当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-033068

漏洞标题:简单CMS Getshell漏洞

相关厂商:简单CMS

漏洞作者: Matt

提交时间:2013-08-01 10:26

修复时间:2013-10-30 10:27

公开时间:2013-10-30 10:27

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-08-01: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-10-30: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

简单cms getshell

详细说明:

public function saveAvatar() {
		session_start ();
		define ( 'SD_ROOT', dirname ( __FILE__ ) . '/' );
		@header ( "Expires: 0" );
		@header ( "Cache-Control: private, post-check=0, pre-check=0, max-age=0", FALSE );
		@header ( "Pragma: no-cache" );
		
		// 这里传过来会有两种类型,一先一后, big和small, 保存成功后返回一个json字串,客户端会再次post下一个.
		$type = isset ( $_GET ['type'] ) ? trim ( $_GET ['type'] ) : 'tupian';
		$orgin_pic_path = $_GET ['photoServer']; // 原始图片地址,备用.//文件名
		                                         // $from = $_GET['from'];
		                                         // //原始图片地址,备用.
		$_path = explode ( '/', $orgin_pic_path );
		$num = count ( $_path );
		$path = '/';
		foreach ( $_path as $k => $v ) {
			if (($k + 1) == $num) {
				$filename = $v;//赋值
			} else {
				$path .= $v . '/';
			}
		}
		if ($type == 'big') {
			$pic_path = '../../../../Uploads/avatar_big/' . $filename;//文件名
		} elseif ($type == 'small') {
			$pic_path = '../../../../Uploads/avatar_small/' . $filename;
		} else {
			$msg = json_encode ( 'error img!' );
			echo $msg;
			exit ();
		}
		$new_avatar_path = $pic_path;
		$len = file_put_contents ( SD_ROOT . $new_avatar_path, file_get_contents ( "php://input" ) );//写出
		$avtar_img = imagecreatefromjpeg ( SD_ROOT . $new_avatar_path );
		imagejpeg ( $avtar_img, SD_ROOT . $new_avatar_path, 80 );
		
		// 输出新保存的图片位置, 测试时注意改一下域名路径, 后面的statusText是成功提示信息.
		// status 为1 是成功上传,否则为失败.
		$d = new pic_data ();
		// $d->data->urls[0] = 'http://sns.com/avatar_test/'.$new_avatar_path;
		$d->data->urls [0] = $new_avatar_path;
		$d->status = 1;
		$d->statusText = '上传成功!';
		
		$msg = json_encode ( $d );
		
		echo $msg;
		$user_mod = M ( "User" );
		$user_mod->where ( "is_del=0 and id=" . $_COOKIE ['id'] )->setField ( 'img', $filename );
		
		@unlink ( SD_ROOT . "../../../../Uploads/avatar_original/" . $_SESSION ['user_img'] );
		@unlink ( SD_ROOT . "../../../../Uploads/avatar_big/" . $_SESSION ['user_img'] );
		@unlink ( SD_ROOT . "../../../../Uploads/avatar_small/" . $_SESSION ['user_img'] );
	}

漏洞证明:

QQ截图20130703183129.png

修复方案:

过滤

版权声明:转载请注明来源 Matt@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝