某IP设备代码审计

·  阅读 66
某IP设备代码审计

偶尔看到一个设备的漏洞挖掘。尝试也看了一下代码。如下:

参考:my.oschina.net/u/5242808/b…5

漏洞一、任意文件上传

 <?php

$error = false ;
$tmpFilePath = $_FILES [ 'upload' ][ 'tmp_name' ];
$tmpFilePath = mb_convert_encoding ( $tmpFilePath , "GBK" , "UTF-8" );

if ( $tmpFilePath != "" ){
    $newFilePath = "./files/" . $_FILES [ 'upload' ][ 'name' ];

    if ( strtoupper ( substr ( PHP_OS , 0 , 3 )) == 'WIN' ){
        $newFilePath = mb_convert_encoding ( $newFilePath , "GBK" , "UTF-8" ); 
    }

    if ( ! move_uploaded_file ( $tmpFilePath , $newFilePath )) {
        $error = true ;
    }
}

?> 
复制代码

URL:/upload/my_parser.php

【点击查看学习资料·攻略】

参数为upload

访问URL:/upload/files/11.php

漏洞二、任意文件上传

URL:/php/addscenedata.php

 <?php
    require_once  ( 'conversion.php' ); 

    $arr [ 'res' ]  = 0 ; 
    $tmpFilePath = $_FILES [ 'upload' ][ 'tmp_name' ];    
    if  ( strtoupper ( substr ( PHP_OS ,  0 ,  3 ))  == 'WIN' )   { 
        $tmpFilePath = mb_convert_encoding ( $tmpFilePath ,  "GBK" ,  "UTF-8" ); 
     } 

    if  ( $tmpFilePath  != "" ){ 
        $newFilePath = "../images/scene/"  .  $_FILES [ 'upload' ][ 'name' ]; 
        if  ( strtoupper ( substr ( PHP_OS ,  0 ,  3 ))  == 'WIN' )   { 
            $newFilePath = mb_convert_encoding ( $newFilePath ,  "GBK" ,  "UTF-8" ); 
         } 

        if ( move_uploaded_file ( $tmpFilePath ,  $newFilePath )) 
         { 
            $arr [ 'res' ]  = 1 ; 
         } 
     } 

    echo JSON ( $arr ); 

 ?> 
复制代码

漏洞三、任意文件写入

URL:/php/uploadjson.php

 <?php
    require_once  ( 'conversion.php' ); 

    $arr [ "res" ]  = "0" ; 
    $postData = $_POST [ 'jsondata' ]; 
    if  ( isset ( $postData [ 'filename' ])   &&  isset ( $postData [ 'data' ])) 
     { 
        $filename = $postData [ 'filename' ]; 
         // WIN
        $fullpath = dirname ( dirname ( __FILE__ )) . "\lan\" . $filename ; 
         // Linux
        if  ( strtoupper ( substr ( PHP_OS ,  0 ,  3 ))   != 'WIN' )   { 
            $fullpath = dirname ( dirname ( __FILE__ )) . "/lan/" . $filename ; 
         } 

        $content = $postData [ 'data' ]; 
         // 写入文件
        $handle = fopen ( $fullpath ,  'w' ); 
        if  ( $handle ) 
         { 
            flock ( $handle ,  LOCK_EX ); 
            fwrite ( $handle ,  $content ); 
            flock ( $handle ,  LOCK_UN ); 
            fclose ( $handle ); 
            $arr [ "res" ]  = "1" ; 
         } 
     } 
    echo JSON ( $arr ); 
 ?> 
复制代码

漏洞四、任意文件上传

URL:/php/addupdatefiles.php

 <?php

$tmpFilePath = $_FILES [ 'upload' ][ 'tmp_name' ]; 
$tmpFilePath = mb_convert_encoding ( $tmpFilePath ,  "GBK" ,  "UTF-8" ); 

if  ( $tmpFilePath  != "" ){ 
    $newFilePath = dirname ( dirname ( dirname ( dirname ( __FILE__ )))) . "/upload/"  .  $_FILES [ 'upload' ][ 'name' ]; 

    if  ( strtoupper ( substr ( PHP_OS ,  0 ,  3 ))  == 'WIN' ){ 
        $newFilePath = mb_convert_encoding ( $newFilePath ,  "GBK" ,  "UTF-8" ); 
     } 

    if ( ! move_uploaded_file ( $tmpFilePath ,  $newFilePath ))   { 
        echo '{"res": "1"}' ; 
     }  else  { 
        echo '{"res": "0"}' ; 
     } 
 } 
 ?> 
复制代码

任意文件读取

/php/getjson.php

 <?php
    require_once  ( 'conversion.php' ); 

    $res = '{"res":"0"}' ; 
    $postData = $_POST [ 'jsondata' ];  
    if  ( isset ( $postData [ 'filename' ])) 
     {    
        $filename = $postData [ 'filename' ];       
         // WIN
        $fullpath = dirname ( dirname ( __FILE__ )) . "\lan\" . $filename ;  
         // Linux
        if  ( strtoupper ( substr ( PHP_OS ,  0 ,  3 ))   != 'WIN' )   { 
            $fullpath = dirname ( dirname ( __FILE__ )) . "/lan/" . $filename ;  
         } 

        if  ( file_exists ( $fullpath )) 
         { 
            $json_string = file_get_contents ( $fullpath ); 
            $res = '{"res":"1","data":' . $json_string . '}' ; 
         } 
     } 
    echo $res ; 
 ?> 
复制代码

最重要的login.php 来了

 <?php
    require_once  ( 'conversion.php' ); 

    $postData = $_POST [ 'jsondata' ]; 
    $arr [ 'res' ]  = 0 ; 

    if  ( isset ( $postData [ 'username' ]))   { 
        $user = $postData [ 'username' ]; 
        $pass = $postData [ 'password' ]; 

        if  ( '800823' == $pass  &&  'administrator' == $user ) 
         { 
            $arr [ 'username' ]  = 'administrator' ; 
            $arr [ 'password' ]  = '800823' ; 
            $arr [ 'display' ]  = 'administrator' ; 
            $arr [ 'modules' ]  = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1' ; 
            $arr [ 'rights' ]  = '*' ; 
            $arr [ 'serverrights' ]  = '*' ; 
            $arr [ 'isadmin' ]  = '1' ; 
            $arr [ 'bindterminals' ]  = '' ; 
            $arr [ 'res' ]  = 1 ; 
            $arr [ 'mainurl' ]  = 'main' ; 
            $arr [ 'token' ]  = 'SESSION' ; 
            echo JSON ( $arr ); 
         } 
        else
         { 
            $result = UdpSendAndRecvJson ( $postData ,  "login" ); 
            echo $result ; 
         } 
     } 
 ?> 
复制代码

 

最后

有在学习网络安全的可以点击查看【网络安全学习资料·攻略

  1. 2000多本网络安全系列电子书
  2. 网络安全标准题库资料
  3. 项目源码
  4. 网络安全基础入门、Linux、web安全、攻防方面的视频
  5. 网络安全学习路线图**
分类:
代码人生
标签:
收藏成功!
已添加到「」, 点击更改