乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-05-19: 细节已通知厂商并且等待厂商处理中 2014-05-20: 厂商已经确认,细节仅向厂商公开 2014-05-23: 细节向第三方安全合作伙伴开放 2014-07-14: 细节向核心白帽子及相关领域专家公开 2014-07-24: 细节向普通白帽子公开 2014-08-03: 细节向实习白帽子公开 2014-08-17: 细节向公众公开
问题出在jcms/setup/opr_upload.jsp中该功能为导入一个更新包...
CommonUploadFile upload = null; if(request.getMethod().toUpperCase().equals("POST")){ Jcms_UpdaterecordBLF blf = new Jcms_UpdaterecordBLF("1"); Jcms_Update_RecordEntity entity = new Jcms_Update_RecordEntity(); //解压路径 String strFilePath = strSysPath + "/update/"; //zip文件上传的临时目录 String strTemp = strFilePath + "temp/"; Convert.createDirectory(strTemp); //建立上传 upload = new CommonUploadFile( strTemp ,""); try{ //上传zip包 boolean bResult = upload.uploadFile(request); String[] strFileName = upload.getAllFileName(); strBakPath = upload.getFormValue("vc_bakPath"); strBakPath = Convert.getValue(strBakPath); strBakPath = (strBakPath.trim().length() == 0) ? strFilePath : strBakPath; strBakPath = strBakPath.replaceAll("\\\\","/"); if(strBakPath.endsWith("/") || strBakPath.endsWith("\\")) strBakPath = strBakPath.substring(0,strBakPath.length()-1); strBakPath = strBakPath+"/bak/"; //创建备份目录 Convert.createDirectory(strBakPath); ZipFile zip = new ZipFile(); //解压zip包 boolean bl = zip.unzip( true,strTemp + strFileName[0].trim(),strFilePath ); String strDate = DateFormat.getStrCurrentDate(DateFormat.LONG_DATE_TIME); //zip包名 String strZipName = strFileName[0].substring(0,strFileName[0].lastIndexOf(".zip")); if( bResult && bl){ entity.setVc_packagename(strZipName); entity.setVc_spath(strFilePath); entity.setVc_bpath(strBakPath); entity.setC_createtime(strDate); entity.setI_flag(1); entity.setVc_status("未执行"); entity.setB_cancel(0); bl = blf.doInsert(entity); } if( !bl ){ LogWriter.error( "ERROR: mark record!" ); }else{ //删除上传的zip文件 jcms.util.FileUtil.deleteFolder(strTemp);
在导入更新包的,必须是zip包,我们可以将我们的马打包成zip包。。
Jcms_UpdaterecordBLF blf = new Jcms_UpdaterecordBLF("1"); Jcms_Update_RecordEntity entity = new Jcms_Update_RecordEntity(); //解压路径 String strFilePath = strSysPath + "/update/";//最终解压到该目录当中 //zip文件上传的临时目录 String strTemp = strFilePath + "temp/";
最后会将马解压到目录中update中
危害等级:中
漏洞Rank:10
确认时间:2014-05-20 10:25
感谢关注
暂无