PHP arbitrary file upload, CVE-2015-2348. The affected versions are PHP 5.4.38 through 5.6.6.
Vulnerability analysis:
The function involved is move_uploaded_file(), which moves an uploaded file to a new location.
```php
move_uploaded_file ( string $filename , string $destination )
```
$destination is the file name under which move_uploaded_file saves the upload. If it is attacker-controlled, a %00 (null byte) truncation can be used to upload a file of arbitrary type.
Test code:
```php
<html>
<meta content="text/html" charset="utf-8">
<body>
<form action="" method="post" enctype="multipart/form-data">
    <label>选择图片:</label>
    <input type="file" name="file" />
    <input type="hidden" name="address" value="<?php echo time(); ?>">
    <br />
    <input type="submit" value="Submit" />
    <br />
</form>
</body>
<?php
error_reporting(0);
$upload_name = $_FILES['file']['name'];
// Only the extension of the client-supplied original name is checked
$type = substr($upload_name, strrpos($upload_name, '.') + 1);
if ($type == "jpg" || $type == "png" || $type == "gif") {
    // The destination name is built from the user-controlled POST field 'address'
    $address = $_POST['address'] . "." . $type;
    if (move_uploaded_file($_FILES['file']['tmp_name'], "tmp/" . $address)) {
        echo "图片地址:tmp/" . $address;
    }
} else {
    echo "上传类型错误!";
}
?>
</html>
```
Set $address to x.php%00 (URL-encoded) and submit the upload.
The stored file name is truncated at the null byte, leaving a .php file.
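The root cause above is that the destination name passed to move_uploaded_file() is taken from the request, so the fix is to stop trusting any client-supplied name at all. The following is an added example of a hardened version of the same handler; it is not code from the original post. It assumes PHP 7 or later (for random_bytes()), and that the hypothetical directory UPLOAD_DIR sits outside the web root so that nothing stored there is ever executed by the web server.

```php
<?php
// Added example, not from the original post: hardened replacement for the upload handler.
// Assumptions (hypothetical): PHP >= 7, and UPLOAD_DIR is a directory outside the web root.

const UPLOAD_DIR = __DIR__ . '/../uploads_private'; // assumed path, not served by the web server

// Allowed extensions mapped to the MIME type the file content must actually have.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

/**
 * Validates one entry of $_FILES and stores it under a server-generated name.
 * Returns the stored file name; throws RuntimeException on any validation failure.
 */
function store_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Reject control bytes (including NUL) in the client name before it is used anywhere.
    $clientName = (string) $file['name'];
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        throw new RuntimeException('invalid characters in file name');
    }

    // Whitelist the extension; the lookup is case-insensitive on purpose.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Check the file's content, not only its name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // The client never chooses the destination: the name is generated server-side.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // stored files are never executable
    return $stored;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    try {
        $name = store_image($_FILES['file']);
        echo 'stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

Three independent controls matter here, and each one alone would have stopped the truncation case: the request no longer contributes anything to the destination path, control bytes in the original name are rejected outright, and the storage directory is not web-served, so even a mis-stored .php file would only ever be read back as data. Upgrading beyond the version range listed at the top of the post is still required, but the handler should not rely on the interpreter to refuse a bad path.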