中国网络渗透测试联盟
标题:
.用友ICC网站客服系统远程代码执行漏洞EXP
[打印本页]
作者:
admin
时间:
2012-9-13 17:51
标题:
.用友ICC网站客服系统远程代码执行漏洞EXP
<?php
0 B, c1 e. Z2 j% Z, H
/**
7 G: J& i) g! C H
* uploadFlash.php
1 p( C; {+ r( i: o9 i. K
* Flash文件上传.
+ G6 h5 K! k" e/ d! F
*/
* f+ E$ Y) `6 x& Y1 |
require_once('../global.inc.php');
2 ^0 \* w% g" {: i
2 z% n( @1 ]4 O; f
//operateId=1 上传,operateId=2 获取地址.
) O9 @' X9 z$ u, J9 t
$operateId = intval($_REQUEST['operateId']);
9 P k o! ~$ m& R; I
if(empty($operateId)) exit;
- R3 v) `' ?' i6 s: W; G) V
" k5 Y: G! v) V8 l! a9 B
if($operateId == 1){
8 q( v9 k1 \. s6 X7 O& y
$date = date("Ymd");
8 T5 _& d# x+ V* Z
$dest = $CONFIG->basePath."data/files/".$date."/";
" l. @0 j- C/ \
$COMMON->createDir($dest);
1 C: n$ v6 K- s9 P' N1 }
//if (!is_dir($dest)) mkdir($dest, 0777);
7 u% i( N* I8 c
/ Y- I- |0 m4 `4 r1 G1 F( b
$nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
" _) U, x+ w5 m9 I8 Z( j; ?7 n* i3 \
5 \. V. d+ h2 b" t
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
! n5 U9 ]0 m4 X& p) C- V- x
- Q4 x; T- q- z% {
if(!in_array($nameExt, $allowedType)){
- Z+ H% i) c2 D k
$msg = 0;
" t, S z4 l! O% L: \6 p
}
' z9 W9 n% W8 Q) P
if(empty($msg)){
! X0 [6 C. n1 ^ t/ G6 L' ?! A
$filename = getmicrotime().'.'.$nameExt;
4 J; e9 e5 Y& V" n0 L$ w
$file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
3 A9 ~2 d3 Z- x/ k5 _2 e5 O8 O4 Q z
$ f: K; u6 k! a+ `0 E
$filename = $dest.$filename;
& v: ]+ J6 i/ m6 K+ l& G6 C; w8 H
if(empty($_FILES['Filedata']['error'])){
6 ?! z% G: D. @1 \* k0 n7 H* y
move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);
1 L: n% l6 Z9 z) b# n# u
}
$ i8 e% `* C5 c
: ~: e& h: Z) e' B0 h2 J
if (file_exists($filename)){
: [: k: n. u( M* v
//$msg = 1;
4 [6 w L% j, Q$ H9 K
$msg = $file_url;
8 b( `( K0 c" L k
@chmod($filename, 0444);
5 _/ x6 P+ y- ]/ D) z" P8 A' z
}else{
, ^9 h, X2 T7 S& ^6 w/ ~
$msg = 0;
0 f- h( h$ ~3 L: Y/ {1 J) M: k
}
9 V1 `5 f! j! k6 i* I: Z/ a; O4 q
}
% b) w( ?( A3 a- K; E: @% l
$outMsg = "fileUrl=".$msg;
& y8 i5 M, b4 y x9 o
$_SESSION["eoutmsg"] = $outMsg;
& v2 ~( G$ H# G: b
exit;
& b8 B: q( `1 c8 t/ `# y1 x: p, o
}else if($operateId == 2){
3 ?" @% B" m T: Z6 l# K3 d/ ?3 i
$outMsg = $_SESSION["eoutmsg"];
8 A4 t$ M: B# W+ P
if(!empty($outMsg)){
$ l% q" g5 l) K( X9 c$ \
session_unregister("eoutmsg");
+ ~- i# \9 V. w- u" I. v# Z
echo '&'.$outMsg;
8 B& U$ u1 ?* k6 g) x
exit;
0 K1 w" O/ V% v9 p
}else{
8 Y6 q% H" H, A* n5 }, _- ?3 a
echo "&fileUrl=0";
& t- e/ w$ K5 a1 v# y( O8 `) l
exit;
5 B2 g6 o. o* e$ Y/ ~
}
; f; e$ \4 |8 H. t" S( K) `4 i0 G
}
# Z' D, C$ J9 d$ F3 ^ A/ G
9 F/ k2 D; s% g0 {6 h/ ]# R: C( T
function getmicrotime(){
4 F7 W& F: P* r: i, B2 L& P8 g
list($usec, $sec) = explode(" ",microtime());
( j# G2 ?: o j. l
return ((float)$usec + (float)$sec);
; a7 ~! v/ P4 K8 F: R6 Q
}
7 T8 X5 \9 ~, ?
" S- E p+ S& W w+ K% @
?>
2 ~* l& M* k4 F' e& Z- ]7 C$ I9 P
欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2