中国网络渗透测试联盟
标题:
.用友ICC网站客服系统远程代码执行漏洞EXP
[打印本页]
作者:
admin
时间:
2012-9-13 17:51
标题:
.用友ICC网站客服系统远程代码执行漏洞EXP
<?php
* M! D+ |) N/ _ p" s
/**
5 o; `/ H8 ^6 {8 R+ T: ^! O% r. i
* uploadFlash.php
6 Q2 Y" E9 @) i9 f. k6 `0 \9 q
* Flash文件上传.
$ ~. i) V, U6 K4 z
*/
) m" w" F# I' H- S
require_once('../global.inc.php');
( O; Z: H8 m: d0 o/ q& o3 ?
" h2 z: T4 i4 q0 `4 A. A1 V
//operateId=1 上传,operateId=2 获取地址.
% d0 K/ Z. Q1 p1 w. E1 E! c
$operateId = intval($_REQUEST['operateId']);
4 @! D5 w# S) I4 j+ Y3 R
if(empty($operateId)) exit;
% {% [, \' }7 l6 C/ |
4 v2 I5 D3 K" A
if($operateId == 1){
# y' \7 v! T0 {1 A+ G
$date = date("Ymd");
1 \. Q- i/ M! m( O% d( I
$dest = $CONFIG->basePath."data/files/".$date."/";
+ @1 g2 k5 j+ M- {! J! R) p
$COMMON->createDir($dest);
7 i* c* L8 ]5 f1 G/ Z
//if (!is_dir($dest)) mkdir($dest, 0777);
; C3 }( X4 e( s
$ P! U, E4 J1 ?2 z+ E; l! h. N
$nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
- \6 r+ j' F- |# a) f; Q
- K5 K. ~2 w4 V2 b/ l
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
6 ^, E! m0 ~( C$ T
) R- D$ s4 V N; z v+ L. [
if(!in_array($nameExt, $allowedType)){
3 i$ c v" i6 h
$msg = 0;
4 `4 @/ I. l1 o- @3 a, }
}
. G7 n$ y: D+ z! H+ k$ l
if(empty($msg)){
& D3 d& j" n8 ~: j& `+ K
$filename = getmicrotime().'.'.$nameExt;
8 U6 o3 p: e2 V" b% z6 p& Z. k- E0 x
$file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
$ E. S0 g0 H' H3 N7 K5 S' X
5 F& {# ^! B4 E4 U: n& P9 Q/ P
$filename = $dest.$filename;
( [+ ?9 }9 k* S, |
if(empty($_FILES['Filedata']['error'])){
! O9 t- s" B# u
move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);
* b; X% M K8 ^: R6 x& k
}
6 ?$ z( @3 l2 D# h$ Q5 k
% ~1 ?7 H4 ?8 Y. t8 X$ |. g0 a, ]
if (file_exists($filename)){
$ R/ c, L5 X+ E3 f
//$msg = 1;
/ ]% U9 G9 `2 p3 Z
$msg = $file_url;
" S! q+ _0 h: ~9 w
@chmod($filename, 0444);
% s% v! B3 w& I% D4 |
}else{
3 l* `( w$ ]9 w( g# F' H. ?% T
$msg = 0;
! b& O; X( Z: H
}
7 ?# U+ l' U7 x
}
; ?3 K) C, Y0 A
$outMsg = "fileUrl=".$msg;
3 V9 V9 H" z2 w, W) s
$_SESSION["eoutmsg"] = $outMsg;
- Q+ Z3 T% A8 D4 C9 V
exit;
, {2 d& o' V1 U+ U6 H6 {
}else if($operateId == 2){
* W8 u2 X9 k" z4 L5 a! k/ r" T. J- d4 T" ^
$outMsg = $_SESSION["eoutmsg"];
- L% j/ A4 G! G2 H$ R
if(!empty($outMsg)){
8 ~2 |5 n; h7 e- J4 p: s Y
session_unregister("eoutmsg");
5 x& P! ] I3 F. t+ F
echo '&'.$outMsg;
( U$ K+ R& S" x2 S. Q; {: p7 n
exit;
4 [+ Y) r! ~1 d$ I7 K$ S; |6 E
}else{
* }5 y }! R: U5 H L4 q( @
echo "&fileUrl=0";
+ V* f; g/ {( g8 |9 R
exit;
1 L' l0 B, W2 c3 u7 @/ u5 o
}
1 f- @2 _& g: X$ p2 q
}
2 u0 v& I% E6 d, e
1 F% c d0 i; S) c; Y
function getmicrotime(){
. l9 j, [7 e/ d j6 c0 P. z* p- p
list($usec, $sec) = explode(" ",microtime());
. |7 U5 k( R7 B
return ((float)$usec + (float)$sec);
/ b, H* d. @( Y% K
}
9 b k9 W/ ?/ Z
+ z2 ?& B V- U0 I
?>
" k' u' A4 M7 s, y4 g, j5 K) M6 S. [8 o
欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2