
tpshop v2.0.8 Vulnerability Analysis

Arbitrary file upload

application/admin/controller/Uploadify.php, method preview()

```php
public function preview(){

    // This page helps IE6/7 preview images, because IE 6/7 do not support base64
    $DIR = 'preview';
    // Create target dir
    if (!file_exists($DIR)) {
        @mkdir($DIR);
    }

    $cleanupTargetDir = true; // Remove old files
    $maxFileAge = 5 * 3600; // Temp file age in seconds

    if ($cleanupTargetDir) {
        if (!is_dir($DIR) || !$dir = opendir($DIR)) {
            die('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "Failed to open temp directory."}, "id" : "id"}');
        }

        while (($file = readdir($dir)) !== false) {
            $tmpfilePath = $DIR . DIRECTORY_SEPARATOR . $file;
            // Remove temp file if it is older than the max age and is not the current file
            if (@filemtime($tmpfilePath) < time() - $maxFileAge) {
                @unlink($tmpfilePath);
            }
        }
        closedir($dir);
    }

    // Raw request body, taken as-is from the client
    $src = file_get_contents('php://input');
    // $matches[1] is whatever follows "image/", $matches[2] the base64 payload
    if (preg_match("#^data:image/(\w+);base64,(.*)$#", $src, $matches)) {
        $previewUrl = sprintf(
            "%s://%s%s",
            isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ? 'https' : 'http',
            $_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI']
        );
        $previewUrl = str_replace("preview.php", "", $previewUrl);
        $base64 = $matches[2];
        $type = $matches[1];
        if ($type === 'jpeg') {
            $type = 'jpg';
        }

        // File extension comes straight from the client-supplied $type
        $filename = md5($base64).".$type";
        $filePath = $DIR.DIRECTORY_SEPARATOR.$filename;

        if (file_exists($filePath)) {
            die('{"jsonrpc" : "2.0", "result" : "'.$previewUrl.'preview/'.$filename.'", "id" : "id"}');
        } else {
            // Decoded client data is written to disk without any content check
            $data = base64_decode($base64);
            file_put_contents($filePath, $data);
            die('{"jsonrpc" : "2.0", "result" : "'.$previewUrl.'preview/'.$filename.'", "id" : "id"}');
        }
    } else {
        die('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "un recoginized source"}}');
    }
}
} // closing brace of the enclosing controller class
```

  • `$src = file_get_contents('php://input');` reads the raw POST body into `$src`; the value is never sanitized.
  • `preg_match("#^data:image/(\w+);base64,(.*)$#", $src, $matches)` extracts the base64 payload from that body; on a match, execution enters the `if` branch.
    `$matches[1]` is the text after `image/`, i.e. the file type, and `$matches[2]` is the content after `base64,`, i.e. the file data.
  • `$filename = md5($base64).".$type";` means the resulting file name is predictable, and
    `$filePath = $DIR.DIRECTORY_SEPARATOR.$filename;` places it at `preview/$filename`.
  • `$data = base64_decode($base64);` decodes the payload and `file_put_contents($filePath, $data);` writes it to disk, which yields a webshell (GetShell). The `die()` call additionally returns the hashed file name to the caller.
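As an added example (my own code, not tpshop's), the same handler written so that the client-declared type is never trusted: the `image/<type>` label is restricted to a whitelist, the base64 is decoded strictly and size-capped, the bytes must parse as a real image, and the extension is taken from the detected format rather than from the request. `previewHardened()`, the size limit and the demo inputs are assumptions for this illustration.

```php
<?php
// Added hardening example (not tpshop's code). Names such as previewHardened()
// and the 2 MiB cap are assumptions made for this illustration.

declare(strict_types=1);

const PREVIEW_MAX_BYTES = 2 * 1024 * 1024;   // assumption: a preview never needs more than 2 MiB
const PREVIEW_ALLOWED = [                    // detected image type => extension we are willing to write
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Validate a data: URI body and store it under $dir.
 * Returns the stored file name, or null when the input is rejected.
 */
function previewHardened(string $src, string $dir): ?string
{
    // 1. Only the labels we expect; the original's \w+ accepted any word, including executable extensions.
    if (!preg_match('#^data:image/(png|jpe?g|gif);base64,([A-Za-z0-9+/=]+)\z#', $src, $m)) {
        return null;
    }
    // 2. Strict decoding: a character outside the base64 alphabet makes this return false.
    $data = base64_decode($m[2], true);
    if ($data === false || $data === '' || strlen($data) > PREVIEW_MAX_BYTES) {
        return null;
    }
    // 3. The decoded bytes must actually parse as one of the allowed formats.
    $info = @getimagesizefromstring($data);
    if ($info === false || !isset(PREVIEW_ALLOWED[$info[2]])) {
        return null;
    }
    // 4. Extension derives from the detected type; the directory is fixed server-side.
    $filename = md5($data) . '.' . PREVIEW_ALLOWED[$info[2]];
    $path = $dir . DIRECTORY_SEPARATOR . $filename;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    if (!file_exists($path) && file_put_contents($path, $data, LOCK_EX) === false) {
        return null;
    }
    return $filename;
}

// --- demo with constructed inputs ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'preview_demo';

// Constructed 1x1 PNG with a valid header, base64 encoded: accepted and stored as .png
$png = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
// Same label, but the payload is plain text rather than image bytes: rejected by the content check
$text = 'data:image/png;base64,' . base64_encode('this is not an image');
// A type outside the whitelist is refused before anything is decoded
$bmp = 'data:image/bmp;base64,' . base64_encode('constructed payload');

var_dump(previewHardened($png, $dir));
var_dump(previewHardened($text, $dir));
var_dump(previewHardened($bmp, $dir));
```

The content check matters even with the whitelist in place: a request labelled `image/png` whose bytes are not a PNG is dropped, so the stored file is always something the declared extension describes. In the real application the `preview` directory should also be excluded from script execution by the web server configuration, which this code cannot do on its own.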

ORDER BY SQL injection

/application/home/controller/Goods.php

For both ascending and descending sorts, the field name used for ordering is neither filtered nor checked against the table's columns; the input is concatenated directly into the SQL ORDER BY clause. This produces an injection point at ORDER BY, which can be exploited with error-based injection.
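An added example of the fix, written by me rather than taken from Goods.php: the sort field is accepted only if it appears in a server-side whitelist, the direction is normalized to one of two literals, and only then is the clause interpolated. The `goods` table, its columns and the sample rows are assumptions for the demo; the query runs against an in-memory SQLite database so the whole thing executes stand-alone.

```php
<?php
// Added example (not tpshop's Goods.php). Table, columns and rows are constructed for the demo.

declare(strict_types=1);

// Columns a client is allowed to sort by; anything else is refused.
const SORTABLE_COLUMNS = ['goods_id', 'shop_price', 'sales_sum'];

/** Return "`column` ASC|DESC" for whitelisted columns; throw for everything else. */
function safeOrderBy(string $sort, string $dir): string
{
    if (!in_array($sort, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort field');
    }
    $dir = strtolower($dir) === 'desc' ? 'DESC' : 'ASC';   // any value other than "desc" sorts ascending
    return "`{$sort}` {$dir}";
}

function listGoods(PDO $db, string $sort, string $dir, int $limit = 10): array
{
    $orderBy = safeOrderBy($sort, $dir);   // validated above, so interpolation is safe here
    $stmt = $db->prepare("SELECT goods_id, goods_name, shop_price FROM goods ORDER BY {$orderBy} LIMIT :n");
    $stmt->bindValue(':n', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo on an in-memory SQLite table with constructed rows ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE goods (goods_id INTEGER, goods_name TEXT, shop_price REAL, sales_sum INTEGER)');
$db->exec("INSERT INTO goods VALUES (1,'mug',9.5,30),(2,'lamp',25.0,5),(3,'desk',120.0,12)");

print_r(listGoods($db, 'shop_price', 'desc'));   // a whitelisted column sorts normally

try {
    listGoods($db, 'not_a_column', 'asc');       // anything outside the whitelist never reaches SQL
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Identifiers cannot be bound as prepared-statement parameters, which is why ORDER BY needs a whitelist rather than a placeholder; the `LIMIT` value, being data, is bound normally.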

SQL injection

/application/home/controller/Api.php, method shop()

The method first reads external input into variables, then proceeds as follows:

  • `$province_id`, `$city_id` and `$district_id`: if any of these three variables is empty, an empty JSON response is returned; otherwise they are placed into the `$where` array.
  • `$field` is defined and set to `*`; `$order` is defined and set to `shop_id desc`.
  • If `$longitude` is truthy, `$longitude` and `$latitude` are concatenated into the SQL expression assigned to `$field`, and `$order` is set to `distance ASC`.
  • If `$shop_address` is truthy, it is placed into the `$where` array for the query.
  • The query is then executed with these values.
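As an added example (my own code, not tpshop's shop()), the same lookup built so that every request value is either cast to a number or bound as a parameter: region ids become integers, the coordinates used in the distance expression become range-checked floats bound by name, the address is a bound LIKE pattern with wildcards escaped, and ORDER BY is one of two strings chosen by the server. The `shop` table, its columns and the squared-difference distance formula are assumptions for the demo; the query runs on an in-memory SQLite table.

```php
<?php
// Added example (not tpshop's Api.php). Table, columns, the distance formula and the
// sample rows are constructed for this demo.

declare(strict_types=1);

/** Build the shop lookup as [sql, params], or null when required ids are missing. */
function buildShopQuery(array $in): ?array
{
    $province = (int)($in['province_id'] ?? 0);
    $city     = (int)($in['city_id'] ?? 0);
    $district = (int)($in['district_id'] ?? 0);
    if ($province === 0 || $city === 0 || $district === 0) {
        return null;                               // the original returns an empty JSON here
    }

    $fields = 'shop_id, shop_name, shop_address';
    $where  = ['province_id = :province', 'city_id = :city', 'district_id = :district'];
    $params = [':province' => $province, ':city' => $city, ':district' => $district];
    $order  = 'shop_id DESC';

    if (!empty($in['longitude']) && !empty($in['latitude'])) {
        $lng = (float)$in['longitude'];
        $lat = (float)$in['latitude'];
        if ($lng < -180 || $lng > 180 || $lat < -90 || $lat > 90) {
            return null;                           // out-of-range coordinates are refused
        }
        // The distance expression is constant SQL; coordinates arrive only as bound values.
        $fields .= ', ((longitude - :lng) * (longitude - :lng) + (latitude - :lat) * (latitude - :lat)) AS distance';
        $params[':lng'] = $lng;
        $params[':lat'] = $lat;
        $order = 'distance ASC';
    }

    if (!empty($in['shop_address'])) {
        // Escape LIKE wildcards so the client controls the text, not the pattern.
        $where[]         = "shop_address LIKE :addr ESCAPE '\\'";
        $params[':addr'] = '%' . addcslashes((string)$in['shop_address'], '%_\\') . '%';
    }

    $sql = "SELECT {$fields} FROM shop WHERE " . implode(' AND ', $where) . " ORDER BY {$order}";
    return [$sql, $params];
}

function findShops(PDO $db, array $in): array
{
    $built = buildShopQuery($in);
    if ($built === null) {
        return [];
    }
    [$sql, $params] = $built;
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo on an in-memory SQLite table with constructed rows ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shop (shop_id INTEGER, shop_name TEXT, shop_address TEXT,
           province_id INTEGER, city_id INTEGER, district_id INTEGER, longitude REAL, latitude REAL)');
$db->exec("INSERT INTO shop VALUES
           (1,'North','1 Main Rd',1,2,3,113.30,23.20),
           (2,'South','9 Main Rd',1,2,3,113.25,23.10),
           (3,'Other','5 Side St',1,2,4,113.27,23.13)");

// Constructed request: string values exactly as they would arrive from the client.
print_r(findShops($db, [
    'province_id' => '1', 'city_id' => '2', 'district_id' => '3',
    'longitude' => '113.27', 'latitude' => '23.13', 'shop_address' => 'Main',
]));
```

Separating `buildShopQuery()` from execution makes the safety property easy to review: the only strings that ever enter the SQL text are fixed literals and the two fixed ORDER BY choices, while every client-supplied value reaches the database through `$params`.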
