某IP设备代码审计
偶尔看到一个设备的漏洞挖掘。尝试也看了一下代码。如下:
参考:https://xz.aliyun.com/t/10371
漏洞一、任意文件上传
<?php
$error = false;
$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
if ($tmpFilePath != ""){
$newFilePath = "./files/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
$error = true;
}
}
?>
URL:/upload/my_parser.php
参数为upload
访问URL:/upload/files/11.php
漏洞二、任意文件上传
URL:/php/addscenedata.php
<?php
require_once ('conversion.php');
$arr['res'] = 0;
$tmpFilePath = $_FILES['upload']['tmp_name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
}
if ($tmpFilePath != ""){
$newFilePath = "../images/scene/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
if(move_uploaded_file($tmpFilePath, $newFilePath))
{
$arr['res'] = 1;
}
}
echo JSON($arr);
?>
漏洞三、任意文件写入
URL:/php/uploadjson.php
<?php
require_once ('conversion.php');
$arr["res"] = "0";
$postData = $_POST['jsondata'];
if (isset($postData['filename']) && isset($postData['data']))
{
$filename = $postData['filename'];
// WIN
$fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename;
// Linux
if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
$fullpath = dirname(dirname(__FILE__))."/lan/".$filename;
}
$content = $postData['data'];
// 写入文件
$handle = fopen($fullpath, 'w');
if ($handle)
{
flock($handle, LOCK_EX);
fwrite($handle, $content);
flock($handle, LOCK_UN);
fclose($handle);
$arr["res"] = "1";
}
}
echo JSON($arr);
?>
漏洞三、任意文件上传
URL:/php/addupdatefiles.php
<?php
$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
if ($tmpFilePath != ""){
$newFilePath = dirname(dirname(dirname(dirname(__FILE__))))."/upload/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
echo '{"res": "1"}';
} else {
echo '{"res": "0"}';
}
}
?>
任意文件读取
/php/getjson.php
<?php
require_once ('conversion.php');
$res = '{"res":"0"}';
$postData = $_POST['jsondata'];
if (isset($postData['filename']))
{
$filename = $postData['filename'];
// WIN
$fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename;
// Linux
if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
$fullpath = dirname(dirname(__FILE__))."/lan/".$filename;
}
if (file_exists($fullpath))
{
$json_string = file_get_contents($fullpath);
$res = '{"res":"1","data":'.$json_string.'}';
}
}
echo $res;
?>
最重要的login.php 来了
<?php
require_once ('conversion.php');
$postData = $_POST['jsondata'];
$arr['res'] = 0;
if (isset($postData['username'])) {
$user = $postData['username'];
$pass = $postData['password'];
if ('800823' == $pass && 'administrator' == $user)
{
$arr['username'] = 'administrator';
$arr['password'] = '800823';
$arr['display'] = 'administrator';
$arr['modules'] = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1';
$arr['rights'] = '*';
$arr['serverrights'] = '*';
$arr['isadmin'] = '1';
$arr['bindterminals'] = '';
$arr['res'] = 1;
$arr['mainurl'] = 'main';
$arr['token'] = 'SESSION';
echo JSON($arr);
}
else
{
$result = UdpSendAndRecvJson($postData, "login");
echo $result;
}
}
?>
总结一下:~~~
转载
分享
0 条评论
可输入 255 字
发布投稿
