蚂蚁分类信息系统 (MyMPS) file upload vulnerability and how to fix it

Source: Internet  Editor: 程序博客网  Time: 2024/05/09 13:06

File: /member/include/inc_shop.php

```php
if($if_corp == 1){
    if($ac == 'base'){
        if(empty($tname)) write_msg('','?m=shop&type=corp&error=39');
        if(empty($areaid)) write_msg('','?m=shop&type=corp&error=40');
        $db -> query("UPDATE `{$db_mymps}member` SET tname='$tname',catid='$catids',areaid='$areaid',introduce='$introduce',address='$address',busway='$busway',mappoint='$mappoint',msn='$msn',web='$web' $where AND if_corp = '1'");
        write_msg('','?m=shop&type=corp&success=13');
    } elseif($ac == 'template') {
        if($_FILES[$name_file]['name']){
            require_once MYMPS_INC.'/upfile.fun.php';
            $destination = "/banner/".date('Ym')."/";
            // $oldbanner comes from the request and is passed as $edit_filename
            $mymps_image = start_upload($name_file,$destination,0,'','',$oldbanner,'');
            // ... remainder of this branch is not shown on the original page
        }
    }
}
```

The earlier ac branches can be ignored: they are plain if checks followed by the database operation. The part that matters is the template branch, which takes the upload submitted under name_file and hands it to start_upload. Note that among the arguments passed in, oldbanner is controlled by the requester.

Here is the function body:

```php
function start_upload( $file_name, $destination_folder, $watermark = 0, $limit_width = "", $limit_height = "", $edit_filename = "", $edit_pre_filename = "" )
{
    global $mymps_global;
    global $timestamp;
    if ( !is_uploaded_file( $_FILES[$file_name]['tmp_name'] ) )
    {
        write_msg( "请重新选择您要上传的图片!" );
    }
    $file = $_FILES[$file_name];
    @createdir( MYMPS_UPLOAD.$destination_folder );
    $file_name = $file['tmp_name'];
    // extension and base name are taken from the client-supplied file name
    $pinfo = pathinfo( $file['name'] );
    $ftype = $pinfo['extension'];
    $fname = $pinfo['basename'];
    if ( empty( $edit_filename ) && empty( $edit_pre_filename ) )
    {
        $destination = $timestamp.random( ).".".$ftype;
        $destination = MYMPS_UPLOAD.$destination_folder.$destination_file;
        $small_destination = MYMPS_UPLOAD.$destination_folder."pre_".$destination_file;
    }
    else
    {
        // caller-supplied paths are concatenated onto MYMPS_ROOT unchecked
        $destination = MYMPS_ROOT.$edit_filename;
        $small_destination = MYMPS_ROOT.$edit_pre_filename;
        $forbidarray = array(
            MYMPS_ROOT."/images/logo.gif",
            MYMPS_ROOT."/images/nopic.gif",
            MYMPS_ROOT."/images/nophoto.jpg",
            MYMPS_ROOT."/images/noavatar.gif",
            MYMPS_ROOT."/images/noavatar_small.gif"
        );
        if ( !in_array( $destination, $forbidarray ) || $destination != MYMPS_ROOT )
        {
            @unlink( $destination );
        }
        if ( !in_array( $small_destination, $forbidarray ) || $destination != MYMPS_ROOT )
        {
            @unlink( $small_destination );
        }
        unset( $forbidarray );
    }
    if ( file_exists( $destination ) )
    {
        write_msg( "同名图片已存在,请重新选择您要上传的图片!" );
    }
    if ( !move_uploaded_file( $file_name, $destination ) )
    {
        write_msg( "图片上传失败,请重新选择您要上传的图片!" );
    }
    // ... remainder of the function is not shown on the original page
}
```

Look at this part:

```php
$file = $_FILES[$file_name];
@createdir( MYMPS_UPLOAD.$destination_folder );
$file_name = $file['tmp_name'];
$pinfo = pathinfo( $file['name'] );
$ftype = $pinfo['extension'];
$fname = $pinfo['basename'];
```

It first fetches the uploaded file entry, then takes the extension and the base name straight from the client-supplied file name.

```php
{
    $destination = MYMPS_ROOT.$edit_filename;
    $small_destination = MYMPS_ROOT.$edit_pre_filename;
    $forbidarray = array(
        MYMPS_ROOT."/images/logo.gif",
        MYMPS_ROOT."/images/nopic.gif",
        MYMPS_ROOT."/images/nophoto.jpg",
        MYMPS_ROOT."/images/noavatar.gif",
        MYMPS_ROOT."/images/noavatar_small.gif"
    );
```

Because edit_filename and edit_pre_filename are non-empty here, execution enters this branch, which builds the destination by concatenating the caller-supplied path (and whatever extension it carries) onto MYMPS_ROOT, with no validation anywhere along the way.

```php
if ( file_exists( $destination ) )
{
    write_msg( "同名图片已存在,请重新选择您要上传的图片!" );
}
if ( !move_uploaded_file( $file_name, $destination ) )
{
    write_msg( "图片上传失败,请重新选择您要上传的图片!" );
}
```

The only remaining check is whether a file with the same name already exists; if it does not, the upload is moved straight to that destination.

Fix
Open the file include/upfile.fun.php.
Around line 84, locate the function start_upload.

```php
    global $timestamp;
    // the following line is the added upload validation call
    check_upimage($file_name);
```

Save the file and the fix is in place.
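The page does not show what check_upimage does, so the following is an added example, not the MyMPS project's own code, of the two checks start_upload is missing as analysed above: a whitelist on the uploaded file's extension that is also confirmed against the file's content, and confinement of the caller-supplied edit path to the upload directory. The constants, function names and sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example (not MyMPS code). Constants and names are assumptions.
define('MYMPS_ROOT', rtrim(sys_get_temp_dir(), '/') . '/mymps_demo');
define('MYMPS_UPLOAD', MYMPS_ROOT . '/upload');

// Extension whitelist paired with the image type getimagesize() must report.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'gif'  => IMAGETYPE_GIF,
    'png'  => IMAGETYPE_PNG,
];

/**
 * Validate an uploaded image both by a whitelisted extension and by its
 * content. Returns the normalised extension; throws on anything else.
 */
function check_upimage(string $tmp_path, string $client_name): string
{
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException('content is not the declared image type');
    }
    return $ext;
}

/**
 * Resolve a caller-supplied relative path (the old banner to overwrite) and
 * make sure it stays inside MYMPS_UPLOAD. Only the directory part has to
 * exist; the file itself may be new. The stored extension is forced to the
 * one that passed check_upimage(), whatever the request supplied.
 */
function safe_destination(string $relative, string $ext): string
{
    if (strpos($relative, "\0") !== false) {
        throw new RuntimeException('null byte in path');
    }
    $relative = preg_replace('/\.[^.\/]*$/', '', $relative) . '.' . $ext;
    $base = realpath(MYMPS_UPLOAD);
    $dir  = realpath(MYMPS_UPLOAD . '/' . dirname($relative));
    if ($base === false || $dir === false || strpos($dir . '/', $base . '/') !== 0) {
        throw new RuntimeException('destination escapes the upload directory');
    }
    return $dir . '/' . basename($relative);
}

// --- Demonstration with constructed inputs ------------------------------
@mkdir(MYMPS_UPLOAD . '/banner/202405', 0700, true);

// A constructed 1x1 GIF so the content check has real bytes to inspect.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);

$cases = [
    ['shell.php',  'banner/202405/old.gif'],  // rejected: extension not whitelisted
    ['banner.gif', '../../index.php'],        // rejected: edit path leaves upload dir
    ['banner.gif', 'banner/202405/old.gif'],  // accepted
];
foreach ($cases as [$client_name, $old_banner]) {
    try {
        $ext  = check_upimage($tmp, $client_name);
        $dest = safe_destination($old_banner, $ext);
        echo "ACCEPT $client_name -> $dest\n";
    } catch (RuntimeException $e) {
        echo "REJECT $client_name / $old_banner: {$e->getMessage()}\n";
    }
}
unlink($tmp);
```

In a real handler the validated extension from check_upimage, not $ftype from pathinfo on the client name, is what should be appended to the stored file name, and the result of safe_destination is what should be passed to move_uploaded_file; the realpath containment check is what prevents the oldbanner value from selecting a path outside the upload directory.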
