bluecms v1.0 图片上传绕过漏洞

BlueCMS(地方分类信息门户专用CMS系统) include/upload.class.php发现，只是检测了文件头，没有检测后缀. ...... class upload { private $allow_image_type = array('image/jpg', 'image/gif', 'image/png', 'image/pjpeg'); ...... function img_upload($file, $dir = '', $imgname = ''){ if(empty($dir)){ $dir = BLUE_ROOT.DATA.UPLOAD.date("Ym")."/"; }else{ $dir = BLUE_ROOT.DATA.UPLOAD.$dir."/"; } if(!file_exists($dir)){ if(!mkdir($dir)){ showmsg('上传过程中创建目录失败'); } } if(empty($imgname)){ $imgname = $this->create_tempname().$this->get_type($file['name']); } $imgname = $dir . $imgname; if(!in_array($file['type'],$this->allow_image_type)){ //只是检测了文件头部来着，那我们就直接构造一个SHELL就好了 showmsg('不允许的图片类型'); } } ##1.漏洞分析 include/upload.class.php 只是检测了文件头，没有检测后缀. ```php ...... class upload { private $allow_image_type = array(’image/jpg’, ’image/gif’, ’image/png’, ’image/pjpeg’); ...... function img_upload($file, $dir = ’’, $imgname = ’’){ if(empty($dir)){ $dir = BLUE_ROOT.DATA.UPLOAD.date("Ym")."/"; }else{ $dir = BLUE_ROOT.DATA.UPLOAD.$dir."/"; } if(!file_exists($dir)){ if(!mkdir($dir)){ showmsg(’上传过程中创建目录失败’); } } if(empty($imgname)){ $imgname = $this->create_tempname().$this->get_type($file[’name’]); } $imgname = $dir . $imgname; if(!in_array($file[’type’],$this->allow_image_type)){ //只是检测了文件头部来着，那我们就直接构造一个SHELL就好了 showmsg(’不允许的图片类型’); } ``` 来看看哪里调用了上传 publish.php 90行 ```php elseif($act == 'do_upload'){ require_once(BLUE_ROOT."include/upload.class.php"); $image = new upload(); if(isset($_FILES['upload_file']['error']) && $_FILES['upload_file']['error'] == 0){ $upload_pic = $image->img_upload($_FILES['upload_file']); } template_assign('add_pic', $upload_pic); $smarty->caching = false; $smarty->display('upload.htm'); } ``` 通过修改mime就能任意上传php脚本 ##2.漏洞利用 上传接口 http://[host]/publish.php?act=do_upload ```php $imgname = $dir . $imgname; if(!in_array($file[’type’],$this->allow_image_type)){ //这里开始是临时补丁 $ext_arr = array('jpg', 'jpeg','png','gif'); //获得文件扩展名 $temp_arr = explode(".", $imgname); $file_ext = array_pop($temp_arr); $file_ext = strtolower(trim($file_ext)); //检查扩展名 if (in_array($file_ext, $ext_arr) === false) { showmsg(’不允许的图片类型’); } ```