Getshell in older versions of the Wangshen VPN system (also affects devices from multiple VPN manufacturers, such as Wangyu Shenzhou, Tianrongxin, Xi'an Wangying, Weishitong, Geda Zhengyuan, American concave and convex, and ANIX in Germany)
In the file /admin/system/backup_action.php:
if (isset($_REQUEST['cmd']))
    $cmd = $_REQUEST['cmd'];
else
    $cmd = "NULL";
$with_cert = 1;
$pass = "";
include_once "management/system.php";
if ($cmd == $LANG_IMPORT) {
    if ($_FILES['userfile']) {
        $file_size = $_FILES['userfile']['size'];
        $file_type = $_FILES['userfile']['type'];
        $temp_name = $_FILES['userfile']['tmp_name'];
        $file_name = $_FILES['userfile']['name'];
        $file_name = str_replace("\\","",$file_name);
        $file_name = str_replace("'","",$file_name);
        $file_name = str_replace(" ","",$file_name);
        $file_path = $CFG_UPLOAD_PATH."__im_data__.bin";
        //File Name Check
        if ( $file_name == "" ) {
            echo "Invalid File Name Specified";
            return;
        }
        $result = move_uploaded_file($temp_name, $file_path);
        chmod($file_path, 0777);
    } else {
        $msg = "no upload file\n";
        include "include/error.php";
        return;
    }
    if (isset($_POST['pass_import']))
        $pass = $_POST['pass_import'];
    $SM = new SystemManager;
    $msg = $SM->Import_Export($ticket, $pass, 1, 0);
    if ($msg == "OK")
        $msg = $RESTART_MSG;
    include "include/error.php";
    return;
}
if ($cmd == $LANG_EXPORT) {
    if (isset($_POST['pass_export']))
        $pass = $_POST['pass_export'];
    $SM = new SystemManager;
    $V = $SM->Import_Export($ticket, $pass, 2, $with_cert);
    $file_name = "/data/upload/__ex_data__.bin";
    /*
    header("Pragma: ");
    header("Cache-Control: ");
    header("Content-type: application/octet-stream");
    header("Content-Length: ".filesize($file_name));
    header("Content-Disposition: attachment; filename=\"sysbackup.bin\"");
    readfile($file_name);
    unlink($file_name);
    */
}
?>
$result = move_uploaded_file($temp_name, $file_path);
$file_path is controllable:
$file_path = $CFG_UPLOAD_PATH."__im_data__.bin";
%00 truncation gives arbitrary file upload!!
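For comparison, a hardened version of the import-upload step shown above, as an added example that is not code from the appliance or from the original report. The names UPLOAD_DIR, IMPORT_NAME, MAX_IMPORT_BYTES and store_import_upload() are hypothetical; it assumes the upload directory is /data/upload (the directory the export branch uses) and that the importer runs as the same user as the web process.

```php
<?php
// Added example (hypothetical names): the destination is built only from
// server-side constants, so nothing in the request can shape the path.
const UPLOAD_DIR = '/data/upload';            // assumed, taken from the export branch
const IMPORT_NAME = '__im_data__.bin';
const MAX_IMPORT_BYTES = 16 * 1024 * 1024;    // assumed limit for a config backup

function store_import_upload(array $file, string $dir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $size = (int)($file['size'] ?? 0);
    if ($size <= 0 || $size > MAX_IMPORT_BYTES) {
        throw new RuntimeException('unexpected upload size');
    }
    // PHP 5.3.4 and later reject filesystem paths containing NUL bytes;
    // the explicit check keeps the same guard on older runtimes, where
    // a NUL byte would cut off the fixed "__im_data__.bin" suffix.
    if (strpos($dir, "\0") !== false) {
        throw new RuntimeException('NUL byte in upload directory');
    }
    // The directory must already exist and resolve to the expected place.
    $base = realpath($dir);
    if ($base === false || !is_dir($base) || $base !== realpath(UPLOAD_DIR)) {
        throw new RuntimeException('upload directory is not the configured one');
    }
    $dest = $base . DIRECTORY_SEPARATOR . IMPORT_NAME;

    // Only accept a file PHP itself received in this request.
    $tmp = (string)($file['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp) || !move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0600);   // owner read/write only, instead of 0777
    return $dest;
}

// Usage inside the import branch (the client-supplied file name is never used):
if (isset($_FILES['userfile'])) {
    try {
        $file_path = store_import_upload($_FILES['userfile']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Import rejected';
    }
}
```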
EXP: included in the test code!
Cases: info was uploaded directly to prove the vulnerability; the exp is included in the test code.
**.**.**.**/
**.**/admin/system/11.php
https://**.**/welcome_pop.php
https://**.**/admin/system/11.php
**.**/welcome_pop.php
**.**/admin/system/11.php
https://**.**/welcome_pop.php (Beijing Jiao Tong University)
https://**.**/admin/system/11.php
https://**.**/welcome_pop.php (Anhui Finance e-government system)
https://**.**/admin/system/11.php
They are all Wangshen devices, but the product has a function that can change the logo on the page. The small logo by the arrow is the Wangshen logo:
Devices from the VPN manufacturers Wangyu Shenzhou, Tianrongxin, Xi'an Wangying, Weishitong, Geda Zhengyuan, American concave and convex, and ANIX were tested.