[Repost] jQuery-File-Upload <= 9.x Remote Command Execution Vulnerability (ImageMagick/Ghostscript)
Posted: 2018-10-24 14:07
[jQuery-File-Upload](ad5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8s2g2W2K9h3#2H3i4K6u0r3K9W2q4#2k6i4u0&6i4K6u0V1c8X3W2D9k6g2)9J5k6q4g2H3L8r3!0S2k6q4)9J5z5b7`.`. is the most-watched jQuery project on GitHub after jQuery itself. An arbitrary file upload vulnerability that had existed in the project for three years was recently disclosed and fixed in the subsequently released v9.22.2, but while reviewing the code the [VulnSpy](88eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4k6#2L8r3&6K6M7s2W2Q4x3X3g2U0L8$3#2Q4x3V1k6Q4x3U0V1`. team found another serious command execution vulnerability, which allows an attacker to execute arbitrary system commands by uploading a malicious image file.
### Vulnerability details
The PHP upload handler [/server/php/UploadHandler.php](53dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8s2g2W2K9h3#2H3i4K6u0r3K9W2q4#2k6i4u0&6i4K6u0V1c8X3W2D9k6g2)9J5k6q4g2H3L8r3!0S2k6q4)9J5c8X3u0D9L8$3u0Q4x3V1k6E0j5i4y4@1k6i4u0Q4x3V1k6K6k6i4u0$3k6i4u0Q4x3V1k6H3K9s2m8Q4x3V1k6g2M7r3I4G2j5h3c8t1j5h3&6V1L8r3g2J5i4K6u0W2M7r3S2H3i4K6t1&6 in jQuery-File-Upload prefers Imagick when validating uploaded images:
```php
protected function get_image_size($file_path) {
    if ($this->options['image_library']) {
        // image_library = 1 or 2: the Imagick extension is tried first.
        if (extension_loaded('imagick')) {
            $image = new \Imagick();
            try {
                // pingImage() hands the untrusted upload to ImageMagick, which
                // may delegate it to Ghostscript depending on its content.
                if (@$image->pingImage($file_path)) {
                    $dimensions = array($image->getImageWidth(), $image->getImageHeight());
                    $image->destroy();
                    return $dimensions;
                }
                return false;
            } catch (\Exception $e) {
                error_log($e->getMessage());
            }
        }
        if ($this->options['image_library'] === 2) {
            // image_library = 2: shell out to the ImageMagick identify binary.
            $cmd = $this->options['identify_bin'];
            $cmd .= ' -ping '.escapeshellarg($file_path);
            exec($cmd, $output, $error);
            if (!$error && !empty($output)) {
                // image.jpg JPEG 1920x1080 1920x1080+0+0 8-bit sRGB 465KB 0.000u 0:00.000
                $infos = preg_split('/\s+/', substr($output[0], strlen($file_path)));
                $dimensions = preg_split('/x/', $infos[2]);
                return $dimensions;
            }
            return false;
        }
    }
    // image_library = 0: plain getimagesize(), no ImageMagick involved.
    if (!function_exists('getimagesize')) {
        error_log('Function not found: getimagesize');
        return false;
    }
    return @getimagesize($file_path);
}
```
It is well known that ImageMagick has had several serious security vulnerabilities in recent years:
* [More Ghostscript Issues: Should we disable PS coders in policy.xml by default?](839K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6k6h3y4D9K9i4y4@1M7#2)9J5k6h3!0J5k6#2)9J5c8X3!0K6M7#2)9J5k6s2y4W2j5#2)9J5c8U0t1H3x3e0S2Q4x3V1k6I4x3#2)9J5c8U0p5@1x3W2)9J5z5b7`.`.
* [CVE Request - multiple ghostscript -dSAFER sandbox problems](44dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4W2j5$3I4A6M7%4c8K6i4K6u0W2L8%4u0Y4i4K6u0r3L8%4y4K6i4K6u0V1M7$3g2U0i4K6u0r3x3U0l9I4y4W2)9J5c8Y4p5@1i4K6u0r3x3U0W2Q4x3U0V1`.
* [CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename](353K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6k6h3y4D9K9i4y4@1M7#2)9J5k6h3!0J5k6#2)9J5c8X3!0K6M7#2)9J5k6s2y4W2j5#2)9J5c8U0t1H3x3e0k6Q4x3V1k6I4x3W2)9J5c8U0b7K6x3W2)9J5z5b7`.`.
The vulnerability can therefore be exploited directly by uploading an image that contains malicious code. As usual, [VulnSpy](fd6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4k6#2L8r3&6K6M7s2W2Q4x3X3g2U0L8$3#2Q4x3V1k6Q4x3U0V1`. has prepared an online lab environment; you can go to the link below to test it:
**Online test URL:** [197K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2$3N6h3I4F1M7%4m8&6i4K6u0W2j5$3!0E0i4K6u0r3j5$3&6Q4x3X3c8B7M7i4g2W2M7Y4W2Q4x3X3c8X3K9h3I4W2i4K6u0V1N6i4m8D9L8$3q4V1i4K6u0V1j5X3g2D9L8%4N6Q4x3X3c8$3z5g2)9J5k6i4S2Q4x3X3c8J5j5$3g2Q4x3V1k6Q4y4f1c8Q4x3U0S2Z5N6s2c8H3M7#2)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4k6#2L8r3&6K6M7s2W2Q4x3X3g2U0L8$3#2Q4x3V1k6U0L8W2)9J5k6r3A6I4N6h3g2J5P5g2)9J5k6r3k6A6L8r3g2Q4x3X3c8#2M7r3I4G2j5h3c8Q4x3X3c8T1k6h3I4G2N6#2)9J5k6s2j5&6i4K6u0W2P5q4)9J5k6s2u0U0k6g2)9J5c8W2)9J5z5g2)9J5b7g2)9J5b7b7`.`.
### How to fix
Change the default image processing library in [/server/php/UploadHandler.php](082K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8s2g2W2K9h3#2H3i4K6u0r3K9W2q4#2k6i4u0&6i4K6u0V1c8X3W2D9k6g2)9J5k6q4g2H3L8r3!0S2k6q4)9J5c8X3u0D9L8$3u0Q4x3V1j5J5z5o6k6X3x3U0g2U0k6e0V1$3y4o6k6T1y4$3j5$3z5e0V1I4x3e0m8W2k6U0R3%4y4$3f1K6y4o6j5&6x3K6m8T1x3h3t1&6j5$3q4V1i4K6u0r3M7$3g2J5N6X3g2J5i4K6u0r3M7r3S2H3i4K6u0r3g2i4m8D9L8$3q4V1d9r3q4F1k6r3I4W2M7W2)9J5k6i4m8Z5M7q4)9J5x3@1H3I4x3K6q4Q4x3U0V1`. to the GD library:
```php
// Set to 0 to use the GD library to scale and orient images,
// set to 1 to use imagick (if installed, falls back to GD),
// set to 2 to use the ImageMagick convert binary directly:
'image_library' => 0
```
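As an added example (not code from jQuery-File-Upload or from the original article), the following PHP shows what the image check from the vulnerability details above looks like once ImageMagick is taken out of the upload path, complementing the `'image_library' => 0` setting recommended in the fix: the upload is never handed to Imagick or the `identify` binary, so no ImageMagick or Ghostscript delegate ever parses untrusted input. The function name `safe_image_size`, the `ALLOWED_IMAGE_TYPES` table, the pixel-count ceiling and the two sample files written to a temporary directory are assumptions of this example; only PHP's built-in `getimagesize()` (part of the standard extension, no GD or ImageMagick required) and a magic-byte comparison are used.

```php
<?php
// Added example, not part of jQuery-File-Upload: a get_image_size()
// replacement that never invokes Imagick or the `identify` binary.

// Raster formats this hypothetical upload endpoint accepts, keyed by the
// IMAGETYPE_* constant that getimagesize() reports, each with the leading
// bytes a genuine file of that format must begin with (assumed policy).
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => ["\xFF\xD8\xFF"],
    IMAGETYPE_PNG  => ["\x89PNG\r\n\x1A\n"],
    IMAGETYPE_GIF  => ["GIF87a", "GIF89a"],
];

// Assumed ceiling on width*height to refuse decompression-bomb style inputs.
const MAX_PIXELS = 50000000;

/**
 * Return [width, height] for a genuine JPEG/PNG/GIF file, or false for
 * anything else (PostScript, PDF, SVG, MVG, a renamed document, a
 * truncated file, a symlink, ...).
 */
function safe_image_size(string $file_path)
{
    // Only regular files; never follow a symlink planted in the upload dir.
    if (is_link($file_path) || !is_file($file_path)) {
        return false;
    }

    // Read the real leading bytes before any image parser touches the file.
    $fh = fopen($file_path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 8);
    fclose($fh);

    // getimagesize() only inspects headers in-process and never spawns
    // ImageMagick or Ghostscript; $info[2] is the IMAGETYPE_* constant.
    $info = @getimagesize($file_path);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return false;
    }

    // The detected type must also match the file's own magic bytes.
    $magic_ok = false;
    foreach (ALLOWED_IMAGE_TYPES[$info[2]] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            $magic_ok = true;
            break;
        }
    }
    if (!$magic_ok) {
        return false;
    }

    $width  = $info[0];
    $height = $info[1];
    if ($width < 1 || $height < 1 || $width * $height > MAX_PIXELS) {
        return false;
    }
    return [$width, $height];
}

// --- Constructed demo: two sample files in a temporary directory ---
$dir = sys_get_temp_dir() . '/safe_image_size_demo';
@mkdir($dir);

// A genuine 1x1 PNG (constructed sample, base64 of the raw file).
file_put_contents("$dir/real.png", base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));

// A harmless PostScript text document renamed to look like a JPEG
// (constructed sample): exactly the kind of input that must never reach
// an ImageMagick/Ghostscript delegate.
file_put_contents("$dir/disguised.jpg", "%!PS-Adobe-3.0\n%%Title: not a jpeg\nshowpage\n");

var_dump(safe_image_size("$dir/real.png"));
var_dump(safe_image_size("$dir/disguised.jpg"));
```

Run it with `php` from the command line: the genuine PNG yields its dimensions, while the PostScript document with a `.jpg` extension is rejected before any image library parses it. Note that a magic-byte gate on its own is not a substitute for the configuration change in the fix: ImageMagick sniffs file content itself and can still pick a delegate for a polyglot, so the robust mitigation is to keep ImageMagick out of the upload path entirely, as `'image_library' => 0` does.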
**Reposted from:** [jQuery-File-Upload <= 9.x Remote Command Execution Vulnerability (ImageMagick/Ghostscript)](e6aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2N6Y4g2D9L8Y4y4H3P5g2)9J5k6h3y4G2L8g2)9J5c8U0t1H3x3e0S2Q4x3V1j5I4x3q4)9J5c8U0t1K6i4K6u0r3K9W2q4#2k6i4u0&6i4K6u0V1c8X3W2D9k6g2)9J5k6q4g2H3L8r3!0S2k6q4)9J5k6o6W2Q4x3X3c8^5i4K6u0V1f1X3g2E0L8%4c8W2i4K6u0V1b7$3!0V1k6g2)9J5k6p5g2^5k6h3y4#2N6r3W2G2L8W2)9J5k6q4N6A6N6r3S2Q4x3X3c8u0L8h3q4Y4k6f1#2S2k6$3W2U0K9#2)9J5k6p5N6Z5L8%4y4@1M7$3y4J5K9i4m8@1i4K6u0V1b7@1&6Q4x3V1k6Q4x3U0W2Q4x3V1q4Q4x3V1p5`.
### References
* [Remote code execution vulnerability in the PHP component](abeK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8s2g2W2K9h3#2H3i4K6u0r3K9W2q4#2k6i4u0&6i4K6u0V1c8X3W2D9k6g2)9J5k6q4g2H3L8r3!0S2k6q4)9J5c8X3u0D9L8$3u0Q4x3V1k6E0j5i4y4@1k6i4u0Q4x3V1k6h3g2f1I4z5c8g2u0m8b7V1W2x3d9g2c8u0c8g2y4Q4x3X3g2E0k6q4)9J5x3%4u0W2L8h3!0@1k6g2)9J5k6r3y4G2k6r3g2Q4x3X3c8W2P5r3g2U0N6i4c8A6L8$3&6Q4x3X3c8$3N6h3I4F1k6i4u0S2j5X3W2D9K9i4c8&6i4K6u0V1K9h3&6Q4x3X3c8@1K9r3g2Q4x3X3c8H3K9s2m8Q4x3X3c8U0L8$3#2H3L8$3&6W2L8Y4c8Q4x3U0V1`.