大汉网络 (Dahan Network) JCMS: another upload vulnerability that allows Getshell (login required)

2014-05-19T00:00:00
ID SSV:93848
Type seebug
Reporter Root
Modified 2014-05-19T00:00:00

Description

Brief description:

Detailed description:

The problem is in jcms/setup/opr_upload.jsp; this function imports an update package...

[Screenshot: https://images.seebug.org/upload/201405/18233713c6551c8742632768350ae3f36f636880.jpg]

```java
CommonUploadFile upload = null;
if (request.getMethod().toUpperCase().equals("POST")) {
    Jcms_UpdaterecordBLF blf = new Jcms_UpdaterecordBLF("1");
    Jcms_Update_RecordEntity entity = new Jcms_Update_RecordEntity();
    // extraction path
    String strFilePath = strSysPath + "/update/";
    // temporary directory for the uploaded zip file
    String strTemp = strFilePath + "temp/";
    Convert.createDirectory(strTemp);
    // set up the upload
    upload = new CommonUploadFile(strTemp, "");
    try {
        // upload the zip package
        boolean bResult = upload.uploadFile(request);
        String[] strFileName = upload.getAllFileName();
        // backup path is taken from the request form value vc_bakPath
        strBakPath = upload.getFormValue("vc_bakPath");
        strBakPath = Convert.getValue(strBakPath);
        strBakPath = (strBakPath.trim().length() == 0) ? strFilePath : strBakPath;
        strBakPath = strBakPath.replaceAll("\\\\", "/");
        if (strBakPath.endsWith("/") || strBakPath.endsWith("\\"))
            strBakPath = strBakPath.substring(0, strBakPath.length() - 1);
        strBakPath = strBakPath + "/bak/";
        // create the backup directory
        Convert.createDirectory(strBakPath);
        ZipFile zip = new ZipFile();
        // extract the zip package into strFilePath; the archive's contents are not inspected first
        boolean bl = zip.unzip(true, strTemp + strFileName[0].trim(), strFilePath);
        String strDate = DateFormat.getStrCurrentDate(DateFormat.LONG_DATE_TIME);
        // zip package name
        String strZipName = strFileName[0].substring(0, strFileName[0].lastIndexOf(".zip"));
        if (bResult && bl) {
            entity.setVc_packagename(strZipName);
            entity.setVc_spath(strFilePath);
            entity.setVc_bpath(strBakPath);
            entity.setC_createtime(strDate);
            entity.setI_flag(1);
            entity.setVc_status("未执行"); // status value "not executed"
            entity.setB_cancel(0);
            bl = blf.doInsert(entity);
        }
        if (!bl) {
            LogWriter.error("ERROR: mark record!");
        } else {
            // delete the uploaded zip file
            jcms.util.FileUtil.deleteFolder(strTemp);
            // (the excerpt on the page ends here)
```

The imported update package must be a zip archive, so we can pack our shell into a zip package.

```java
Jcms_UpdaterecordBLF blf = new Jcms_UpdaterecordBLF("1");
Jcms_Update_RecordEntity entity = new Jcms_Update_RecordEntity();
// extraction path
String strFilePath = strSysPath + "/update/"; // the package is finally extracted into this directory
// temporary directory for the uploaded zip file
String strTemp = strFilePath + "temp/";
```

In the end the shell is extracted into the update directory.
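The root cause shown above is that the archive is extracted into a directory the container serves without its contents being checked. As an added example (not JCMS code), the following Java class shows how an update-package importer can refuse such a package: every entry name is normalized and checked against the extraction root, server-executable file types such as .jsp are rejected, entries are validated against an allow-list, and nothing is written to disk unless every entry passes. The class name SafeUpdateUnzip, the allow-list of extensions and the demo package are assumptions; java.util.zip.ZipFile here is the JDK class, not the product's own ZipFile helper. Independently of this check, the extraction target should be a directory that the servlet container does not serve.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

/**
 * Hardened update-package extraction (added example, not JCMS code).
 * Every entry is validated before anything is written, so a package that
 * contains a server-executable file or a path-traversal entry is refused whole.
 */
public final class SafeUpdateUnzip {

    // Assumed policy: file types an update package may legitimately contain.
    private static final Set<String> ALLOWED_EXT =
            Set.of("xml", "properties", "sql", "txt", "html", "css", "js", "png", "jpg", "gif");

    // File types the servlet container would execute if they landed under the web root.
    private static final Set<String> SERVER_EXECUTABLE =
            Set.of("jsp", "jspx", "jspf", "class", "jar", "war");

    public static Path extract(Path zipFile, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        try (ZipFile zip = new ZipFile(zipFile.toFile())) {
            List<? extends ZipEntry> entries = Collections.list(zip.entries());
            // Pass 1: validate every entry; throw before touching the filesystem.
            for (ZipEntry e : entries) {
                resolveEntry(root, e.getName());
                if (!e.isDirectory()) {
                    checkExtension(e.getName());
                }
            }
            // Pass 2: write, now that the whole package has been accepted.
            Files.createDirectories(root);
            for (ZipEntry e : entries) {
                Path target = resolveEntry(root, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                try (InputStream in = zip.getInputStream(e)) {
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
        return root;
    }

    /** Rejects absolute entry names and names that resolve outside the extraction root ("zip slip"). */
    static Path resolveEntry(Path root, String entryName) throws IOException {
        if (entryName.startsWith("/") || entryName.startsWith("\\") || entryName.indexOf(':') >= 0) {
            throw new IOException("absolute entry name rejected: " + entryName);
        }
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("entry escapes extraction root: " + entryName);
        }
        return target;
    }

    /** Rejects server-executable types outright and anything not on the allow-list. */
    static void checkExtension(String entryName) throws IOException {
        String base = entryName.substring(entryName.lastIndexOf('/') + 1).toLowerCase(Locale.ROOT);
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1);
        if (SERVER_EXECUTABLE.contains(ext)) {
            throw new IOException("server-executable file type rejected: " + entryName);
        }
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IOException("file type not on allow-list: " + entryName);
        }
    }

    // Stand-alone demo on a constructed package: one harmless entry plus one .jsp entry.
    public static void main(String[] args) throws Exception {
        Path pkg = Files.createTempFile("update-", ".zip");
        try (ZipOutputStream zout = new ZipOutputStream(Files.newOutputStream(pkg))) {
            zout.putNextEntry(new ZipEntry("conf/site.properties"));
            zout.write("name=demo\n".getBytes("UTF-8"));
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("shell.jsp")); // constructed entry; its contents do not matter
            zout.write("<% %>".getBytes("UTF-8"));
            zout.closeEntry();
        }
        Path dest = Files.createTempDirectory("jcms-update-");
        try {
            extract(pkg, dest);
            System.out.println("package accepted into " + dest);
        } catch (IOException e) {
            System.out.println("package refused: " + e.getMessage());
        }
    }
}
```

Because validation runs over the whole entry list before the first write, the constructed demo package is refused at the shell.jsp entry and the harmless conf/site.properties entry is never written either; a partially extracted package is what an attacker would otherwise rely on.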

[Screenshot: https://images.seebug.org/upload/201405/18234444bf341f0c216888235bd81e91b89d56d7.jpg]

[Screenshot: https://images.seebug.org/upload/201405/18234654263e42853175bfc299fa887c4cde562c.jpg]

Proof of vulnerability: the two screenshots above.
