F2blog XMLRPC arbitrary file upload vulnerability
Summary: the latest version downloaded from the official site, F2blog-v1.2_build_03.01_full, contains a vulnerable file, xmlrpc.php. Impact: arbitrary files can be uploaded to the server...

The latest version just downloaded from the official site, F2blog-v1.2_build_03.01_full, contains a vulnerable file: xmlrpc.php.

Impact: arbitrary files can be uploaded to the server.

Cause: get_http_raw_post_data() returns the POST body exactly as it was sent, so it is not affected by the PHP magic_quotes setting being on.

When check_user_pw is called nothing is filtered out (its result is never acted on), and the upload that follows performs no extension check, so arbitrary files can be written straight to the server. A brief analysis:

    function metaWeblog_newMediaObject ($values) { //2007-02-01 add support for uploading files
        global $settingInfo,$DMC, $DBPrefix,$defualtcategoryid;
        // This was meant to verify that the user is logged in, but the result is
        // never checked below; the login status is merely returned into $userdetail.
        $userdetail = check_user_pw ($values['username'], $values['password']);
        $struct=$values['struct'];
        //writetofile ('text1.php', $struct['bits']); //debug only
        if ($struct['bits'] && $struct['name']) {
            $writefilecontent=base64_decode($struct['bits']);
            if (file_exists("attachments/{$struct['name']}")) @unlink("attachments/{$struct['name']}");
            $filenum=@fopen("attachments/{$struct['name']}","wb");
            if (!$filenum) {
                xml_error ("Sorry, uploading file ({$struct['name']}) failed.");
            }
            flock($filenum,LOCK_EX);
            fwrite($filenum,$writefilecontent);
            // No check whether the file is safe; it is written straight to disk.
            fclose($filenum);
        }
        $xml_content=make_xml_piece ("struct", array('url'=>"{$settingInfo['blogurl']}/attachments/{$struct['name']}"));
        $body_xml=xml_generate($xml_content);
        send_response ($body_xml);
    }

That should already be clear enough; for completeness, here is the code path through which the handler is reached:

The table of defined methods:

    $methodFamily=array('blogger.newPost', 'blogger.editPost', 'blogger.getUsersBlogs', 'blogger.getUserInfo', 'blogger.deletePost', 'blogger.getTemplate', 'blogger.setTemplate', 'metaWeblog.newPost', 'metaWeblog.editPost', 'metaWeblog.getPost', 'metaWeblog.newMediaObject', 'metaWeblog.getCategories', 'metaWeblog.getRecentPosts');

Method dispatch:

    $methodName=parse_get($rawdata, 'methodName', true);
    if (!@in_array($methodName, $methodFamily)) xml_error ("Method ({$methodName}) is not availble.");
    $values=parse_get($rawdata, 'value');
    $values=parse_walk_array($values, $methodName);
    //print_r($values); //For debug only
    //exit();
    //Get default category, for those editors which don't support Categories
    $sql="select * from ".$DBPrefix."categories limit 0,1";
    $arr_category=$DMC->fetchArray($DMC->query($sql));
    $defualtcategoryid=$arr_category['id'];
    $methodName=str_replace('.', '_', $methodName);
    call_user_func ($methodName, $values);

Where $rawdata comes from:

    $rawdata=get_http_raw_post_data();
    //writetofile ("text4.xml", $rawdata); //For debug use
    //$rawdata=file_get_contents("text4.xml"); //For debug use
    if (!$rawdata) die ("Sorry, don't visit this web!");
    $stringType_o="i4|int|boolean|struct|string|double|base64|dateTime.iso8601";
    $stringType="(".$stringType_o.")";
    $rawdata=str_replace("\r", '', $rawdata);
    $rawdata=str_replace("\n", '', $rawdata);
    $rawdata=str_replace("\t", '', $rawdata);
    $rawdata=str_replace("<![CDATA[", '', $rawdata);
    $rawdata=str_replace("]]>", '', $rawdata); //Stupid CDATA, I don't want it
    $rawdata=preg_replace("/<([^>]*?)\s*\/>/is", '<\\1></\\1>', $rawdata); //Self-closed tags
    //$rawdata=convert_utf8($rawdata);
    $rawdata=preg_replace_callback("/<struct>(.*?)<\/struct>/is", 'filter_struct', $rawdata); //Struct can be a trouble, use this to avoid values and names being parsed

The get_http_raw_post_data() function:

    function get_http_raw_post_data () { //Get http_raw_post_data
        global $HTTP_RAW_POST_DATA;
        if (isset($HTTP_RAW_POST_DATA)) { //Good, the server supports $HTTP_RAW_POST_DATA, then return it directly
            return trim($HTTP_RAW_POST_DATA);
        }
        elseif (version_compare(PHP_VERSION, "4.3.0", ">=")) { //PHP 4.3.0 and higher version supports another way to get it
            return readfromfile( 'php://input' );
        }
        else return false; //Sorry, no way out, or $raw data is not set at all
    }

Fix: the simplest approach is to check whether the user actually has permission to upload attachments. The rest is left to the reader.

Since I have already said this much, here is a somewhat safer version as well:

    function metaWeblog_newMediaObject ($values) { //2008-05-27 edit by Neeao
        global $settingInfo,$DMC, $DBPrefix,$defualtcategoryid;
        $userdetail = check_user_pw ($values['username'], $values['password']);
        // Stop here when the credentials did not check out, instead of ignoring the result.
        if (!$userdetail) xml_error ("Login failed.");
        // Cast the post id to an integer so it cannot alter the query.
        $postid=intval($values['postid']);
        $records=$DMC->fetchArray($DMC->query("SELECT * FROM `{$DBPrefix}logs` WHERE `id`='{$postid}'"));
        if ($records['id']=='') xml_error ("Entry does not exist.");
        else {
            $struct=$values['struct'];
            //writetofile ('text1.php', $struct['bits']); //debug only
            if ($struct['bits'] && $struct['name']) {
                $writefilecontent=base64_decode($struct['bits']);
                if (file_exists("attachments/{$struct['name']}")) @unlink("attachments/{$struct['name']}");
                $filenum=@fopen("attachments/{$struct['name']}","wb");
                if (!$filenum) {
                    xml_error ("Sorry, uploading file ({$struct['name']}) failed.");
                }
                flock($filenum,LOCK_EX);
                fwrite($filenum,$writefilecontent);
                fclose($filenum);
            }
            $xml_content=make_xml_piece ("struct", array('url'=>"{$settingInfo['blogurl']}/attachments/{$struct['name']}"));
            $body_xml=xml_generate($xml_content);
            send_response ($body_xml);
        }
    }

No file-type check has been added; that is a bit more work and I have not bothered writing it.
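As an added example (not F2blog's code, nor the safer version above), the two checks this write-up says are missing, written as standalone PHP: the caller must have authenticated, and the attachment name must pass an extension allowlist before anything is written to attachments/. The function names, the allowlist and the constructed test names are assumptions.

```php
<?php
// Added example, not F2blog or Neeao code: validation the vulnerable handler lacks.
// Function names and the extension allowlist are assumptions.

// Extensions a blog attachment may legitimately carry; nothing the web server
// would execute (php, phtml, ...) is in the list.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'zip', 'pdf', 'txt'];

// Returns a safe file name, or null if the request must be rejected.
function validate_attachment_name(string $name): ?string {
    // Last path component only, so "../../index.php" cannot escape attachments/.
    $base = basename(str_replace('\\', '/', $name));
    // No empty names, dotfiles or characters outside a plain alphabet.
    if ($base === '' || $base[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $base)) {
        return null;
    }
    // Exactly one extension: double extensions such as name.php.jpg are refused,
    // since some server configurations dispatch on the first extension they see.
    $parts = explode('.', $base);
    if (count($parts) !== 2) {
        return null;
    }
    $ext = strtolower($parts[1]);
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $parts[0] . '.' . $ext : null;
}

// Hardened write path: authenticate, validate, then write without clobbering.
function store_attachment(bool $authenticated, string $name, string $b64, string $dir): ?string {
    if (!$authenticated) {
        return null; // the check the original handler never made after check_user_pw()
    }
    $safe = validate_attachment_name($name);
    $content = base64_decode($b64, true); // strict mode rejects malformed base64
    if ($safe === null || $content === false) {
        return null;
    }
    $path = rtrim($dir, '/') . '/' . $safe;
    $fh = @fopen($path, 'xb'); // 'x' fails if the file exists instead of overwriting it
    if (!$fh) {
        return null;
    }
    fwrite($fh, $content);
    fclose($fh);
    return $path;
}

// Constructed inputs: the second is the kind of name the original code would have written as-is.
assert(validate_attachment_name('photo.JPG') === 'photo.jpg');
assert(validate_attachment_name('../x.php') === null);
```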
