I have a well-known script installed on my server. A programmer told me that one of its pages contains code that can be used to execute any code or function and grep all the data on my box.
The code is:
```php
function fileRequestHandler($handler, $module = false, $file = false){
    global $test_conf;
    switch ($handler) {
        case 'reload':
            // AJAX handler for reload event
            $response = do_reload();
            header("Content-type: application/json");
            echo json_encode($response);
            break;
        case 'file':
            /** Handler to pass-through file requests
             * Looks for "module" and "file" variables, strips .. and only allows normal filename characters.
             * Accepts only files of the type listed in $allowed_exts below, and sends the corresponding mime-type,
             * and always interprets files through the PHP interpreter. (Most of?) the environment is available,
             * including $db and $astman, and the user is authenticated.
             */
            if (!$module || !$file) {
                die_myscript("unknown");
            }
            //TODO: this could probably be more efficient
            $module = str_replace('..', '.', preg_replace('/[^a-zA-Z0-9-\_\.]/', '', $module));
            $file = str_replace('..', '.', preg_replace('/[^a-zA-Z0-9-\_\.]/', '', $file));
            $allowed_exts = array(
                '.js' => 'text/javascript',
                '.js.php' => 'text/javascript',
                '.css' => 'text/css',
                '.css.php' => 'text/css',
                '.html.php' => 'text/html',
                '.php' => 'text/html',
                '.jpg.php' => 'image/jpeg',
                '.jpeg.php' => 'image/jpeg',
                '.png.php' => 'image/png',
                '.gif.php' => 'image/gif',
            );
```
What is wrong with this code? What kinds of operations can be passed through it?
How can I close it? Thanks.
Answer 0 (score: 1)
A simple Google search shows where you found this code:
http://cxsecurity.com/issue/WLB-2014020088
```php
function fileRequestHandler($handler, $module = false, $file = false)
{
    global $amp_conf;
    switch ($handler) {
        case 'reload':
            // AJAX handler for reload event
            $response = do_reload();
            header("Content-type: application/json");
            echo json_encode($response);
            break;
        case 'file':
            /** Handler to pass-through file requests
             * Looks for "module" and "file" variables, strips .. and only allows normal filename
             * characters.
             * Accepts only files of the type listed in $allowed_exts below, and sends the corresponding mime-type,
             * and always interprets files through the PHP interpreter. (Most of?) the freepbx environment is available,
             * including $db and $astman, and the user is authenticated.
             */
            if (!$module || !$file) {
                die_freepbx("unknown");
            }
            //TODO: this could probably be more efficient
            $module = str_replace('..', '.', preg_replace('/[^a-zA-Z0-9-\_\.]/', '', $module));
            $file = str_replace('..', '.', preg_replace('/[^a-zA-Z0-9-\_\.]/', '', $file));
            $allowed_exts = array(
                '.js' => 'text/javascript',
                '.js.php' => 'text/javascript',
                '.css' => 'text/css',
                '.css.php' => 'text/css',
                '.html.php' => 'text/html',
                '.php' => 'text/html',
                '.jpg.php' => 'image/jpeg',
                '.jpeg.php' => 'image/jpeg',
                '.png.php' => 'image/png',
                '.gif.php' => 'image/gif',
            );
            foreach ($allowed_exts as $ext => $mimetype) {
                if (substr($file, -1 * strlen($ext)) == $ext) {
                    $fullpath = 'modules/' . $module . '/' . $file;
                    if (file_exists($fullpath)) {
                        // file exists, and is allowed extension
                        // image, css, js types - set Expires to 24hrs in advance so the client does
                        // not keep checking for them. Replace from header.php
                        if (!$amp_conf['DEVEL']) {
                            header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 86400) . ' GMT', true);
                            header('Cache-Control: max-age=86400, public, must-revalidate', true);
                        }
                        header("Content-type: " . $mimetype);
                        ob_start();
                        // The matched file is executed as PHP, whatever its extension
                        include($fullpath);
                        ob_end_flush();
                        exit();
                    }
                    break;
                }
            }
            die_freepbx("../view/not allowed");
            break;
        case 'api':
            if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {
                $function = $_REQUEST['function'];
                $args = isset($_REQUEST['args']) ? $_REQUEST['args'] : '';
                //currently works for one arg functions, eventually need to clean this up to accept more args
                // Any defined PHP function named by the client is invoked here with a client-supplied argument
                $result = $function($args);
                $jr = json_encode($result);
            } else {
                $jr = json_encode(null);
            }
            header("Content-type: application/json");
            echo $jr;
            break;
    }
    exit();
}

// Function is called at admin/config.php at line 132
if (!in_array($display, array('noauth', 'badrefer'))
    && isset($_REQUEST['handler'])
) {
    $module = isset($_REQUEST['module']) ? $_REQUEST['module'] : '';
    $file = isset($_REQUEST['file']) ? $_REQUEST['file'] : '';
    fileRequestHandler($_REQUEST['handler'], $module, $file);
    exit();
}
```
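A hardened rewrite of the 'api' and 'file' cases, added here as an example and not code from the original page or the project it comes from. It assumes the same $_REQUEST parameters and modules/ layout as the code above, that the page's do_reload() exists, and that $allowed_exts is the page's own extension map; the 'api' case dispatches only through a fixed allowlist, and the 'file' case rejects bad input instead of rewriting it and checks the resolved path against the modules directory.

```php
<?php
// Added example, not code from the original page or the project it
// comes from: a hardened rewrite of the 'api' and 'file' cases of
// fileRequestHandler(). Assumes the same $_REQUEST parameters, a
// modules/ directory next to this script, and that do_reload() exists
// as on the page. $allowed_exts is the page's own extension map.

// 'api' case: the client names an operation, never a PHP function.
// Each entry is a closure, so no caller-controlled name ever reaches
// function_exists() or a dynamic $function() call.
$api_allowlist = array(
    'reload' => function ($args) { return do_reload(); },
);

function handleApi(array $allowlist, array $request)
{
    $op = isset($request['function']) ? (string) $request['function'] : '';
    if (!isset($allowlist[$op])) {
        header('HTTP/1.1 400 Bad Request');
        return json_encode(null);
    }
    $args = isset($request['args']) ? (string) $request['args'] : '';
    return json_encode(call_user_func($allowlist[$op], $args));
}

// 'file' case: strict component syntax, an extension allowlist, and a
// prefix check on the realpath()-resolved target.
function resolveModuleFile($moduleDir, $module, $file, array $allowed_exts)
{
    if (!preg_match('/^[A-Za-z0-9_-]+\z/', $module)
        || !preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+\z/', $file)) {
        return false; // rejects '/', '..', empty parts and other odd names
    }
    $mime = false;
    foreach ($allowed_exts as $ext => $mimetype) {
        if (substr($file, -strlen($ext)) === $ext) { $mime = $mimetype; break; }
    }
    if ($mime === false) {
        return false;
    }
    $base = realpath($moduleDir);
    $full = realpath($moduleDir . '/' . $module . '/' . $file);
    // realpath() resolves symlinks and '..'; the file must still sit under modules/.
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return array('path' => $full, 'mime' => $mime);
}
```

Only include() the returned path after resolveModuleFile() has returned an array; a false result should end in the same "not allowed" error the original uses.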
Answer 1 (score: 0)
None of the $_REQUEST values are sanitized. As others have said, you must sanitize user input ($_GET, $_POST, $_REQUEST, etc.). If you cannot handle PHP, I suggest you hire a good PHP programmer to secure your application. Or, better yet, don't use a script that contains these vulnerabilities.
If that is not an option for you, add this code after the <?php tag in all PHP files (or in config.php, if it includes all the PHP files):
```php
// sanitize $_GET variables
// (filter_input_array() returns null when no variables of that type were sent)
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
// sanitize $_POST variables
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
// sanitize $_REQUEST variables
// (FILTER_SANITIZE_STRING is the filter argument of filter_var(), not of strip_tags();
//  it is deprecated as of PHP 8.1)
foreach ($_REQUEST as $key => $val) {
    $_REQUEST[$key] = @filter_var(strip_tags(htmlspecialchars($val)), FILTER_SANITIZE_STRING);
}
```
Note that this code may break some parts of your application, especially those that use special characters...