

缺陷编号:wooyun-2016-0179441

漏洞标题:某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

相关厂商:I-SDN

漏洞作者: YY-2012

提交时间:2016-02-29 12:00

修复时间:2016-06-02 19:30

公开时间:2016-06-02 19:30

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2016-02-29: 细节已通知厂商并且等待厂商处理中
2016-03-04: 厂商已经确认,细节仅向厂商公开
2016-03-07: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息)
2016-04-28: 细节向核心白帽子及相关领域专家公开
2016-05-08: 细节向普通白帽子公开
2016-05-18: 细节向实习白帽子公开
2016-06-02: 细节向公众公开

简要描述:

十几万的设备你敢买吗?

详细说明:

第一处注入/analytics/bal/bal_chart_line_status.php

//********************************************流量上行和下行统计**********************************************//
if($_GET["act"]=="hours"){
//按小时统计上行平均流量和下行平均流量,每分钟一笔数据
$value=$_GET["val"];
$date=$_GET["date"];
if($value != "all"){
//查询条件不为空,查询域名的访问量
$and=" and app_name = '".$value."' ";
}
if($date==""){
$sql="select host_ip,date_format(curr_time,'%H:%i') tm,round(sum(aver_tx)/1024,2) txcount,round(sum(aver_rx)/1024,2) rxcount from t_tjbal_host where
curr_time between date_format(date_add(now(),interval -1 hour),'%Y-%m-%d %H:%i:00')
and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by date_format(curr_time,'%H:%i'),host_ip
order by host_ip asc,curr_time asc ";
}else{
$sql="select host_ip,date_format(curr_time,'%H:%i') tm,round(sum(aver_tx)/1024,2) txcount,round(sum(aver_rx)/1024,2) rxcount from t_tjbal_host where
curr_time between date_format('".$date."','%Y-%m-%d %H:%i:00')
and date_format(date_add('".$date."',interval +1 hour),'%Y-%m-%d %H:%i:59') ".$and."
group by date_format(curr_time,'%H:%i'),host_ip order by host_ip asc,curr_time asc ";
}
// print $sql;


第二处注入/analytics/analytics_firewall.php

// analytics_firewall.php (excerpt quoted by the advisory): firewall-log search with paging.
// Search parameters come from the POST search form, the POST "GO" paging form, or a GET
// page link; nothing in this excerpt authenticates the caller or validates the values.
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchFirewall"){
$serchtype = $_POST["serchType"];
$serchname = $_POST["serchinput"];
}else{
$serchtype = "type0";
// paging form submitted via POST
if ( isset ( $_POST["action"] ) && $_POST["action"]=="GO"){
$page = $_POST["p"];
$serchtype = $_POST["ptype"];
$serchname = $_POST["pname"];
}

// paging via GET link. This is the path the advisory's PoC uses
// (?p=&serchType=type0&serchinput=...): isset() is true even when p is empty.
if ( isset ( $_GET["p"] )){
$page = $_GET["p"];
$serchtype = $_GET["serchType"];
$serchname = $_GET["serchinput"];
}
}

$db = new dbBase();
// database connection (dbBase is a project class; its API is not visible in the advisory)
$iRetCon = $db -> dbConnect();
if($iRetCon!=1)
{
print "数据连接失败!";
return "";
}
$and="";
// $serchtype is only compared against fixed strings, so it selects the column but never
// reaches the SQL text. $serchname, however, is concatenated verbatim into a LIKE pattern
// in every branch below -- this is the SQL injection sink. FIX: bind it as a query
// parameter (and escape % and _ if the wildcard semantics must be kept).
if($serchname!=""){
if($serchtype == "type0"){
// source address
$and = " and src_ip like '%".$serchname."%' ";
}else if($serchtype == "type1"){
// destination address
$and = " and dst_ip like '%".$serchname."%' ";
}else if($serchtype == "type2"){
// rule name
$and = " and fire_wall_name like '%".$serchname."%' ";
}else if($serchtype == "type3"){
// network interface
$and = " and network_card like '%".$serchname."%' ";
}
}
// NOTE(review): "**.**.**.**work_card" is a WooYun redaction artifact in the quoted source
// (presumably a.network_card), not vendor code. $page is set only on the two paging paths,
// so a plain search request reaches the LIMIT arithmetic with $page undefined; because the
// value goes through ($page-1)*$pageSize it is numerically coerced rather than injected as
// text. $pageSize is defined outside this excerpt.
$sql="select a.host_name,left(a.fire_wall_name,(LENGTH(a.fire_wall_name)-2)) wallname,**.**.**.**work_card,a.src_mac,a.dst_mac,
a.src_ip,a.dst_ip,a.data_len,a.protocol,a.src_port,a.dst_port,
a.log_time logtime ,right(fire_wall_name,1) stat
from t_log_firewall a where 1=1 ".$and." order by log_time desc limit ".($page-1)*$pageSize.", ".$pageSize;
// print $sql;


第三处注入/analytics/bal/bal_chart_line.php

if($_GET["act"]=="hours"){
//按小时对bal总数量进行统计及单个域名的访问量
$value=$_GET["val"];
if($value != "all"){
//查询条件不为空,查询域名的访问量
$and=" and application_name = '".$value."' ";
}
$sql="select date_format(log_time,'%H:%i') time,sum(app_count) dcount from t_tjbal_time_minute where
log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00')
and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";
$arrFi = every5Minute();
$datajson = lineJson($sql,$arrFi);
print $datajson;
}else if($_GET["act"]=="day"){
//按天对bal总数量进行统计及单个域名的访问量
$value=$_GET["val"];
if($value != "all"){
//查询条件不为空,查询域名的访问量
$and = " and application_name = '".$value."' ";
}
$sql="select concat(date_format(date_add(log_time,interval -2 minute),'%H'),':00') time ,sum(app_count) dcount from t_tjbal_time_minute where
date_add(log_time,interval -2 minute) between date_format(date_add(now(),interval -1 day),'%Y-%m-%d %H:00:00')
and date_format(date_add(now(),interval -1 hour),'%Y-%m-%d %H:59:59')".$and."
group by date_format(date_add(log_time,interval -2 minute),'%H') order by log_time asc ";
$arrFi = every1Hours();
$datajson = lineJson($sql,$arrFi);
print $datajson;
}else if($_GET["act"]=="week"){
//按周对bal总数量进行统计及单个域名的访问量


第四处注入/analytics/bal/bal_chart_map.php

// bal_chart_map.php (excerpt): dispatch on ?act= to the per-period query helpers.
// $_GET["val"] (an application-name filter, or "all") is passed to every helper without
// validation. balMapMinute() below concatenates it straight into two SQL statements; the
// day/week/month/year helpers are not quoted here, so whether they do the same cannot be
// confirmed from this excerpt. Advisory PoC: /analytics/bal/bal_chart_map.php?act=hours&val=1
if($_GET["act"]=="hours"){
$value=$_GET["val"];
balMapMinute($value);
}else if($_GET["act"]=="day"){
$value=$_GET["val"];
balLineDays($value);
}else if($_GET["act"]=="week"){
$value=$_GET["val"];
balLineWeeks($value);
}else if($_GET["act"]=="month"){
$value=$_GET["val"];
balLineMonth($value);
}else if($_GET["act"]=="year"){
$value=$_GET["val"];
balLineYears($value);
}
/**
* 实时查询bal的总数(按照区域查询)实时查询
*/
function balMapMinute($value){
$db = new dbBase();
//数据库连接
$iRetCon = $db -> dbConnect();
if($iRetCon!=1){
print "数据连接失败!";
return;
}
//查询全球地图信息
$worldArea = getWorldMapDict($db);
//查询世界的数据(各个区域所有的域名数量)
if($value != "all"){
//查询条件不为空,查询域名的访问量
$and=" and application_name = '".$value."' ";
}
$sql="select remark ,sum(app_count) dnum from t_sys_dict a ,t_tjbal_time_minute b
where area!='-' and area!='' and remark!='' and a.short_name=substring_index(b.area,'-',1) and
log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00')
and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by remark";
$worldData = getWorldMapData($db,$sql);

//查询中国的信息
$sqlc = "select full_name,sum(app_count) dnum from t_sys_dict a ,t_tjbal_time_minute b where
a.code like '%ZG%' and code!='ZG' and substring_index(b.area,'-',1)='CN' and a.short_name=substring(b.area,4) and
log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00')
and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by full_name ";
$chinaData = getChinaMapData($db,$sqlc);


第五处注入/analytics/analytics_bal.php

// analytics_bal.php (excerpt): load-balancer log search with optional time window and paging.
// Five user-controlled values (search type/text, start/end time, page number) arrive via
// the POST search form, the POST "GO" paging form, or GET page links; no authentication
// or validation is visible in this excerpt.
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchBal"){
$serchtype = $_POST["serchType"];
$serchname = $_POST["serchinput"];
$timestat = $_POST["serchStart"];
$timeend = $_POST["serchEnd"];
}else{
$serchtype = "type0";
}
// print "=====>".$_POST["action"]."<========";

// paging form submitted via POST
if ( isset ( $_POST["action"]) && $_POST["action"]=="GO"){
$page = $_POST["p"];
$serchtype = $_POST["ptype"];
$serchname = $_POST["pname"];
$timestat = $_POST["pStart"];
$timeend = $_POST["pEnd"];
// print "==>".$serchtype."==>".$serchname."==>".$timestat."==>".$timeend;
}
// paging via GET link (isset() is true even for an empty p)
if ( isset ( $_GET["p"] )){
$page = $_GET["p"];
$serchtype = $_GET["serchType"];
$serchname = $_GET["serchinput"];
$timestat = $_GET["stime"];
$timeend = $_GET["etime"];
}
$db = new dbBase();
// database connection (dbBase is a project class; its API is not visible in the advisory)
$iRetCon = $db -> dbConnect();
if($iRetCon!=1)
{
print "数据连接失败!";
return "";
}
$and="";
// $serchtype only selects the branch; $serchname is concatenated unescaped into the LIKE
// pattern in every branch -- SQL injection sink #1.
if($serchname!=""){
if($serchtype == "type0"){
// policy name
$and .= " and application_name like '%".$serchname."%' ";
}else if($serchtype == "type1"){
// source address
$and .= " and src_ip like '%".$serchname."%' ";
}else if($serchtype == "type2"){
// destination address
$and .= " and server_name like '%".$serchname."%' ";
}else if($serchtype == "type3"){
// status
$and .= " and status like '%".$serchname."%' ";
}
}
// $timestat / $timeend are placed inside single-quoted date_format() arguments with no
// escaping or date validation -- SQL injection sinks #2 and #3. FIX: bind all three as
// parameters; reject anything that does not parse as a datetime.
if($timestat!=""){
$and .= " and log_time >= date_format('".$timestat."','%Y-%m-%d %H:%i:00') ";
}
if ($timeend!=""){
$and .= " and log_time <= date_format('".$timeend."','%Y-%m-%d %H:%i:59') ";
}


// $page is undefined on the plain-search path (only the paging paths set it); it goes
// through ($page-1)*$pageSize, so it is numerically coerced rather than injected as text.
// $pageSize is defined outside this excerpt.
$sql="select host_name,application_name,server_name,src_ip,src_port,action,access_target,datalen,dealtime,status,
log_time logtime,case when length(access_target)>40 then concat(substr(access_target,1,40),'......') else access_target end netar
from t_log_load a where 1=1 ".$and."
order by log_time desc limit ".($page-1)*$pageSize.", ".$pageSize;

// print $sql."<br/>";

$arrlist = $db->querySqlArray($sql);


// total page count; reuses the same tainted $and, so the injection fires here as well
$sqlcou = "select count(1) cou from t_log_load a where 1=1 ".$and;

// print $sqlcou."<br/>";


第六处注入/analytics/dns/dns_chart_line.php

if($_GET["act"]=="hours"){
/**
* 按小时对dns总数量进行统计及单个域名的访问量
*/
$value=$_GET["val"];
if($value != ""){
//查询条件不为空,查询域名的访问量
$and=" and domain_name like '%".$value."' ";
}
// $sql="select date_format(log_time,'%H:%i') time,sum(domain_count) dcount from t_tjdns_time_minute where
// date_format(log_time,'%Y-%m-%d %H:%i') between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i')
// and date_format(now(),'%Y-%m-%d %H:%i') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";
$sql="select date_format(log_time,'%H:%i') time,sum(domain_count) dcount from t_tjdns_time_minute where
log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00')
and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";
$arrFi = every5Minute();
$rsjson = lineJson($sql,$arrFi);
print $rsjson;


第七处注入/analytics/analytics_dns_log.php

<?php 
include_once "./dbcon/dbBase.php";
include_once "./dns/time.php";
date_default_timezone_set('Asia/Shanghai');

// analytics_dns_log.php (excerpt): DNS log search. Three entry modes -- line-chart drill-down
// (?act=), map drill-down (?mapact=maplog) and the search/paging forms -- all read
// unvalidated request values. The final SELECT that consumes $and is not part of this excerpt.
$serchname = "";
$and="";
if(isset ( $_GET["act"] )){
// log load from the line chart; ?dns= becomes the search text with the default
// search type "type0" (domain_name LIKE), see below
$serchname = $_GET["dns"];
// getTime()/getMapTime() come from ./dns/time.php (not quoted); they return "start#end"
$strtime = getTime($_GET["act"],$_GET["date"]);
$arrTime = explode("#",$strtime);
$timestat = $arrTime[0];
$timeend = $arrTime[1];
}else if(isset ( $_GET["mapact"] ) && $_GET["mapact"] =="maplog"){
// log load from the map
$country = $_GET["cy"];
//print $country."<=======";
$dnsname = $_GET["dname"];
$timttype = $_GET["time"];
$serchname = $dnsname;
$arrMapTime = explode("#",getMapTime($timttype));
$timestat = $arrMapTime[0];
$timeend = $arrMapTime[1];
// if($country == "中国"){
// $and .=" and substring_index(substr(client_ip_ctname,4), '-', 1) = (select short_name from t_sys_dict a where full_name='".$country."') ";
// }else{
// $and .=" and substring_index(client_ip_ctname, '-', 1) = (select short_name from t_sys_dict a where full_name='".$country."') ";
// }
}else{
// default window: today 00:00 to now
$timestat = date("Y-m-d")." 00:00";
$timeend = date("Y-m-d H:i") ;
}

$page= 1;
$pageSize = 20;
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchDns"){
$serchtype = $_POST["serchType"];
$serchname = $_POST["serchinput"];
$timestat = $_POST["serchStart"];
$timeend = $_POST["serchEnd"];
$country = $_POST["country"];
}else{
// if($dnsname!=""){
// $serchtype = "type1";
// }else{
// $serchtype = "type0";
// }
$serchtype = "type0";
// paging form submitted via the GO button (POST)
if ( isset ( $_POST["action"] ) && $_POST["action"]=="GO"){
$page = $_POST["p"];
$serchtype = $_POST["ptype"];
$serchname = $_POST["pname"];
$timestat = $_POST["pStart"];
$timeend = $_POST["pEnd"];
$country = $_POST["cy"];
}
// paging via GET link; overrides $page (set to 1 above) with the raw query value
if ( isset ( $_GET["p"] )){
$page = $_GET["p"];
$serchtype = $_GET["serchType"];
$serchname = $_GET["serchinput"];
$timestat = $_GET["stime"];
$timeend = $_GET["etime"];
$country = $_GET["cy"];
}
}

$db = new dbBase();
// database connection (dbBase is a project class; its API is not visible in the advisory)
$iRetCon = $db -> dbConnect();
if($iRetCon!=1)
{
print "数据连接失败!";
return "";
}

// SQL injection sink #1: $serchname (from ?dns=, ?dname=, or the search forms) is
// concatenated unescaped into the LIKE pattern.
if($serchname!=""){
if($serchtype == "type0"){
// domain name
$and .= " and domain_name like '%".$serchname."%' ";
}else if($serchtype == "type1"){
// client (source) address
$and .= " and client_ip like '%".$serchname."%' ";
}
}

// SQL injection sink #2: $country goes straight into the dictionary lookup below and that
// query is executed immediately. The two clauses appended afterwards use a value returned
// by the database, not the request, so they are only reachable through the first query.
// $arrCy[0] is read without checking that a row came back. FIX: bind $country as a
// parameter and guard the empty-result case.
if($country!=""){
$sqlcy = "select short_name from t_sys_dict a where full_name='".$country."'";
$arrCy = $db->querySqlArray($sqlcy);
if(strlen($arrCy[0]["short_name"])>2){
$and .=" and substring_index(substr(client_ip_ctname,4), '-', 1) = '".$arrCy[0]["short_name"]."' ";
}else if(strlen($arrCy[0]["short_name"])==2){
$and .=" and substring_index(client_ip_ctname, '-', 1) = '".$arrCy[0]["short_name"]."' ";
}
}


以上注入针对I-SDN负载均衡器
案例:

**.**.**.**/
**.**.**.**/


一处getshell 地址/test/progressbar/target.php

<?php
// /test/progressbar/target.php: leftover test upload handler shipped on the appliance.
// The only gate is the request method -- no authentication, no CSRF token, no size or
// type check. The client-supplied filename ($_FILES[...]["name"]) is used verbatim as the
// destination name under c:\sw\wamp\www\, which from the path looks like the WAMP document
// root, so an uploaded .php file is immediately reachable and executable over HTTP
// (the advisory's getshell). FIX: remove this file (and the rest of /test/) from production
// images; if an upload endpoint is genuinely needed, require authentication, generate the
// stored name server-side, restrict extensions, and store outside the web root.
if($_SERVER['REQUEST_METHOD']=='POST') {
move_uploaded_file($_FILES["test_file"]["tmp_name"], "c:\\sw\\wamp\\www\\" . $_FILES["test_file"]["name"]);
echo "<p>File uploaded. Thank you!</p>";
}
?>


以上getshell针对I-SDN流控设备&I-SDN负载均衡器
案例:

**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/test/

漏洞证明:

随便选取三处作验证:
/analytics/bal/bal_chart_line_status.php?act=hours&val=1&date=1

aaaaaaaaaaaaaaa111111111111111111111111.jpg


/analytics/analytics_firewall.php?p=&serchType=type0&serchinput=1

aaaaaaaaaaaaaaaaa2222222222222222222222.jpg


/analytics/bal/bal_chart_map.php?act=hours&val=1

aaaaaaaaaaaaaaaaaa333333333333333333333.jpg


GETSHELL地址/test/progressbar/target.php:

aaaaaaaaaaaaaaaa444444444444444444.jpg


qqqqqqqqqqqqqq55555555555555555555.jpg


aaaaaaaaaaaaaaaaaa55555555555555555.jpg


aaaaaaaaaaaaaaaa66666666666666666666.jpg


整设备目录遍历导致多处敏感信息泄漏:

aaaaaaaaaaaaaa7777777777777777777.jpg


aaaaaaaaaaaaaaaaaa88888888888888888888888.jpg


aaaaaaaaaaaaaaaaaaa999999999999999999999999.jpg


aaaaaaaaaaaaaaa00000000000000000000.jpg


以上目录遍历针对I-SDN流控设备&I-SDN负载均衡器
案例:

**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/test/


还有部分版本存在任意文件修改&目录遍历(/exploer/ 下的 AjaXplorer 文件管理功能未做鉴权即可访问所致)

qqqqqqqqqqqqqqqqqq444444444444444444.jpg


针对以上案例:

**.**.**.**/exploer/#0
**.**.**.**/exploer/#0
**.**.**.**/exploer/#0
**.**.**.**/exploer/#0
**.**.**.**/exploer/#0

修复方案:

联系厂商。(审阅补充:上述各注入点应改为预处理语句/参数绑定,分页参数 p 强制转为整数,搜索类型按白名单处理;删除 /test/progressbar/target.php 等测试上传脚本并清理 /test/ 目录;关闭 Web 服务器的目录列表;为 /exploer/ 下的 AjaXplorer 启用认证;所有 /analytics/ 页面增加登录校验。)

版权声明:转载请注明来源 YY-2012@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2016-03-04 19:29

厂商回复:

CNVD未直接复现所述漏洞情况,暂未建立与软件生产厂商或网站管理单位的直接处置渠道,待认领。

最新状态:

2016-03-04:正尝试建立与软件生产厂商上海驾驭网络科技有限公司的联系机制,待处置.