当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0166340

漏洞标题:某联通实名后台管理系统源码泄露

相关厂商:cncert国家互联网应急中心

漏洞作者: 风情万种

提交时间:2016-01-03 22:00

修复时间:2016-02-20 15:48

公开时间:2016-02-20 15:48

漏洞类型:任意文件遍历/下载

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-03: 细节已通知厂商并且等待厂商处理中
2016-01-08: 厂商已经确认,细节仅向厂商公开
2016-01-18: 细节向核心白帽子及相关领域专家公开
2016-01-28: 细节向普通白帽子公开
2016-02-07: 细节向实习白帽子公开
2016-02-20: 细节向公众公开

简要描述:

某联通实名后台管理系统源码泄露

详细说明:

**.**.**.**/
直接列出目录和文件 可下载备份文件

QQ20160103-3@2x.png


<?php
//header("Content-type: text/html; charset=utf-8");
ini_set("error_reporting",E_ALL ^ E_NOTICE);
//获取POST请求的参数
$type = $_GET['type'];//请求类型
//根据type判断是什么操作:;
if ($type=="0") {//type=0表示检测手机号是否允许实名
$tel = $_GET['tel'];//手机号
$deviceid = $_GET['deviceid'];//deviceid
checkUnicomNum($tel,$deviceid);
}
if ($type=="1") {//type=1表示根据iccid获取手机号;
$iccid = $_GET['iccid'];//iccid
//echo $iccid.'<br/>';
$deviceid = $_GET['deviceid'];//deviceid
$num = getUnicomNum($iccid,$deviceid);
print(json_encode(array("result"=>$num)));
}
if($type=="2") {//type=2表示提交实名认证信息;
$tel = $_GET['tel'];//手机号
$name = $_GET['name'];//姓名
$num = $_GET['num'];//身份证号
$addr = $_GET['addr'];//身份证地址
$communicaID = $_GET['communicaID'];//communicaID
$UID = $_GET['UID'];//UID用户id,用来记录提交实名信息的用户
$deviceid = $_GET['deviceid'];//deviceid
submitUnicomNum($tel,$name,$num,$addr,$communicaID,$UID,$deviceid);
//submitUnicomNum('13146033307','段士辉','411503198903243012','北京市昌平区史各庄镇西半壁');
}
if($type == "3"){
$dc = new DesCrypt();
$iccid = $dc->en('981818','sunnada0');//调用DesCrypt的en方法,加密
$iccid = strtoupper($iccid);//字符串转换为大写
echo $iccid.'<br/>';
}
if($type == "4"){
insertTrueName('13146033307','段士辉','411503198903243012','北京市昌平区史各庄镇西半壁');
}
/**
*
*检测手机号是否允许实名
*/
function checkUnicomNum($tel,$deviceid){
$url = "**.**.**.**:8090";
$dc = new DesCrypt();
$ks = $dc->en($tel,'qwertyui');
$ks = strtoupper($ks);

$s='<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:checkTelphone><deviceID>3567080483013190</deviceID><communicaID>FFFF</communicaID><agentId>80B73E3132818FFF3FC989A755DCABDF</agentId><telplone>'
.$ks.'</telplone><versionCode>1.1</versionCode><versionName>1.0</versionName><clientType>01</clientType></ns:checkTelphone></SOAP-ENV:Body></SOAP-ENV:Envelope>';
//$s = '<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:checkTelphone><deviceID>3567080483013190</deviceID><communicaID>FFFF</communicaID><agentId>935CE99C05CE8E1DE04C47F38CAC04A6</agentId><telplone>'.$ks.'</telplone><versionCode>1.1</versionCode><versionName>1.0</versionName><clientType>01</clientType></ns:checkTelphone></SOAP-ENV:Body></SOAP-ENV:Envelope>';
//echo print($s);
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $s);
$responseText = curl_exec($curl);

curl_close($curl);
//echo $responseText;
//print(json_encode(array("result"=>'success',"communicaID"=>'0000')));
if(strpos($responseText,"<tradeState>0000</tradeState>")>0){
$ret = 'success';
$start = strpos($responseText,"<communicaID>");
$end = strpos($responseText,"</communicaID>");
$communicaIDStr = substr($responseText,$start+13,$end-$start-13);//获取communicaID
print(json_encode(array("result"=>$ret,"communicaID"=>$communicaIDStr)));
return;

}else{

$start = strpos($responseText,"<description>");
$end = strpos($responseText,"</description>");
$ret = substr($responseText,$start+13,$end-$start-13);
print(json_encode(array("result"=>$ret)));
return;
}
//echo "\n";
//echo $responseText;

return;
}
/**
*
*根据uccid获取手机号
*/
function getUnicomNum($iccid,$deviceid){
$url = "**.**.**.**:8090";
$dc = new DesCrypt();
$iccid = $dc->en($iccid,'sunnada0');//调用DesCrypt的en方法,加密
$iccid = strtoupper($iccid);//字符串转换为大写
//echo $iccid."<br/>";
$s = '<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:NetCardFind><deviceID>3567080483013190</deviceID><communicaID>FFFF</communicaID><agentId>859381E3E0D4BE3EDB10018AD702FFA9</agentId><iccidnumber>'.$iccid.'</iccidnumber><versionName>1.0</versionName><clientType>01</clientType></ns:NetCardFind></SOAP-ENV:Body></SOAP-ENV:Envelope>';
//$s = '<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:NetCardFind><deviceID>3567080483013190</deviceID><communicaID>FFFF</communicaID><agentId>ADA658DD7BCD302965607BBFEE530EEC</agentId><iccidnumber>'.$iccid.'</iccidnumber><versionName>1.0</versionName><clientType>01</clientType></ns:NetCardFind></SOAP-ENV:Body></SOAP-ENV:Envelope>';
//echo $s;
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $s);
$s = curl_exec($curl);
//echo $s.'<br />';
curl_close($curl);

$start = strpos($s,"<cardnumber>");//返回字符串<cardnumber>在另一个字符串$s中第一次出现的位置。
$end = strpos($s,"</cardnumber>");
//echo $start.'<br />';
//echo $end.'<br />';
$num = '';
if( $start>0 && $end>0&&($end-$start-12)>0 ){

$ret = substr($s,$start+12,$end-$start-12);
//echo $ret.'<br />';
$dc = new DesCrypt();
$num = $dc->de( strtolower($ret),'sunnada0' );
$num = trim($num);
}

//echo $num;
return $num;
}
/**
*
*提交实名认证信息
*/
function submitUnicomNum($tel,$name,$num,$addr,$communicaID,$UID,$deviceid){
$url = "**.**.**.**:8090";
$telTemp = $tel;
$nameTemp = $name;
$numTemp = $num;
$addrTemp = $addr;
$dc = new DesCrypt();
$telplone = $dc->en($tel,'qwertyui' );//访问dc对象里边的en方法,并把返回值复制给telphone变量
$telplone = strtoupper($telplone);

$name = $dc->en(iconv('utf-8','gbk',$name),'qwertyui');//iconv('utf-8','gbk//IGNORE',$name),'qwertyui'
$name = strtoupper($name);
$num = $dc->en($num,'qwertyui' );
$num = strtoupper($num);
$addr = $dc->en(iconv('utf-8','gbk',$addr),'qwertyui' );//iconv('utf-8','gbk//IGNORE',$addr)
$addr = strtoupper($addr);

$s = '<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:uploadCertificateInfo><deviceID>3567080483013190</deviceID><communicaID>'.$communicaID.'</communicaID><agentId>80B73E3132818FFF3FC989A755DCABDF</agentId>'.
'<telplone>'.$telplone.'</telplone>'.
'<certificateName>'.$name.'</certificateName>'.
'<certificateType>8D1B6F7327986F7F</certificateType>'.
'<certificateNum>'.$num.'</certificateNum>'.
'<certificateAdd>'.$addr.'</certificateAdd>'.
'<clientType>01</clientType></ns:uploadCertificateInfo></SOAP-ENV:Body></SOAP-ENV:Envelope>';

//echo $s;

$curl = curl_init($url);//// 创建一个新cURL资源
// 设置URL和相应的选项


curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $s);
$responseText = curl_exec($curl);// 抓取URL并把它传递给浏览器
// 关闭cURL资源,并且释放系统资源
curl_close($curl);
echo $responseText;
/* if(strpos($responseText,"<tradeState>0000</tradeState>")>0){
$ret = 'success';

insertTrueName($telTemp,$nameTemp,$numTemp,$addrTemp,$UID);
print(json_encode(array("result"=>$ret)));
return;

}else{

$start = strpos($responseText,"<description>");
$end = strpos($responseText,"</description>");
$ret = substr($responseText,$start+13,$end-$start-13);
print(json_encode(array("result"=>$ret)));
return;
} */

}
function insertTrueName($tel,$name,$num,$addr,$UID){
//Connect to database
mysql_connect('localhost', 'root', 'mysql');
//Select database
ini_set("error_reporting",E_ALL ^ E_NOTICE);
mysql_select_db('hoorayos');
mysql_query("SET NAMES 'utf8'");
mysql_query("SET CHARACTER_SET_CLIENT=utf8");
mysql_query("SET CHARACTER_SET_RESULTS=utf8");
$query = "INSERT INTO tb_truename(tel,name,number,address,datetime,user_id) VALUES ('$tel','$name','$num','$addr',now(),'$UID')";
//echo $query;
//Insert
mysql_query($query);
}
class DesCrypt{
var $key = 'qwertyui';
var $deviceid = '';
var $user = '';
var $lsh = '';
var $cipherText = '';
var $HcipherText = '';
var $decrypted_data ='';

function DesCrypt(){
}
//加密
//加密
function en($str,$key="")
{
$k = $this->key;
if( strlen($key)>0 ){
$k = $key;
}
$cipher = mcrypt_module_open(MCRYPT_DES, '', MCRYPT_MODE_ECB, '');
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_DES,MCRYPT_MODE_ECB), MCRYPT_RAND);

if (mcrypt_generic_init($cipher, substr($k,0,8), $iv) != -1)
{
$this->cipherText = mcrypt_generic($cipher,$this->pad($str));
mcrypt_generic_deinit($cipher);
$this->HcipherText=bin2hex($this->cipherText);
//printf("<p>3DES HexEncrypted:\n%s</p>",$this->HcipherText);
}
mcrypt_module_close($cipher);
return $this->HcipherText;
}
//解密
function de($str , $key="")
{
$k = $this->key;
if( strlen($key)>0 ){
$k = $key;
}
$str = pack('H*', $str);
$cipher = mcrypt_module_open(MCRYPT_DES, '', MCRYPT_MODE_ECB, '');
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_DES,MCRYPT_MODE_ECB), MCRYPT_RAND);
if (mcrypt_generic_init($cipher, substr($k,0,8), $iv) != -1)
{
$this->decrypted_data = mdecrypt_generic($cipher,$str);
mcrypt_generic_deinit($cipher);
}
mcrypt_module_close($cipher);
return $this->decrypted_data;
//return $this->unpad($this->decrypted_data);
}

private function pad ($data)
{
$data = str_replace("\n","",$data);
$data = str_replace("\t","",$data);
$data = str_replace("\r","",$data);
return $data;
}

private function unpad ($text)
{
$pad = ord($text{strlen($text) - 1});
if ($pad > strlen($text)) {
return false;
}
if (strspn($text, chr($pad), strlen($text) - $pad) != $pad) {
return false;
}
return substr($text, 0, - 1 * $pad);

}
};
?>

漏洞证明:

QQ截图20151231104714.png

修复方案:

你懂

版权声明:转载请注明来源 风情万种@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2016-01-08 17:30

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国联通集团公司通报,由其后续协调网站管理部门处置。

最新状态:

暂无


漏洞评价:

评价