bo-blog 0DAY上传漏洞及修复
关注了下最近几位大牛网站被黑的消息,知道了是用bo-blog,就下了套2.1.1看看,发现了点问题。此程序和F2blog存在一样的上传bug,只是利用难了点,要一定权限。但结合社工就有用了
xmlrpc.php
function metaWeblog_newMediaObject ($values) { //2006-12-2 add support for uploading files
global $config, $defualtcategoryid, $db_prefix, $mbcon, $nowtime;
$userdetail=check_user ($values['username'], $values['password']); //有判断权限
$struct=$values['struct'];
//writetofile ('text1.php', $struct['bits']); //debug only
if ($struct['bits'] && $struct['name']) {
$writefilecontent=base64_decode($struct['bits']);
$ext=strtolower(strrchr($struct['name'],'.'));
$ext=str_replace(".", '', $ext); //没有过滤后缀
$upload_filename=time().'_'.rand(1000, 9999).substr(md5($struct['name']), 0, 4).'.'.$ext;
if ($mbcon['uploadfolders']=='1') {
$targetfolder_ym=date("Ym").'/';
$targetfolder="attachment/{$targetfolder_ym}";
if (!is_dir ($targetfolder)) {
$mktargetfolder=@mkdir($targetfolder, 0777);
if (!$mktargetfolder) xml_error ("Sorry, uploading file ({$struct['name']}) failed because PHP was unable to create a new directory.");
}
} else {
$targetfolder_ym='';
$targetfolder='attachment';
}
$filenum=@fopen("{$targetfolder}/{$upload_filename}","wb");
if (!$filenum) {
xml_error ("Sorry, uploading file ({$struct['name']}) failed.");
}
flock($filenum,LOCK_EX);
fwrite($filenum,$writefilecontent);
fclose($filenum);
//DB updating, new function in 2.1.0
$blog=new boblog;
$blog->query("INSERT INTO `{$db_prefix}upload` (fid,filepath,originalname,uploadtime,uploaduser) VALUES (null, \"attachment/{$targetfolder_ym}{$upload_filename}\", \"{$struct['name']}\", {$nowtime['timestamp']}, {$userdetail['userid']})");
$currentid=db_insert_id();
if ($mbcon['wmenable']=='1') { //Add watermark
$imgext_watermark=array('jpg', 'gif', 'png');
if (in_array($ext, $imgext_watermark)) {
create_watermark("attachment/{$targetfolder_ym}{$upload_filename}");
}
}
}
$xml_content=make_xml_piece ("struct", array('url'=>"{$config['blogurl']}/attachment.php?fid={$currentid}"));
$body_xml=xml_generate($xml_content);
send_response ($body_xml);
}
function checkuser($username, $password) {
global $db_prefix;
$blog=new boblog;
$password=md5($password);
$username=mystrtolower($username);
$userdetail=$blog->getbyquery("SELECT * FROM `{$db_prefix}user` WHERE LOWER(username)='{$username}' AND `userpsw`='{$password}'");
if (!$userdetail) {
return false;
}
else {
if (file_exists("data/usergroup{$userdetail['usergroup']}.php")) include ("data/usergroup{$userdetail['usergroup']}.php");
else include("data/usergroup0.php");
if ($permission['XMLRPC']!=1) return false; //Check 'Browse' permission
else return $userdetail;
}
}
function check_user ($username, $password) {
$username=safe_convert(addslashes($username)); //2007-1-20 Security Fix
$password=safe_convert(addslashes($password)); //2007-1-20 Security Fix
$userdetail=checkuser($username, $password);
if (!$userdetail) xml_error("Authentification failed by the conbination of provided username ({$username}) and password.");
else return $userdetail;
}
上一篇:某网站程序BUG一个