中国网络渗透测试联盟

标题: .用友ICC网站客服系统远程代码执行漏洞EXP [打印本页]
作者: admin    时间: 2012-9-13 17:51
标题: .用友ICC网站客服系统远程代码执行漏洞EXP
<?php0 K% n1 u. Q, c6 E. b6 B, P
/**& T2 C3 E1 D) `0 _
* uploadFlash.php
, u" A/ F2 K" R$ t) s+ e3 P3 \ * Flash文件上传.
- ^1 I) K5 H2 J* o* Y$ g */
5 M3 D, m% z2 A) U+ Urequire_once('../global.inc.php');# B; _& Y% G* i3 P+ S2 W2 K+ [
4 r8 [# h+ @$ M+ c- I
//operateId=1 上传,operateId=2 获取地址.
* M# i. B% g+ \9 T* s$operateId = intval($_REQUEST['operateId']);: s/ C3 }, }9 {
if(empty($operateId)) exit;
9 a* n/ C7 S0 P" |( y
1 }& p9 b; n! l" y2 S8 fif($operateId == 1){/ [" m. e& X6 g4 a" `8 F$ `* _
$date = date("Ymd");! K; y" v" [% H  g) }
$dest = $CONFIG->basePath."data/files/".$date."/";
* a5 e6 W0 z, t( b  u3 B! y/ K $COMMON->createDir($dest);
+ y, ^8 _8 ?# P5 W+ O //if (!is_dir($dest)) mkdir($dest, 0777);: z3 V( }7 J' t! Q* ~
* a; u8 _, S( n  V* |+ z
$nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
: [% \' `6 X1 t( X, R6 Y$ ] 5 C" A% ]' o- @4 ?2 ]# I4 q
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
3 m2 R, K5 U- ?; e9 |
1 l' j! `0 _, L; t" Z if(!in_array($nameExt, $allowedType)){
$ P3 Q9 [. G2 Z  $msg = 0;
; l- B" e- E6 n- G7 o }( P. M/ v7 s% A. q
if(empty($msg)){  Z/ \. p- _' E; l7 V1 ]0 S
  $filename = getmicrotime().'.'.$nameExt;
9 s  @/ K% C/ A2 |  $file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);+ y# u; ~+ g( d0 g5 N! G9 O7 A: Y
  8 ]. m! ^4 u: x$ q' O- {5 O
  $filename = $dest.$filename;
* Z& G$ u4 S. S' N* ]8 W" [) |  if(empty($_FILES['Filedata']['error'])){3 F: H; D$ o3 z, o, I2 y
   move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);
8 E1 k4 x" _+ Z$ p6 g8 s# n# S/ e" o  }
& Q4 Z+ {+ Y* l$ b9 k% |6 v  
" k, O" o% E4 D" }  if (file_exists($filename)){4 |  j6 A' g4 V
   //$msg = 1;
" J- s9 [" G* G8 w4 ^   $msg = $file_url;$ D  ?" ?8 s( K  s
   @chmod($filename, 0444);" V, u! u3 N' ^# s6 ^
  }else{
! R9 i: r2 R$ |9 O6 {$ f% b0 W9 I   $msg = 0;; m8 |9 j' g1 e* J: x! z( I+ h
  }% m! v  L9 O3 }; ^; g, L) y' r! K
}/ s2 X" s( n! J. F3 R: b
$outMsg = "fileUrl=".$msg;
4 `' A8 j7 i; V7 W; C. }3 K $_SESSION["eoutmsg"] = $outMsg;
8 ^- L" n) [+ n exit;3 @( p7 P2 U, Y6 l0 r
}else if($operateId == 2){6 e+ C* G' z4 Z( w+ h
$outMsg = $_SESSION["eoutmsg"];
& z7 u! t8 D0 ^+ P( Z0 G5 B6 X if(!empty($outMsg)){
/ g: u) k1 q: U$ T  session_unregister("eoutmsg");
5 g3 h4 }4 O, ?9 v) W4 G' Y1 ^  echo '&'.$outMsg;% S4 s  J) q6 {; g+ h) F! @) f
  exit;. W# Z* t9 ]0 M
}else{( R2 r& o; |5 b/ v
  echo "&fileUrl=0";
2 _. k. Y0 Q4 e3 p  exit;# V$ a3 H( ]7 t- D: e5 [2 @) F3 ^
}( M: i9 z( O! w( R8 C3 P* [
}
1 L# \7 Y4 c0 ^0 w% E) C8 q* y; E6 V, u" q0 l" {% Z5 O/ s# `1 j
function getmicrotime(){
4 v. l6 q, h" E2 F. R& `& _    list($usec, $sec) = explode(" ",microtime());
" [1 t! `0 I8 |/ `, f* d( U    return ((float)$usec + (float)$sec); 9 y; r1 x% I/ I3 i( p5 Z7 S1 j
}
5 ?7 c* o/ U- @4 F
6 _: A, ~+ ]0 L* \  c9 A?>
6 h- o3 _+ g8 A7 z' W7 E. V



欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2