
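Vulnerability summary

Bug ID: wooyun-2013-017491

Title: Kongzhong (空中网) subsite allows a webshell to be obtained directly

Vendor: Kongzhong (空中网)

Author: BlAck.Eagle

Submitted: 2013-01-18 14:59

Fix time: 2013-03-04 15:00

Disclosed: 2013-03-04 15:00

Vulnerability type: File upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 10

Status: The vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org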



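Vulnerability details

Disclosure status:

2013-01-18: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2013-03-04: The vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

Because the site lists directories and FCK is present, a webshell can be obtained directly, and hosts on the same network segment can then be penetrated.

Detailed description:

Proof of vulnerability:

Shell address:

[Screenshot: 1.JPG]


config.php: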

<?php
// database type
$db_type = "mysql";
// database host
$db_host = "localhost";
// database name
$db_name = "kongzhong_shequ";
// database username
$db_user = "root";
// database password
$db_pass = 'pwd@mysql@root';
$timezone = "Asia/Chongqing";
$cookie_path = "/";
$cookie_domain = "";
$session = "1440";
$upload_pic_dir="upload/temppic";
$html_dir = "html";
$data_dir = "data";
$if_html = 1;
$shtml_cache_time ="2";
$config['BASE_URL']="http://shequ.kongzhong.com";
$config['now_time'] =time();
$config['cookie_path'] ="/";
$config['cookie_domain']="";
$config['atturl']='/ATTACHMENT/fck/';
$config['attdir']=$_SERVER['DOCUMENT_ROOT'].$config['atturl'];
$config['cacheurl']='/data/cache/';
$config['cachedir']=$_SERVER['DOCUMENT_ROOT'].$config['cacheurl'];
// table prefix
$prefix = "w3c_";
$table_admin =$prefix."admin";
$table_ads =$prefix."ads";
$table_ads_position =$prefix."ads_position";
$table_activity =$prefix."activity";
$table_activity_mm =$prefix."activity_mm";
$table_mmm_pic =$prefix."mmm_pic";
$table_comment =$prefix."comment";
$table_config =$prefix."config";
$table_icate =$prefix."icate";
$table_goods =$prefix."goods";
$table_goods_pic =$prefix."goods_pic";
$table_city =$prefix."city";
$table_area =$prefix."area";
$table_website =$prefix."website";
$table_rating =$prefix."rating";
$table_article =$prefix."article";
$table_articles =$prefix."articles";
$table_article_poll =$prefix."article_poll";
$table_category =$prefix."category";
$table_weblinks =$prefix."weblinks";
$table_member =$prefix."member";
$table_netshop =$prefix."netshop";
$table_video =$prefix."video";
$table_dl =$prefix."dl";
$table_dl_attachment =$prefix."dl_attachment";
$table_brand =$prefix."brand";
$table_case =$prefix."case";
$table_knowledge =$prefix."knowledge";
$table_special =$prefix."special";
$table_designer =$prefix."designer";
$table_tower=$prefix."tower";
$table_tower_home=$prefix."tower_home";
$table_tower_pic=$prefix."tower_pic";
$table_shop=$prefix."shop";
$table_freeinfo=$prefix."freeinfo";
$table_game=$prefix."game";
$table_award=$prefix."award";
$table_award_record=$prefix."award_record";
$table_award_code=$prefix."award_code";
$table_credit_record=$prefix."credit_record";
$table_poll =$prefix."poll";
$table_poll_option =$prefix."poll_option";
$table_gift=$prefix."gift";
$table_mmm_gift_record=$prefix."mmm_gift_record";
$table_feed=$prefix."feed";
$table_login_log=$prefix."login_log";
$table_lottery_log=$prefix."lottery_log";
$table_faces=$prefix."faces";
//print_r($arr_gcolor);
// award categories
$arr_award_category=array(
1=>array('id'=>'1','name'=>'实物奖品'),
2=>array('id'=>'2','name'=>'虚拟奖品')
);
// award redemption source
$arr_awardfrom=array(
1=>array('id'=>'1','name'=>'奖品兑换'),
2=>array('id'=>'2','name'=>'积分抽奖')
);
// credit record methods
$arr_creditMethod=array(
11=>array('id'=>'11','name'=>'登录奖励积分'),
12=>array('id'=>'12','name'=>'小游戏奖励积分'),
13=>array('id'=>'13','name'=>'留言奖励积分'),
21=>array('id'=>'21','name'=>'兑奖扣除积分'),
22=>array('id'=>'22','name'=>'抽奖扣除积分'),
);
?>

Remediation:

1. Disable directory listing
2. Fix FCK

Copyright notice: when reposting, please credit the source BlAck.Eagle@乌云 (WooYun)
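
A check that supports the two remediation items above, added here as an example and not part of the original report: it walks an upload directory such as the `ATTACHMENT/fck` path set in config.php and flags files that a script handler could execute. The extension list, the override-file names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: extensions a PHP-enabled server may hand to an interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx", "jsp"}
OVERRIDE_FILES = {".htaccess", ".user.ini", "web.config"}  # per-directory server config

def classify(path):
    """Return the reasons an uploaded file is suspicious (empty list if clean)."""
    name = os.path.basename(path).lower().rstrip(". ")
    reasons = []
    if name in OVERRIDE_FILES:
        reasons.append("server-override-file")
    # Check every dot-separated segment, so 'a.php.txt' is caught as well as 'a.php'.
    if any(seg in SCRIPT_EXTS for seg in name.split(".")[1:]):
        reasons.append("script-extension")
    with open(path, "rb") as fh:
        head = fh.read(65536)
    if b"<?php" in head.lower():
        reasons.append("php-open-tag-in-content")
    return reasons

def audit_upload_dir(root):
    """Walk root and map relative path -> reasons for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if reasons := classify(full):
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample_tree(root):
    samples = {  # constructed sample files standing in for an ATTACHMENT/fck directory
        "image/logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "image/1.PHP": b"<?php echo 1; ?>",
        "file/notes.php.txt": b"plain text",
        "image/banner.gif": b"GIF89a<?php echo 1; ?>",
        "file/.htaccess": b"# constructed placeholder",
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_upload_dir(tmp))
```

Any finding in a directory that should hold only static media means the upload filter or the server's handler mapping needs attention, independent of whether directory listing is still enabled.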


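Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused


Vulnerability rating:

Comments

  1. 2013-01-20 19:49 | sysALong ( Passerby | Rank:19 Vulnerabilities:5 | The adult videos on my computer and the tissues beside it are always ...)

    @BlAck.Eagle Could I get some World of Tanks gold?

  2. 2013-01-20 20:15 | BlAck.Eagle ( Passerby | Rank:0 Vulnerabilities:1 | Information security engineer)

    Haha, I can't get any!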