### Brief description: Backend file-filter bypass allows uploading a webshell

### Detailed description:

`system/libs/upload.class.php` is the core upload validation file:

```php
public function upload_process(){
    $num = count($_FILES[ $this->upload_form_field ]['name']);
    for ($key = 0; $key < $num; $key++) {
        $this->_clean_paths();
        // build the storage path
        $save_path = $this->out_save_dir."uploadfile/".$this->upload_folder."/";
        if (!file_exists($save_path)) {
            mkdir($save_path);
        }
        $ymd = date("Ymd");
        $save_path .= $ymd;
        if (!file_exists($save_path)) {
            mkdir($save_path);
        }
        $this->out_file_dir = $save_path;
        // start reading the uploaded file
        if ( ! function_exists( 'getimagesize' ) ) {
            $this->image_check = 0;
        }
        $FILE_NAME = isset($_FILES[ $this->upload_form_field ]['name'][$key]) ? $_FILES[ $this->upload_form_field ]['name'][$key] : '';
        $FILE_SIZE = isset($_FILES[ $this->upload_form_field ]['size'][$key]) ? $_FILES[ $this->upload_form_field ]['size'][$key] : '';
        $FILE_TYPE = isset($_FILES[ $this->upload_form_field ]['type'][$key]) ? $_FILES[ $this->upload_form_field ]['type'][$key] : '';
        $FILE_TYPE = preg_replace( "/^(.+?);.*$/", "\\1", $FILE_TYPE );
        // check for upload errors
        if ( !isset($_FILES[ $this->upload_form_field ]['name'][$key])
            or $_FILES[ $this->upload_form_field ]['name'][$key] == ""
            or !$_FILES[ $this->upload_form_field ]['name'][$key]
            or !$_FILES[ $this->upload_form_field ]['size'][$key]
            or ($_FILES[ $this->upload_form_field ]['name'][$key] == "none") ) {
            $this->error_no = 1;
            return;
        }
        ………………
        if ( $this->make_script_safe ) {
            if ( preg_match( "/\.(cgi|pl|js|asp|php|html|htm|jsp|jar)(\.|$)/i", $FILE_NAME ) ) {
                $FILE_TYPE = 'text/plain';
                $this->file_extension = 'txt';
                $this->parsed_file_name = preg_replace( "/\.(cgi|pl|js|asp|php|html|htm|jsp|jar)(\.|$)/i", "$2", $this->parsed_file_name );
                $renamed = 1;
            }
        }
```

The vulnerability lies in the code above. The filter is clearly flawed: the blocklist regex only matches when the dangerous extension is followed by a dot or the end of the string, so submitting `php` followed by a space bypasses it, and other script extensions can be submitted the same way. See the proof of vulnerability below.

### Proof of vulnerability:

[![1.jpg](https://images.seebug.org/upload/201406/13111447bec421fc44dfea6e5f8765bd95d3554c.jpg)](https://images.seebug.org/upload/201406/13111447bec421fc44dfea6e5f8765bd95d3554c.jpg)

[![2.jpg](https://images.seebug.org/upload/201406/13111433eb0c0ba323e71bf8ec37f12320a923aa.jpg)](https://images.seebug.org/upload/201406/13111433eb0c0ba323e71bf8ec37f12320a923aa.jpg)

Capture the request and change `type` to 1 to make sure the file-upload branch is taken.

[![3.jpg](https://images.seebug.org/upload/201406/13111340aa039d51b4a8b1222ae6ee8a29067517.jpg)](https://images.seebug.org/upload/201406/13111340aa039d51b4a8b1222ae6ee8a29067517.jpg)

[![4.jpg](https://images.seebug.org/upload/201406/131112255b455fb9e5014befaf47448308983dc3.jpg)](https://images.seebug.org/upload/201406/131112255b455fb9e5014befaf47448308983dc3.jpg)

[![5.jpg](https://images.seebug.org/upload/201406/13111124783d47b3af4418c2aaf3e8e14d5f9f75.jpg)](https://images.seebug.org/upload/201406/13111124783d47b3af4418c2aaf3e8e14d5f9f75.jpg)
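The following is an added example, not code from the report or from the affected project. It places the blocklist regex quoted above (copied verbatim) next to an allowlist-based replacement, and runs both over a few constructed filenames to show why the trailing-space variant slips past the original check and why a blocklist on the client-supplied name is the wrong tool. The function names, the `$allowed` list and the sample filenames are assumptions made for this illustration; the hardened version also generates the stored name on the server so the uploaded name never reaches the filesystem.

```php
<?php
// Added example (not the project's code): the vulnerable extension filter from
// upload.class.php beside an allowlist-based replacement.

// Blocklist regex exactly as it appears in the vulnerable upload_process().
const BLOCKED_SCRIPT_RE = '/\.(cgi|pl|js|asp|php|html|htm|jsp|jar)(\.|$)/i';

/**
 * The original check: true when the filename would be renamed to .txt.
 * It only fires when the listed extension is followed by "." or the end of
 * the string, so a name such as "shell.php " (trailing space) is not caught.
 */
function original_filter_catches(string $fileName): bool
{
    return (bool) preg_match(BLOCKED_SCRIPT_RE, $fileName);
}

/**
 * Hardened replacement (assumption: the endpoint only needs to accept the
 * types in $allowed). Never trust the client-supplied name: drop directory
 * parts, strip trailing whitespace/dots/NULs, require exactly one extension
 * made of [A-Za-z0-9], and compare it against an allowlist. Anything else is
 * rejected outright rather than renamed. The stored name is random, so the
 * original name cannot influence what is written to disk.
 */
function safe_upload_name(string $fileName, array $allowed = ['jpg', 'jpeg', 'png', 'gif']): ?string
{
    $base = basename(str_replace('\\', '/', $fileName)); // remove path components
    $base = rtrim($base, " .\t\r\n\0");                   // "shell.php " -> "shell.php"
    // One extension only: "a.php.jpg" and names containing odd bytes are rejected.
    if ($base === '' || !preg_match('/^[^.]+\.([A-Za-z0-9]+)$/', $base, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, $allowed, true)) {
        return null; // not on the allowlist: reject, do not rename
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names for the comparison.
$samples = ["shell.php", "shell.php ", "image.jpg", "a.php.jpg", "photo.PNG"];
foreach ($samples as $s) {
    printf(
        "%-14s original filter: %-8s hardened: %s\n",
        json_encode($s),
        original_filter_catches($s) ? 'renamed' : 'PASSES',
        safe_upload_name($s) ?? 'rejected'
    );
}
```

Running it shows `"shell.php "` passing the original filter untouched while every `.php` variant is rejected by the allowlist version; only `image.jpg` and `photo.PNG` receive a server-generated name. The point for defenders is that the fix is not a longer blocklist regex but an allowlist over a normalized, single extension plus a server-chosen filename.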