PHP %00 (null byte) truncation summary (CVE-2006-7243)


CVE-2006-7243

Cause of the vulnerability:

PHP used a plain char pointer when checking the upload file path. In C a char pointer is a NUL-terminated string, so \0 marks the end of the string: the file name is truncated at the first \0 and everything after it is ignored, even though the full, length-aware string that PHP received still contains those bytes.
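As an added illustration (not from the post and not PHP's own code), the C program below shows the mismatch the paragraph describes: a length-aware check over the full buffer sees the name end in .jpg, while strlen(), rename() and fopen() stop at the first NUL and see it end in .php. validate_upload_path() is the check that closes the gap by refusing any path with an embedded NUL before it reaches a NUL-terminated C API. The file name exploit.php\0.jpg is a constructed sample and the function names are my own.

```c
/* Added example (not from the post or from PHP's source): shows how a
 * length-aware extension check and the NUL-terminated view that C file
 * APIs (rename(), fopen()) see can disagree on the same bytes, and the
 * check that closes the gap. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 if the buffer contains a NUL byte before its declared end. */
int has_embedded_nul(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Length the C library would use for this buffer: it stops at the first NUL. */
size_t c_visible_len(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Length-aware suffix check over the full declared length. */
int ends_with(const char *buf, size_t len, const char *suffix)
{
    size_t slen = strlen(suffix);
    return len >= slen && memcmp(buf + len - slen, suffix, slen) == 0;
}

/* The check a safe path validator needs: reject any embedded NUL before
 * the bytes are handed to a NUL-terminated C API. Returns 1 when the
 * path is acceptable, 0 when it must be refused. */
int validate_upload_path(const char *buf, size_t len, const char *allowed_suffix)
{
    if (has_embedded_nul(buf, len))
        return 0;
    return ends_with(buf, len, allowed_suffix);
}

int main(void)
{
    /* Constructed upload name: "exploit.php" + NUL + ".jpg" (16 bytes). */
    static const char name[] = "exploit.php\0.jpg";
    size_t len = sizeof(name) - 1;

    printf("declared length: %zu, C-visible length: %zu\n",
           len, c_visible_len(name, len));
    printf("length-aware check sees .jpg: %d\n", ends_with(name, len, ".jpg"));
    printf("C view ends with .php: %d\n",
           ends_with(name, c_visible_len(name, len), ".php"));
    printf("validate_upload_path accepts: %d\n",
           validate_upload_path(name, len, ".jpg"));
    return 0;
}
```

The two suffix checks both return true for the same 16 bytes, which is exactly why an extension whitelist evaluated on the length-aware string cannot be trusted once the bytes reach a C API; rejecting embedded NUL bytes up front is what the 5.3.4 fix did for path arguments.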

CVE details

PHP before 5.3.4

CVE-2006-7243

Below is the PHP source code of move_uploaded_file():

/* {{{ proto bool move_uploaded_file(string path, string new_path)
   Move a file if and only if it was created by an upload */
PHP_FUNCTION(move_uploaded_file)
{
    char *path, *new_path;
    size_t path_len, new_path_len;
    zend_bool successful = 0;
#ifndef PHP_WIN32
    int oldmask;
    int ret;
#endif

    /* No file was uploaded in this request: nothing to move. */
    if (!SG(rfc1867_uploaded_files))
    {
        RETURN_FALSE;
    }

    ZEND_PARSE_PARAMETERS_START(2, 2)
        Z_PARAM_STRING(path, path_len)
        /* Z_PARAM_PATH rejects a string that contains an embedded NUL byte,
           so new_path can no longer be truncated by \0 in this version. */
        Z_PARAM_PATH(new_path, new_path_len)
    ZEND_PARSE_PARAMETERS_END();

    /* The source must be one of the files the RFC 1867 upload handler
       recorded for this request. */
    if (!zend_hash_str_exists(SG(rfc1867_uploaded_files), path, path_len))
    {
        RETURN_FALSE;
    }
    if (php_check_open_basedir(new_path))
    {
        RETURN_FALSE;
    }

    /* Try a rename first; fall back to copy + unlink across filesystems. */
    if (VCWD_RENAME(path, new_path) == 0)
    {
        successful = 1;
#ifndef PHP_WIN32
        oldmask = umask(077);
        umask(oldmask);
        ret = VCWD_CHMOD(new_path, 0666 & ~oldmask);
        if (ret == -1)
        {
            php_error_docref(NULL, E_WARNING, "%s", strerror(errno));
        }
#endif
    }
    else if (php_copy_file_ex(path, new_path, STREAM_DISABLE_OPEN_BASEDIR) == SUCCESS)
    {
        VCWD_UNLINK(path);
        successful = 1;
    }

    if (successful)
    {
        /* A moved upload is removed from the set so it cannot be moved twice. */
        zend_hash_str_del(SG(rfc1867_uploaded_files), path, path_len);
    }
    else
    {
        php_error_docref(NULL, E_WARNING, "Unable to move '%s' to '%s'", path, new_path);
    }
    RETURN_BOOL(successful);
}

Exploitation:

A \0 can be used to build a special file extension, such as .php\0.jpg, that passes the upload file type restriction while the file is actually saved with a .php name.

Demonstration with DVWA:

Filename: exploit.php\0.jpg

Content:

<?php
phpinfo();
?>
