
[Vulnerability Analysis] WordPress History Collection <=1.1.1 Arbitrary File Download

2015-06-24 10:39
Vulnerability identifier: EDB-ID 37254

The WordPress History Collection plugin ships a file named download.php. This file does not filter its GET input, so an attacker can use it to force the download of arbitrary files.

<?php
$file=$_GET['var'];
$filename = $file; // the file name is taken from the URL's var parameter

// required for IE, otherwise Content-disposition is ignored
if(ini_get('zlib.output_compression'))
ini_set('zlib.output_compression', 'Off');

// addition by Jorg Weske
$file_extension = strtolower(substr(strrchr($filename,"."),1)); // get the file's extension

if( $filename == "" ) // no file to download was specified
{
echo "<html><title>eLouai's Download Script</title><body>ERROR: download file NOT SPECIFIED. USE force-download.php?file=filepath</body></html>";
exit;
} elseif ( ! file_exists( $filename ) ) // the requested file does not exist
{
echo "<html><title>eLouai's Download Script</title><body>ERROR: File not found. USE force-download.php?file=filepath</body></html>";
exit;
};
switch( $file_extension ) // set the Content-Type field according to the file extension
{
case "pdf": $ctype="application/pdf"; break;
case "exe": $ctype="application/octet-stream"; break;
case "zip": $ctype="application/zip"; break;
case "doc": $ctype="application/msword"; break;
case "xls": $ctype="application/vnd.ms-excel"; break;
case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
case "gif": $ctype="image/gif"; break;
case "png": $ctype="image/png"; break;
case "csv": $ctype="application/csv"; break;
case "jpeg":
case "jpg": $ctype="image/jpg"; break;
default: $ctype="application/force-download";
}
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers
header("Content-Type: $ctype"); # the type of the file being downloaded
// change, added quotes to allow spaces in filenames, by Rajkumar Singh
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" ); # the name of the file being downloaded
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
readfile("$filename"); # the file whose contents are sent
exit();
?>
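As an added example (not the plugin's or this post's own code), here is a hardened replacement for download.php that accepts only a plain file name inside one fixed directory, so a var value such as ../../wangpeng.txt is rejected before any file system access. The "files" directory next to the script and the extension allow-list are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for download.php.
// Assumed layout: downloadable files live in a dedicated "files" directory next
// to this script; the name is still passed in the GET parameter "var".
$base_dir = realpath(__DIR__ . '/files');
$requested = isset($_GET['var']) ? (string) $_GET['var'] : '';

// Accept only a plain file name: no directory separators, no "." / "..",
// no NUL bytes. This rejects ../../wangpeng.txt before any file system access.
if ($requested === '' || $requested !== basename($requested)
    || $requested === '.' || $requested === '..'
    || strpos($requested, "\0") !== false) {
    http_response_code(400);
    exit('ERROR: invalid file name.');
}

// Resolve the path and confirm it still lies inside $base_dir after symlink
// resolution; realpath() returns false when the file does not exist.
$path = realpath($base_dir . DIRECTORY_SEPARATOR . $requested);
if ($base_dir === false || $path === false || !is_file($path)
    || strpos($path, $base_dir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('ERROR: file not found.');
}

// Allow-list extensions instead of falling through to "application/force-download".
$allowed = [
    'pdf' => 'application/pdf', 'zip' => 'application/zip',
    'doc' => 'application/msword', 'xls' => 'application/vnd.ms-excel',
    'gif' => 'image/gif', 'png' => 'image/png',
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
];
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    http_response_code(403);
    exit('ERROR: file type not allowed.');
}

if (ini_get('zlib.output_compression')) {
    ini_set('zlib.output_compression', 'Off');
}
header('Content-Type: ' . $allowed[$ext]);
header('X-Content-Type-Options: nosniff');
// Strip quotes and line breaks so the file name cannot break the header value.
$safe_name = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Disposition: attachment; filename="' . $safe_name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```

The realpath() containment check is what closes the traversal even if a future change relaxes the file-name check, since any path that escapes the base directory fails the prefix comparison.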


I. Reproducing the vulnerability:

First, request the script without specifying a file to download; it reports an error.



Next, specify a file that does not exist; the script reports an error.



Finally, set the var parameter to ../../wangpeng.txt; a file outside the site's root directory is downloaded.



II. Analysis of the key functions

1. The header function:

header(): used to send a custom HTTP header.

PHP download dialog

If you want to prompt the user to save the data you are sending, for example a generated PDF file, you can use the Content-Disposition header to supply a recommended file name and force the browser to display a file download dialog.

<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

//It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

//The PDF source is in original.pdf
readfile('original.pdf');
?>
2. The readfile function:

readfile(): outputs a file; it reads a file and writes it to the output buffer.

<?php
$file = 'monkey.gif';

if(file_exists($file)){
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment;filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
?>
The output of the above example is similar to:



Done.