//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
    require_once("./myupload.php");
    $imgFileName = time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'], $imgFileName);
    $status_code = $u->upload($UPLOAD_ADDR);
    switch ($status_code) {
        case 1:
            $is_upload = true;
            $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
            break;
        case 2:
            $msg = '文件已经被上传,但没有重命名。'; // "The file was uploaded, but not renamed."
            break;
        case -1:
            $msg = '这个文件不能上传到服务器的临时文件存储目录。'; // "The file could not be uploaded to the server's temporary directory."
            break;
        case -2:
            $msg = '上传失败,上传目录不可写。'; // "Upload failed: the upload directory is not writable."
            break;
        case -3:
            $msg = '上传失败,无法上传该类型文件。'; // "Upload failed: this file type is not allowed."
            break;
        case -4:
            $msg = '上传失败,上传的文件过大。'; // "Upload failed: the file is too large."
            break;
        case -5:
            $msg = '上传失败,服务器已经存在相同名称文件。'; // "Upload failed: a file with the same name already exists."
            break;
        case -6:
            $msg = '文件无法上传,文件不能复制到目标目录。'; // "The file could not be copied to the target directory."
            break;
        default:
            $msg = '未知错误!'; // "Unknown error!"
            break;
    }
}

//myupload.php
class MyUpload{
......
......
......
    // Allow-list of accepted extensions (checked by checkExtension()).
    var $cls_arr_ext_accepted = array(
        ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z", ".ppt",
        ".html", ".xml", ".tiff", ".jpeg", ".png" );

......
......
......
    /** upload()
     **
     ** Method to upload the file.
     ** This is the only method to call outside the class.
     ** @param String name of directory we upload to
     ** @return mixed status code from resultUpload() (see the switch in index.php)
     **/
    function upload( $dir ){

        $ret = $this->isUploadedFile();

        if( $ret != 1 ){
            return $this->resultUpload( $ret );
        }

        $ret = $this->setDir( $dir );
        if( $ret != 1 ){
            return $this->resultUpload( $ret );
        }

        $ret = $this->checkExtension();
        if( $ret != 1 ){
            return $this->resultUpload( $ret );
        }

        $ret = $this->checkSize();
        if( $ret != 1 ){
            return $this->resultUpload( $ret );
        }

        // if flag to check if the file exists is set to 1

        if( $this->cls_file_exists == 1 ){

            $ret = $this->checkFileExists();
            if( $ret != 1 ){
                return $this->resultUpload( $ret );
            }
        }

        // if we are here, we are ready to move the file to destination
        // (the file lands in the upload directory here, before any rename)

        $ret = $this->move();
        if( $ret != 1 ){
            return $this->resultUpload( $ret );
        }

        // check if we need to rename the file
        // (separate step after move(): the gap between the two is the race window)

        if( $this->cls_rename_file == 1 ){
            $ret = $this->renameFile();
            if( $ret != 1 ){
                return $this->resultUpload( $ret );
            }
        }

        // if we are here, everything worked as planned :)

        return $this->resultUpload( "SUCCESS" );

    }
......
......
......
};
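At first I could not find a way to bypass this. In the end I downloaded the packaged environment the author provides on GitHub and, by combining the upload-rename race condition with the Apache parsing vulnerability, bypassed it successfully.
Upload a file named 18.php.7Z and rapidly resubmit the same request over and over; the response will report that the file has been uploaded but was not renamed.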
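
The window exists because upload() runs move() and renameFile() as two separate steps. The following hardened variant is an added example, not code from the original post or from the project it tests; the function names safe_target_name and store_upload and the shortened allow-list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names, constructed sample input.
const ALLOWED_EXT = ['gif', 'jpg', 'jpeg', 'png', 'pdf', 'txt', 'zip', '7z'];

/**
 * Decide the single, final on-disk name before anything is written to the
 * upload directory. Returns null when the client-supplied name is rejected.
 */
function safe_target_name(string $clientName): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    // Require exactly "name.ext" with an allow-listed extension. A name with
    // more than one dot, such as the post's 18.php.7Z, is refused outright.
    if (count($parts) !== 2 || $parts[0] === '' || !in_array($parts[1], ALLOWED_EXT, true)) {
        return null;
    }
    // Server-chosen random base name; only the vetted extension is reused.
    return bin2hex(random_bytes(16)) . '.' . $parts[1];
}

/**
 * Move the upload straight to its final name. No file ever exists in the
 * upload directory under the client-supplied name, so there is no
 * move-then-rename window to race.
 */
function store_upload(array $file, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = safe_target_name($file['name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Constructed sample names, checked without a real HTTP upload.
foreach (['18.php.7Z', 'shell.php', 'photo.JPG', '.htaccess', 'a.png'] as $n) {
    printf("%-12s => %s\n", $n, safe_target_name($n) === null ? 'rejected' : 'accepted');
}
```

Keeping the upload directory outside the web root, or disabling script handlers for it in the server configuration, closes the same gap at the server level.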
Original article: https://blog.51cto.com/ruguworking/2539916