中国网络渗透测试联盟

标题: .用友ICC网站客服系统远程代码执行漏洞EXP [打印本页]
作者: admin    时间: 2012-9-13 17:51
标题: .用友ICC网站客服系统远程代码执行漏洞EXP
<?php1 M% L1 a0 u+ h! h9 Z, ^. H0 X
/**
, ^0 ?. [* W5 k+ s * uploadFlash.php$ d2 P2 Z9 u. N7 c+ p
* Flash文件上传.3 ^8 }( r+ z" u, o
*/
, [! B+ D: t! j$ B. l  |  k- L5 {# Orequire_once('../global.inc.php');( N7 c; F9 G; V  j4 @7 P' P2 ]% g7 @
0 l, P9 u1 i0 ?5 X* H; q
//operateId=1 上传,operateId=2 获取地址.
. w6 h, Z1 W2 c$operateId = intval($_REQUEST['operateId']);
" y- k  n4 Y+ R. Aif(empty($operateId)) exit;3 P# o, u/ Q/ P! j
: X3 ]4 u- f6 z! @
if($operateId == 1){
. i( n, [& n5 X  _ $date = date("Ymd");7 Q. w  m8 w- ^
$dest = $CONFIG->basePath."data/files/".$date."/";3 Z, o0 A! i* @3 `3 T
$COMMON->createDir($dest);
& t8 t3 j( H( M: r2 R //if (!is_dir($dest)) mkdir($dest, 0777);
  S4 i* G$ T* o9 u8 H
. H# j8 A/ k  c( D6 g5 G# P $nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
; J5 V8 F3 E  x4 R. V4 K/ a: } : d$ F: b/ i" z# b/ A. t
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');6 H$ D! I6 z  G3 C% T* Q" `9 B

6 [( c1 R( @: f" s2 E' k if(!in_array($nameExt, $allowedType)){
* s. t1 C0 B) x) k+ |8 o+ Q  $msg = 0;
' G6 ^6 ~0 H5 u5 s2 n9 C }( y5 Q, @; ^( b; A# a+ m  e
if(empty($msg)){5 Z2 w; W! j# J9 C
  $filename = getmicrotime().'.'.$nameExt;: O) l/ U1 N  L1 M
  $file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
: u+ X" A# I; K/ s  + D+ ~) u0 I. e( k! r* u; F) D) T
  $filename = $dest.$filename;
& L; T+ g1 d9 m2 @  if(empty($_FILES['Filedata']['error'])){
. r) |; F7 {0 ~1 ]% O   move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);5 T, B4 x$ E0 x' J
  }
0 T, F' i. C0 i- K# h  1 H% ]3 S* O, }# W  o1 }" l
  if (file_exists($filename)){+ r# K4 ^( G4 `( S/ e: m/ E
   //$msg = 1;
7 U0 _4 J9 T8 }/ f) x0 g: x1 v   $msg = $file_url;
6 q. _/ m/ r, j7 M4 B3 Z  y   @chmod($filename, 0444);
# L) P* t  ?2 n' L4 Z! e* M0 s  }else{5 n( H, f; \9 @
   $msg = 0;7 R% `9 H1 J2 v/ |
  }. ~/ t' a$ f0 V. E- W
}, B/ e; S( _  |5 d
$outMsg = "fileUrl=".$msg;2 R9 _' E0 O) N0 k* E0 a% R
$_SESSION["eoutmsg"] = $outMsg;7 u* @( z/ M2 b% f8 u* k) `
exit;
* F" d. w* \& o* b3 W3 O  a3 l% c& ]}else if($operateId == 2){8 u. P/ h1 t9 _- D/ \& M8 r
$outMsg = $_SESSION["eoutmsg"];
4 b* ~; @$ ]/ k% [2 O3 X$ R+ [5 c if(!empty($outMsg)){
; j8 D) ^1 M1 g$ @* X9 o% S3 w  session_unregister("eoutmsg");
  X3 P0 C/ R  S0 [( X' B  echo '&'.$outMsg;* J& U6 J+ _# n( ^# Y
  exit;
% S5 _9 D$ ^+ e# H9 l% V+ j }else{
5 Z5 n) \; ]; F( t; J- L9 x  echo "&fileUrl=0";
4 k5 m) C' H" j& E  exit;: h: u/ D0 k/ v. W- l
}
6 Z6 X* @/ b4 {$ m}# E! @) c2 O9 D! n6 j1 Z6 n: I

4 }5 G% c& a6 g3 D5 D' _6 Dfunction getmicrotime(){ 3 Z: I1 v6 ^; O) i4 n" l3 R
    list($usec, $sec) = explode(" ",microtime()); & B+ W0 N' s8 ~- L
    return ((float)$usec + (float)$sec); 8 l7 H  {, R9 I9 [# c2 H
}6 D! i. e7 e$ Y: C5 x$ C

/ I5 `- I# `2 i?>- |3 m0 A+ v* B8 p9 K* S' n1 l




欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2