### Brief description:

Latest version. This program gets updated really fast. Arbitrary file deletion: deleting status.txt allows the system to be reinstalled directly.

### Detailed description:

[WooYun: Youyax V5.4.1 injection (can change other users' passwords)#4](http://www.wooyun.org/bugs/wooyun-2014-063013)

Let's download the latest version of the program and see how the vendor patched it.

```
public function saveself() {
    $user = $_SESSION['youyax_user'];
    if ($user == "" || $user == null)
        $this->redirect("Index" . C('default_url') . "index" . C('static_url'));
    // The patch: $face is escaped once with addslashes() before it is used in the queries
    $face = addslashes($_POST['face']);
    mysql_query("update " . C('db_prefix') . "user set face='" . $face . "' where user='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "talk set face='" . $face . "' where zuozhe='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "reply set face1='" . $face . "' where zuozhe1='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark2 set pic='" . $face . "' where marker='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark1 set pic='" . $face . "' where marker='" . $user . "'");
}
```

As you can see, $face is escaped once with addslashes, so injection is no longer possible here. The value is then written to the database.

```
| status   | tinyint(1)  | NO |  | NULL |  |
| email    | varchar(50) | NO |  | NULL |  |
| complete | int(4)      | NO |  | NULL |  |
| face     | varchar(50) | NO |  | NULL |  |
```

50 characters is enough.

Arbitrary file deletion when the value is read back from the database. In lib/indexaction.php:

```
public function resize($filename) {
    $user = $_SESSION['youyax_user'];
    if ($user == "" || $user == null)
        $this->redirect("Index" . C('default_url') . "index" . C('static_url'));
    $album = "./Public/pic/upload";
    $filenameall = $album . "/" . $filename;
    // File and new size
    // Content type
    //header('Content-type: image/jpeg');
    // Get new sizes
    list($width, $height) = getimagesize($filenameall);
    list($font, $back) = explode(".", $filename); // get the extension
    if ($width >= $height && $width > 120) {
        $newwidth = 120;
        $newheight = $newwidth * $height / $width;
    } else if ($height >= $width && $height > 120) {
        $newheight = 120;
        $newwidth = $newheight * $width / $height;
    } else {
        $newwidth = $width;
        $newheight = $height;
    }
    // Load
    $thumb = imagecreatetruecolor($newwidth, $newheight);
    switch (strtolower($back)) {
        case 'gif':
            $source = imagecreatefromgif($filenameall);
            imagecopyresized($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
            $name = time() . ".gif";
            imagegif($thumb, $album . "/" . $name);
            break;
        case 'jpg':
        case 'jpeg':
            $source = imagecreatefromjpeg($filenameall);
            imagecopyresized($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
            $name = time() . ".jpg";
            imagejpeg($thumb, $album . "/" . $name);
            break;
        case 'png':
            $source = imagecreatefrompng($filenameall);
            imagesavealpha($source, true);
            imagealphablending($thumb, false);
            imagesavealpha($thumb, true);
            imagecopyresized($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
            $name = time() . ".png";
            imagepng($thumb, $album . "/" . $name);
            break;
        default:
            break;
    }
    $oldface = mysql_fetch_array(mysql_query("select * from " . C('db_prefix') . "user where user='" . $user . "'")); // read back from the database here
    $oldface2 = $oldface['face']; // this is the spot
    mysql_query("update " . C('db_prefix') . "user set face='upload/" . $name . "' where user='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "talk set face='upload/" . $name . "' where zuozhe='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "reply set face1='upload/" . $name . "' where zuozhe1='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark2 set pic='upload/" . $name . "' where marker='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark1 set pic='upload/" . $name . "' where marker='" . $user . "'");
    if (preg_match_all("/upload/", $oldface2, $tmp)) {
        @unlink("./Public/pic/$oldface2");
    }
    @unlink("./Public/pic/upload/$filename");
}
```

```
if (preg_match_all("/upload/", $oldface2, $tmp)) {
    @unlink("./Public/pic/$oldface2");
}
@unlink("./Public/pic/upload/$filename");
```

Here $filename is not controllable, but $oldface2 comes from the database and is controllable. So, to reach

```
if (preg_match_all("/upload/", $oldface2, $tmp)) {
    @unlink("./Public/pic/$oldface2");
```

all that is needed is for $oldface2 to match /upload/, and the unlink is reached. Construct `/../../upload/../install/status.txt`.

### Proof of vulnerability:

![y1.jpg](https://images.seebug.org/upload/201406/07113435709ab55efd21ee1b571695d14b7d04ed.jpg)

Store it in the database, then visit:

![y2.jpg](https://images.seebug.org/upload/201406/07113510546d5fa6b368b73f8b9a39325644184c.jpg)

![y3.jpg](https://images.seebug.org/upload/201406/071136047f80698182b38ed018266a3b2ebf23bb.jpg)

After the deletion, the system can be reinstalled directly.
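As an added example (not Youyax's code), here is how the guard in front of unlink() in resize() could be hardened: allow-list the stored face value to exactly one file name under upload/, then confirm the resolved path still lies inside the upload directory before deleting. The function names and the sample file name are assumptions; the traversal value is the one from the report.

```php
<?php
// Added example, not Youyax code: a hardened replacement for the
// "does the string contain 'upload'?" check that guards unlink() in resize().
// Assumes the page's layout: avatars are stored as "upload/<name>.<ext>" under ./Public/pic.

// Strict allow-list on the stored value: one file name directly under upload/,
// no path separators, no ".." and no dots other than the extension separator.
function isValidFaceValue(string $face): bool
{
    return (bool) preg_match('~^upload/[A-Za-z0-9_-]+\.(gif|jpe?g|png)$~i', $face);
}

// Delete the old avatar only after resolving the real path and confirming
// it is still inside the upload directory (realpath() collapses ".." and symlinks).
function deleteOldFace(string $picDir, string $face): bool
{
    if (!isValidFaceValue($face)) {
        return false;                       // rejected before any file-system call
    }
    $uploadDir = realpath($picDir . '/upload');
    $target    = realpath($picDir . '/' . $face);
    if ($uploadDir === false || $target === false
        || strpos($target, $uploadDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // missing, or resolved outside the upload directory
    }
    return unlink($target);
}

// The original check from resize(), kept for comparison: it only asks whether
// the substring "upload" occurs anywhere in the value.
function originalCheckPasses(string $face): bool
{
    return preg_match_all('/upload/', $face) > 0;
}

$traversal = '/../../upload/../install/status.txt';  // the value from the report
$legit     = 'upload/1401000000.jpg';                // constructed sample name

// The traversal value satisfies the original substring check but not the
// allow-list; the legitimate name satisfies both.
var_dump(originalCheckPasses($traversal), isValidFaceValue($traversal));
var_dump(originalCheckPasses($legit), isValidFaceValue($legit));
// deleteOldFace('./Public/pic', $legit) additionally verifies the resolved path
// before calling unlink(). The same isValidFaceValue() check belongs in saveself(),
// so that an invalid value is never written to the face column in the first place.
```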