### Brief description:
This vulnerability was already reported on WooYun in July, but the patching has had almost no effect.
### Detailed description:
Vulnerability address submitted by 瘦蛟舞: [WooYun: Wanhu OA arbitrary file upload leading to code execution (summary of multiple locations)](http://www.wooyun.org/bugs/wooyun-2014-067391)
The vulnerability is one that was also submitted by 瘦蛟舞 (http://www.wooyun.org/whitehats/%E7%98%A6%E8%9B%9F%E8%88%9E).
So I searched Google for: inurl:7001/defaultroot
There were 324 results.
![1031_1.png](https://images.seebug.org/upload/201410/31170052402b2db1f8ebbc5ebaa4009e7a65dbbb.png)
Picked one at random and tested the upload:
![1031_2.png](https://images.seebug.org/upload/201410/31170311258f1fb76bcea1057f3a508448510620.png)
The renamed file name is returned directly in the page:
![1031_3.png](https://images.seebug.org/upload/201410/31170435ab794da7974d5ab12166b93158ed8191.png)
Then visit:
/defaultroothttps://images.seebug.org/upload/information/2014103116504631259116856.jsp
![1031_4.png](https://images.seebug.org/upload/201410/311705522310458b01532c7648879d8288296ec7.png)
The above is the rough getshell process.
Below are shells on multiple enterprise and government sites:
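The process above rests on two server-side weaknesses: the attachment handler accepts a file whose extension the servlet container will execute, and it then echoes the renamed storage path back to the client. The following is an added example of how a hardened upload handler closes both gaps; it is illustrative code written for this page, not Wanhu ezOFFICE's code, and the allowlist, magic-byte table and function names are assumptions. It checks every dot-separated suffix (so `shell.jsp.png` is caught), rejects path separators and null bytes, verifies content against the declared type where a signature is known, stores the file under a random name in a directory outside the web root, and returns only an opaque handle instead of the stored path.

```python
import os
import secrets
import tempfile

# Constructed allowlist: only attachment types an OA system needs to accept.
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg", "gif", "txt"}
# Extensions a Java servlet container would execute if they landed under the web root.
EXECUTABLE_EXTENSIONS = {"jsp", "jspx", "jspf", "jsw", "jsv", "war", "jar"}
# Constructed magic-byte table for types with a stable signature.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is for the server log, not the client."""


def validate_upload(original_name: str, content: bytes) -> str:
    """Return the normalized extension if the upload is acceptable, otherwise raise UploadRejected."""
    name = original_name.replace("\\", "/")
    if "/" in name or "\x00" in name or ";" in name:
        raise UploadRejected("path separators, null bytes or ';' in file name")
    parts = name.lower().split(".")
    if len(parts) < 2 or any(part == "" for part in parts):
        raise UploadRejected("file name needs a base name and a non-empty extension")
    # Check every suffix, not only the last one: 'shell.jsp.png' passes a last-extension check.
    for suffix in parts[1:]:
        if suffix in EXECUTABLE_EXTENSIONS:
            raise UploadRejected(f"executable extension '{suffix}' rejected")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension '{ext}' not in allowlist")
    magic = MAGIC.get(ext)
    if magic is not None and not content.startswith(magic):
        raise UploadRejected("content does not match the declared type")
    return ext


def is_accepted(original_name: str, content: bytes) -> bool:
    """Boolean convenience wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(original_name, content)
        return True
    except UploadRejected:
        return False


def make_stored_name(ext: str) -> str:
    """Random storage name: the client-supplied name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(original_name: str, content: bytes, storage_dir: str) -> str:
    """Validate, write under a random name in storage_dir (outside the web root) and return an opaque token.

    The token is the only thing sent back to the client; the directory and file name are never echoed.
    A download endpoint would map token -> path server-side and serve the bytes with a fixed Content-Type.
    """
    ext = validate_upload(original_name, content)
    stored = make_stored_name(ext)
    with open(os.path.join(storage_dir, stored), "wb") as fh:
        fh.write(content)
    return stored.split(".")[0]


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate PDF and several shapes of upload the report's attack relies on.
    storage = tempfile.mkdtemp()
    print("pdf  ->", store_upload("report.pdf", b"%PDF-1.4\n%constructed", storage))
    for bad_name, bad_body in [
        ("shell.jsp", b"<%@ page %>"),
        ("shell.jsp.png", b"<%@ page %>"),
        ("x.png\x00.jsp", b"<%@ page %>"),
        ("../x.png", b"\x89PNG\r\n\x1a\n"),
        ("fake.pdf", b"<%@ page %>"),
    ]:
        print(f"{bad_name!r:20} accepted={is_accepted(bad_name, bad_body)}")
```

The response-shaping matters as much as the extension check: even if an executable file slipped through, a random name in a directory the container does not serve, with no path echoed back, removes the second step of the process described above.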
OA Office - Jinzhai People's Government website
http://www.ahjinzhai.gov.cn:7001/defaultroothttps://images.seebug.org/upload/information/2014103011135554941375673.jsp
OA office system (Chuyuan Hydropower Investment Group)
http://58.20.50.94:7001/defaultroothttps://images.seebug.org/upload/information/2014103017374132828399603.jsp
OA Office - Jiuhuashan Tourism Portal
http://218.22.212.148:7001/defaultroothttps://images.seebug.org/upload/information/2014103019333478480357773.jsp
Wanhu ezOFFICE
http://222.178.221.54:7001/defaultroothttps://images.seebug.org/upload/information/2014103019095309431976265.jsp
Staff office portal - Wanhu ezOFFICE - Hongdou Group
http://oa.hongdou.com:7001/defaultroothttps://images.seebug.org/upload/information/2014103019214550025117683.jsp
Backend management - Bengbu (China) government website
http://www.bengbu.gov.cn:7001/defaultroothttps://images.seebug.org/upload/information/2014103111045738020322036.jsp
Party and government OA system - Ningguo City party and government office platform
http://220.179.251.131:7001/defaultroothttps://images.seebug.org/upload/information/2014103116063901683581994.jsp
Guzhen County party and government office
http://211.141.165.226:7001/defaultroothttps://images.seebug.org/upload/information/2014103116155469073216513.jsp
Yunda Group collaborative office system
http://oa.yundagroup.com:7001/defaultroothttps://images.seebug.org/upload/information/2014103116271633750509356.jsp
Shanghai Mental Health Center
http://211.144.121.189:7001/defaultroothttps://images.seebug.org/upload/information/2014103116445923450268822.jsp
....
Only the first two pages of Google results were tested; the many pages after that were not tested.
![1031_5.png](https://images.seebug.org/upload/201410/31171747349d79add18515112cae13f9ef031740.png)
![1031_6.png](https://images.seebug.org/upload/201410/311718470b8e07e45e4389f3ebe820637c0ac8ca.png)
![1031_7.png](https://images.seebug.org/upload/201410/311719293bd958039da31ef4d5186d7beceb4ad0.png)
![1031_8.png](https://images.seebug.org/upload/201410/3117201290988a87fd1ef422bcc45903d36f76e5.png)
...
Statement: none of the tests caused any damage...
### Proof of vulnerability:
![1031_9.png](https://images.seebug.org/upload/201410/31172206870a36c82985f18906d78e79ef118773.png)
http://218.22.212.148:7001/defaultroothttps://images.seebug.org/upload/information/2014103019333478480357773.jsp
http://222.178.221.54:7001/defaultroothttps://images.seebug.org/upload/information/2014103019095309431976265.jsp
http://oa.hongdou.com:7001/defaultroothttps://images.seebug.org/upload/information/2014103019214550025117683.jsp
http://www.bengbu.gov.cn:7001/defaultroothttps://images.seebug.org/upload/information/2014103111045738020322036.jsp
http://220.179.251.131:7001/defaultroothttps://images.seebug.org/upload/information/2014103116063901683581994.jsp
http://211.141.165.226:7001/defaultroothttps://images.seebug.org/upload/information/2014103116155469073216513.jsp
http://oa.yundagroup.com:7001/defaultroothttps://images.seebug.org/upload/information/2014103116271633750509356.jsp
http://211.144.121.189:7001/defaultroothttps://images.seebug.org/upload/information/2014103116445923450268822.jsp