Insecure File Download and Upload: Race Condition Bypass

Pass-18
Source code (php):

//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit']))
{
    require_once("./myupload.php");
    $imgFileName = time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FILES['upload_file']['size'], $imgFileName);
    $status_code = $u->upload($UPLOAD_ADDR);
    switch ($status_code) {
        case 1:
            $is_upload = true;
            $img_path = $u->cls_upload_dir . $u->cls_file_rename_to;
            break;
        case 2:
            $msg = '文件已經被上傳,但沒有重命名。';
            break;
        case -1:
            $msg = '這個文件不能上傳到服務器的臨時文件存儲目錄。';
            break;
        case -2:
            $msg = '上傳失敗,上傳目錄不可寫。';
            break;
        case -3:
            $msg = '上傳失敗,沒法上傳該類型文件。';
            break;
        case -4:
            $msg = '上傳失敗,上傳的文件過大。';
            break;
        case -5:
            $msg = '上傳失敗,服務器已經存在相同名稱文件。';
            break;
        case -6:
            $msg = '文件沒法上傳,文件不能複製到目標目錄。';
            break;
        default:
            $msg = '未知錯誤!';
            break;
    }
}

//myupload.php
class MyUpload{
......
......
......
  var $cls_arr_ext_accepted = array(
      ".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z", ".ppt",
      ".html", ".xml", ".tiff", ".jpeg", ".png" );

......
......
......
  /** upload()
   **
   ** Method to upload the file.
   ** This is the only method to call outside the class.
   ** @param String name of directory we upload to
   ** @returns the status code produced by resultUpload()
  **/
  function upload( $dir ){

    $ret = $this->isUploadedFile();

    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->setDir( $dir );
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkExtension();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    $ret = $this->checkSize();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    // if flag to check if the file exists is set to 1

    if( $this->cls_file_exists == 1 ){

      $ret = $this->checkFileExists();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );
      }
    }

    // if we are here, we are ready to move the file to destination

    $ret = $this->move();
    if( $ret != 1 ){
      return $this->resultUpload( $ret );
    }

    // check if we need to rename the file

    if( $this->cls_rename_file == 1 ){
      $ret = $this->renameFile();
      if( $ret != 1 ){
        return $this->resultUpload( $ret );
      }
    }

    // if we are here, everything worked as planned :)

    return $this->resultUpload( "SUCCESS" );

  }
......
......
......
};

At first I could not find a bypass. In the end I downloaded the packaged environment the author provides on GitHub and bypassed it successfully using the upload-then-rename race combined with the Apache parsing vulnerability.
Upload a file named 18.php.7Z and resubmit the same request rapidly; the response says the file has been uploaded but was not renamed.
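The root cause is visible in upload(): move() first writes the file into the upload directory under its client-supplied name, and only afterwards does renameFile() give it the time()-based name. Between those two steps the file "18.php.7Z" exists under the web root, and because every request arriving in the same second gets the same $imgFileName, a second request's rename fails (status code 2) and leaves the original-named file behind. The following hardened routine is an added example written for this page, not code from upload-labs; the function name safeUpload, the ALLOWED_EXT list, the size limit and the upload directory path are assumptions. It decides the final name before touching the upload directory and moves the file exactly once, so no file with an attacker-chosen name is ever on disk.

```php
<?php
// Added example (not upload-labs code): a hardened upload routine that closes
// the move-then-rename race seen in Pass-18. Names below are assumptions.

declare(strict_types=1);

// Whitelist of non-executable types; compared against the LAST extension only,
// after lowercasing, so "18.php.7Z" is judged purely on "7z".
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip', '7z'];
const MAX_SIZE    = 2 * 1024 * 1024; // assumed limit: 2 MiB

/**
 * Store one uploaded file under a random server-chosen name.
 * Returns ['ok' => true, 'path' => ...] or ['ok' => false, 'error' => ...].
 */
function safeUpload(array $file, string $uploadDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'error' => 'upload error code ' . $file['error']];
    }
    // Refuse anything PHP did not itself receive through an HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'error' => 'not an uploaded file'];
    }
    if ($file['size'] > MAX_SIZE) {
        return ['ok' => false, 'error' => 'file too large'];
    }

    // Only the final extension is considered; the original basename is never
    // reused on disk, so "php" anywhere else in the name is irrelevant.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return ['ok' => false, 'error' => 'extension not allowed'];
    }

    // Choose the final name BEFORE touching the upload directory. random_bytes
    // (instead of time()) means two requests in the same second cannot collide,
    // and there is no later rename step that could fail and leave a stray file.
    $dir = rtrim($uploadDir, '/');
    do {
        $target = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    } while (file_exists($target));

    // One move from the PHP temp directory straight to the final name. At no
    // point does a file carrying the client-supplied name exist under the web root.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['ok' => false, 'error' => 'could not move file'];
    }
    chmod($target, 0644); // readable, never executable

    return ['ok' => true, 'path' => $target];
}

// Usage mirroring the index.php flow on this page (directory path assumed).
if (isset($_POST['submit']) && isset($_FILES['upload_file'])) {
    $result = safeUpload($_FILES['upload_file'], __DIR__ . '/upload');
    $msg = $result['ok']
        ? 'uploaded as ' . basename($result['path'])
        : $result['error'];
}
```

Two points about the design. First, the file_exists() loop is only a belt-and-braces check: with 128 bits of randomness a collision is not a realistic concern, and there is no check-then-rename window for a concurrent request to exploit because the name is final before the move. Second, the "Apache parsing" half of the bypass is a server-configuration issue that the PHP code cannot fix on its own; the upload directory should additionally be served with the PHP handler disabled (for example via a per-directory configuration that removes the handler for that path), so that even a stray file ending in .php would be delivered as static content rather than executed.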
