首页 > 漏洞预警和分析 > metinfo(getshell)iis

metinfo(getshell)iis

[2018.03.05]

漏洞文件:/member/index.php

$M_MODULE='web';

if(@$_GET['m'])$M_MODULE=$_GET['m'];

if(@!$_GET['n'])$_GET['n']="user";

if(@!$_GET['c'])$_GET['c']="profile";

if(@!$_GET['a'])$_GET['a']="doindex";

@define('M_NAME', $_GET['n']);

@define('M_MODULE', $M_MODULE);

@define('M_CLASS', $_GET['c']);

@define('M_ACTION', $_GET['a']);

require_once '../app/system/entrance.php';



我这里简单的说明一下这里的功能处,这里是为了调用class文件

先跟入entrance


if (!defined('M_MODULE')) {

    define ('M_MODULE', 'include');

    define ('M_CLASS', $_GET['c']);

    define ('M_ACTION', $_GET['a']);

}

//µ±Ç°Îļþ¼ÐµØÖ·

if(M_TYPE == 'system'){

    if(M_MODULE == 'include'){

       define ('PATH_OWN_FILE', PATH_APP.M_TYPE.'/'.M_MODULE.'/module/');

    }else{

       define ('PATH_OWN_FILE', PATH_APP.M_TYPE.'/'.M_MODULE.'/'.M_NAME.'/');

    }

}else{

    define ('PATH_OWN_FILE', PATH_APP.M_TYPE.'/'.M_NAME.'/'.M_MODULE.'/');

    define ('PATH_APP_FILE', PATH_APP.M_TYPE.'/'.M_NAME.'/');

}


define ('PATH_MODULE_FILE', PATH_APP.'system'.'/'.M_MODULE.'/');


load::module();

这里是链接变量定义常量然后载入module,跟入

       public static function module($path = '', $modulename = '', $action = '') {

       if (!$path) {

           if (!$path) $path = PATH_OWN_FILE;

           if (!$modulename) $modulename = M_CLASS;

           if (!$action) $action = M_ACTION;

           if (!$action) $action = 'doindex';

       }

       return self::_load_class($path, $modulename, $action);

    }


对相应的变量进行判断赋值载入_load_class

$classname=str_replace('.class.php', '', $classname);

       $is_myclass = 0;

       if(!self::$mclass[$classname]){

           if(file_exists($path.$classname.'.class.php')){

              require_once $path.$classname.'.class.php';


替换后缀判断class中是否存在classname然后再链接后缀判断是否存在文件,存在则包含

if ($action) {

           if (!class_exists($classname)) {

              die($action.' classÿfile is not exists!!!');

           }

           if(self::$mclass[$classname]){

              $newclass = self::$mclass[$classname];

           }else{

              if($is_myclass){

                  $newclass = new $myclass;

              }else{

                  $newclass = new $classname;

              }

              self::$mclass[$classname] = $newclass;

           }

           if ($action!='new') {

              if(substr($action, 0, 2) != 'do'){

                  die($action.' function no permission load!!!');

              }



判断action,action非new的时候前两位必须为do也就是只能加载doxx的action


来找一个有问题的class文件


漏洞文件:/app/system/include/module/uploadify.class.php


       public function doupfile(){

       global $_M;

       $this->upfile->set_upfile();

       $info['savepath'] = $_M['form']['savepath'];

       $info['format'] = $_M['form']['format'];

       $info['maxsize'] = $_M['form']['maxsize'];

       $info['is_rename'] = $_M['form']['is_rename'];

       $info['is_overwrite'] = $_M['form']['is_overwrite'];

       $this->set_upload($info);

       $back = $this->upload($_M['form']['formname']);

       if($_M['form']['type']==1){

           if($back['error']){

              $back['error'] = $back['errorcode'];

           }else{

              $backs['path'] = $back['path'];

              $backs['append'] = 'false';

              $back = $backs;

           }

       }

       echo jsonencode($back);

    }


从这里可以看见是没有任何问题的,先记住$_M['form']后面的内容

然后先跟入set_upload

       public function set_upload($info){

       global $_M;

       $this->upfile->set('savepath', $info['savepath']);

       $this->upfile->set('format', $info['format']);

       $this->upfile->set('maxsize', $info['maxsize']);

       $this->upfile->set('is_rename', $info['is_rename']);

       $this->upfile->set('is_overwrite', $info['is_overwrite']);

    }


继续跟入set

       public function set($name, $value) {

       if ($value === NULL) {

           return false;

       }

       switch ($name) {

           case 'savepath':

              $this->savepath = path_standard(PATH_WEB.'upload/'.$value);


           break;

           case 'format':

              $this->format = $value;

           break;

           case 'maxsize':

              $this->maxsize = min($value*1048576, $this->maxsize);

           break;

           case 'is_rename':

           echo  $value;

              $this->is_rename = $value;

           break;

       }  

    }

先说问题所在savepath,当name有savepath的时候则连接value也就是我们的变量值。

那么也就是路径可控0.0所以你懂的了,别问我为什么不继续看后面的上传,因为没意义后缀是白名单效验



本地复现:



北京通和实益电信科学技术研究所有限公司 版权所有 京ICP备15030238号-1