### 简要描述:

最近公司也买了这套系统,对系统测试了一下,发现存在漏洞,官网 demo 同样存在这个漏洞。财务系统如果对外开放,被拿到权限确实很麻烦。

### 详细说明:

漏洞地址

```
http://**.**.**.**/k3cloud/
```

漏洞代码如下

```csharp
public void ProcessRequest(HttpContext context)
{
    try
    {
        context.Response.ContentType = "text/plain";
        // NOTE(review): the target directory is read from a client-supplied request header.
        string physicalPath = context.Request.Headers["filefolder"];
        if (string.IsNullOrEmpty(physicalPath))
        {
            physicalPath = context.Server.MapPath("UploadFiles");
        }
        else
        {
            // NOTE(review): PathUtils.GetPhysicalPath is not shown here; unless it confines the
            // result to a fixed upload root, the caller decides where files are written.
            physicalPath = PathUtils.GetPhysicalPath(physicalPath);
        }
        if (!Directory.Exists(physicalPath))
        {
            Directory.CreateDirectory(physicalPath);
        }
        HttpFileCollection files = context.Request.Files;
        int count = files.Count;
        if (count > 0)
        {
            for (int i = 0; i < count; i++)
            {
                HttpPostedFile file = files[i];
                if ((file != null) && (file.ContentLength > 0))
                {
                    // NOTE(review): file.FileName is client-supplied and concatenated as-is:
                    // no Path.GetFileName(), no extension allow-list, no content check.
                    string filename = physicalPath + "/" + file.FileName;
                    file.SaveAs(filename);
                }
            }
            context.Response.Write("0");
        }
        else
        {
            // NOTE(review): same pattern through the "Name" header; the raw request body is
            // appended to whatever path the header names. A missing header makes ToString()
            // throw before the whitespace check runs.
            string str3 = context.Request.Headers["Name"].ToString();
            if (string.IsNullOrWhiteSpace(str3))
            {
                str3 = "null";
            }
            FileStream stream = new FileStream(physicalPath + "/" + str3, FileMode.Append);
            context.Request.InputStream.CopyTo(stream);
            stream.Flush();
            stream.Close();
            context.Response.Write("1");
        }
    }
    catch (Exception exception)
    {
        context.Response.Write("-1");
        throw exception;
    }
}
```

没有对上传文件类型进行判断。此外,保存目录取自请求头 `filefolder`,文件名取自客户端提交的 `file.FileName` 或请求头 `Name`,都未经规范化和校验就直接拼接成保存路径;这段代码里也看不到任何身份认证或权限检查(上游是否另有检查,从这段代码无法判断)。修复时应在处理请求前校验登录态和权限,把保存目录固定在服务端配置的上传根目录内、不接受请求头指定的路径,用 `Path.GetFileName` 去掉文件名中的路径部分并按白名单校验扩展名,同时禁止上传目录执行脚本。

### 漏洞证明:

随便找了个网站

```
http://**.**.**.**/k3cloud
```

[<img src="https://images.seebug.org/upload/201512/0419511748fa839a1a068e4ff9adb767b304b9d0.png" alt="9.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/0419511748fa839a1a068e4ff9adb767b304b9d0.png)

[<img src="https://images.seebug.org/upload/201512/041951408d063a7b79df1999a6078de2759e6d24.png" alt="10.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/041951408d063a7b79df1999a6078de2759e6d24.png)

[<img src="https://images.seebug.org/upload/201512/0419515209dfb8bead1834d394e08c395db43c88.png" alt="11.png" width="600"
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/0419515209dfb8bead1834d394e08c395db43c88.png) 官网demo [<img src="https://images.seebug.org/upload/201512/04195319988a05dde7356f833d50a4a6154e4c24.png" alt="12.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/04195319988a05dde7356f833d50a4a6154e4c24.png) [<img src="https://images.seebug.org/upload/201512/04195335124afe538d8a4e80659055454b3c79e9.png" alt="13.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/04195335124afe538d8a4e80659055454b3c79e9.png)