乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-03-12: 细节已通知厂商并且等待厂商处理中 2015-03-16: 厂商已经确认,细节仅向厂商公开 2015-03-19: 细节向第三方安全合作伙伴开放 2015-05-10: 细节向核心白帽子及相关领域专家公开 2015-05-20: 细节向普通白帽子公开 2015-05-30: 细节向实习白帽子公开 2015-06-14: 细节向公众公开
.
类型并不算是文件上传导致的代码执行,应该是任意写文件操作,无奈没找到对应选项,请不要扣我分。涉及案例:
1.http://**.**.**2.http://**.**.**3.http://**.**.**4.http://**.**.**5.http://**.**.**6.http://**.**.**7.http://**.**.**8.http://**.**.**9.http://**.**.**10.http://**.**.**
等等,先列举10个案例,若需要更多案例,可私信。漏洞文件:edittheme1.php
<?phpfunction str2js1( $_obfuscate_R2_b ){ $_obfuscate_R2_b = str_replace( "\\", "\\\\", $_obfuscate_R2_b ); $_obfuscate_R2_b = str_replace( "\"", "\\\"", $_obfuscate_R2_b ); $_obfuscate_R2_b = str_replace( "\r", "", $_obfuscate_R2_b ); $_obfuscate_R2_b = str_replace( "\n", "\\n", $_obfuscate_R2_b ); $_obfuscate_R2_b = str_replace( "\\v", "\\v", $_obfuscate_R2_b ); $_obfuscate_R2_b = str_replace( "\t", "", $_obfuscate_R2_b ); $_obfuscate_R2_b = str_ireplace( "?>", "?>", $_obfuscate_R2_b ); $_obfuscate_R2_b = str_ireplace( "<?", "<?", $_obfuscate_R2_b ); $_obfuscate_R2_b = str_ireplace( "<?php ", "<?php ", $_obfuscate_R2_b ); return $_obfuscate_R2_b;}$op = $_GET['op'];if ( empty( $op ) ){ $op = $_POST['op'];}include( "../common.php" ); //伪全局变量注册机制,比如下面的atc_content变量则默认可以由gp来传递if ( empty( $siteid ) ){ exit( "error" );}$v = $block_s;if ( $op == "update" ){ $atc_content = stripslashes( $atc_content );//act_content可控 $string = $atc_content; $patterns = "/(http\\:\\/\\/)([0-9a-z-]*)(\\.pt\\.17oh\\.com\\/)/siU"; $patterns1 = "/(http\\:\\/\\/)([0-9a-z-]*)(\\.jy\\.17oh\\.com\\/)/siU"; $patterns2 = "/(http\\:\\/\\/)([0-9a-z-]*)(\\.qy\\.17oh\\.com\\/)/siU"; $patterns3 = "/(http\\:\\/\\/)([0-9a-z-]*)(\\.zf\\.17oh\\.com\\/)/siU"; $string = preg_replace( $patterns, "", $string ); $string = preg_replace( $patterns1, "", $string ); $string = preg_replace( $patterns2, "", $string ); $string = preg_replace( $patterns3, "", $string ); $string = str_replace( $_config_rooturl, "", $string ); $atc_content = str2js1( $string );//这个函数对html标签进行了html转义,对漏洞利用没有影响 $cat1 = str_replace( "f_con", "", $blockid );//blockid可控 if ( $cat1 == "2" ) { $cat = "99"; } else { $cat = $cat1; } $filename = SITE_CACHE."/tmp_".$mod."_".$cat1.".php";//mod可控 $h_bg = "<?\n"; $h_bg .= "\$fcon[".$cat."]=\"".$atc_content."\";\n"; $h_bg .= "?>"; file_put_contents( $filename, $h_bg );}?>
由于有伪全局变量注册机制,所以变量h_bg部分可控,且首尾有php标签,filename也是部分可控,所以最后的file_put_contents写入文件没有任何阻碍,可成功getshell,只是利用方式会有一点点绕,具体可见测试代码区。
随便选取一处案例写入phpinfo测试,未做破坏:写入一句话木马的原理一样,厂商若需要,可以私信联系。http://www.thxga.gov.cn
危害等级:高
漏洞Rank:17
确认时间:2015-03-16 11:35
验证确认所描述的问题,已通知其修复。
暂无