
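Vulnerability summary

Bug ID: wooyun-2015-0148474

Title: High-risk vulnerability at 時間軸 exposing account passwords for multiple databases, payment passwords and a readable mailing list; may trigger a butterfly effect

Vendor: 時間軸科技股份有限公司

Author: 路人甲

Submitted: 2015-10-21 23:18

Fixed: 2015-11-23 10:13

Disclosed: 2015-11-23 10:13

Vulnerability type: System/service operations misconfiguration

Severity: High

Self-assessed Rank: 16

Status: Fixed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]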



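Vulnerability details

Disclosure status:

2015-10-21: Details reported to the vendor; awaiting vendor handling
2015-10-22: Vendor confirmed; details disclosed to the vendor only
2015-11-01: Details disclosed to core white hats and experts in related fields
2015-11-11: Details disclosed to regular white hats
2015-11-21: Details disclosed to intern white hats
2015-11-23: Vendor fixed the vulnerability and proactively disclosed it; details made public

Brief description:

I'm here looking for a gift!

Detailed description:

It stems from an SVN leak: 99% of the official site and its subsites expose `/.svn/entries`.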

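A defender can check whether this metadata has already been fetched from their own servers. The following is an added example, not part of the original report: it scans web-server access logs for requests that reach a `.svn` directory and separates the ones the server actually answered from the ones it refused. The log layout (virtual host followed by the combined format), the `example.com` hosts and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumed layout: virtual host, then the Apache/nginx "combined" fields.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation hosts and addresses only).
SAMPLE_LOG = [
    'pay.example.com 198.51.100.7 - - [21/Oct/2015:23:01:12 +0800] '
    '"GET /.svn/entries HTTP/1.1" 200 1843',
    'pay.example.com 198.51.100.7 - - [21/Oct/2015:23:01:15 +0800] '
    '"GET /.svn/text-base/config.php.svn-base HTTP/1.1" 200 912',
    'www.example.com 203.0.113.20 - - [21/Oct/2015:23:02:40 +0800] '
    '"GET /index.php HTTP/1.1" 200 5120',
    'store.example.com 198.51.100.7 - - [21/Oct/2015:23:03:02 +0800] '
    '"GET /%2Esvn/entries HTTP/1.1" 403 162',
    'store.example.com 203.0.113.20 - - [21/Oct/2015:23:03:30 +0800] '
    '"GET /docs/svn-guide.html HTTP/1.1" 200 2210',
]


def svn_metadata_path(target):
    """Return the decoded path if the request reaches a .svn directory, else None.

    Matching is done on whole path segments, so "/docs/svn-guide.html" is not
    flagged, and on the percent-decoded, case-folded form, so "/%2Esvn/" and
    "/.SVN/" (case-insensitive filesystems) are.
    """
    path = unquote(urlsplit(target).path)
    segments = [s for s in path.split("/") if s]
    if ".svn" in (s.lower() for s in segments):
        return "/" + "/".join(segments)
    return None


def find_svn_exposure(log_lines):
    """Group .svn requests per virtual host into 'served' and 'refused'.

    'served' covers 2xx and 304: in both cases the file exists and the server
    is willing to hand it out. Covers both working-copy layouts: entries and
    text-base/ (SVN <= 1.6) and wc.db and pristine/ (SVN >= 1.7).
    """
    report = defaultdict(lambda: {"served": [], "refused": []})
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        path = svn_metadata_path(m["target"])
        if path is None:
            continue
        status = int(m["status"])
        served = 200 <= status < 300 or status == 304
        bucket = "served" if served else "refused"
        report[m["vhost"]][bucket].append((m["client"], path, status))
    return dict(report)


def exposed_vhosts(report):
    """Virtual hosts that handed out at least one .svn file."""
    return sorted(v for v, hits in report.items() if hits["served"])


if __name__ == "__main__":
    report = find_svn_exposure(SAMPLE_LOG)
    for vhost in exposed_vhosts(report):
        for client, path, status in report[vhost]["served"]:
            print(f"EXPOSED {vhost} {path} -> {status} (client {client})")
```

Any host listed as exposed should have its deployed working copy replaced with an export that carries no `.svn` directory, and every credential stored in the served files should be treated as disclosed.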

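Proof of vulnerability:

I downloaded a few at random as a test; the impact is big, isn't it:
0x01: memcache

[Image: 1.jpg]


0x02: Internal database

[Image: 1.jpg]


0x03: Sensitive information

[Image: 1.png]


0x04: Email addresses that were read (customers or the company?)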



0x05: A piece of information I did not understand:
<code><?php
/*
MSN class ver 1.8 by Tommy Wu
License: GPL
You can find MSN protocol from this site: http://msnpiki.msnfanatic.com/index.php/Main_Page
This class support both MSNP15 and MSNP9 for send message. The PHP module needed:
MSNP9: curl pcre
MSNP15: curl pcre mhash mcrypt bcmath
Usually, this class will try to use MSNP15 if your system can support it, if your system can't support it,
it will switch to use MSNP9. But if you use MSNP9, it won't support OIM (Offline Messages).
Sample Code:
    $msn = new MSN;
    if (!$msn->connect('YOUR_MSN_ID', 'YOUR_MSN_PASSWORD')) {
        echo "Error for connect to MSN network\n";
        echo "$msn->error\n";
        exit;
    }
    $msn->sendMessage('Now: '.strftime('%m/%d/%y %H:%M:%S')."\nTesting\nSecond Line\n\n\n\nand Empty Line",
        array(
            '[email protected]',
            '[email protected]'
        )
    );
    echo "Done!\n";
    exit;
*/
class MSN
{
    var $server = 'messenger.hotmail.com';
    var $port = 1863;
    var $passport_url = 'https://login.live.com/RST.srf';
    var $protocol = 'MSNP15';
    var $buildver = '8.1.0178';
    var $prod_key = 'PK}_A_0N_K%O?A9S';
    var $prod_id = 'PROD0114ES4Z%Q5W';
    var $login_method = 'SSO';
    var $clientid = '';
    var $oim_send_url = 'https://ows.messenger.msn.com/OimWS/oim.asmx';
    var $oim_send_soap = 'http://messenger.live.com/ws/2006/09/oim/Store2';
    var $oim_maildata_url = 'https://rsi.hotmail.com/rsi/rsi.asmx';
    var $oim_maildata_soap = 'http://www.hotmail.msn.com/ws/2004/09/oim/rsi/GetMetadata';
    var $oim_read_url = 'https://rsi.hotmail.com/rsi/rsi.asmx';
    var $oim_read_soap = 'http://www.hotmail.msn.com/ws/2004/09/oim/rsi/GetMessage';
    var $oim_del_url = 'https://rsi.hotmail.com/rsi/rsi.asmx';
    var $oim_del_soap = 'http://www.hotmail.msn.com/ws/2004/09/oim/rsi/DeleteMessages';
    var $membership_url = 'https://contacts.msn.com/abservice/SharingService.asmx';
    var $membership_soap = 'http://www.msn.com/webservices/AddressBook/FindMembership';
    var $addmember_url = 'https://contacts.msn.com/abservice/SharingService.asmx';
    var $addmember_soap = 'http://www.msn.com/webservices/AddressBook/AddMember';
    var $delmember_url = 'https://contacts.msn.com/abservice/SharingService.asmx';
    var $delmember_soap = 'http://www.msn.com/webservices/AddressBook/DeleteMember';
    var $id;
    var $fp = false;
    var $error = '';
    var $authed = false;
    var $user = '';
    var $password = '';
    var $passport_policy = '';
    var $oim_try = 3;
    var $oim_ticket = '';
    var $contact_ticket = '';
    // FIXME: even we login for following site, but... we don't need that now.
    var $web_ticket = '';
    var $space_ticket = '';
    var $storage_ticket = '';
    var $debug = false;
    var $log_file = '';
    var $timeout = 15;
    var $stream_timeout = 2;
    var $log_path = false;
    var $sb;
    var $font_fn = 'Arial';
    var $font_co = '333333';
    var $font_ef = '';
    var $windows = false;
    var $kill_me = false;
    // the message length (include header) is limited (maybe since WLM 8.5 released)
    // for WLM: 1664 bytes
    // for YIM: 518 bytes
    var $max_msn_message_len = 1664;
    var $max_yahoo_message_len = 518;

    // PHP 4-style constructor (a method named after the class)
    function MSN($protocol = '', $debug = false, $timeout = 15, $client_id = 0x7000800C)
    {
        // a non-empty string passed as $debug is used as the log file name
        if (is_string($debug) && $debug !== '') {
            $this->debug = true;
            $this->log_file = $debug;
        }
        else
            $this->debug = $debug;
        $this->timeout = $timeout;
        // check support
        if (!function_exists('curl_init')) die("We need curl module!\n");
        if (!function_exists('preg_match')) die("We need pcre module!\n");
        if ($protocol != 'MSNP9' && $protocol != 'MSNP15')
            $protocol = '';
        // fall back to MSNP9 when a module required by MSNP15 is missing
        if ($protocol != 'MSNP9' && !function_exists('mhash')) {
            if ($protocol == 'MSNP15') die("We need mhash module for $protocol!\n");
            $protocol = 'MSNP9';
        }
        if ($protocol != 'MSNP9' && !function_exists('mcrypt_cbc')) {
            if ($protocol == 'MSNP15') die("We need mcrypt module for $protocol!\n");
            $protocol = 'MSNP9';
        }
        if ($protocol != 'MSNP9' && !function_exists('bcmod')) {
            if ($protocol == 'MSNP15') die("We need bcmath module for $protocol!\n");
            $protocol = 'MSNP9';
        }
        if ($protocol == 'MSNP9') {
            $this->protocol = 'MSNP9';
            $this->passport_url = 'https://nexus.passport.com/rdr/pprdr.asp';
            $this->buildver = '6.0.0602';
            $this->prod_key = 'Q1P7W2E4J9R8U3S5';
            $this->prod_id = '[email protected]';
            $this->login_method = 'TWN';
        }
        else {
            $this->protocol = 'MSNP15';
            $this->passport_url = 'https://login.live.com/RST.srf';
            $this->buildver = '8.1.0178';
            $this->prod_key = 'PK}_A_0N_K%O?A9S';
            $this->prod_id = 'PROD0114ES4Z%Q5W';
            $this->login_method = 'SSO';
            $this->oim_send_url = 'https://ows.messenger.msn.com/OimWS/oim.asmx';
            $this->oim_send_soap = 'http://messenger.live.com/ws/2006/09/oim/Store2';
            /*
             http://msnpiki.msnfanatic.com/index.php/Client_ID
             Client ID for MSN:
             normal MSN 8.1 clientid is:
             01110110 01001100 11000000 00101100
             = 0x764CC02C
             we just use following:
             * 0x04: Your client can send/receive Ink (GIF format)
             * 0x08: Your client can send/receive Ink (ISF format)
             * 0x8000: This means you support Winks receiving (If not set the official Client will warn with 'contact has an older client and is not capable of receiving Winks')
             * 0x70000000: This is the value for MSNC7 (WL Msgr 8.1)
             = 0x7000800C;
             */
            $this->clientid = $client_id;
        }
        if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
            $this->windows = true;
        else
            $this->windows = false;
        return;
    }
    function get_passport_ticket($url = '')
    {
        $user = htmlspecialchars($this->user);
        $password = htmlspecialchars($this->password);
        if ($url === '')
            $passport_url = $this->passport_url;
        else
            $passport_url = $url;
        $XML = '<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc"
xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust">
<Header>
<ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">
<ps:HostingApp>{7108E71A-9926-4FCB-BCC9-9A9D3F32E423}</ps:HostingApp>
<ps:BinaryVersion>4</ps:BinaryVersion>
<ps:UIVersion>1</ps:UIVersion>
<ps:Cookies></ps:Cookies>
<ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams>
</ps:AuthInfo>
<wsse:Security>
<wsse:UsernameToken Id="user">
<wsse:Username>'.$user.'</wsse:Username>
<wsse:Password>'.$password.'</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</Header>
<Body>
<ps:RequestMultipleSecurityTokens xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="RSTS">
<wst:RequestSecurityToken Id="RST0">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>http://Passport.NET/tb</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
</wst:RequestSecurityToken>
<wst:RequestSecurityToken Id="RST1">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>messengerclear.live.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsse:PolicyReference URI="'.$this->passport_policy.'"></wsse:PolicyReference>
</wst:RequestSecurityToken>
<wst:RequestSecurityToken Id="RST2">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>messenger.msn.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsse:PolicyReference URI="?id=507"></wsse:PolicyReference>
</wst:RequestSecurityToken>
<wst:RequestSecurityToken Id="RST3">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>contacts.msn.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsse:PolicyReference URI="MBI"></wsse:PolicyReference>
</wst:RequestSecurityToken>
<wst:RequestSecurityToken Id="RST4">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>messengersecure.live.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsse:PolicyReference URI="MBI_SSL"></wsse:PolicyReference>
</wst:RequestSecurityToken>
<wst:RequestSecurityToken Id="RST5">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>spaces.live.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsse:PolicyReference URI="MBI"></wsse:PolicyReference>
</wst:RequestSecurityToken>
<wst:RequestSecurityToken Id="RST6">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>storage.msn.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsse:PolicyReference URI="MBI"></wsse:PolicyReference>
</wst:RequestSecurityToken>
</ps:RequestMultipleSecurityTokens>
</Body>
</Envelope>';
        $this->debug_message("*** URL: $passport_url");
        $this->debug_message("*** Sending SOAP:\n$XML");
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $passport_url);
        if ($this->debug) curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        // NOTE: certificate verification is off, so the server receiving the credentials is not authenticated
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($curl, CURLOPT_POST, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $XML);
        $data = curl_exec($curl);
        $http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
        curl_close($curl);
        $this->debug_message("*** Get Result:\n$data");
        if ($http_code != 200) {
            // sometimes, redirect to another URL
            // MSNP15
            //<faultcode>psf:Redirect</faultcode>
            //<psf:redirectUrl>https://msnia.login.live.com/pp450/RST.srf</psf:redirectUrl>
            //<faultstring>Authentication Failure</faultstring>
            if (strpos($data, '<faultcode>psf:Redirect</faultcode>') === false) {
                $this->debug_message("*** Can't get passport ticket! http code = $http_code");
                return false;
            }
            preg_match("#<psf\:redirectUrl>(.*)</psf\:redirectUrl>#", $data, $matches);
            if (count($matches) == 0) {
                $this->debug_message("*** redirect, but can't get redirect URL!");
                return false;
            }
            $redirect_url = $matches[1];
            if ($redirect_url == $passport_url) {
                $this->debug_message("*** redirect, but redirect to same URL!");
                return false;
            }
            $this->debug_message("*** redirect to $redirect_url");
            return $this->get_passport_ticket($redirect_url);
        }
        // sometimes, redirect to another URL, also return 200
        // MSNP15
        //<faultcode>psf:Redirect</faultcode>
        //<psf:redirectUrl>https://msnia.login.live.com/pp450/RST.srf</psf:redirectUrl>
        //<faultstring>Authentication Failure</faultstring>
        if (strpos($data, '<faultcode>psf:Redirect</faultcode>') !== false) {
            preg_match("#<psf\:redirectUrl>(.*)</psf\:redirectUrl>#", $data, $matches);
            if (count($matches) != 0) {
                $redirect_url = $matches[1];
                if ($redirect_url == $passport_url) {
                    $this->debug_message("*** redirect, but redirect to same URL!");
                    return false;
                }
                $this->debug_message("*** redirect to $redirect_url");
                return $this->get_passport_ticket($redirect_url);
            }
        }
        // no Redirect faultcode or URL
        // we should get the ticket here
        // we need ticket and secret code
        // RST1: messengerclear.live.com
        // <wsse:BinarySecurityToken Id="Compact1">t=tick&p=</wsse:BinarySecurityToken>
        // <wst:BinarySecret>binary secret</wst:BinarySecret>
        // RST2: messenger.msn.com
        // <wsse:BinarySecurityToken Id="PPToken2">t=tick</wsse:BinarySecurityToken>
        // RST3: contacts.msn.com
        // <wsse:BinarySecurityToken Id="Compact3">t=tick&p=</wsse:BinarySecurityToken>
        // RST4: messengersecure.live.com
        // <wsse:BinarySecurityToken Id="Compact4">t=tick&p=</wsse:BinarySecurityToken>
        // RST5: spaces.live.com
        // <wsse:BinarySecurityToken Id="Compact5">t=tick&p=</wsse:BinarySecurityToken>
        // RST6: storage.msn.com
        // <wsse:BinarySecurityToken Id="Compact6">t=tick&p=</wsse:BinarySecurityToken>
        preg_match("#".
            "<wsse\:BinarySecurityToken Id=\"Compact1\">(.*)</wsse\:BinarySecurityToken>(.*)".
            "<wst\:BinarySecret>(.*)</wst\:BinarySecret>(.*)".
            "<wsse\:BinarySecurityToken Id=\"PPToken2\">(.*)</wsse\:BinarySecurityToken>(.*)".
            "<wsse\:BinarySecurityToken Id=\"Compact3\">(.*)</wsse\:BinarySecurityToken>(.*)".
            "<wsse\:BinarySecurityToken Id=\"Compact4\">(.*)</wsse\:BinarySecurityToken>(.*)".
            "<wsse\:BinarySecurityToken Id=\"Compact5\">(.*)</wsse\:BinarySecurityToken>(.*)".
            "<wsse\:BinarySecurityToken Id=\"Compact6\">(.*)</wsse\:BinarySecurityToken>(.*)".
            "#",
            $data, $matches);
        // no ticket found!
        if (count($matches) == 0) {
            $this->debug_message("*** Can't get passport ticket!");
            return false;
        }
        //$this->debug_message(var_export($matches, true));
        // matches[0]: all data
        // matches[1]: RST1 (messengerclear.live.com) ticket
        // matches[2]: ...
        // matches[3]: RST1 (messengerclear.live.com) binary secret
        // matches[4]: ...
        // matches[5]: RST2 (messenger.msn.com) ticket
        // matches[6]: ...
        // matches[7]: RST3 (contacts.msn.com) ticket
        // matches[8]: ...
        // matches[9]: RST4 (messengersecure.live.com) ticket
        // matches[10]: ...
        // matches[11]: RST5 (spaces.live.com) ticket
        // matches[12]: ...
        // matches[13]: RST6 (storage.msn.com) ticket
        // matches[14]: ...
        // so
        // ticket => $matches[1]
        // secret => $matches[3]
        // web_ticket => $matches[5]
        // contact_ticket => $matches[7]
        // oim_ticket => $matches[9]
        // space_ticket => $matches[11]
        // storage_ticket => $matches[13]
        // yes, we get ticket
        $aTickets = array(
            'ticket' => html_entity_decode($matches[1]),
            'secret' => html_entity_decode($matches[3]),
            'web_ticket' => html_entity_decode($matches[5]),
            'contact_ticket' => html_entity_decode($matches[7]),
            'oim_ticket' => html_entity_decode($matches[9]),
            'space_ticket' => html_entity_decode($matches[11]),
            'storage_ticket' => html_entity_decode($matches[13])
        );
        //$this->debug_message(var_export($aTickets, true));
        return $aTickets;
    }
    function get_tweener_passport_ticket($nonce)
    {
        $this->debug_message("*** URL: $this->passport_url");
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $this->passport_url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
        if ($this->debug) curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_NOBODY, 1);
        $data = curl_exec($curl);
        $http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
        curl_close($curl);
        $this->debug_message("*** Get Result:\n$data");
        // we need login URL
        // DALogin=xxx
        preg_match('/DALogin=(.*?),/', $data, $matches);
        // no URL found!
        if (count($matches) == 0) {
            $this->debug_message("*** Can't get passport's URL! http code = $http_code");
            return false;
        }
        $url = 'https://'.$matches[1];
        $this->debug_message("*** URL: $url");
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        // the account name and password travel in this Authorization header
        curl_setopt($curl, CURLOPT_HTTPHEADER, array(
            'Authorization: Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in='.$this->user.',pwd='.$this->password.','.$nonce,
            'Host: login.passport.com'
        ));
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        // NOTE: certificate verification is off, so the server receiving the credentials is not authenticated
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
        if ($this->debug) curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_NOBODY, 1);
        $data = curl_exec($curl);
        $http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
        curl_close($curl);
        $this->debug_message("*** Get Result:\n$data");
        // we need ticket
        // from-PP=xxx
        preg_match("/from-PP='(.*?)'/", $data, $matches);
        // no ticket found!
        if (count($matches) == 0) {
            $this->debug_message("*** Can't get passport's ticket! http code = $http_code");
            return false;
        }
        return $matches[1];
    }
    function delMemberFromList($memberID, $email, $network, $list)
    {
        if ($network != 1 && $network != 32) return true;
        if ($memberID === false) return true;
        $user = htmlspecialchars($email);
        $ticket = htmlspecialchars($this->contact_ticket);
        if ($network == 1)
            $XML = '<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Header>
<ABApplicationHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ApplicationId>996CDE1E-AA53-4477-B943-2BE802EA6166</ApplicationId>
<IsMigration>false</IsMigration>
<PartnerScenario>ContactMsgrAPI</PartnerScenario>
</ABApplicationHeader>
<ABAuthHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ManagedGroupRequest>false</ManagedGroupRequest>
<TicketToken>'.$ticket.'</TicketToken>
</ABAuthHeader>
</soap:Header>
<soap:Body>
<DeleteMember xmlns="http://www.msn.com/webservices/AddressBook">
<serviceHandle>
<Id>0</Id>
<Type>Messenger</Type>
<ForeignId></ForeignId>
</serviceHandle>
<memberships>
<Membership>
<MemberRole>'.$list.'</MemberRole>
<Members>
<Member xsi:type="PassportMember" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Type>Passport</Type>
<MembershipId>'.$memberID.'</MembershipId>
<State>Accepted</State>
</Member>
</Members>
</Membership>
</memberships>
</DeleteMember>
</soap:Body>
</soap:Envelope>';
        else
            $XML = '<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Header>
<ABApplicationHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ApplicationId>996CDE1E-AA53-4477-B943-2BE802EA6166</ApplicationId>
<IsMigration>false</IsMigration>
<PartnerScenario>ContactMsgrAPI</PartnerScenario>
</ABApplicationHeader>
<ABAuthHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ManagedGroupRequest>false</ManagedGroupRequest>
<TicketToken>'.$ticket.'</TicketToken>
</ABAuthHeader>
</soap:Header>
<soap:Body>
<DeleteMember xmlns="http://www.msn.com/webservices/AddressBook">
<serviceHandle>
<Id>0</Id>
<Type>Messenger</Type>
<ForeignId></ForeignId>
</serviceHandle>
<memberships>
<Membership>
<MemberRole>'.$list.'</MemberRole>
<Members>
<Member xsi:type="EmailMember" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Type>Email</Type>
<MembershipId>'.$memberID.'</MembershipId>
<State>Accepted</State>
</Member>
</Members>
</Membership>
</memberships>
</DeleteMember>
</soap:Body>
</soap:Envelope>';
        $header_array = array(
            'SOAPAction: '.$this->delmember_soap,
            'Content-Type: text/xml; charset=utf-8',
            'User-Agent: MSN Explorer/9.0 (MSN 8.0; TmstmpExt)'
        );
        $this->debug_message("*** URL: $this->delmember_url");
        $this->debug_message("*** Sending SOAP:\n$XML");
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $this->delmember_url);
        curl_setopt($curl, CURLOPT_HTTPHEADER, $header_array);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
        if ($this->debug) curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_POST, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $XML);
        $data = curl_exec($curl);
        $http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
        curl_close($curl);
        $this->debug_message("*** Get Result:\n$data");
        if ($http_code != 200) {
            preg_match('#<faultcode>(.*)</faultcode><faultstring>(.*)</faultstring>#', $data, $matches);
            if (count($matches) == 0) {
                $this->log_message("*** can't delete member (network: $network) $email ($memberID) to $list");
                return false;
            }
            $faultcode = trim($matches[1]);
            $faultstring = trim($matches[2]);
            if (strcasecmp($faultcode, 'soap:Client') || stripos($faultstring, 'Member does not exist') === false) {
                $this->log_message("*** can't delete member (network: $network) $email ($memberID) to $list, error code: $faultcode, $faultstring");
                return false;
            }
            $this->log_message("*** delete member (network: $network) $email ($memberID) from $list, not exist");
            return true;
        }
        $this->log_message("*** delete member (network: $network) $email ($memberID) from $list");
        return true;
    }
    function addMemberToList($email, $network, $list)
    {
        if ($network != 1 && $network != 32) return true;
        $ticket = htmlspecialchars($this->contact_ticket);
        $user = htmlspecialchars($email);
        if ($network == 1)
            $XML = '<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Header>
<ABApplicationHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ApplicationId>996CDE1E-AA53-4477-B943-2BE802EA6166</ApplicationId>
<IsMigration>false</IsMigration>
<PartnerScenario>ContactMsgrAPI</PartnerScenario>
</ABApplicationHeader>
<ABAuthHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ManagedGroupRequest>false</ManagedGroupRequest>
<TicketToken>'.$ticket.'</TicketToken>
</ABAuthHeader>
</soap:Header>
<soap:Body>
<AddMember xmlns="http://www.msn.com/webservices/AddressBook">
<serviceHandle>
<Id>0</Id>
<Type>Messenger</Type>
<ForeignId></ForeignId>
</serviceHandle>
<memberships>
<Membership>
<MemberRole>'.$list.'</MemberRole>
<Members>
<Member xsi:type="PassportMember" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Type>Passport</Type>
<State>Accepted</State>
<PassportName>'.$user.'</PassportName>
</Member>
</Members>
</Membership>
</memberships>
</AddMember>
</soap:Body>
</soap:Envelope>';
else
$XML = '<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Header>
<ABApplicationHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ApplicationId>996CDE1E-AA53-4477-B943-2BE802EA6166</ApplicationId>
<IsMigration>false</IsMigration>
<PartnerScenario>ContactMsgrAPI</PartnerScenario>
</ABApplicationHeader>
<ABAuthHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ManagedGroupRequest>false</ManagedGroupRequest>
<TicketToken>'.$ticket.'</TicketToken>
</ABAuthHeader>
</soap:Header>
<soap:Body>
<AddMember xmlns="http://www.msn.com/webservices/AddressBook">
<serviceHandle>
<Id>0</Id>
<Type>Messenger</Type>
<ForeignId></ForeignId>
</serviceHandle>
<memberships>
<Membership>
<MemberRole>'.$list.'</MemberRole>
<Members>
<Member xsi:type="EmailMember" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Type>Email</Type>
<State>Accepted</State>
<Email>'.$user.'</Email>
<Annotations>
<Annotation>
<Name>MSN.IM.BuddyType</Name>
<Value>32:YAHOO</Value>
</Annotation>
</Annotations>
</Member>
</Members>
</Membership>
</memberships>
</AddMember>
</soap:Body>
</soap:Envelope>';
$header_array = array(
'SOAPAction: '.$this->addmember_soap,
'Content-Type: text/xml; charset=utf-8',
'User-Agent: MSN Explorer/9.0 (MSN 8.0; TmstmpExt)'
);
$this->debug_message("*** URL: $this->addmember_url");
$this->debug_message("*** Sending SOAP:\n$XML");
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $this->addmember_url);
curl_setopt($curl, CURLOPT_HTTPHEADER, $header_array);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
if ($this->debug) curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $XML);
$data = curl_exec($curl);
$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
$this->debug_message("*** Get Result:\n$data");
if ($http_code != 200) {
preg_match('#<faultcode>(.*)</faultcode><faultstring>(.*)</faultstring>#', $data, $matches);
if (count($matches) == 0) {
$this->log_message("*** can't add member (network: $network) $email to $list");
return false;
}
$faultcode = trim($matches[1]);
$faultstring = trim($matches[2]);
if (strcasecmp($faultcode, 'soap:Client') || stripos($faultstring, 'Member already exists') === false) {
$this->log_message("*** can't add member (network: $network) $email to $list, error code: $faultcode, $faultstring");
return false;
}
$this->log_message("*** add member (network: $network) $email to $list, already exist!");
return true;
}
$this->log_message("*** add member (network: $network) $email to $list");
return true;
}
function getMembershipList()
{
$ticket = htmlspecialchars($this->contact_ticket);
$XML = '<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Header>
<ABApplicationHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ApplicationId>996CDE1E-AA53-4477-B943-2BE802EA6166</ApplicationId>
<IsMigration>false</IsMigration>
<PartnerScenario>Initial</PartnerScenario>
</ABApplicationHeader>
<ABAuthHeader xmlns="http://www.msn.com/webservices/AddressBook">
<ManagedGroupRequest>false</ManagedGroupRequest>
<TicketToken>'.$ticket.'</TicketToken>
</ABAuthHeader>
</soap:Header>
<soap:Body>
<FindMembership xmlns="http://www.msn.com/webservices/AddressBook">
<serviceFilter>
<Types>
<ServiceType>Messenger</ServiceType>
<ServiceType>Invitation</ServiceType>
<ServiceType>SocialNetwork</ServiceType>
<ServiceType>Space</ServiceType>
<ServiceType>Profile</ServiceType>
</Types>
</serviceFilter>
</FindMembership>
</soap:Body>
</soap:Envelope>';
$header_array = array(
'SOAPAction: '.$this->membership_soap,
'Content-Type: text/xml; charset=utf-8',
'User-Agent: MSN Explorer/9.0 (MSN 8.0; TmstmpExt)'
);
$this->debug_message("*** URL: $this->membership_url");
$this->debug_message("*** Sending SOAP:\n$XML");
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $this->membership_url);
curl_setopt($curl, CURLOPT_HTTPHEADER, $header_array);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
if ($this->debug) curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $XML);
$data = curl_exec($curl);
$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
$this->debug_message("*** Get Result:\n$data");
if ($http_code != 200) return array();
$p = $data;
$aMemberships = array();
while (1) {
//$this->debug_message("search p = $p");
$start = strpos($p, '<Membership>');
$end = strpos($p, '</Membership>');
if ($start === false || $end === false || $start > $end) break;
//$this->debug_message("start = $start, end = $end");
$end += 13;
$sMembership = substr($p, $start, $end - $start);
$aMemberships[] = $sMembership;
//$this->debug_message("add sMembership = $sMembership");
$p = substr($p, $end);
}
//$this->debug_message("aMemberships = ".var_export($aMemberships, true));
$aContactList = array();
foreach ($aMemberships as $sMembership) {
//$this->debug_message("sMembership = $sMembership");
if (isset($matches)) unset($matches);
preg_match('#<MemberRole>(.*)</MemberRole>#', $sMembership, $matches);
if (count($matches) == 0) continue;
$sMemberRole = $matches[1];
//$this->debug_message("MemberRole = $sMemberRole");
if ($sMemberRole != 'Allow' && $sMemberRole != 'Reverse' && $sMemberRole != 'Pending') continue;
$p = $sMembership;
if (isset($aMembers)) unset($aMembers);
$aMembers = array();
while (1) {
//$this->debug_message("search p = $p");
$start = strpos($p, '<Member xsi:type="');
$end = strpos($p, '</Member>');
if ($start === false || $end === false || $start > $end) break;
//$this->debug_message("start = $start, end = $end");
$end += 9;
$sMember = substr($p, $start, $end - $start);
$aMembers[] = $sMember;
//$this->debug_message("add sMember = $sMember");
$p = substr($p, $end);
}
//$this->debug_message("aMembers = ".var_export($aMembers, true));
foreach ($aMembers as $sMember) {
//$this->debug_message("sMember = $sMember");
if (isset($matches)) unset($matches);
preg_match('#<Member xsi\:type="([^"]*)">#', $sMember, $matches);
if (count($matches) == 0) continue;
$sMemberType = $matches[1];
//$this->debug_message("MemberType = $sMemberType");
$network = -1;
preg_match('#<MembershipId>(.*)</MembershipId>#', $sMember, $matches);
if (count($matches) == 0) continue;
$id = $matches[1];
if ($sMemberType == 'PassportMember') {
if (strpos($sMember, '<Type>Passport</Type>') === false) continue;
$network = 1;
preg_match('#<PassportName>(.*)</PassportName>#', $sMember, $matches);
}
else if ($sMemberType == 'EmailMember') {
if (strpos($sMember, '<Type>Email</Type>') === false) continue;
// Value is 32: or 32:YAHOO
preg_match('#<Annotation><Name>MSN.IM.BuddyType</Name><Value>(.*):(.*)</Value></Annotation>#', $sMember, $matches);
if (count($matches) == 0) continue;
if ($matches[1] != 32) continue;
$network = 32;
preg_match('#<Email>(.*)</Email>#', $sMember, $matches);
}
if ($network == -1) continue;
if (count($matches) > 0) {
$email = $matches[1];
@list($u_name, $u_domain) = @explode('@', $email);
if ($u_domain == NULL) continue;
$aContactList[$u_domain][$u_name][$network][$sMemberRole] = $id;
$this->log_message("*** add new contact (network: $network, status: $sMemberRole): $u_name@$u_domain ($id)");
}
}
}
return $aContactList;
}
function connect($user, $password, $redirect_server = '', $redirect_port = 1863)
{
$this->id = 1;
if ($redirect_server === '') {
$this->fp = @fsockopen($this->server, $this->port, $errno, $errstr, 5);
if (!$this->fp) {
$this->error = "Can't connect to $this->server:$this->port, error => $errno, $errstr";
return false;
}
}
else {
$this->fp = @fsockopen($redirect_server, $redirect_port, $errno, $errstr, 5);
if (!$this->fp) {
$this->error = "Can't connect to $redirect_server:$redirect_port, error => $errno, $errstr";
return false;
}
}
stream_set_timeout($this->fp, $this->stream_timeout);
$this->authed = false;
// MSNP9
// NS: >> VER {id} MSNP9 CVR0
// MSNP15
// NS: >>> VER {id} MSNP15 CVR0
$this->writeln("VER $this->id $this->protocol CVR0");
$start_tm = time();
while (!feof($this->fp)) {
$data = $this->readln();
// no data?
if ($data === false) {
if ($this->timeout > 0) {
$now_tm = time();
$used_time = ($now_tm >= $start_tm) ? $now_tm - $start_tm : $now_tm;
if ($used_time > $this->timeout) {
// logout now
// NS: >>> OUT
$this->writeln("OUT");
fclose($this->fp);
$this->error = 'Timeout, maybe protocol changed!';
$this->debug_message("*** $this->error");
return false;
}
}
continue;
}
$code = substr($data, 0, 3);
$start_tm = time();
switch ($code) {
case 'VER':
// MSNP9
// NS: <<< VER {id} MSNP9 CVR0
// NS: >>> CVR {id} 0x0409 winnt 5.1 i386 MSMSGS 6.0.0602 msmsgs {user}
// MSNP15
// NS: <<< VER {id} MSNP15 CVR0
// NS: >>> CVR {id} 0x0409 winnt 5.1 i386 MSMSGS 8.1.0178 msmsgs {user}
$this->writeln("CVR $this->id 0x0409 winnt 5.1 i386 MSMSGS $this->buildver msmsgs $user");
break;
case 'CVR':
// MSNP9
// NS: <<< CVR {id} {ver_list} {download_serve} ....
// NS: >>> USR {id} TWN I {user}
// MSNP15
// NS: <<< CVR {id} {ver_list} {download_serve} ....
// NS: >>> USR {id} SSO I {user}
$this->writeln("USR $this->id $this->login_method I $user");
break;
case 'USR':
// already login for passport site, finish the login process now.
// NS: <<< USR {id} OK {user} {verify} 0
if ($this->authed) return true;
$this->user = $user;
$this->password = urlencode($password);
if ($this->protocol == 'MSNP15') {
// NS: <<< USR {id} SSO S {policy} {nonce}
@list(/* USR */, /* id */, /* SSO */, /* S */, $policy, $nonce,) = @explode(' ', $data);
$this->passport_policy = $policy;
$aTickets = $this->get_passport_ticket();
if (!$aTickets || !is_array($aTickets)) {
// logout now
// NS: >>> OUT
$this->writeln("OUT");
fclose($this->fp);
$this->error = 'Passport authenticated fail!';
$this->debug_message("*** $this->error");
return false;
}
$ticket = $aTickets['ticket'];
$secret = $aTickets['secret'];
$this->oim_ticket = $aTickets['oim_ticket'];
$this->contact_ticket = $aTickets['contact_ticket'];
$this->web_ticket = $aTickets['web_ticket'];
$this->space_ticket = $aTickets['space_ticket'];
$this->storage_ticket = $aTickets['storage_ticket'];
$login_code = $this->generateLoginBLOB($secret, $nonce);
// NS: >>> USR {id} SSO S {ticket} {login_code}
$this->writeln("USR $this->id $this->login_method S $ticket $login_code");
}
else {
// NS: <<< USR {id} TWN S {nonce}
@list(/* USR */, /* id */, /* TWN */, /* S */, $nonce,) = @explode(' ', $data);
$ticket = $this->get_tweener_passport_ticket($nonce);
if (!$ticket) {
// logout now
// NS: >>> OUT
$this->writeln("OUT");
fclose($this->fp);
$this->error = 'Passport authenticated fail!';
$this->debug_message("*** $this->error");
return false;
}
// NS: >>> USR {id} TWN S {ticket}
$this->writeln("USR $this->id $this->login_method S $ticket");
}
$this->authed = true;
break;
case 'XFR':
// main login server will redirect to anther NS after USR command
// MSNP9
// NS: <<< XFR {id} NS {server} 0 {server}
// MSNP15
// NS: <<< XFR {id} NS {server} U D
@list(/* XFR */, /* id */, /* NS */, $server, /* ... */) = @explode(' ', $data);
@list($ip, $port) = @explode(':', $server);
// this connection will close after XFR
fclose($this->fp);
$this->fp = @fsockopen($ip, $port, $errno, $errstr, 5);
if (!$this->fp) {
$this->error = "Can't connect to $ip:$port, error => $errno, $errstr";
$this->debug_message("*** $this->error");
return false;
}
stream_set_timeout($this->fp, $this->stream_timeout);
// MSNP9
// NS: >> VER {id} MSNP9 CVR0
// MSNP15
// NS: >>> VER {id} MSNP15 CVR0
$this->writeln("VER $this->id $this->protocol CVR0");
break;
case 'GCF':
// return some policy data after 'USR {id} SSO I {user}' command
// NS: <<< GCF 0 {size}
@list(/* GCF */, /* 0 */, $size,) = @explode(' ', $data);
// we don't need the data, just read it and drop
if (is_numeric($size) && $size > 0)
$this->readdata($size);
break;
default:
// we'll quit if got any error
if (is_numeric($code)) {
// logout now
// NS: >>> OUT
$this->writeln("OUT");

Fix:

I'm here looking for a gift!

Copyright notice: when reposting, please credit the source 路人甲@WooYun
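
A pre-deployment check for the issue this report describes, web-reachable `.svn` metadata, given here as an added example that is not part of the original report or of the vendor's code. It walks a document root and lists the paths that would expose Subversion working-copy metadata if the tree were served as-is; the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Files that identify a Subversion working copy. "entries" is the file
# requested in the report's URLs (before Subversion 1.7 every directory had
# its own .svn/entries); "wc.db" is the SQLite store used from 1.7 on.
SVN_MARKERS = ("entries", "wc.db")


def find_svn_metadata(docroot):
    """Return sorted URL paths under docroot that would expose .svn metadata."""
    exposed = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if ".svn" not in dirnames:
            continue
        svn_dir = os.path.join(dirpath, ".svn")
        for marker in SVN_MARKERS:
            candidate = os.path.join(svn_dir, marker)
            if os.path.isfile(candidate):
                rel = os.path.relpath(candidate, docroot)
                exposed.append("/" + rel.replace(os.sep, "/"))
        dirnames.remove(".svn")  # do not descend into the metadata itself
    return sorted(exposed)


def build_sample_docroot(root):
    """Constructed sample tree: a pre-1.7 style checkout deployed unchanged."""
    for sub in ("", "admin"):
        svn_dir = os.path.join(root, sub, ".svn")
        os.makedirs(svn_dir)
        with open(os.path.join(svn_dir, "entries"), "w") as fh:
            fh.write("10\n\ndir\n")  # constructed placeholder content
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok';\n")


def check_sample():
    """Run the check against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return find_svn_metadata(root)


if __name__ == "__main__":
    for path in check_sample():
        print("exposed if served:", path)
```

Run against the real document root in a release pipeline and fail the build on any finding; deploying from `svn export` instead of a checkout, or denying requests for `.svn` paths at the web server, removes the exposure.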


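Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2015-10-22 10:23

Vendor reply:

Thank you for the report.

Latest status:

2015-11-23: Some of the services are early company services whose maintenance and operation will be suspended in the future; taking them offline has now been completed. Thank you again for reporting the vulnerability. We will continue to strengthen our internal management processes.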