中国网络渗透测试联盟
标题:
.用友ICC网站客服系统远程代码执行漏洞EXP
[打印本页]
作者:
admin
时间:
2012-9-13 17:51
标题:
.用友ICC网站客服系统远程代码执行漏洞EXP
<?php
$ C, C! v1 e% ~6 p/ Z ~, d8 \; s& k
/**
9 R) W/ o$ U* ~7 }: g
* uploadFlash.php
0 Q# q2 y3 ?) l; V, n
* Flash文件上传.
2 M% [9 H+ U+ w
*/
1 m1 O/ S# E) _5 o/ v% L3 T. x
require_once('../global.inc.php');
$ P: f9 `3 t. T1 }
; J5 s' p' k* ?# ~' O6 |
//operateId=1 上传,operateId=2 获取地址.
* V, x4 J! _* T- M+ ^" D
$operateId = intval($_REQUEST['operateId']);
& z+ F m8 V5 p$ A
if(empty($operateId)) exit;
* D, ?8 N) V6 u( U# |& ~
! J2 [" |0 `. `" I, q& S9 O R
if($operateId == 1){
; C4 o' c% l0 p6 n; A
$date = date("Ymd");
" |/ V4 s0 I8 @/ B0 Q
$dest = $CONFIG->basePath."data/files/".$date."/";
6 Q$ h2 `1 G4 o; q1 O
$COMMON->createDir($dest);
4 @# ?* k; J1 O* m1 h5 m7 b, |# g
//if (!is_dir($dest)) mkdir($dest, 0777);
# \6 a& L [* i% h0 q8 `
4 i% s. A3 f: E& @% q4 J
$nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
* H. |0 Y, r9 k5 b
2 {0 f: O5 m% x5 U9 k ]4 _
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
! Z9 {; b4 v3 f. y
$ d+ |; X2 x6 F/ L" R
if(!in_array($nameExt, $allowedType)){
. ]' o$ v4 N; b7 R. b$ P! p
$msg = 0;
( } U L- T2 o- w8 i* G' c
}
' v: e9 }, _; L' f
if(empty($msg)){
" u) Q* k7 G3 I! w7 B+ T- d
$filename = getmicrotime().'.'.$nameExt;
3 M. j% U& |3 t/ W$ ?8 _
$file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
, _# P2 G9 H. a2 B7 R
" r5 M7 c: Y5 ~! f) |+ l& w
$filename = $dest.$filename;
9 [( R3 [/ |; p# j4 H. |. z: p
if(empty($_FILES['Filedata']['error'])){
5 y" \7 ]. z2 R+ Y
move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);
* P6 v- C; X" L3 ?8 ~: K! |& L
}
; V0 ]" C- u. _$ X/ j1 w. k
) @5 S" u; P8 F% |* N9 g2 _
if (file_exists($filename)){
$ j1 B; z: m5 S* M: C3 u" J% H- n0 `/ m% v
//$msg = 1;
5 N8 c# N: `' L5 O4 ]
$msg = $file_url;
2 A8 I9 {6 L1 _- _7 l; z5 ~
@chmod($filename, 0444);
* q2 w& A6 U6 f6 @8 X
}else{
8 n4 R8 s( o/ h+ \1 P
$msg = 0;
0 e/ v1 f# G' e# ^8 Q/ }/ \
}
& B6 ~$ ]5 o3 w! j6 o
}
5 R1 P! g8 f/ P8 g, ~
$outMsg = "fileUrl=".$msg;
# ]3 p/ o1 x/ e3 Z; c9 Q( r
$_SESSION["eoutmsg"] = $outMsg;
, f. ]7 R& T& a% ?/ d% p! l: g
exit;
7 D. x6 }5 C7 [" f# N( z2 m# g
}else if($operateId == 2){
! Q* T& g, H1 X& a" R5 Q+ [, s9 q" v; R
$outMsg = $_SESSION["eoutmsg"];
" |4 n0 a' x4 y# F: F2 y- Y
if(!empty($outMsg)){
% M9 V* H% L" N4 @( N, S
session_unregister("eoutmsg");
d4 K/ [$ v [% D; ]$ o
echo '&'.$outMsg;
* L, Z$ s, q' Q E0 C
exit;
: Z. {$ Q, |5 Y/ T/ o; n
}else{
9 G4 m) C3 b6 z, a" Q( Q9 f8 L
echo "&fileUrl=0";
, f4 B q. H" n0 }: B
exit;
* J3 N: H# H( m* `" b' B! t5 {
}
- K0 ^ ]4 \/ L6 t$ j- j/ v) a5 u1 ~
}
l& g3 Z6 N. M7 S( A) o6 ~
2 Q6 s( b P0 i& d. U) Y6 l; t8 I
function getmicrotime(){
" h: B! i5 V! E/ K) h
list($usec, $sec) = explode(" ",microtime());
; o% j. F$ P, Q! `1 z# ~
return ((float)$usec + (float)$sec);
9 }) R8 N4 R* T( m9 I4 b. Y, @
}
" l- \! B+ L+ |3 C: S7 N
1 ?, q4 W5 z6 a7 p* X$ C2 [, x
?>
6 k1 x. g4 Y! R( J. ^
欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2