中国网络渗透测试联盟

标题: .用友ICC网站客服系统远程代码执行漏洞EXP [打印本页]

作者: admin    时间: 2012-9-13 17:51
标题: .用友ICC网站客服系统远程代码执行漏洞EXP
<?php0 B, c1 e. Z2 j% Z, H
/**
7 G: J& i) g! C  H * uploadFlash.php1 p( C; {+ r( i: o9 i. K
* Flash文件上传.
+ G6 h5 K! k" e/ d! F */
* f+ E$ Y) `6 x& Y1 |require_once('../global.inc.php');
2 ^0 \* w% g" {: i2 z% n( @1 ]4 O; f
//operateId=1 上传,operateId=2 获取地址.) O9 @' X9 z$ u, J9 t
$operateId = intval($_REQUEST['operateId']);9 P  k  o! ~$ m& R; I
if(empty($operateId)) exit;
- R3 v) `' ?' i6 s: W; G) V
" k5 Y: G! v) V8 l! a9 Bif($operateId == 1){
8 q( v9 k1 \. s6 X7 O& y $date = date("Ymd");
8 T5 _& d# x+ V* Z $dest = $CONFIG->basePath."data/files/".$date."/";" l. @0 j- C/ \
$COMMON->createDir($dest);1 C: n$ v6 K- s9 P' N1 }
//if (!is_dir($dest)) mkdir($dest, 0777);
7 u% i( N* I8 c / Y- I- |0 m4 `4 r1 G1 F( b
$nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
" _) U, x+ w5 m9 I8 Z( j; ?7 n* i3 \
5 \. V. d+ h2 b" t $allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
! n5 U9 ]0 m4 X& p) C- V- x
- Q4 x; T- q- z% { if(!in_array($nameExt, $allowedType)){- Z+ H% i) c2 D  k
  $msg = 0;
" t, S  z4 l! O% L: \6 p }
' z9 W9 n% W8 Q) P if(empty($msg)){! X0 [6 C. n1 ^  t/ G6 L' ?! A
  $filename = getmicrotime().'.'.$nameExt;
4 J; e9 e5 Y& V" n0 L$ w  $file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
3 A9 ~2 d3 Z- x/ k5 _2 e5 O8 O4 Q  z  
$ f: K; u6 k! a+ `0 E  $filename = $dest.$filename;
& v: ]+ J6 i/ m6 K+ l& G6 C; w8 H  if(empty($_FILES['Filedata']['error'])){
6 ?! z% G: D. @1 \* k0 n7 H* y   move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);
1 L: n% l6 Z9 z) b# n# u  }$ i8 e% `* C5 c
  
: ~: e& h: Z) e' B0 h2 J  if (file_exists($filename)){: [: k: n. u( M* v
   //$msg = 1;
4 [6 w  L% j, Q$ H9 K   $msg = $file_url;8 b( `( K0 c" L  k
   @chmod($filename, 0444);
5 _/ x6 P+ y- ]/ D) z" P8 A' z  }else{, ^9 h, X2 T7 S& ^6 w/ ~
   $msg = 0;0 f- h( h$ ~3 L: Y/ {1 J) M: k
  }
9 V1 `5 f! j! k6 i* I: Z/ a; O4 q }
% b) w( ?( A3 a- K; E: @% l $outMsg = "fileUrl=".$msg;
& y8 i5 M, b4 y  x9 o $_SESSION["eoutmsg"] = $outMsg;
& v2 ~( G$ H# G: b exit;& b8 B: q( `1 c8 t/ `# y1 x: p, o
}else if($operateId == 2){3 ?" @% B" m  T: Z6 l# K3 d/ ?3 i
$outMsg = $_SESSION["eoutmsg"];
8 A4 t$ M: B# W+ P if(!empty($outMsg)){
$ l% q" g5 l) K( X9 c$ \  session_unregister("eoutmsg");
+ ~- i# \9 V. w- u" I. v# Z  echo '&'.$outMsg;
8 B& U$ u1 ?* k6 g) x  exit;0 K1 w" O/ V% v9 p
}else{8 Y6 q% H" H, A* n5 }, _- ?3 a
  echo "&fileUrl=0";
& t- e/ w$ K5 a1 v# y( O8 `) l  exit;5 B2 g6 o. o* e$ Y/ ~
}
; f; e$ \4 |8 H. t" S( K) `4 i0 G}# Z' D, C$ J9 d$ F3 ^  A/ G
9 F/ k2 D; s% g0 {6 h/ ]# R: C( T
function getmicrotime(){ 4 F7 W& F: P* r: i, B2 L& P8 g
    list($usec, $sec) = explode(" ",microtime()); ( j# G2 ?: o  j. l
    return ((float)$usec + (float)$sec); ; a7 ~! v/ P4 K8 F: R6 Q
}
7 T8 X5 \9 ~, ?
" S- E  p+ S& W  w+ K% @?>
2 ~* l& M* k4 F' e& Z- ]7 C$ I9 P




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2