
Vulnerability summary

Defect ID: wooyun-2013-033068

Title: 简单CMS (Simple CMS) getshell vulnerability

Vendor: 简单CMS

Author: Matt

Submitted: 2013-08-01 10:26

Fix deadline: 2013-10-30 10:27

Disclosed: 2013-10-30 10:27

Type: file upload leading to arbitrary code execution

Severity: high

Self-assessed rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-08-01: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public
2013-10-30: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

简单CMS getshell

Detailed description:

The avatar-saving action below builds the destination file name from the last `/`-separated segment of `$_GET['photoServer']` and performs no extension or character check on it. It then writes the raw request body (`php://input`) straight into `Uploads/avatar_big/` or `Uploads/avatar_small/` under that name, and only afterwards tries to decode the file with `imagecreatefromjpeg()`. When the body is not a JPEG that call returns false, the following `imagejpeg()` fails, and the file written in the previous step is left on disk exactly as uploaded. Nothing before the write checks that the caller is logged in. A request of the form `?type=big&photoServer=anything/x.php` whose body is PHP code therefore leaves `Uploads/avatar_big/x.php` on the server; it becomes a webshell wherever the web server executes PHP in that directory.
```php
public function saveAvatar() {
    session_start ();
    define ( 'SD_ROOT', dirname ( __FILE__ ) . '/' );
    @header ( "Expires: 0" );
    @header ( "Cache-Control: private, post-check=0, pre-check=0, max-age=0", FALSE );
    @header ( "Pragma: no-cache" );

    // Two requests arrive one after the other, 'big' then 'small'. After each save a JSON
    // string is returned and the client then POSTs the next one.
    $type = isset ( $_GET ['type'] ) ? trim ( $_GET ['type'] ) : 'tupian';
    $orgin_pic_path = $_GET ['photoServer']; // original picture path, kept for later; supplies the file name
    // $from = $_GET['from'];
    // Original picture path, kept for later.
    // Split on '/': the last segment becomes $filename, the rest is collected into $path
    // (which is never used again). No extension or character check is applied to $filename.
    $_path = explode ( '/', $orgin_pic_path );
    $num = count ( $_path );
    $path = '/';
    foreach ( $_path as $k => $v ) {
        if (($k + 1) == $num) {
            $filename = $v; // assigned here
        } else {
            $path .= $v . '/';
        }
    }
    if ($type == 'big') {
        $pic_path = '../../../../Uploads/avatar_big/' . $filename; // file name
    } elseif ($type == 'small') {
        $pic_path = '../../../../Uploads/avatar_small/' . $filename;
    } else {
        $msg = json_encode ( 'error img!' );
        echo $msg;
        exit ();
    }
    $new_avatar_path = $pic_path;
    // The raw request body is written to disk before any image validation takes place.
    $len = file_put_contents ( SD_ROOT . $new_avatar_path, file_get_contents ( "php://input" ) ); // write out
    // If the body is not a JPEG, imagecreatefromjpeg() returns false, imagejpeg() fails,
    // and the file written above is left untouched.
    $avtar_img = imagecreatefromjpeg ( SD_ROOT . $new_avatar_path );
    imagejpeg ( $avtar_img, SD_ROOT . $new_avatar_path, 80 );

    // Output the location of the newly saved picture; adjust the domain path when testing.
    // statusText is the success message; status 1 means the upload succeeded, anything else failed.
    $d = new pic_data ();
    // $d->data->urls[0] = 'http://sns.com/avatar_test/'.$new_avatar_path;
    $d->data->urls [0] = $new_avatar_path;
    $d->status = 1;
    $d->statusText = '上传成功!'; // "upload succeeded!"

    $msg = json_encode ( $d );

    echo $msg;
    // The user id is taken from a client-controlled cookie and concatenated into the query string.
    $user_mod = M ( "User" );
    $user_mod->where ( "is_del=0 and id=" . $_COOKIE ['id'] )->setField ( 'img', $filename );

    @unlink ( SD_ROOT . "../../../../Uploads/avatar_original/" . $_SESSION ['user_img'] );
    @unlink ( SD_ROOT . "../../../../Uploads/avatar_big/" . $_SESSION ['user_img'] );
    @unlink ( SD_ROOT . "../../../../Uploads/avatar_small/" . $_SESSION ['user_img'] );
}
```

Proof of vulnerability:

(screenshot: QQ截图20130703183129.png)

Fix:

Validate before writing, not after. Do not derive the file name from `photoServer`; choose it server-side with a fixed image extension. Restrict `type` to the two known values. Decode the request body as an image first and reject it when GD cannot parse it, so that a raw upload is never left under `Uploads/`. Take the user id from the session rather than `$_COOKIE['id']`, and pass it as a bound value instead of concatenating it into the query. As defence in depth, configure the web server not to execute scripts under `Uploads/`.
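The following is an added example of the hardened form of the action, written for this page; it is not code from 简单CMS. It assumes PHP 7 or later with GD, a ThinkPHP-style `M()` helper as used in the original, an upload root at the path shown, and a session key `uid` set at login; all of those names are assumptions.

```php
<?php
// Added example, not 简单CMS code: a hardened replacement for saveAvatar().
// Assumptions (hypothetical): PHP >= 7.0 with GD, a ThinkPHP-style M() helper as in the
// original, the upload root below, and a server-side session key 'uid' set at login.

define('UPLOAD_ROOT', dirname(__FILE__) . '/../../../../Uploads'); // assumed location
define('MAX_AVATAR_BYTES', 2 * 1024 * 1024);                       // cap on php://input

/** Emit a JSON error in the same shape the original client expects, then stop. */
function jsonFail($text, $httpStatus = 400) {
    http_response_code($httpStatus);
    header('Content-Type: application/json');
    echo json_encode(array('status' => 0, 'statusText' => $text));
    exit;
}

function saveAvatarHardened() {
    session_start();
    header('Cache-Control: no-store');

    // 1. Identity from the server-side session, never from a client-set cookie.
    if (empty($_SESSION['uid']) || !ctype_digit((string) $_SESSION['uid'])) {
        jsonFail('not logged in', 401);
    }
    $uid = (int) $_SESSION['uid'];

    // 2. Whitelist the target directory; 'photoServer' takes no part in path building.
    $dirs = array('big' => 'avatar_big', 'small' => 'avatar_small');
    $type = isset($_GET['type']) ? $_GET['type'] : '';
    if (!isset($dirs[$type])) {
        jsonFail('error img!');
    }
    $targetDir = realpath(UPLOAD_ROOT . '/' . $dirs[$type]);
    if ($targetDir === false) {
        jsonFail('upload directory missing', 500);
    }

    // 3. Bounded read of the raw body (the original read it unbounded).
    $raw = file_get_contents('php://input', false, null, 0, MAX_AVATAR_BYTES + 1);
    if ($raw === false || $raw === '' || strlen($raw) > MAX_AVATAR_BYTES) {
        jsonFail('bad size');
    }

    // 4. Decode in memory before anything touches the web root. If GD refuses the bytes
    //    no file is ever created, unlike the original write-then-decode order.
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        jsonFail('error img!');
    }

    // 5. Server-chosen name with a fixed .jpg extension; the client's name is discarded.
    $filename = bin2hex(random_bytes(16)) . '.jpg';
    $dest = $targetDir . DIRECTORY_SEPARATOR . $filename;

    // 6. Re-encode rather than copy: what lands on disk is GD's output, not the upload.
    $ok = imagejpeg($img, $dest, 80);
    imagedestroy($img);
    if (!$ok) {
        jsonFail('write failed', 500);
    }

    // 7. Confirm the file really sits under the whitelisted directory before recording it.
    $real = realpath($dest);
    if ($real === false || strpos($real, $targetDir . DIRECTORY_SEPARATOR) !== 0) {
        @unlink($dest);
        jsonFail('path check failed', 500);
    }

    // Array-form where() binds the id as a value instead of concatenating a cookie string.
    $user_mod = M('User');
    $user_mod->where(array('is_del' => 0, 'id' => $uid))->setField('img', $filename);

    header('Content-Type: application/json');
    echo json_encode(array(
        'status'     => 1,
        'statusText' => 'upload succeeded',
        'data'       => array('urls' => array($dirs[$type] . '/' . $filename)),
    ));
}
```

The order of operations is the point: authenticate, whitelist the directory, decode the body in memory, and only then create a file whose name and extension the server chose. The client-supplied `photoServer` value, which was the whole attack surface in the original, is never read. Even with this in place, the `Uploads/` tree should be served with script execution disabled so that a future regression cannot turn an uploaded file into executable code.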

Copyright notice: please credit Matt@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively declined to respond.