乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-03-29: 细节已通知厂商并且等待厂商处理中 2016-03-29: 厂商已经确认,细节仅向厂商公开 2016-04-01: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息) 2016-05-23: 细节向核心白帽子及相关领域专家公开 2016-06-02: 细节向普通白帽子公开 2016-06-12: 细节向实习白帽子公开 2016-06-27: 细节向公众公开
rt
任意文件删除/modules/system/sys_restore_local.be.php:
<?php//require_once('../../validate.php');//add by quentin at 2009-03-19 - modify quentin 2009-05-13require_once("../../mainfile.php");$res=new res_ajax();$action=isset($_POST['action'])?$_POST['action']:(isset($_GET['action'])?$_GET['action']:null);if(is_null($action)) { $res->set_resultcode('-1'); $res->set_resultstr($lang['hackat']); $res->output(); exit;}switch($action) { case 'backup': sys_backup($_POST); break; case 'restore': sys_restore($_POST); break; case 'delete': cfg_delete($_POST); break; case 'initconfig': sys_initconfig($_POST); break; case 'getUSB': sys_getusb($_POST); break;}$res->output();exit;function sys_backup($post) { global $db; global $res; global $lang; $filename=$post['filename']; if($post['rad_dir']=='fs') { $backup_dir=$post['dir_fs']; } else { $backup_dir=$post['dir_u']; } $filename_len = strlen($filename); if($filename_len == 0 || $filename_len > 20 || !preg_match("/^[0-9a-zA-Z_]*$/" , $filename)) { $res->set_resultcode('-2'); $res->set_resultstr($lang['err_filepath']); return; } /*$count=$db->countof('fms_task_info', "execute_status<>'3' and task_name_id='4'"); if($count>0) { $res->set_resultcode('-1'); $res->set_resultstr($lang['tasking']); return; }*/ $cc=$db->countof('fms_local_backup_process', "backup_dir='".$backup_dir."' and filename='".$filename.".cfg'"); if($cc>0) { $res->set_resultcode('-1'); $res->set_resultstr($lang['dupfiles']); return; } /*$sqlb="insert into fms_task_info set task_name_id='4', task_type_id='1', priority_id='1', start_time='".mktime()."', execute_status='1', operator='".$_SESSION['user']."'"; if(!$db->execute($sqlb)) { $db->execute('rollback'); $res->set_resultcode('-4'); $res->set_resultstr($lang['dberr']); return; }*/ //$id=mysql_insert_id(); $id = 0; $sql="insert into fms_local_backup_process set task_serial='".$id."', backup_dir='".$backup_dir."', filename='".$filename.".cfg', system_data='1', log_data='1', process='0', task_status='0'"; $db->execute('start transaction'); if(!$db->execute($sql)) { $db->execute('rollback'); $res->set_resultcode('-4'); $res->set_resultstr($lang['dberr']); return; } $id=mysql_insert_id(); $db->execute("commit"); $res->set_resultcode('0'); $res->set_resultstr($id); $resa = service_action('Backup_Config');}function sys_restore($post) { global $db; global $res; global $lang; $count=$db->countof('fms_task_info', "execute_status<>'3' and task_name_id='5'"); if($count>0) { $res->set_resultcode('-1'); $res->set_resultstr($lang['tasking']); return; } /*$sqlb="insert into fms_task_info set task_name_id='5', task_type_id='1', priority_id='1', start_time='".mktime()."', execute_status='1', operator='".$_SESSION['user']."'"; if(!$db->execute($sqlb)) { $db->execute('rollback'); $res->set_resultcode('-4'); $res->set_resultstr($lang['dberr']); return; } $id=mysql_insert_id();*/ $id = 0; $sqla=array(); $sqla[]="insert into fms_backup_special_file_process set task_serial='".$id."', filename='".$post['hidd_file']."', process='0', task_status='0', operate_mode='0'"; //$sqla[]="update wms_restore_filelist set resume_id='".$id."' where id='".$post['hidd_id']."'"; $db->execute('start transaction'); foreach($sqla as $sqlstr) { if(!$db->execute($sqlstr)) { $db->execute('rollback'); $res->set_resultcode('-4'); $res->set_resultstr($lang['dberr']); return; } } $id=mysql_insert_id(); $db->execute("commit"); $res->set_resultcode('0'); $res->set_resultstr($id); $resa = service_action('Restore_Config');}function cfg_delete($post) { global $res; global $lang; global $db; $filepath=str_replace('//', '/', $post['hid_name']); if(!@unlink($filepath)) { $res->set_resultcode('-4'); $res->set_resultstr($lang['err_delfile']); return; } $sql="delete from wms_restore_filelist where id='".$post['hid_id']."'"; $db->execute('start transaction'); if(!$db->execute($sql)) { $db->execute('rollback'); $res->set_resultcode('-4'); $res->set_resultstr($lang['dberr']); return; } $db->execute("commit"); $res->set_resultcode('0'); $res->set_resultstr($lang['success']);}function sys_initconfig($post) { global $res; $resa=service_action('Restore_FactoryConfig'); $res->set_result($resa[0], $resa[1]);}function sys_getusb($post) { global $res; $resa=service_action('reload_usb_mount'); $res->set_result($resa[0], $resa[1]);}?>
任意命令/modules/system/local_rollback.php
<?phprequire_once('../../validate.php');require_once("../../mainfile.php");$sel_dir = $_GET['sel_dir'];$sql = "select * from lcm_globals where variable='MODULE_VER' and category='system'";$rs = $db->query($sql);while ($data = $db->fetchNextObject($rs)){ $up[$data->variable] = $data->value;}$smarty->assign('ver_system', $up['MODULE_VER']);$command = '/usr/upgrade/'.$sel_dir.'/rollback.sh '. $sel_dir .' &';$actions=array();$actions[]="Action: action_rollback";$actions[]="Command: ".$command;//Add/Mod/Del$result = action_array_cms($actions);echo $command;exit;?>
案例参考http://**.**.**.**/bugs/wooyun-2016-0189550:
**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/**.**.**.**/
你们懂的。
危害等级:高
漏洞Rank:12
确认时间:2016-03-29 15:09
感谢关注~
暂无