Today I want to write about the most recent bug I found in PHP, CVE-2015-2348. This bug is fairly important (considering the number of developers affected).
The problem occurs in PHP's move_uploaded_file function, which is very widely used to handle uploaded files. This function checks that the file designated by its filename is a valid uploaded file (meaning it was uploaded through PHP's HTTP POST upload mechanism). If the file is valid, it is moved to the destination filename.

Example:

`move_uploaded_file ( string $filename , string $destination )`

The problem with it is that there is a way to insert null bytes to bypass it. Using null bytes, an attacker can bypass an upload check that accepts only apparently valid files and upload malicious files that can lead to RCE, simply by using \x00 characters.

I will take an example with DVWA at the highest security level. Below is a code snippet from https://github.com/RandomStorm/DVWA/blob/master/vulnerabilities/upload/source/high.php:
```php
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        $html .= '<pre>';
        $html .= 'Your image was not uploaded.';
        $html .= '</pre>';
    }
    else {
        $html .= $target_path . ' succesfully uploaded!';
    .
    .
```

Expected behaviour: the bypass PHP produced is that

`move_uploaded_file($_FILES['name']['tmp_name'], "/file.php\x00.jpg")`

should create the file "file.php\x00.jpg". What it actually creates: file.php
Most upload forms running PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 are affected by this bug.
How to fix

Filter out null bytes from the name of the file uploaded to the server ($_FILES['uploaded']['name']) before calling move_uploaded_file, and update to the latest PHP releases, which have patched the bug.
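As an added example (not code from the original post or from DVWA), here is how the fix described above can be applied in PHP: reject null bytes and other control characters in the client-supplied name, whitelist the extension, verify the real content type of the temporary file, and never reuse the client name on disk. The function names `safe_upload_name` and `handle_upload`, the whitelist and the sample names are assumptions for this illustration.

```php
<?php
// Added example (not from the original post or DVWA): validate an uploaded
// file name before it reaches move_uploaded_file(). Function names, the
// whitelist and the sample inputs below are assumptions for this illustration.

declare(strict_types=1);

/**
 * Return a safe destination name for an uploaded file, or null if the
 * client-supplied name must be rejected.
 *
 * Checks, in order:
 *  1. strip any directory component (basename), so "../x" cannot escape $dir;
 *  2. reject NUL bytes and other control characters outright: this is the
 *     CVE-2015-2348 input, "file.php\x00.jpg";
 *  3. take the extension after the *last* dot and compare it case-insensitively
 *     against a whitelist;
 *  4. never reuse the client name on disk: generate a random name and append
 *     only the whitelisted extension.
 */
function safe_upload_name(string $clientName, array $allowedExt = ['jpg', 'jpeg']): ?string
{
    $name = basename($clientName);

    // Any control character (including NUL, 0x00) is a hard reject.
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }

    $dot = strrpos($name, '.');
    if ($dot === false || $dot === strlen($name) - 1) {
        return null; // no extension, or trailing dot
    }
    $ext = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // Server-chosen name: the client controls only the (whitelisted) suffix.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Hardened equivalent of the DVWA handler: validate the name, check the real
 * MIME type of the temp file, then move it under a server-generated name.
 * Returns the final path or null. $dir should not be executable by the web server.
 */
function handle_upload(array $file, string $dir, int $maxBytes = 100000): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
        return null;
    }
    $safe = safe_upload_name($file['name']);
    if ($safe === null) {
        return null;
    }
    // Check content, not just the name: both jpg and jpeg must be image/jpeg.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'image/jpeg') {
        return null;
    }
    $dest = rtrim($dir, '/') . '/' . $safe;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed sample names (not real uploads), runnable from the CLI:
$samples = ["photo.JPG", "file.php\x00.jpg", "shell.php", "../../evil.jpg", "noext"];
foreach ($samples as $s) {
    $r = safe_upload_name($s);
    printf("%-24s => %s\n", addcslashes($s, "\0..\37"), $r === null ? 'REJECTED' : 'accepted as ' . $r);
}
```

Run from the command line, only `photo.JPG` is accepted (under a random name); `file.php\x00.jpg`, `shell.php`, the traversal name and the name without an extension are rejected. Patched PHP releases already refuse paths containing a NUL byte (PHP 8 raises a ValueError), but filtering the name before the call keeps the handler safe regardless of the interpreter version, and generating the on-disk name server-side removes the client name from the decision entirely.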
Translated from: www.paulosyibelo.com
Exploiting PHP Upload forms
By: Unknown