442070
  6. 测试版本:N/A

漏洞详情

include/remote.class.php
function construct($file, $savepath, $savename = '') {
        global $DT, $_userid;
        $this->file = strip_sql($file, 0);
        $this->userid = $_userid;
        $this->ext = file_ext($file);
        in_array($this->ext, array('jpg', 'jpeg', 'gif', 'png', 'bmp')) or $this->ext = 'jpg';
        $this->maxsize = $DT['uploadsize'] ? $DT['uploadsize']1024 : 20481024;
        $this->savepath = $savepath;
        $this->savename = $savename;
    }
    function remote($file, $savepath, $savename = '') {
        $this->construct($file, $savepath, $savename);
    }
    function save() {
        include load('include.lang');
        if(!$this->isallow()) return $this->($L['uploadnot_allow']);
        $this->set_savepath($this->savepath);
        $this->set_savename($this->savename);
        if(file_copy($this->file, DT_ROOT.'/'.$this->saveto)) {
            if(!@getimagesize(DT_ROOT.'/'.$this->saveto)) {
                file_del(DT_ROOT.'/'.$this->saveto);
                return $this->($L['uploadbad']);
            }
            if($this->maxsize > 0 && filesize(DT_ROOT.'/'.$this->saveto) > $this->maxsize) {
                file_del(DT_ROOT.'/'.$this->saveto);
                return $this->($L['uploadsize_limit'].' ('.intval($this->maxsize/1024).'Kb)');
            }
            $this->image = 1;
            return true;
        } else {
            return $this->($L['uploadfailed']);
        }
    }
upload.php 行69
if($remote && strlen($remote) > 17 && strpos($remote, '://') !== false) {
    require DT_ROOT.'/include/remote.class.php';
    $do = new remote($remote, $uploaddir);
$remote可以随意提交 只要长度大于17且包含:// 就进入远程下载 虽然远程下载逻辑中判断了文件的格式,非法格式一律当作jpg来保存,防止了getshell 但是并没有对来源做限制 通过file://协议 就能任意读取本地文件 文件保存后有一个是否为图像文件的检查 如果不是就直接删除,这里可以用条件竞争来赶在文件删除前读取数据,当然 前提是要知道文件名 再来看看保存的文件名是如何定义的 remote.class.php 行68
function set_savename($savename) {
        global $DT_TIME;
        if($savename) {
            $this->savename = $this->adduserid ? str_replace('.'.$this->ext, $this->userid.'.'.$this->ext, $savename) : $savename;
        } else {
            $this->uptime = $DT_TIME;
            $name = date('His', $this->uptime).rand(10, 99);
            $this->savename = $this->adduserid ? $name.$this->userid.'.'.$this->ext : $name.'.'.$this->ext;
        }
        $this->saveto = $this->savepath.$this->savename;        
        if(!$this->overwrite && is_file(DT_ROOT.'/'.$this->saveto)) {
            $i = 1;
            while($i) {
                $saveto = str_replace('.'.$this->ext, '('.$i.').'.$this->ext, $this->saveto);
                if(is_file(DT_ROOT.'/'.$saveto)) {
                    $i++;
                    continue; 
                } else {
                    $this->saveto = $saveto; 
                    break;
                }
            }
        }
    }
在remote过程中 并没有初始化$savename 所以进入else逻辑 文件名就是 时间+两位数字+uid 还是比较弱的
作者:索马里的乌贼 链接:https://www.jianshu.com/p/9450adf28aa0

关注公众号:拾黑(shiheibook)了解更多

[广告]赞助链接:

四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
让资讯触达的更精准有趣:https://www.0xu.cn/

公众号 关注网络尖刀微信公众号
随时掌握互联网精彩
赞助链接