当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-017491

漏洞标题:空中网分站可直接获取webshell

相关厂商:空中网

漏洞作者: BlAck.Eagle

提交时间:2013-01-18 14:59

修复时间:2013-03-04 15:00

公开时间:2013-03-04 15:00

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-01-18: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-03-04: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

由于网站列目录,并且存在FCK,可以直接获取webshell,并可渗透同段主机

详细说明:

漏洞证明:

shell地址:

1.JPG


config.php:

<?php
// database type
$db_type = "mysql";
// database host
$db_host = "localhost";
// database name
$db_name = "kongzhong_shequ";
// database username
$db_user = "root";
// database password
$db_pass = 'pwd@mysql@root';
$timezone = "Asia/Chongqing";
$cookie_path = "/";
$cookie_domain = "";
$session = "1440";
$upload_pic_dir="upload/temppic";
$html_dir = "html";
$data_dir = "data";
$if_html = 1;
$shtml_cache_time ="2";
$config['BASE_URL']="http://shequ.kongzhong.com";
$config['now_time'] =time();
$config['cookie_path'] ="/";
$config['cookie_domain']="";
$config['atturl']='/ATTACHMENT/fck/';
$config['attdir']=$_SERVER['DOCUMENT_ROOT'].$config['atturl'];
$config['cacheurl']='/data/cache/';
$config['cachedir']=$_SERVER['DOCUMENT_ROOT'].$config['cacheurl'];
// table prefix
$prefix = "w3c_";
$table_admin =$prefix."admin";
$table_ads =$prefix."ads";
$table_ads_position =$prefix."ads_position";
$table_activity =$prefix."activity";
$table_activity_mm =$prefix."activity_mm";
$table_mmm_pic =$prefix."mmm_pic";
$table_comment =$prefix."comment";
$table_config =$prefix."config";
$table_icate =$prefix."icate";
$table_goods =$prefix."goods";
$table_goods_pic =$prefix."goods_pic";
$table_city =$prefix."city";
$table_area =$prefix."area";
$table_website =$prefix."website";
$table_rating =$prefix."rating";
$table_article =$prefix."article";
$table_articles =$prefix."articles";
$table_article_poll =$prefix."article_poll";
$table_category =$prefix."category";
$table_weblinks =$prefix."weblinks";
$table_member =$prefix."member";
$table_netshop =$prefix."netshop";
$table_video =$prefix."video";
$table_dl =$prefix."dl";
$table_dl_attachment =$prefix."dl_attachment";
$table_brand =$prefix."brand";
$table_case =$prefix."case";
$table_knowledge =$prefix."knowledge";
$table_special =$prefix."special";
$table_designer =$prefix."designer";
$table_tower=$prefix."tower";
$table_tower_home=$prefix."tower_home";
$table_tower_pic=$prefix."tower_pic";
$table_shop=$prefix."shop";
$table_freeinfo=$prefix."freeinfo";
$table_game=$prefix."game";
$table_award=$prefix."award";
$table_award_record=$prefix."award_record";
$table_award_code=$prefix."award_code";
$table_credit_record=$prefix."credit_record";
$table_poll =$prefix."poll";
$table_poll_option =$prefix."poll_option";
$table_gift=$prefix."gift";
$table_mmm_gift_record=$prefix."mmm_gift_record";
$table_feed=$prefix."feed";
$table_login_log=$prefix."login_log";
$table_lottery_log=$prefix."lottery_log";
$table_faces=$prefix."faces";
//print_r($arr_gcolor);
//奖项分类
$arr_award_category=array(
1=>array('id'=>'1','name'=>'实物奖品'),
2=>array('id'=>'2','name'=>'虚拟奖品')
);
//兑奖来源
$arr_awardfrom=array(
1=>array('id'=>'1','name'=>'奖品兑换'),
2=>array('id'=>'2','name'=>'积分抽奖')
);
//积分记录方式
$arr_creditMethod=array(
11=>array('id'=>'11','name'=>'登录奖励积分'),
12=>array('id'=>'12','name'=>'小游戏奖励积分'),
13=>array('id'=>'13','name'=>'留言奖励积分'),
21=>array('id'=>'21','name'=>'兑奖扣除积分'),
22=>array('id'=>'22','name'=>'抽奖扣除积分'),
);
?>

修复方案:

1、禁止列目录
2、修复FCK

版权声明:转载请注明来源 BlAck.Eagle@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝