2015-04-01: 细节已通知厂商并且等待厂商处理中 2015-04-03: 厂商已经确认,细节仅向厂商公开 2015-04-13: 细节向核心白帽子及相关领域专家公开 2015-04-23: 细节向普通白帽子公开 2015-05-03: 细节向实习白帽子公开 2015-05-18: 细节向公众公开
网站为了杀webshell放了一个t00ls出品的webshell扫描器,却因此导致了重大安全问题
1、我在横琴网上放了一个t00ls出品的webshell扫描器,url如下http://wzhq.hengqin.gov.cn/scanner.php,此扫描器为弱密码admin/admin2、进入扫描器后可见网站真实路径
3、此扫描器的源代码是公开的,内容如下
<?php/**************PHP Web木马扫描器************************//* [+] QQ群: 136112330 *//* [+] 版本: v1.0 *//* [+] 功能: web版php木马扫描工具*//* [+] 注意: 扫描出来的文件并不一定就是后门, *//* 请自行判断、审核、对比原文件。*//* 如果你不确定扫出来的文件是否为后门,*//* 欢迎你把该文件发给我进行分析。*//*******************************************************/ob_start();set_time_limit(0);$username = "t00ls"; //设置用户名$password = "t00ls"; //设置密码$md5 = md5(md5($username).md5($password));$version = "PHP Web木马扫描器v1.0";$realpath = realpath('./');$selfpath = $_SERVER['PHP_SELF'];$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));define('REALPATH', str_replace('//','/',str_replace('\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));define('MYFILE', basename(__FILE__));define('MYPATH', str_replace('\', '/', dirname(__FILE__)).'/');define('MYFULLPATH', str_replace('\', '/', (__FILE__)));define('HOST', "http://".$_SERVER['HTTP_HOST']);?><html><head><title><?php echo $version?></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><style>body{margin:0px;}body,td{font: 12px Arial,Tahoma;line-height: 16px;}a {color: #00f;text-decoration:underline;}a:hover{color: #f00;text-decoration:none;}.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}.head td span{font-weight:normal;}</style></head><body><?phpif(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))){echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: <input type="text" name="username" id="username" /> 密码: <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value="登陆" /></form>';}elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)){setcookie("t00ls", $md5, time()+60*60*24*365,"/");echo "登陆 www.2cto.com 成功!";header( 'refresh: 1; url='.MYFILE.'?action=scan' );exit();}else{setcookie("t00ls", $md5, time()+60*60*24*365,"/");$setting = getSetting();$action = isset($_GET['action'])?$_GET['action']:""; if($action=="logout"){setcookie ("t00ls", "", time() - 3600);Header("Location: ".MYFILE);exit();}if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!=""){$file = $_GET['file'];ob_clean();if (@file_exists($file)) {header("Content-type: application/octet-stream");header("Content-Disposition: filename="".basename($file).""");echo file_get_contents($file);}exit();}?><table border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="head"><td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td></tr><tr class="alt1"><td><span style="float: right;"><?=date("Y-m-d H:i:s",time())?></span><a href="?action=scan">扫描</a> |<a href="?action=setting">设定</a> |<a href="?action=logout">登出</a></td></tr></tbody></table><br><?phpif($action=="setting"){if(isset($_POST['btnsetting'])){$Ssetting = array();$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");echo "设置完成!";header( 'refresh: 1; url='.MYFILE.'?action=setting' );exit();}?><form name="frmSetting" method="post" action="?action=setting"><FIELDSET style="width:400px"><LEGEND>扫描设定</LEGEND><table width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td width="60">文件后缀:</td><td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td></tr><tr><td><label for="checkall">所有文件</label></td><td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td></tr><tr><td><label for="checkhta">设置文件</label></td><td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td></tr><tr><td> </td><td><input type="submit" name="btnsetting" id="btnsetting" value="提交"></td></tr></table></fieldset></form><?php}else{$dir = isset($_POST['path'])?$_POST['path']:MYPATH;$dir = substr($dir,-1)!="/"?$dir."/":$dir;?><form name="frmScan" method="post" action=""><table width="100%%" border="0" cellspacing="0" cellpadding="0"><tr><td width="35" style="vertical-align:middle; padding-left:5px;">扫描路径:</td><td width="690"><input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>"> <input type="submit" name="btnScan" id="btnScan" value="开始扫描"></td></tr></table></form><?phpif(isset($_POST['btnScan'])){$start=time();$is_user = array();$is_ext = "";$list = ""; if(trim($setting['user'])!=""){$is_user = explode("|",$setting['user']);if(count($is_user)>0){foreach($is_user as $key=>$value)$is_user[$key]=trim(str_replace("?","(.)",$value));$is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))";}}if($setting['hta']==1){$is_hta=1;$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;$is_ext.="(^.htaccess$)";}if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0)){$is_ext="(.+)";} $php_code = getCode();if(!is_readable($dir))$dir = MYPATH;$count=$scanned=0;scan($dir,$is_ext);$end=time();$spent = ($end - $start);?><div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件| 发现: <?php echo $count?> 可疑文件| 耗时: <?php echo $spent?> 秒</div><table width="100%" border="0" cellspacing="0" cellpadding="0"><tr class="head"><td width="15" align="center">No.</td><td width="48%">文件</td><td width="12%">更新时间</td><td width="10%">原因</td><td width="20%">特征</td><td>动作</td></tr><?php echo $list?></table><?php}}}ob_flush();?></body></html><?phpfunction scan($path = '.',$is_ext){global $php_code,$count,$scanned,$list;$ignore = array('.', '..' );$replace=array(" ","",""," ");$dh = @opendir( $path );while(false!==($file=readdir($dh))){if( !in_array( $file, $ignore ) ){if( is_dir( "$path$file" ) ){scan("$path$file/",$is_ext);} else {$current = $path.$file;if(MYFULLPATH==$current) continue;if(!preg_match("/$is_ext/i",$file)) continue;if(is_readable($current)){$scanned++;$content=file_get_contents($current);$content= str_replace($replace,"",$content);foreach($php_code as $key => $value){if(preg_match("/$value/i",$content)){$count++;$j = $count % 2 + 1;$filetime = date('Y-m-d H:i:s',filemtime($current));$reason = explode("->",$key);$url = str_replace(REALPATH,HOST,$current);preg_match("/$value/i",$content,$arr);$list.="<tr class='alt$j' onmou<a href="http://www.it165.net/admin/" target="_blank" class="keylink">seo</a>ver='this.className="focus";' onmou<a href="http://www.it165.net/admin/" target="_blank" class="keylink">seo</a>ut='this.className="alt$j";'><td>$count</td><td><a href='$url' target='_blank'>$current</a></td><td>$filetime</td><td><font color=red>$reason[0]</font></td><td><font color=#090>$reason[1]</font></td><td><a href='?action=download&file=$current' target='_blank'>下载</a></td></tr>";//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />";//echo $path . $file ."<br />";break;}}}}}}closedir( $dh );}function getSetting(){$Ssetting = array();if(isset($_COOKIE['t00ls_s'])){$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;}else{$Ssetting['user']="php | php? | phtml | shtml";$Ssetting['all']=0;$Ssetting['hta']=1;setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");}return $Ssetting;}function getCode(){return array('后门特征->cha88.cn'=>'cha88.cn','后门特征->c99shell'=>'c99shell','后门特征->phpspy'=>'phpspy','后门特征->Scanners'=>'Scanners','后门特征->cmd.php'=>'cmd.php','后门特征->str_rot13'=>'str_rot13','后门特征->webshell'=>'webshell','后门特征->EgY_SpIdEr'=>'EgY_SpIdEr','后门特征->tools88.com'=>'tools88.com','后门特征->SECFORCE'=>'SECFORCE','后门特征->eval("?>'=>'eval(('|")?>','可疑代码特征->system('=>'system(','可疑代码特征->passthru('=>'passthru(','可疑代码特征->shell_exec('=>'shell_exec(','可疑代码特征->exec('=>'exec(','可疑代码特征->popen('=>'popen(','可疑代码特征->proc_open'=>'proc_open','可疑代码特征->eval($'=>'eval(('|"|s*)\$','可疑代码特征->assert($'=>'assert(('|"|s*)\$','危险MYSQL代码->returns string soname'=>'returnsstringsoname','危险MYSQL代码->into outfile'=>'intooutfile','危险MYSQL代码->load_file'=>'select(s+)(.*)load_file','加密后门特征->eval(gzinflate('=>'eval(gzinflate(','加密后门特征->eval(base64_decode('=>'eval(base64_decode(','加密后门特征->eval(gzuncompress('=>'eval(gzuncompress(','加密后门特征->eval(gzdecode('=>'eval(gzdecode(','加密后门特征->eval(str_rot13('=>'eval(str_rot13(','加密后门特征->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(','加密后门特征->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(','一句话后门特征->eval($_'=>'eval(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','一句话后门特征->assert($_'=>'assert(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','一句话后门特征->require($_'=>'require(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','一句话后门特征->require_once($_'=>'require_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','一句话后门特征->include($_'=>'include(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','一句话后门特征->include_once($_'=>'include_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','一句话后门特征->call_user_func("assert"'=>'call_user_func(("|')assert("|')','一句话后门特征->call_user_func($_'=>'call_user_func(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[','一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo(file_get_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)\$_(POST|GET|REQUEST|COOKIE)','上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),('|")w('|")),('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[','.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication/x-httpd-php','.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file','.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file');}?>
4、注意代码中有个action是download,file参数来自$current参数
<td><a href='?action=download&file=$current' target='_blank'>下载</a></td>
5、$current参数又来自于$path参数和$file参数的组合,代码如下
$current = $path.$file;
$path参数出自于扫描结果,初始值应该为空
function scan($path = '.',$is_ext){global $php_code,$count,$scanned,$list;$ignore = array('.', '..' );$replace=array(" ","",""," ");
$file参数则直接来自于url
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!=""){$file = $_GET['file'];ob_clean();if (@file_exists($file)) {header("Content-type: application/octet-stream");header("Content-Disposition: filename="".basename($file).""");echo file_get_contents($file);}exit();
6、到这里可见file参数是我们可控的,而且遍历整个源代码对file参数并没有做任何限制,于是我们尝试构造file参数看能不能做到任意文件下载 a、下载discuz数据库配置
b、下载linux版本信息
7、尝试下载/etc目录里的东西都不行,但是etc之外的目录都OK,对服务器的危害还是非常巨大的
a、下载discuz数据库配置
1、因为t00ls的这个插件没有防爆破手段,所以还是建议删掉为妙2、使用其他第三方工具前要谨慎
危害等级:高
漏洞Rank:11
确认时间:2015-04-03 18:16
CNVD确认并复现所述情况,已经转由CNCERT下发给相应分中心,由其后续协调网站管理单位处置。
暂无
