### Brief description:
### Detailed description:
The problem is in jcms/setup/opr_upload.jsp.
This feature imports an update package...
[![Screenshot](https://images.seebug.org/upload/201405/18233713c6551c8742632768350ae3f36f636880.jpg)](https://images.seebug.org/upload/201405/18233713c6551c8742632768350ae3f36f636880.jpg)
```
CommonUploadFile upload = null;
if(request.getMethod().toUpperCase().equals("POST")){
    Jcms_UpdaterecordBLF blf = new Jcms_UpdaterecordBLF("1");
    Jcms_Update_RecordEntity entity = new Jcms_Update_RecordEntity();
    // Extraction path
    String strFilePath = strSysPath + "/update/";
    // Temporary directory for the uploaded zip file
    String strTemp = strFilePath + "temp/";
    Convert.createDirectory(strTemp);
    // Set up the upload
    upload = new CommonUploadFile( strTemp ,"");
    try{
        // Upload the zip package
        boolean bResult = upload.uploadFile(request);
        String[] strFileName = upload.getAllFileName();
        strBakPath = upload.getFormValue("vc_bakPath");
        strBakPath = Convert.getValue(strBakPath);
        strBakPath = (strBakPath.trim().length() == 0) ? strFilePath : strBakPath;
        strBakPath = strBakPath.replaceAll("\\\\","/");
        if(strBakPath.endsWith("/") || strBakPath.endsWith("\\"))
            strBakPath = strBakPath.substring(0,strBakPath.length()-1);
        strBakPath = strBakPath+"/bak/";
        // Create the backup directory
        Convert.createDirectory(strBakPath);
        ZipFile zip = new ZipFile();
        // Extract the zip package into strFilePath
        boolean bl = zip.unzip( true,strTemp + strFileName[0].trim(),strFilePath );
        String strDate = DateFormat.getStrCurrentDate(DateFormat.LONG_DATE_TIME);
        // Zip package name
        String strZipName = strFileName[0].substring(0,strFileName[0].lastIndexOf(".zip"));
        if( bResult && bl){
            entity.setVc_packagename(strZipName);
            entity.setVc_spath(strFilePath);
            entity.setVc_bpath(strBakPath);
            entity.setC_createtime(strDate);
            entity.setI_flag(1);
            entity.setVc_status("未执行");
            entity.setB_cancel(0);
            bl = blf.doInsert(entity);
        }
        if( !bl ){
            LogWriter.error( "ERROR: mark record!" );
        }else{
            // Delete the uploaded zip file
            jcms.util.FileUtil.deleteFolder(strTemp);
```
The imported update package must be a zip archive, so we can package our webshell as a zip archive.
```
Jcms_UpdaterecordBLF blf = new Jcms_UpdaterecordBLF("1");
Jcms_Update_RecordEntity entity = new Jcms_Update_RecordEntity();
// Extraction path
String strFilePath = strSysPath + "/update/"; // the archive is ultimately extracted into this directory
// Temporary directory for the uploaded zip file
String strTemp = strFilePath + "temp/";
```
In the end the webshell is extracted into the update directory.
[![Screenshot](https://images.seebug.org/upload/201405/18234444bf341f0c216888235bd81e91b89d56d7.jpg)](https://images.seebug.org/upload/201405/18234444bf341f0c216888235bd81e91b89d56d7.jpg)
[![Screenshot](https://images.seebug.org/upload/201405/18234654263e42853175bfc299fa887c4cde562c.jpg)](https://images.seebug.org/upload/201405/18234654263e42853175bfc299fa887c4cde562c.jpg)
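For comparison, a hardened extraction step, given as an added example and not JCMS code: it refuses to stage an update package anywhere under the web root, so unpacked files cannot be requested by URL, and it goes beyond the case above by also rejecting entries whose names climb out of the staging directory. The class name `SafeUpdateUnpacker`, its method and the three path arguments are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

// Added example: hypothetical class, not part of JCMS.
public class SafeUpdateUnpacker {

    /** Extracts an update zip into stagingDir, which must lie outside webRoot. */
    public static int unpack(Path zipFile, Path stagingDir, Path webRoot) throws IOException {
        Path staging = stagingDir.toAbsolutePath().normalize();
        Path root = webRoot.toAbsolutePath().normalize();
        // Files staged under the web root can be requested, and JSPs executed, by URL.
        if (staging.startsWith(root)) {
            throw new IOException("staging directory must be outside the web root");
        }
        Files.createDirectories(staging);
        int count = 0;
        try (ZipInputStream in = new ZipInputStream(Files.newInputStream(zipFile))) {
            ZipEntry entry;
            while ((entry = in.getNextEntry()) != null) {
                Path target = staging.resolve(entry.getName()).normalize();
                // Reject absolute names and ../ sequences that leave the staging directory.
                if (!target.startsWith(staging)) {
                    throw new IOException("entry escapes staging directory: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                    count++;
                }
            }
        }
        return count; // number of files written
    }

    // Usage: java SafeUpdateUnpacker <package.zip> <stagingDir> <webRoot>
    public static void main(String[] args) throws IOException {
        int n = unpack(Paths.get(args[0]), Paths.get(args[1]), Paths.get(args[2]));
        System.out.println("extracted " + n + " files");
    }
}
```

This check covers only where the files land; who may call the upload page and whether the package is authentic have to be enforced separately.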
### Proof of vulnerability:
[![Screenshot](https://images.seebug.org/upload/201405/18234444bf341f0c216888235bd81e91b89d56d7.jpg)](https://images.seebug.org/upload/201405/18234444bf341f0c216888235bd81e91b89d56d7.jpg)
[![Screenshot](https://images.seebug.org/upload/201405/18234654263e42853175bfc299fa887c4cde562c.jpg)](https://images.seebug.org/upload/201405/18234654263e42853175bfc299fa887c4cde562c.jpg)