
Vulnerability Summary

Defect ID: wooyun-2015-0156210

Title: Topsec (天融信) TopScanner arbitrary command execution & file traversal (no login required)

Vendor: Topsec (天融信)

Author: YY-2012

Submitted: 2015-11-27 11:20

Fixed: 2015-12-17 14:48

Published: 2015-12-17 14:48

Vulnerability type: design flaw / logic error

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-27: Details sent to the vendor, awaiting vendor handling
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details opened to third-party security partners (NSFOCUS (绿盟科技), 唐朝安全巡航)
2016-01-21: Details disclosed to core white hats and domain experts
2016-01-31: Details disclosed to regular white hats
2016-02-10: Details disclosed to intern white hats
2015-12-17: Details disclosed to the public

Brief description:

See title.

Detailed description:

The Topsec Vulnerability Scanning and Management System is known as TopScanner for short.
Product introduction: http://**.**.**.**/aqcp/aqgl/ldsmglxttopscanner/

[screenshot]


The cause is in the file CommandsPolling.php; see its source code for details:

Response envelope: {"type":"event","name":"message","data":["finished", <file contents>, ""]}

File contents, unescaped:

<?php
include_once 'command/CCmdsPolling.php';

// No session or authentication check anywhere in this file: every
// request reaching it is served.
$command = isset($_POST['command'])?$_POST['command']:"";
$saveFile = isset($_POST['filename'])?$_POST['filename']:"";
$cmdParam = isset($_POST['cmdParam'])?$_POST['cmdParam']:"";
$cmdParam = trim($cmdParam);
$faultStr = json_encode(array('type'=>'event', 'name'=>'message', 'data'=>array("exception", "", "") ));

//command is null
if(empty($command)){
    echo $faultStr;
    exit();
}

//exec and get result
// $cmdParam (the ping/traceroute target) and $saveFile (the result file name)
// come straight from POST and are handed to the polling class unvalidated.
$result = array();
$pollingObj = new CCmdsPolling();
if($command == "ping") {
    $result = $pollingObj->getPingInfo($cmdParam, $saveFile);
} else if ($command == "traceroute") {
    $result = $pollingObj->getTracerouteInfo($cmdParam, $saveFile);
} else {
    echo $faultStr;
    exit();
}

//analyse result state and return
if($result['state'] == "exception") {
    echo $faultStr;
} else if($result['state'] == "starting") {
    $re_file=$result['result'];
    $filename=$result['filename'];
    $finished=false;
    echo json_encode(array(
        'type'=>'event',
        'name'=>'message',
        'data'=>array("starting", $re_file, $filename)
    ));
} else if($result['state'] == "dealing") {
    $re_file=$result['result'];
    $filename=$result['filename'];
    echo json_encode(array(
        'type'=>'event',
        'name'=>'message',
        'data'=>array("dealing", $re_file, $filename)
    ));
} else if($result['state'] == "finished") {
    // The file contents are echoed back in the response; this is the branch
    // that produced the envelope shown above.
    $re_file=$result['result'];
    echo json_encode(array(
        'type'=>'event',
        'name'=>'message',
        'data'=>array("finished", $re_file, "")
    ));
} else {
    echo json_encode(array(
        'type'=>'event',
        'name'=>'message',
        'data'=>array("unknown", "", "")
    ));
}

?>


Without logging in, arbitrary commands can be executed and arbitrary files traversed directly.

Proof of vulnerability:

Exploitation as follows:

[screenshot]


[screenshot]


This box's trial license has already expired, and it still executes anyway...

[screenshot]


[screenshot]


Arbitrary command execution (a simple demonstration that commands can be executed, using wget as the example):

[screenshot]

Fix recommendation:

Filter the input.
Add authentication and permission checks.
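The two recommendations above, written out as the checks the CommandsPolling.php handler shown earlier does not perform. This is an added example, not the vendor's fix and not code from the report: it assumes a hypothetical session flag $_SESSION['authenticated'] marks a logged-in operator and a hypothetical RESULT_DIR where the server writes ping/traceroute output. It validates the three POST fields the original reads (command, cmdParam, filename) and fails closed on anything else.

```php
<?php
// Added example, not the vendor's code: the access check and input validation
// that the original CommandsPolling.php does not perform.
// Assumptions (hypothetical): $_SESSION['authenticated'] === true marks a
// logged-in operator, and result files live under RESULT_DIR.
declare(strict_types=1);

const RESULT_DIR = '/var/topscanner/results';      // hypothetical path
const ALLOWED_COMMANDS = ['ping', 'traceroute'];   // the two commands the original dispatcher accepts

function isAuthenticated(array $session): bool
{
    return isset($session['authenticated']) && $session['authenticated'] === true;
}

// A ping/traceroute target must be an IP literal or an RFC 1123 hostname.
// Labels start with a letter or digit, so a value cannot begin with "-" and
// be read as an option by the invoked binary, and shell metacharacters,
// spaces and quotes never pass.
function validateTarget(string $raw): ?string
{
    $target = trim($raw);
    if ($target === '' || strlen($target) > 253) {
        return null;
    }
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return $target;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match("/^(?:{$label}\\.)*{$label}\\.?$/i", $target) === 1 ? $target : null;
}

// The result file name is chosen by the server, so only a plain basename of a
// fixed shape is accepted and it is always joined to RESULT_DIR; "../" and
// absolute paths are rejected by the pattern. The polling client sends an
// empty name on its first request, which is allowed.
function validateResultFile(string $raw): ?string
{
    if ($raw === '') {
        return '';
    }
    if (preg_match('/^[A-Za-z0-9_-]{1,64}\.txt$/', $raw) !== 1) {
        return null;
    }
    return RESULT_DIR . '/' . $raw;
}

// Returns ['ok' => true, 'command' => ..., 'target' => ..., 'file' => ...] or
// ['ok' => false, 'error' => ...]. Every branch fails closed.
function validateRequest(array $session, array $post): array
{
    if (!isAuthenticated($session)) {
        return ['ok' => false, 'error' => 'unauthenticated'];
    }
    $command = (string) ($post['command'] ?? '');
    if (!in_array($command, ALLOWED_COMMANDS, true)) {
        return ['ok' => false, 'error' => 'unknown command'];
    }
    $target = validateTarget((string) ($post['cmdParam'] ?? ''));
    if ($target === null) {
        return ['ok' => false, 'error' => 'invalid target'];
    }
    $file = validateResultFile((string) ($post['filename'] ?? ''));
    if ($file === null) {
        return ['ok' => false, 'error' => 'invalid filename'];
    }
    return ['ok' => true, 'command' => $command, 'target' => $target, 'file' => $file];
}

// Even a validated target is passed as one quoted argument, never interpolated
// into a shell string.
function buildCommandLine(string $command, string $target): string
{
    $base = $command === 'ping' ? 'ping -c 4' : 'traceroute';
    return $base . ' ' . escapeshellarg($target);
}

// Self-check with constructed inputs when run from the command line:
//   php hardened_polling.php
if (PHP_SAPI === 'cli') {
    $authed = ['authenticated' => true];
    $cases = [
        [[],      ['command' => 'ping', 'cmdParam' => '127.0.0.1']],                                       // no session
        [$authed, ['command' => 'ping', 'cmdParam' => '127.0.0.1;extra']],                                 // shell metacharacter
        [$authed, ['command' => 'ping', 'cmdParam' => '127.0.0.1', 'filename' => '../CommandsPolling.php']], // traversal
        [$authed, ['command' => 'ping', 'cmdParam' => 'scanner.example.com', 'filename' => 'job-42.txt']], // valid
    ];
    foreach ($cases as [$session, $post]) {
        $r = validateRequest($session, $post);
        echo json_encode($post), ' => ', json_encode($r), PHP_EOL;
        if ($r['ok']) {
            echo '  command line: ', buildCommandLine($r['command'], $r['target']), PHP_EOL;
        }
    }
}
```

The first three constructed cases are rejected before anything reaches the polling class (unauthenticated, shell metacharacter in the target, traversal in the file name); only the fourth passes, and its target is still wrapped in escapeshellarg() when the command line is built. The order matters: the authentication check comes first so that unauthenticated callers learn nothing from the validation errors.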

Copyright notice: when reposting, please credit the source: YY-2012@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-11-27 12:19

Vendor reply:

Confirmed, thanks for the submission!

Latest status:

None yet