酷我音乐某处任意文件上传Getshell | wooyun-2016-0214510| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0214510

漏洞标题：酷我音乐某处任意文件上传Getshell

漏洞作者：路人甲

提交时间：2016-05-30 17:59

修复时间：2016-07-15 09:30

公开时间：2016-07-15 09:30

漏洞类型：文件上传导致任意代码执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-05-30：细节已通知厂商并且等待厂商处理中
2016-05-31：厂商已经确认，细节仅向厂商公开
2016-06-10：细节向核心白帽子及相关领域专家公开
2016-06-20：细节向普通白帽子公开
2016-06-30：细节向实习白帽子公开
2016-07-15：细节向公众公开

简要描述：

酷我音乐某处任意文件上传getshell

详细说明：

对酷我音乐的某个c段进行扫描
然后抓住一处文件上传，无限制

skeylist.kuwo.cn
http://60.28.217.180:8040/ 这个端口任意文件下载
上传一个php文件试试，成功getshell

这样还不够证明酷我音乐，上个脚本把内网扫一扫

Scanning IP 192.168.220.75
Scanning IP 192.168.220.76
Port: 80 is open
Scanning IP 192.168.220.77
Scanning IP 192.168.220.78
Port: 80 is open
Scanning IP 192.168.220.79
Scanning IP 192.168.220.80
Port: 80 is open
Scanning IP 192.168.220.81
Scanning IP 192.168.220.82
Scanning IP 192.168.220.83
Port: 80 is open
Scanning IP 192.168.220.84
Scanning IP 192.168.220.85
Port: 80 is open
Scanning IP 192.168.220.86
Port: 80 is open
Scanning IP 192.168.220.87
Port: 80 is open
Port: 3306 is open
Scanning IP 192.168.220.88
Port: 80 is open
Scanning IP 192.168.220.89
Port: 80 is open
Scanning IP 192.168.220.94
Port: 80 is open
Scanning IP 192.168.220.95
Port: 80 is open
Scanning IP 192.168.220.96
Scanning IP 192.168.220.97
Scanning IP 192.168.220.98
Port: 8888 is open
Scanning IP 192.168.220.99
Port: 8888 is open
Scanning IP 192.168.220.100
Scanning IP 192.168.220.101
Scanning IP 192.168.220.102
Port: 80 is open
Scanning IP 192.168.220.103
Port: 8888 is open
Scanning IP 192.168.220.104
Port: 80 is open
Scanning IP 192.168.220.105
Port: 80 is open
Scanning IP 192.168.220.106
Port: 80 is open
Scanning IP 192.168.0.28
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.29
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.35
Port: 3306 is open
Scanning IP 192.168.0.36
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.37
Port: 80 is open
Scanning IP 192.168.0.38
Scanning IP 192.168.0.39
Port: 80 is open
Scanning IP 192.168.0.42
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.43
Port: 80 is open
Port: 8080 is open
Port: 8888 is open
Scanning IP 192.168.0.44
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.49
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.50
Port: 80 is open
Scanning IP 192.168.0.51
Scanning IP 192.168.0.52
Port: 80 is open
Scanning IP 192.168.0.53
Scanning IP 192.168.0.54
Scanning IP 192.168.0.55
Port: 80 is open
Port: 3306 is open
Scanning IP 192.168.0.56
Port: 80 is open
Scanning IP 192.168.0.57
Port: 80 is open
Scanning IP 192.168.0.80
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.166
Port: 80 is open
Scanning IP 192.168.0.169
Port: 80 is open
Scanning IP 192.168.0.170
Port: 80 is open
Scanning IP 192.168.0.174
Port: 80 is open
Port: 3306 is open
Scanning IP 192.168.0.177
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.178
Scanning IP 192.168.0.179
Port: 80 is open
Scanning IP 192.168.0.180
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.181
Port: 80 is open
Scanning IP 192.168.0.184
Port: 80 is open
Scanning IP 192.168.0.185
Port: 3306 is open
Scanning IP 192.168.0.186
Port: 80 is open
Scanning IP 192.168.0.187
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.188
Port: 80 is open
Scanning IP 192.168.0.189
Port: 3306 is open
Scanning IP 192.168.0.248
Port: 80 is open
Scanning IP 192.168.0.254
Port: 80 is open

代理一下看看
酷我搜索内网地址：192.168.0.161

192.168.0.80
打开乱码，看看源码就知道是酷我的

内网里再发现一枚文件上传

漏洞证明：

对酷我音乐的某个c段进行扫描
然后抓住一处文件上传，无限制

http://60.28.217.180:8040/ 这个端口任意文件下载
上传一个php文件试试，成功getshell

这样还不够证明酷我音乐，上个脚本把内网扫一扫

Scanning IP 192.168.220.75
Scanning IP 192.168.220.76
Port: 80 is open
Scanning IP 192.168.220.77
Scanning IP 192.168.220.78
Port: 80 is open
Scanning IP 192.168.220.79
Scanning IP 192.168.220.80
Port: 80 is open
Scanning IP 192.168.220.81
Scanning IP 192.168.220.82
Scanning IP 192.168.220.83
Port: 80 is open
Scanning IP 192.168.220.84
Scanning IP 192.168.220.85
Port: 80 is open
Scanning IP 192.168.220.86
Port: 80 is open
Scanning IP 192.168.220.87
Port: 80 is open
Port: 3306 is open
Scanning IP 192.168.220.88
Port: 80 is open
Scanning IP 192.168.220.89
Port: 80 is open
Scanning IP 192.168.220.94
Port: 80 is open
Scanning IP 192.168.220.95
Port: 80 is open
Scanning IP 192.168.220.96
Scanning IP 192.168.220.97
Scanning IP 192.168.220.98
Port: 8888 is open
Scanning IP 192.168.220.99
Port: 8888 is open
Scanning IP 192.168.220.100
Scanning IP 192.168.220.101
Scanning IP 192.168.220.102
Port: 80 is open
Scanning IP 192.168.220.103
Port: 8888 is open
Scanning IP 192.168.220.104
Port: 80 is open
Scanning IP 192.168.220.105
Port: 80 is open
Scanning IP 192.168.220.106
Port: 80 is open
Scanning IP 192.168.0.28
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.29
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.35
Port: 3306 is open
Scanning IP 192.168.0.36
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.37
Port: 80 is open
Scanning IP 192.168.0.38
Scanning IP 192.168.0.39
Port: 80 is open
Scanning IP 192.168.0.42
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.43
Port: 80 is open
Port: 8080 is open
Port: 8888 is open
Scanning IP 192.168.0.44
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.49
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.50
Port: 80 is open
Scanning IP 192.168.0.51
Scanning IP 192.168.0.52
Port: 80 is open
Scanning IP 192.168.0.53
Scanning IP 192.168.0.54
Scanning IP 192.168.0.55
Port: 80 is open
Port: 3306 is open
Scanning IP 192.168.0.56
Port: 80 is open
Scanning IP 192.168.0.57
Port: 80 is open
Scanning IP 192.168.0.80
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.166
Port: 80 is open
Scanning IP 192.168.0.169
Port: 80 is open
Scanning IP 192.168.0.170
Port: 80 is open
Scanning IP 192.168.0.174
Port: 80 is open
Port: 3306 is open
Scanning IP 192.168.0.177
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.178
Scanning IP 192.168.0.179
Port: 80 is open
Scanning IP 192.168.0.180
Port: 80 is open
Port: 8080 is open
Port: 3306 is open
Scanning IP 192.168.0.181
Port: 80 is open
Scanning IP 192.168.0.184
Port: 80 is open
Scanning IP 192.168.0.185
Port: 3306 is open
Scanning IP 192.168.0.186
Port: 80 is open
Scanning IP 192.168.0.187
Port: 80 is open
Port: 8080 is open
Scanning IP 192.168.0.188
Port: 80 is open
Scanning IP 192.168.0.189
Port: 3306 is open
Scanning IP 192.168.0.248
Port: 80 is open
Scanning IP 192.168.0.254
Port: 80 is open

代理一下看看
酷我搜索内网地址：192.168.0.161

192.168.0.80
打开乱码，看看源码就知道是酷我的

内网里再发现一枚文件上传

修复方案：

你们懂

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2016-05-31 09:24

厂商回复：

感谢对酷我支持，我们将进行修复！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0214510

漏洞标题：酷我音乐某处任意文件上传Getshell

相关厂商：酷我音乐

漏洞作者：路人甲

提交时间：2016-05-30 17:59

修复时间：2016-07-15 09:30

公开时间：2016-07-15 09:30

漏洞类型：文件上传导致任意代码执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0214510

漏洞标题：酷我音乐某处任意文件上传Getshell

相关厂商：酷我音乐

漏洞作者： 路人甲

提交时间：2016-05-30 17:59

修复时间：2016-07-15 09:30

公开时间：2016-07-15 09:30

漏洞类型：文件上传导致任意代码执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0214510"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云