Analysis of an arbitrary file upload vulnerability in the member avatar image of FineCMS v5

Posted by deaguero at 2020-03-11


Today, while browsing the forum, I came across an article analysing the arbitrary file upload vulnerability in the FineCMS v5 member avatar. In the spirit of "Shii", "Yi" and "Bi", I studied the vulnerability and reproduced it for you.

FineCMS (free edition or public-welfare edition for short) is an efficient, simple content management system for small and medium-sized enterprises, built on PHP + MySQL and the CI (CodeIgniter) framework. It is designed for multiple terminals, including PC and mobile pages. It supports custom content models and membership models, and fields can be customised. It offers a full website construction solution for small and medium-sized sites and is suitable for small websites, enterprise and industry sites, news content sites and so on, making it a preferred site-building system for individual webmasters and small and medium-sized enterprises.

Judging by its English name, this file is related to the account. (It doesn't matter if your English is poor; I haven't passed level 4 myself, but I can make it out. If you don't agree, bite me!)

Taken as a whole, this is hard for beginners or people without a PHP background, so I'll explain it block by block:

First, look at the first three lines of code for this function:

```php
!is_dir($dir) && dr_mkdirs($dir); // if the directory does not exist, create it
```

From the comment you can see that this is the preparation for uploading the picture. I've annotated the code clearly and there is nothing of interest here, so I won't go into detail.

Then look at the if block starting from the fourth line:

```php
if ($_POST['tx']) { // the avatar content is submitted by POST in the field tx
    $file = str_replace(' ', '+', $_POST['tx']); // restore '+' characters: a '+' in base64 data arrives as a space after URL decoding

    if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $file, $result)) { // use a regular expression to match the data URI header

        $new_file = $dir.'0x0.'.$result[2]; // piece together the complete file path; $result[2], the file suffix, comes from the tx content passed in by POST

            exit(dr_json(0, 'insufficient directory permission or disk full')); // if the write fails, report an error and stop; exit ends the process with a message
```

OK, here comes the most important part. The main flow is: first use the regular expression to split the incoming content and extract the uploaded image data and the file-name suffix; then construct the complete path and write the content to that location. The file-name suffix is controlled by the image/xxx part of the data URI sent during the upload. If the write fails, the process ends and an error is reported.

To make this easier for beginners to follow, we can do a small experiment to see how the regular expression splits the input.

First, take out the lines from this part and modify them. The main change is to replace the value passed by POST with a string variable holding test content we type in by hand.

Finally, run this code and you will see the content shown in figure 2.4.

Well, it's not hard now to think back to the corresponding FineCMS code. The root cause of the vulnerability is that the file suffix is under our control, so by carefully constructing the content of tx we can upload a one-line webshell (a "one word Trojan") or a larger webshell to the server.
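As an added example (not FineCMS's own code), here is the suffix derivation from the handler above beside a hardened version that ignores the declared type and validates the decoded bytes; the function names and the temporary directory are my own assumptions.

```php
<?php
// Added example, not FineCMS code. Function names and $dir are assumptions;
// in practice use an upload directory the web server does not execute.

// Vulnerable pattern: the extension is taken verbatim from the data URI,
// so a declared type of "image/php" yields 0x0.php in the upload directory.
function vulnerable_target_name(string $dir, string $tx): ?string
{
    $file = str_replace(' ', '+', $tx);
    if (!preg_match('/^(data:\s*image\/(\w+);base64,)/', $file, $result)) {
        return null;
    }
    return $dir . '0x0.' . $result[2];
}

// Hardened: ignore the declared type, decode strictly, detect the real image
// type from its magic bytes, map it through a whitelist, and let the server
// choose the file name. Returns the written path, or null when rejected.
function save_avatar_hardened(string $dir, string $tx): ?string
{
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $file = str_replace(' ', '+', $tx);
    if (!preg_match('/^data:\s*image\/\w+;base64,(.+)$/s', $file, $m)) {
        return null;
    }
    $bytes = base64_decode($m[1], true);          // strict: reject non-base64 input
    if ($bytes === false || strlen($bytes) > 2 * 1024 * 1024) {
        return null;                               // undecodable or oversized
    }
    $info = @getimagesizefromstring($bytes);       // inspects the magic bytes
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;                               // not a genuine JPEG/PNG/GIF
    }
    $name = $dir . 'avatar_' . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    return file_put_contents($name, $bytes) === false ? null : $name;
}

// Constructed inputs: a forged declared type, and a genuine 1x1 GIF.
$dir    = sys_get_temp_dir() . '/';
$forged = 'data:image/php;base64,' . base64_encode('not an image');
$gif    = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';

echo "vulnerable, forged type: ", var_export(vulnerable_target_name($dir, $forged), true), "\n";
echo "hardened,   forged type: ", var_export(save_avatar_hardened($dir, $forged), true), "\n";
echo "hardened,   real GIF:    ", var_export(save_avatar_hardened($dir, $gif), true), "\n";
```

Beyond the fix itself, the attempts the hardened path rejects (a declared image type that does not match the magic bytes) are worth logging, since they are a clear signal of someone probing the upload handler.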

That concludes the vulnerability analysis of FineCMS. The next post brings you the reproduction process. Stay tuned!

To the wonderful world of white hats