wordpress漏洞上传php文件,WordPress wp-admin/includes/file.php任意文件上传漏洞

影响版本:

WordPress <= 2.8.5漏洞描述:

WordPress是一款免费的论坛Blog系统。

WordPress中负责上传文件的代码如下：

wp-admin/includes/file.php:

---[cut]---

line 217:

function wp_handle_upload( &$file, $overrides = false, $time = null ) {

---[cut]---

// All tests are on by default. Most can be turned off by $override[{test_name}] = \

false; $test_form = true;

$test_size = true;

// If you override this, you must provide $ext and $type!!!!

$test_type = true;

$mimes = false;

---[cut]---

// A properly uploaded file will pass this test. There should be no reason to \

override this one. if (! @ is_uploaded_file( $file['tmp_name'] ) )

return $upload_error_handler( $file, __( 'Specified file failed upload test.' \

));

// A correct MIME type will pass this test. Override $mimes or use the upload_mimes \

filter. if ( $test_type ) {

$wp_filetype = wp_check_filetype( $file['name'], $mimes );

extract( $wp_filetype );

if ( ( !$type || !$ext ) && !current_user_can( 'unfiltered_upload' ) )

return $upload_error_handler( $file,

__( 'File type does not meet security guidelines. Try another.' ));

if ( !$ext )

$ext = ltrim(strrchr($file['name'], '.'), '.');

if ( !$type )

$type = $file['type'];

} else {

$type = '';

}

// A writable uploads dir will pass this test. Again, there's no point overriding \

this one. if ( ! ( ( $uploads = wp_upload_dir($time) ) && false === $uploads['error'] \

) ) return $upload_error_handler( $file, $uploads['error'] );

$filename = wp_unique_filename( $uploads['path'], $file['name'], \

$unique_filename_callback );

// Move the file to the uploads dir

$new_file = $uploads['path'] . "/$filename";

if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {

return $upload_error_handler( $file,

sprintf( __('The uploaded file could not be moved to %s.' ), $uploads['path'] ) \

); }

---[cut ]---

从上面代码可见所提供的文件名由$wp_filetype = wp_check_filetype( $file['name'], $mimes );执行检查。以下是wp_check_filetype()函数：

wp-includes/functions.php:

---[cut]---

line 2228:

function wp_check_filetype( $filename, $mimes = null ) {

// Accepted MIME types are set here as PCRE unless provided.

$mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', \

array( 'jpg|jpeg|jpe' => 'image/jpeg',

'gif' => 'image/gif',

'png' => 'image/png',

'bmp' => 'image/bmp',

'tif|tiff' => 'image/tiff',

'ico' => 'image/x-icon',

'asf|asx|wax|wmv|wmx' => 'video/asf',

'avi' => 'video/avi',

---[cut, more mime types]---

line 2279:

$type = false;

$ext = false;

foreach ( $mimes as $ext_preg => $mime_match ) {

$ext_preg = '!\.(' . $ext_preg . ')$!i';

if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {

$type = $mime_match;

$ext = $ext_matches[1];

break;

}

return compact( 'ext', 'type' );

}

文件的类型被设置为匹配所提供扩展名的预定义MIME类型，扩展名是从匹配最后一个句号后mime ext.字符串的正则表达式获得的。如果$type列表中没有扩展名，$ext就会被设置为FALSE，wordpress会生成以下出错消息：“File type does not meet security guidelines. Try another”。

以下函数在文件上传之前对文件名执行了其他一些检查：

$filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback );

wp-includes/functions.php:

line 2096:

function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) {

// sanitize the file name before we begin processing

$filename = sanitize_file_name($filename);

---[cut, code that only matters if uploaded file already exists]---

line 2126:

return $filename;

}

如果要完全了解wordpress所执行的文件过滤，还要了解sanitize_file_name()函数：

wp-includes/formatting.php:

line 601:

function sanitize_file_name( $filename ) {

$filename_raw = $filename;

$special_chars = array("?", "[", "]", "/", "\\", "=", "", ":", ";", \

",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", \

chr(0));

$special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw); $filename = str_replace($special_chars, '', $filename);

$filename = preg_replace('/[\s-]+/', '-', $filename);

$filename = trim($filename, '.-_');

return apply_filters('sanitize_file_name', $filename, $filename_raw);

}

过滤过程没有考虑到带有多个扩展名的文件，用户可以上传带有.php.jpg扩展名的任意PHP脚本，并通过直接请求上传的文件来执行恶意脚本。

wordpress漏洞上传php文件,WordPress wp-admin/includes/file.php任意文件上传漏洞相关推荐

linux用file查看文件类型,Linux怎么使用file命令识别文件类型
file是通过查看文件的头部内容,来获取文件的类型.使用file命令可以知道某个文件究竟是二进制(ELF格式)的可执行文件, 还是Shell Script文件,或者是其它的什么格式.那么Linux怎么 ...
php上传漏洞绕过gd库,jQuery File Upload任意文件上传漏洞
事件背景 jQuery是一个快速.简洁的JavaScript框架,是继Prototype之后又一个JavaScript代码库(或JavaScript框架).jQuery File Upload一个jQ ...
JSP中的文件操作：数据流、File类、文件浏览、目录操作、上传下载
文件可以永久地存储信息,从本质上讲文件就是存放在盘上的一系列数据的集合.应用程序如果想长期保存数据,就必须将数据存储到文件中,这就涉及到文件的操作.而在编写网站应用程序的过程中,有许多地方要对文件 ...
java注解接收上传文件,前台：Input type=file 后台获取文件内容用的是spring注解，当地环境上传图片是好的，发布到服务器上图片读取不到，求大神指点...
当前位置:我的异常网» Java Web开发 » 前台:Input type="file" 后台获取文件内前台:Input type="file" 后台获取文 ...
java本地读取文件的io类_Java File类与文件IO流总结
1.File类 File类被定义为"文件和目录路径名的抽象表示形式",这是因为File类既可以表示"文件"也可以表示"目录",他们都通过对应 ...
手把手教你使用微软官方文件免费恢复神器Windows File Recovery恢复文件
文章目录官网适用Windows版本官方文档下载.安装与启动使用实例重要提示基本恢复步骤如何选择模式并判断文件系统常用参数命令行语法默认模式示例段模式示例(/ r) 签名模式示例 ...
Electron中实现拖拽文件进div中通过File对象获取文件的路径和内容
场景用HTML和CSS和JS构建跨平台桌面应用程序的开源库Electron的介绍以及搭建HelloWorld: https://blog.csdn.net/BADAO_LIUMANG_QIZHI/a ...
struts2 ajax上传文件 file空_WordPress插件漏洞分析：WPDiscuz任意文件上传漏洞
写在前面的话就在不久之前,Wordfence的威胁情报团队在一款名叫wpDiscuz的Wordpress评论插件中发现了一个高危漏洞,而这款插件目前已有超过80000个网站在使用了.这个漏洞将允许未 ...
wordpress搜索不了中文linux,WordPress上传带中文汉字名称的图片不显示的解决办法...
以上是WordPress上传带中文汉字名称的图片不显示的情况,正常上传成功的话,在上图两个地方都会有图片缩略图显示.相信很多WordPress装载linux系统上的朋友都会遇到这样的错误. WordP ...

wordpress漏洞上传php文件,WordPress wp-admin/includes/file.php任意文件上传漏洞

wordpress漏洞上传php文件,WordPress wp-admin/includes/file.php任意文件上传漏洞相关推荐

最新文章

热门文章