中国网络渗透测试联盟
标题:
.用友ICC网站客服系统远程代码执行漏洞EXP
[打印本页]
作者:
admin
时间:
2012-9-13 17:51
标题:
.用友ICC网站客服系统远程代码执行漏洞EXP
<?php
8 u; r- t. w% o1 g& o
/**
, P: L! D- i$ ?1 o! [3 H
* uploadFlash.php
# y; ~8 i; M+ }) K& i+ u) E
* Flash文件上传.
4 {' m3 P2 A2 E* [( w4 B% U2 A) c+ m! T
*/
" J) n. [1 D: V( G* s4 Y9 c9 R% T, n
require_once('../global.inc.php');
0 a5 C) q2 T/ p9 r$ N: [
& H2 {" p/ h6 {
//operateId=1 上传,operateId=2 获取地址.
- f; u+ T3 v$ h- W) m) w
$operateId = intval($_REQUEST['operateId']);
- P) g# D; f8 D) @! h( J8 z
if(empty($operateId)) exit;
$ k- ]$ d& r8 {
$ s! }& E6 e; c0 i/ {
if($operateId == 1){
' I0 B3 T) E- P! f' T+ f- h7 j& E H
$date = date("Ymd");
$ |9 V( V1 Y; W4 k( e& @
$dest = $CONFIG->basePath."data/files/".$date."/";
2 I* @# o5 P% f
$COMMON->createDir($dest);
9 `7 E* t, |& N: ]7 U. _. x1 e
//if (!is_dir($dest)) mkdir($dest, 0777);
( c# S! _4 p* k- V7 n6 |) }/ j
1 b) r0 ` P* g1 J( u( A0 p
$nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
2 p' Q. S9 e2 Q, z5 w- `. C
/ O! K4 l" {, J+ y1 F
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
1 v- i0 l2 t! O' @+ k, w4 L7 E7 O
/ w) f9 z S6 e7 P) w, N
if(!in_array($nameExt, $allowedType)){
z4 c$ c0 X8 n& c( `5 j
$msg = 0;
7 z; Z7 Q3 q& m! E
}
! F' ^3 y( c/ G7 t( A/ h
if(empty($msg)){
- F* }2 A7 O! l" f
$filename = getmicrotime().'.'.$nameExt;
; @/ [; G/ W( X4 S- g
$file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
K: N8 l [2 o7 [
2 p! B- } ]% K; W- H# a4 e* o, i* G
$filename = $dest.$filename;
; M) \5 Z$ H: R9 H: x% A( `
if(empty($_FILES['Filedata']['error'])){
& f# z' L) Y4 q
move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);
8 p- Q! f b3 p6 w
}
S; @) }7 k! f( `
+ P1 a6 U$ S. b$ w/ x
if (file_exists($filename)){
& U; I* A+ N4 H3 c! U, w/ w- q! J
//$msg = 1;
! t- x2 v* O* x. d# `. d! s. L. C
$msg = $file_url;
& f; Z" Z5 J8 E; D+ ]$ z! P5 w
@chmod($filename, 0444);
7 ~7 y- {+ p( H. M8 `8 L
}else{
. D1 S4 P, ^* R& d: v4 B
$msg = 0;
& Q( R+ Q7 l3 y* ?$ e" J! _+ `0 ]
}
& l3 k) T0 Y3 j% F
}
8 Z; b$ ^# L% e4 c# I2 \' m
$outMsg = "fileUrl=".$msg;
3 _% {& A7 {6 o0 u F
$_SESSION["eoutmsg"] = $outMsg;
. i/ i; z# o: k3 e$ M
exit;
: ~! C) a: W; l$ \& s+ S: E
}else if($operateId == 2){
' Z6 e0 Y1 l2 F+ M
$outMsg = $_SESSION["eoutmsg"];
" _% C$ H o/ q/ o5 N8 t! z7 d6 l7 \
if(!empty($outMsg)){
# a B8 F; f, r3 \' `3 m
session_unregister("eoutmsg");
+ f8 J) T( S* n7 ?
echo '&'.$outMsg;
# W0 x3 |) C4 A* ?7 @
exit;
. N+ R% t* ~ U4 U/ P8 C
}else{
u& O2 Z" B' q" S7 x
echo "&fileUrl=0";
1 J8 M( u0 D" i. H" h
exit;
; L8 ?8 g7 }: U: q* _+ U
}
# Q8 |& X1 [/ t5 H# K$ u# I: y
}
' Q( e/ [- f. Z3 S& o: T
) S4 ]+ s- p. F- `
function getmicrotime(){
7 w3 H5 Z" U* u
list($usec, $sec) = explode(" ",microtime());
+ ^2 g8 b* \) B) _1 J" y: a9 z
return ((float)$usec + (float)$sec);
0 e d; E7 {, i# e
}
6 ~! z4 Q' J9 Y& h$ O' [3 t
* a( t9 N4 P- n$ ^. t+ C
?>
& J5 J1 G1 t2 T7 | K7 T: A: P9 D
欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2