攻防世界 weiphp writeup
cms审计 文件上传
1.源码
git泄露 https://git.coding.net/weiphpdev/weiphp5.0.git 拿到源码
2.审计
1.info.php 有phpinfo信息,并且没有关掉debug
2.file.php发现与upload_picture相比没有限制登陆的 文件上传口
/* 文件上传 到根目录 */ public function upload_root() { $return = array( 'status' => 1, 'info' => '上传成功', 'data' => '' ); /* 调用文件上传组件上传文件 */ $File = D('home/File'); $file_driver = strtolower(config('picture_upload_driver')); $setting = array ( 'rootPath' => './' , ); $info = $File->upload($setting, config('picture_upload_driver'), config("upload_{$file_driver}_config")); // $info = $File->upload(config('download_upload'), config('picture_upload_driver'), config("upload_{$file_driver}_config")); /* 记录附件信息 */ if ($info) { $return['status'] = 1; $return = array_merge($info['download'], $return); } else { $return['status'] = 0; $return['info'] = $File->getError(); } /* 返回JSON数据 */ return json_encode($return); }
3.看调用上传的函数具体过滤
function upload_files($setting = '', $driver = '', $config = '', $type = 'picture', $isTest = false) { $return['msg'] = ''; $files = request()->file(); // dump($_FILES); // dump($files);//dump($rr); if (empty($files) || count($files) <= 0) { $return['msg'] = '找不到上传文件'; } if ($return['msg'] != '') { return $return; } $key = key($files); $file = isset($files[$key]) ? $files[$key] : []; $rootpath = './uploads/' . $type . '/'; $saveName = time_format(time(), 'Ymd') . '/' . uniqid(); if (isset($setting['rootPath'])) { unset($setting['rootPath']); } // 检测上传根目录 if (empty($return['msg'])) { if (!is_dir($rootpath) && function_exists('mkdirs')) { mkdirs($rootpath); } if (!(is_dir($rootpath) && is_writable($rootpath))) { $return['msg'] = '上传根目录不存在!请尝试手动创建:' . $rootpath; } } if (empty($return['msg'])) { //判断扩展名是不是php,不支持上传php文件 $info = $file->getInfo(); $info = pathinfo($info['name']); if (strtolower($info['extension']) == 'php') { $return['msg'] = '不支持上传该文件类型'; $return['code'] = 0; $redata[$key] = $return; return $redata; } $checkRule = []; if ($type == 'picture') { //图片扩展名验证 ,图片大小不超过20M $checkRule['ext'] = 'gif,jpg,jpeg,png,bmp'; $checkRule['size'] = 20971520; } else { $allowExt = input('allow_file_ext', ''); if ($allowExt != '') { $checkRule['ext'] = $allowExt; } $allowSize = input('allow_file_maxsize', ''); if ($allowSize > 0) { $checkRule['size'] = $allowSize; } } $info = $file->isTest($isTest) ->rule('uniqid') ->validate($checkRule) ->move($rootpath, DIRECTORY_SEPARATOR . $saveName); if ($info) { $return['mime'] = $info->getMime(); $return['name'] = $info->getFilename(); $return['key'] = $key; $return['ext'] = $info->getExtension(); $return['savename'] = str_replace('\\', '/', $info->getSaveName()); $return['md5'] = $info->md5(); $return['sha1'] = $info->sha1(); $return['code'] = 1; $of = $info->getInfo(); isset($of['name']) || $of['name'] = $return['name']; $return['old_name'] = $of['name']; $return['size'] = isset($of['size']) ? $of['size'] : 0; $return['rootPath'] = $rootpath; } else { $return['msg'] = $file->getError(); $return['code'] = 0; } } $redata[$key] = $return; return $redata; }
过滤掉了php上传后缀,但是
$allowExt = input('allow_file_ext', ''); if ($allowExt != '') { $checkRule['ext'] = $allowExt; }
我们可以修改允许上传的后缀。
来自非洲的欧提大人
