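2014-04-16: Details reported to the vendor; awaiting vendor handling.
2014-04-21: The vendor actively ignored the vulnerability; details disclosed to the public.
#1. An upload page in a certain information publishing system does not filter file types at all, which allows arbitrary file upload. For example:
Upload URL: http://jwc.gzhmc.edu.cn/editor_new/upload.jsp
Response source after uploading a script file: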
<script language=javascript>config.attachSeq=-1;parent.UploadSaved('/UploadFile/f/5/58d1b755259686908bb63a98810e075f.jsp');var obj=parent.dialogArguments.dialogArguments;if (!obj) obj=parent.dialogArguments;try{obj.addUploadFile('JSPAword.jsp', '58d1b755259686908bb63a98810e075f.jsp', '/UploadFile/f/5/58d1b755259686908bb63a98810e075f.jsp');} catch(e){};history.back()</script>
The response returned the shell's address:
#2. Another example:
http://www.kygl-training.com/editor_new/upload.jsp
Returned address:
<script language=javascript>config.attachSeq=3760;parent.UploadSaved('/UploadFile/6/1/74104f04ce773d4ed233228874d8b916.jsp');var obj=parent.dialogArguments.dialogArguments;if (!obj) obj=parent.dialogArguments;try{obj.addUploadFile('1.jsp', '74104f04ce773d4ed233228874d8b916.jsp', '/UploadFile/6/1/74104f04ce773d4ed233228874d8b916.jsp');} catch(e){};history.back()</script>
#3. Another example:
http://210.38.57.70:8083/editor_new/upload.jsp
In the returned source:
<script language=javascript>config.attachSeq=4296;parent.UploadSaved('/UploadFile/c/f/f5aab7f5b12789c98c85f2331b1224fc.jsp');var obj=parent.dialogArguments.dialogArguments;if (!obj) obj=parent.dialogArguments;try{obj.addUploadFile('JSPAword.jsp', 'f5aab7f5b12789c98c85f2331b1224fc.jsp', '/UploadFile/c/f/f5aab7f5b12789c98c85f2331b1224fc.jsp');} catch(e){};history.back()</script>
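In all three responses the stored file keeps the client-supplied .jsp extension under /UploadFile/. The server-side check that is missing could look like the following; this is an added example, not code from the report or from the affected product, and the class name, method name and allow-list are assumptions.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;

// Hypothetical helper (not part of the affected product): decides whether an
// uploaded file may be stored and under which server-generated name.
public class UploadNamePolicy {
    // Assumed allow-list for an editor attachment feature; anything else is refused.
    private static final Set<String> ALLOWED =
            Set.of("jpg", "jpeg", "png", "gif", "pdf", "doc", "docx");

    /** Returns the name to store the upload under, or empty if it must be rejected. */
    public static Optional<String> storedNameFor(String clientName) {
        if (clientName == null || clientName.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        // Keep only the last path component; clients may send a full path.
        int slash = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(slash + 1).trim();
        int dot = base.lastIndexOf('.');
        // No extension, hidden-file style names and trailing dots are all refused.
        if (dot <= 0 || dot == base.length() - 1) {
            return Optional.empty();
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            return Optional.empty(); // .jsp, .jspx and every other unlisted type end here
        }
        // The stored name is generated by the server; only the vetted extension is reused.
        return Optional.of(UUID.randomUUID().toString().replace("-", "") + "." + ext);
    }

    public static void main(String[] args) {
        // Constructed sample names; the first two are the names shown in the responses above.
        String[] samples = {"JSPAword.jsp", "1.jsp", "photo.JPG", "report.pdf",
                            "shell.jsp.", "x.jpg/../y.jsp", "noext"};
        for (String s : samples) {
            System.out.println(s + " -> " + storedNameFor(s).orElse("REJECTED"));
        }
    }
}
```

The extension check is only one layer: the upload directory should also be outside the web root or configured so the servlet container never executes files stored in it.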
Severity: no impact, ignored by vendor
Ignored at: 2014-04-21 17:46
None yet