emlog 2.5.3\/2.5.4 后台文件上传漏洞分析报告<\/h1>

漏洞概述<\/h2>
本报告详细分析 emlog 2.5.3 及 2.5.4 版本中存在的后台文件上传漏洞，该漏洞允许经过认证的攻击者通过插件上传功能上传恶意 ZIP 文件，最终导致任意代码执行。<\/p>

环境搭建<\/h2>

下载安装<\/strong>：<\/p>

从官网 https:\/\/www.emlog.net\/ 下载 emlog 2.5.3 版本<\/li>
解压到 PHP 环境（如 phpstudy 的 www 目录）<\/li>
访问 install.php 完成安装<\/li> <\/ul> <\/li>

后台访问<\/strong>：<\/p>

需要管理员权限账号登录后台<\/li> <\/ul> <\/li> <\/ol>
漏洞定位<\/h2>
漏洞位于插件上传功能，相关文件为 \/admin\/plugin.php<\/code><\/p>
代码分析<\/h2> 关键代码段<\/h3> if<\/span> ($action ==<\/span> 'upload_zip'<\/span>) { <\/span><\/span> if<\/span> (defined<\/span>('APP_UPLOAD_FORBID'<\/span>) &&<\/span> APP_UPLOAD_FORBID<\/span> ===<\/span> true<\/span>) { <\/span><\/span> emMsg<\/span>('系统禁止上传安装应用'<\/span>); <\/span><\/span> } <\/span><\/span> LoginAuth<\/span>::<\/span>checkToken<\/span>(); <\/span><\/span> $zipfile =<\/span> isset<\/span>($_FILES['pluzip'<\/span>]) ?<\/span> $_FILES['pluzip'<\/span>] :<\/span> ''<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 省略部分错误检查代码... <\/span><\/span><\/span><\/span> <\/span><\/span> if<\/span> (getFileSuffix<\/span>($zipfile['name'<\/span>]) !=<\/span> 'zip'<\/span>) { <\/span><\/span> emDirect<\/span>(".\/plugin.php?error_f=1"<\/span>); <\/span><\/span> } <\/span><\/span> <\/span><\/span> $ret =<\/span> emUnZip<\/span>($zipfile['tmp_name'<\/span>], '..\/content\/plugins\/'<\/span>, 'plugin'<\/span>); <\/span><\/span> \/\/ 省略后续处理代码... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>核心函数 emUnZip<\/h3> function<\/span> emUnZip<\/span>($zipfile, $path, $type =<\/span> 'tpl'<\/span>) { <\/span><\/span> if<\/span> (!<\/span>class_exists<\/span>('ZipArchive'<\/span>, FALSE<\/span>)) { <\/span><\/span> return<\/span> 3<\/span>; <\/span><\/span> } <\/span><\/span> $zip =<\/span> new<\/span> ZipArchive<\/span>(); <\/span><\/span> if<\/span> (@<\/span>$zip-><\/span>open<\/span>($zipfile) !==<\/span> TRUE<\/span>) { <\/span><\/span> return<\/span> 2<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> $r =<\/span> explode<\/span>('\/'<\/span>, $zip-><\/span>getNameIndex<\/span>(0<\/span>), 2<\/span>); <\/span><\/span> $dir =<\/span> isset<\/span>($r[0<\/span>]) ?<\/span> $r[0<\/span>] .<\/span> '\/'<\/span> :<\/span> ''<\/span>; <\/span><\/span> <\/span><\/span> switch<\/span> ($type) { <\/span><\/span> case<\/span> 'plugin'<\/span>:<\/span> <\/span><\/span> $plugin_name =<\/span> substr<\/span>($dir, 0<\/span>, -<\/span>1<\/span>); <\/span><\/span> $re =<\/span> $zip-><\/span>getFromName<\/span>($dir .<\/span> $plugin_name .<\/span> '.php'<\/span>); <\/span><\/span> if<\/span> (false<\/span> ===<\/span> $re) { <\/span><\/span> return<\/span> -<\/span>1<\/span>; <\/span><\/span> } <\/span><\/span> break<\/span>; <\/span><\/span> \/\/ 其他 case 省略... <\/span><\/span><\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (true<\/span> ===<\/span> @<\/span>$zip-><\/span>extractTo<\/span>($path)) { <\/span><\/span> $zip-><\/span>close<\/span>(); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span> } <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞原理<\/h2> 上传流程<\/strong>：<\/p> 系统仅检查上传文件是否为 ZIP 格式<\/li> 调用 emUnZip 函数解压 ZIP 文件到插件目录<\/li> <\/ul> <\/li> 关键缺陷<\/strong>：<\/p> 检查机制不完善：仅验证 ZIP 中是否存在目录名\/目录名.php<\/code> 文件<\/li> 目录遍历：未对 ZIP 文件中的目录结构进行安全过滤<\/li> <\/ul> <\/li> 绕过方法<\/strong>：<\/p> 构造 ZIP 文件，使其包含一个目录和同名 PHP 文件<\/li> 例如：malicious\/malicious.php<\/code><\/li> <\/ul> <\/li> <\/ol> 漏洞利用步骤<\/h2> 构造恶意 ZIP<\/strong>：<\/p> \/malicious\/ ├── malicious.php (包含恶意代码) <\/code><\/pre> <\/li> 上传流程<\/strong>：<\/p> 登录后台<\/li> 访问插件管理页面<\/li> 上传构造的恶意 ZIP 文件<\/li> <\/ul> <\/li> 访问路径<\/strong>：<\/p> 上传成功后，文件将解压到 \/content\/plugins\/malicious\/malicious.php<\/code><\/li> 直接访问该路径即可执行恶意代码<\/li> <\/ul> <\/li> <\/ol> 影响范围<\/h2> 确认受影响版本：emlog 2.5.3 和 2.5.4<\/li> 需要后台管理员权限<\/li> 可导致任意代码执行<\/li> <\/ul> 修复建议<\/h2> 临时解决方案<\/strong>：<\/p> 禁用插件上传功能（设置 APP_UPLOAD_FORBID 为 true）<\/li> <\/ul> <\/li> 长期修复<\/strong>：<\/p> 对 ZIP 文件中的目录名和文件名进行严格过滤<\/li> 增加文件类型白名单验证<\/li> 限制解压路径，防止目录遍历<\/li> <\/ul> <\/li> <\/ol> 漏洞验证<\/h2> 验证 2.5.4 版本<\/strong>：确认该漏洞在 2.5.4 版本中仍然存在<\/li> 利用方式与 2.5.3 完全相同<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 该漏洞源于对上传 ZIP 文件内容检查不严格，结合 PHP 的 ZipArchive 类特性，导致攻击者可上传任意 PHP 文件。虽然需要管理员权限，但对于已获取后台权限的攻击者来说危害较大，可完全控制网站服务器。<\/p>

emlog 2.5.3\/2.5.4 后台文件上传漏洞分析报告<\/h1>

漏洞概述<\/h2> 本报告详细分析 emlog 2.5.3 及 2.5.4 版本中存在的后台文件上传漏洞，该漏洞允许经过认证的攻击者通过插件上传功能上传恶意 ZIP 文件，最终导致任意代码执行。<\/p>

漏洞定位<\/h2> 漏洞位于插件上传功能，相关文件为 \/admin\/plugin.php<\/code><\/p>

总结<\/h2> 该漏洞源于对上传 ZIP 文件内容检查不严格，结合 PHP 的 ZipArchive 类特性，导致攻击者可上传任意 PHP 文件。虽然需要管理员权限，但对于已获取后台权限的攻击者来说危害较大，可完全控制网站服务器。<\/p>

漏洞概述<\/h2>
本报告详细分析 emlog 2.5.3 及 2.5.4 版本中存在的后台文件上传漏洞，该漏洞允许经过认证的攻击者通过插件上传功能上传恶意 ZIP 文件，最终导致任意代码执行。<\/p>

漏洞定位<\/h2>
漏洞位于插件上传功能，相关文件为 `\/admin\/plugin.php<\/code><\/p>`

总结<\/h2>
该漏洞源于对上传 ZIP 文件内容检查不严格，结合 PHP 的 ZipArchive 类特性，导致攻击者可上传任意 PHP 文件。虽然需要管理员权限，但对于已获取后台权限的攻击者来说危害较大，可完全控制网站服务器。<\/p>