描述: 任意以.php开头的文件名,Apache都当做php文件解析, 如”.php.comment”将被当做php文件解析,由此引发一系列漏洞.
MG2是在国外非常流行的一个PHP+HTML的图片管理程序,由于商业版被破解,程序流传甚广,在google搜索关键字为”Powered by MG2 v0.5.1″ 最新版本存在着文件写入漏洞,可配和Apache漏洞直接得shell
includes/mg2_functions.php中addcomment()函数如下
CODE:
function addcomment() {
$_REQUEST['filename'] = $this->charfix($_REQUEST['filename']);
$_REQUEST['input'] = $this->charfix($_REQUEST['input']);
$_REQUEST['email'] = $this->charfix($_REQUEST['email']);
$_REQUEST['name'] = $this->charfix($_REQUEST['name']);
$_REQUEST['input'] = strip_tags($_REQUEST['input'], “”);
$_REQUEST['input'] = str_replace(“\n”,”
“,$_REQUEST['input']);
$_REQUEST['input'] = str_replace(“\r”,”",$_REQUEST['input']);
if ($_REQUEST['input'] != “” && $_REQUEST['name'] != “” && $_REQUEST['email'] != “”) {
$this->readcomments(“pictures/” . $_REQUEST['filename'] . “.comment”);
$comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0);
$comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0);
$comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0);
if (count($comment_exists) == 0) {
$this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']);
$this->writecomments($_REQUEST['filename'] . “.comment”);
……..
漏洞很明显,可以自定义comment的文件名,如果你自定义的filename为”.php”,那么程序就会在图片根目录下生成一 个”.php.comment”的文件,由于Apache的漏洞,该程序被当做php文件解析,webshell就到手了,写了个利用程序如下:
CODE:
