3. 漏洞影响范围
4. 漏洞代码分析
从/plus/recommand.php开始逐步分析
require_once(dirname(__FILE__)."/include/common.inc.php");
..
/include/common.inc.php
..
function _RunMagicQuotes(&$svar)
{
if(!get_magic_quotes_gpc())
{
if( is_array($svar) )
{
foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
}
else
{
if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#',$svar) )
{
exit('Request var not allow!');
}
$svar = addslashes($svar);
}
}
return $svar;
}
..
只要提交的URL中不包含cfg_|GLOBALS|_GET|_POST|_COOKIE,即可通过检查,_FILES[type][tmp_name]被带入引发漏洞的入口点在/include/uploadsafe.inc.php
..
//转换上传的文件相关的变量及安全处理、并引用前台通用的上传函数
if($_FILES)
{
require_once(DEDEINC.'/uploadsafe.inc.php');
}
..
/include/uploadsafe.inc.php
..
//URL参数中的_FILES[type][tmp_name],$_key为type,$$_key即为$type,从而导致了$type变量的覆盖
$$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\","\\",$_FILES[$_key]['tmp_name']);
${$_key.'_name'} = $_FILES[$_key]['name'];
${$_key.'_type'} = $_FILES[$_key]['type'] = eregi_replace('[^0-9a-z\./]','',$_FILES[$_key]['type']);
${$_key.'_size'} = $_FILES[$_key]['size'] = ereg_replace('[^0-9]','',$_FILES[$_key]['size']);
..
/plus/recommand.php
//读取文档信息
if($action=='')
{
if($type=='sys'){
//读取文档信息
$arcRow = GetOneArchive($aid);
if($arcRow['aid']=='')
{
ShowMsg("无法把未知文档推荐给好友!","-1");
exit();
}
extract($arcRow, EXTR_OVERWRITE);
}
else
{
//注入语句被带入数据库查询,
$arcRow=$dsql->GetOne("SELECT s.*,t.* FROM `detest_member_stow` AS s LEFT JOIN `detest_member_stowtype` AS t ON s.type=t.stowname WHERE s.aid='$aid' AND s.type='$type'");
if(!is_array($arcRow)){
ShowMsg("无法把未知文档推荐给好友!","-1");
exit();
}
$arcRow['arcurl']=$arcRow['indexurl']."=".$arcRow['aid'];
extract($arcRow, EXTR_OVERWRITE);
}
}
5. 防御方法
/include/uploadsafe.inc.php
/* */ //$$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\","\\",$_FILES[$_key]['tmp_name']); $$_key = $_FILES[$_key]['tmp_name']; /* */ ${$_key.'_name'} = $_FILES[$_key]['name']; ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']); if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) { if(!defined('DEDEADMIN')) { exit('Not Admin Upload filetype not allow !'); } } if(empty(${$_key.'_size'})) { ${$_key.'_size'} = @filesize($$_key); } /* 限制上传文件类型 */ $imtypes = array ( "image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp" ); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } } /* */ 文件/include/uploadsafe.inc.php。 有2个地方: 1、搜索 ${$_key.'_size'} = @filesize($$_key); }(大概在42,43行左右) 替换成 ${$_key.'_size'} = @filesize($$_key); } $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } } 2、搜索 $image_dd = @getimagesize($$_key);(大概在53行左右) 替换成 $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } 老规矩大红色地方标记了修改的地方,然后保存,接着备份原文件,比如文件名变为uploadsafe.inc.php.16.08.09.bak。然后上传修改好的文件即可。
查看更多关于dedecms上传漏洞uploadsafe.inc.php 整理的详细内容...