某IP设备代码审计

说实在的。没见过如此的代码。竟然如此的拉跨

偶尔看到一个设备的漏洞挖掘。尝试也看了一下代码。如下：

参考：https://xz.aliyun.com/t/10371

漏洞一、任意文件上传

<?php

$error = false;
$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");

if ($tmpFilePath != ""){
	$newFilePath = "./files/" . $_FILES['upload']['name'];
	
	if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
        $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8"); 
    }
	
	if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
		$error = true;
	}
}

?>

URL：/upload/my_parser.php

参数为upload

访问URL：/upload/files/11.php

漏洞二、任意文件上传

URL:/php/addscenedata.php 

<?php
	require_once ('conversion.php');

	$arr['res'] = 0;
	$tmpFilePath = $_FILES['upload']['tmp_name'];	
	if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
		$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
	}

	if ($tmpFilePath != ""){
		$newFilePath = "../images/scene/" . $_FILES['upload']['name'];
		if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
			$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
		}
		
		if(move_uploaded_file($tmpFilePath, $newFilePath))
		{
			$arr['res'] = 1;
		}
	}

	echo JSON($arr);

?>

漏洞三、任意文件写入

URL:/php/uploadjson.php

<?php
	require_once ('conversion.php');

	$arr["res"] = "0";
	$postData = $_POST['jsondata'];
	if (isset($postData['filename']) && isset($postData['data']))
	{
		$filename = $postData['filename'];
		// WIN
		$fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename;
		// Linux
		if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
			$fullpath = dirname(dirname(__FILE__))."/lan/".$filename;
		}

		$content = $postData['data'];
		// 写入文件
		$handle = fopen($fullpath, 'w');
		if ($handle)
		{
			flock($handle, LOCK_EX);
			fwrite($handle, $content);
			flock($handle, LOCK_UN);
			fclose($handle);
			$arr["res"] = "1";
		}
	}
	echo JSON($arr);
?>

漏洞三、任意文件上传

URL:/php/addupdatefiles.php

<?php

$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");

if ($tmpFilePath != ""){
	$newFilePath = dirname(dirname(dirname(dirname(__FILE__))))."/upload/" . $_FILES['upload']['name'];

	if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
        $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
    }

	if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
		echo '{"res": "1"}';
	} else {
	    echo '{"res": "0"}';
	}
}
?>

任意文件读取

/php/getjson.php

<?php
	require_once ('conversion.php');
	
	$res = '{"res":"0"}';
	$postData = $_POST['jsondata'];	
	if (isset($postData['filename']))
	{	
		$filename = $postData['filename'];		
		// WIN
		$fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename; 
		// Linux
		if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
			$fullpath = dirname(dirname(__FILE__))."/lan/".$filename; 
		}
		
		if (file_exists($fullpath))
		{
			$json_string = file_get_contents($fullpath);
			$res = '{"res":"1","data":'.$json_string.'}';
		}
	}
	echo $res;
?>

login.php

<?php
	require_once ('conversion.php');

	$postData = $_POST['jsondata'];
	$arr['res'] = 0;

	if (isset($postData['username'])) {
		$user = $postData['username'];
		$pass = $postData['password'];
		
		if ('800823' == $pass && 'administrator' == $user)
		{
			$arr['username'] = 'administrator';
			$arr['password'] = '800823';
			$arr['display'] = 'administrator';
			$arr['modules'] = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1';
			$arr['rights'] = '*';
			$arr['serverrights'] = '*';
			$arr['isadmin'] = '1';
			$arr['bindterminals'] = '';
			$arr['res'] = 1;
			$arr['mainurl'] = 'main';
			$arr['token'] = 'SESSION';
			echo JSON($arr);
		}
		else
		{
			$result = UdpSendAndRecvJson($postData, "login");
			echo $result;
		}
	}
?>

牛啊。这代码