众邦科技 / CRMEB打通版

File upload causes getshell in Windows System

Task (Done)
Opened this issue 2020-01-20 14:32

Test environment

OS:windows
CRMEB version: 3.1.0+
download time: 2020/1/18

Code analysis

Search for a keyword such as "上传文件非法" (illegal upload file), and you land in the file /crmeb/crmeb/services/UploadService.php at line 410.

[screenshot: test-1]

In the file() function, getOriginalExtension() is called at line 409. getOriginalExtension() is defined at line 130 of /crmeb/vendor/topthink/framework/src/think/file/UploadedFile.php.

[screenshot: test-2]

Looking at the code, the check only obtains the suffix of the file name and compares it; no filtering of the suffix is performed.

Vulnerability Test

Step-1

First, you need to add a configuration item for file upload, like this.

[screenshot: test-3]

The contents of the configuration item are as follows.

[screenshot: test-4]

Step-2

Open the file upload configuration item in Settings; it looks like this.

[screenshot: test-5]

In this view you can see an option named fileuPload, which was created in Step-1. Click it and upload a file there.

Then I uploaded a file named shell.jpg whose content is as follows.

Payload Content

<?php
phpinfo();
?>

When uploading, modify the file extension to .php::$DATA, like this. Because the characters ::$DATA are automatically ignored by the Windows system, the check can be bypassed with this suffix.

[screenshot: test-6]

The response contains a URI like this.

[screenshot: test-7]

Shell URL

http://127.0.0.1/uploads/config/file/20200119/f97d96036a769ae2d3154b591304f1df.php

Step-3

Access this URL and you get a shell on the web server.

[screenshot: test-7]

Solution

Filter out ::$DATA.
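To make the bypass and the fix concrete, here is an added PHP example that is not CRMEB's own code. It puts a naive suffix check of the kind the issue describes (a deny-list compared against the raw text after the last dot) beside a hardened one that first normalises the name the way NTFS will store it and then requires an allow-listed extension. The deny-list, allow-list and function names are assumptions made for the illustration; it also covers the related Windows quirk that trailing dots and spaces are stripped from file names, which is not mentioned in the issue but defeats the same kind of check.

```php
<?php
// Added example, not CRMEB's code. The deny-list, allow-list and function names
// are assumptions for the illustration; only the "::$DATA" behaviour is from the issue.

// A deny-list in the spirit of the "illegal upload file" check the issue describes.
const DENIED_EXTENSIONS  = ['php', 'php3', 'php5', 'phtml', 'phar'];
// Allow-list used by the hardened check.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Naive check: take the text after the last dot of the client-supplied name and
 * compare it as-is. For "shell.php::$DATA" the suffix is "php::$DATA", which is not
 * on the deny-list, so the upload passes.
 */
function naiveIsUploadAllowed(string $originalName): bool
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

/**
 * Approximates the name NTFS stores when the path is written on Windows.
 * "name:stream" addresses an alternate data stream and "::$DATA" is the default
 * stream, so "shell.php::$DATA" is created as "shell.php". Win32 also strips
 * trailing dots and spaces, so "shell.php." and "shell.php " become "shell.php".
 */
function windowsEffectiveName(string $name): string
{
    $base = basename(str_replace('\\', '/', $name));
    $colon = strpos($base, ':');
    if ($colon !== false) {
        $base = substr($base, 0, $colon);
    }
    return rtrim($base, ". ");
}

/**
 * Hardened check: normalise the name the way the target filesystem will, then
 * require the resulting extension to be on an allow-list rather than merely absent
 * from a deny-list. Names that normalise to nothing or to a dotfile are rejected.
 */
function hardenedIsUploadAllowed(string $originalName): bool
{
    $effective = windowsEffectiveName($originalName);
    if ($effective === '' || $effective[0] === '.') {
        return false;
    }
    $ext = strtolower(pathinfo($effective, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample names, including the one used in the issue.
$samples = ['shell.jpg', 'shell.php', 'shell.php::$DATA', 'shell.PHP::$DATA', 'shell.php.', 'shell.php '];
foreach ($samples as $name) {
    printf("%-18s stored as %-10s naive=%-6s hardened=%s\n",
        $name,
        windowsEffectiveName($name),
        naiveIsUploadAllowed($name) ? 'accept' : 'reject',
        hardenedIsUploadAllowed($name) ? 'accept' : 'reject');
}
```

Running the script shows the naive check accepting shell.php::$DATA, shell.php. and "shell.php " while all three are stored as shell.php; the hardened check rejects them and accepts only shell.jpg. In practice the safest approach is not to trust the client-supplied name at all: pick the stored extension server-side from the allow-list and sniff the content, and make sure the check is actually invoked on the upload path, since a validator that is never called protects nothing.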


Comments (2)

c0d1M4x created the task

Oh my god... doesn't this mean it's easy to get a trojan planted?

You need to enable upload validation at line 403 of CRMEB\crmeb\app\admin\controller\setting\SystemConfig.php:

setAutoValidate(true)

等风来,随风去 changed issue state from To do to Done

Repository: https://gitee.com/ZhongBangKeJi/CRMEB.git