2016-01-03: 细节已通知厂商并且等待厂商处理中 2016-01-08: 厂商已经确认,细节仅向厂商公开 2016-01-18: 细节向核心白帽子及相关领域专家公开 2016-01-28: 细节向普通白帽子公开 2016-02-07: 细节向实习白帽子公开 2016-02-20: 细节向公众公开
某联通实名后台管理系统源码泄露
**.**.**.**/直接列出目录和文件 可下载备份文件
<?php//header("Content-type: text/html; charset=utf-8");ini_set("error_reporting",E_ALL ^ E_NOTICE);//获取POST请求的参数$type = $_GET['type'];//请求类型//根据type判断是什么操作:;if ($type=="0") {//type=0表示检测手机号是否允许实名 $tel = $_GET['tel'];//手机号 $deviceid = $_GET['deviceid'];//deviceid checkUnicomNum($tel,$deviceid);}if ($type=="1") {//type=1表示根据iccid获取手机号; $iccid = $_GET['iccid'];//iccid //echo $iccid.'<br/>'; $deviceid = $_GET['deviceid'];//deviceid $num = getUnicomNum($iccid,$deviceid); print(json_encode(array("result"=>$num)));}if($type=="2") {//type=2表示提交实名认证信息; $tel = $_GET['tel'];//手机号 $name = $_GET['name'];//姓名 $num = $_GET['num'];//身份证号 $addr = $_GET['addr'];//身份证地址 $communicaID = $_GET['communicaID'];//communicaID $UID = $_GET['UID'];//UID用户id,用来记录提交实名信息的用户 $deviceid = $_GET['deviceid'];//deviceid submitUnicomNum($tel,$name,$num,$addr,$communicaID,$UID,$deviceid); //submitUnicomNum('13146033307','段士辉','411503198903243012','北京市昌平区史各庄镇西半壁');}if($type == "3"){ $dc = new DesCrypt(); $iccid = $dc->en('981818','sunnada0');//调用DesCrypt的en方法,加密 $iccid = strtoupper($iccid);//字符串转换为大写echo $iccid.'<br/>';}if($type == "4"){ insertTrueName('13146033307','段士辉','411503198903243012','北京市昌平区史各庄镇西半壁');}/****检测手机号是否允许实名*/function checkUnicomNum($tel,$deviceid){ $url = "**.**.**.**:8090"; $dc = new DesCrypt(); $ks = $dc->en($tel,'qwertyui'); $ks = strtoupper($ks); $s='<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:checkTelphone><deviceID>3567080483013190</deviceID><communicaID>FFFF</communicaID><agentId>80B73E3132818FFF3FC989A755DCABDF</agentId><telplone>' .$ks.'</telplone><versionCode>1.1</versionCode><versionName>1.0</versionName><clientType>01</clientType></ns:checkTelphone></SOAP-ENV:Body></SOAP-ENV:Envelope>'; //$s = '<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:checkTelphone><deviceID>3567080483013190</deviceID><communicaID>FFFF</communicaID><agentId>935CE99C05CE8E1DE04C47F38CAC04A6</agentId><telplone>'.$ks.'</telplone><versionCode>1.1</versionCode><versionName>1.0</versionName><clientType>01</clientType></ns:checkTelphone></SOAP-ENV:Body></SOAP-ENV:Envelope>'; //echo print($s); $curl = curl_init($url); curl_setopt($curl, CURLOPT_HEADER, 0); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_POSTFIELDS, $s); $responseText = curl_exec($curl); curl_close($curl); //echo $responseText; //print(json_encode(array("result"=>'success',"communicaID"=>'0000'))); if(strpos($responseText,"<tradeState>0000</tradeState>")>0){ $ret = 'success'; $start = strpos($responseText,"<communicaID>"); $end = strpos($responseText,"</communicaID>"); $communicaIDStr = substr($responseText,$start+13,$end-$start-13);//获取communicaID print(json_encode(array("result"=>$ret,"communicaID"=>$communicaIDStr))); return; }else{ $start = strpos($responseText,"<description>"); $end = strpos($responseText,"</description>"); $ret = substr($responseText,$start+13,$end-$start-13); print(json_encode(array("result"=>$ret))); return; } //echo "\n"; //echo $responseText; return;}/****根据uccid获取手机号*/function getUnicomNum($iccid,$deviceid){ $url = "**.**.**.**:8090"; $dc = new DesCrypt(); $iccid = $dc->en($iccid,'sunnada0');//调用DesCrypt的en方法,加密 $iccid = strtoupper($iccid);//字符串转换为大写 //echo $iccid."<br/>"; $s = '<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:NetCardFind><deviceID>3567080483013190</deviceID><communicaID>FFFF</communicaID><agentId>859381E3E0D4BE3EDB10018AD702FFA9</agentId><iccidnumber>'.$iccid.'</iccidnumber><versionName>1.0</versionName><clientType>01</clientType></ns:NetCardFind></SOAP-ENV:Body></SOAP-ENV:Envelope>'; //$s = '<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:NetCardFind><deviceID>3567080483013190</deviceID><communicaID>FFFF</communicaID><agentId>ADA658DD7BCD302965607BBFEE530EEC</agentId><iccidnumber>'.$iccid.'</iccidnumber><versionName>1.0</versionName><clientType>01</clientType></ns:NetCardFind></SOAP-ENV:Body></SOAP-ENV:Envelope>'; //echo $s; $curl = curl_init($url); curl_setopt($curl, CURLOPT_HEADER, 0); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_POSTFIELDS, $s); $s = curl_exec($curl); //echo $s.'<br />'; curl_close($curl); $start = strpos($s,"<cardnumber>");//返回字符串<cardnumber>在另一个字符串$s中第一次出现的位置。 $end = strpos($s,"</cardnumber>"); //echo $start.'<br />'; //echo $end.'<br />'; $num = ''; if( $start>0 && $end>0&&($end-$start-12)>0 ){ $ret = substr($s,$start+12,$end-$start-12); //echo $ret.'<br />'; $dc = new DesCrypt(); $num = $dc->de( strtolower($ret),'sunnada0' ); $num = trim($num); } //echo $num; return $num;}/****提交实名认证信息*/function submitUnicomNum($tel,$name,$num,$addr,$communicaID,$UID,$deviceid){ $url = "**.**.**.**:8090"; $telTemp = $tel; $nameTemp = $name; $numTemp = $num; $addrTemp = $addr; $dc = new DesCrypt(); $telplone = $dc->en($tel,'qwertyui' );//访问dc对象里边的en方法,并把返回值复制给telphone变量 $telplone = strtoupper($telplone); $name = $dc->en(iconv('utf-8','gbk',$name),'qwertyui');//iconv('utf-8','gbk//IGNORE',$name),'qwertyui' $name = strtoupper($name); $num = $dc->en($num,'qwertyui' ); $num = strtoupper($num); $addr = $dc->en(iconv('utf-8','gbk',$addr),'qwertyui' );//iconv('utf-8','gbk//IGNORE',$addr) $addr = strtoupper($addr); $s = '<SOAP-ENV:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance"xmlns:xsd="http://**.**.**.**/2001/XMLSchema"xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/"xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"xmlns:ns="urn:SmsWBS"><SOAP-ENV:Body><ns:uploadCertificateInfo><deviceID>3567080483013190</deviceID><communicaID>'.$communicaID.'</communicaID><agentId>80B73E3132818FFF3FC989A755DCABDF</agentId>'. '<telplone>'.$telplone.'</telplone>'. '<certificateName>'.$name.'</certificateName>'. '<certificateType>8D1B6F7327986F7F</certificateType>'. '<certificateNum>'.$num.'</certificateNum>'. '<certificateAdd>'.$addr.'</certificateAdd>'. '<clientType>01</clientType></ns:uploadCertificateInfo></SOAP-ENV:Body></SOAP-ENV:Envelope>'; //echo $s; $curl = curl_init($url);//// 创建一个新cURL资源 // 设置URL和相应的选项 curl_setopt($curl, CURLOPT_HEADER, 0); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_POSTFIELDS, $s); $responseText = curl_exec($curl);// 抓取URL并把它传递给浏览器 // 关闭cURL资源,并且释放系统资源 curl_close($curl); echo $responseText; /* if(strpos($responseText,"<tradeState>0000</tradeState>")>0){ $ret = 'success'; insertTrueName($telTemp,$nameTemp,$numTemp,$addrTemp,$UID); print(json_encode(array("result"=>$ret))); return; }else{ $start = strpos($responseText,"<description>"); $end = strpos($responseText,"</description>"); $ret = substr($responseText,$start+13,$end-$start-13); print(json_encode(array("result"=>$ret))); return; } */ }function insertTrueName($tel,$name,$num,$addr,$UID){ //Connect to database mysql_connect('localhost', 'root', 'mysql'); //Select database ini_set("error_reporting",E_ALL ^ E_NOTICE); mysql_select_db('hoorayos'); mysql_query("SET NAMES 'utf8'"); mysql_query("SET CHARACTER_SET_CLIENT=utf8"); mysql_query("SET CHARACTER_SET_RESULTS=utf8"); $query = "INSERT INTO tb_truename(tel,name,number,address,datetime,user_id) VALUES ('$tel','$name','$num','$addr',now(),'$UID')"; //echo $query; //Insert mysql_query($query);}class DesCrypt{ var $key = 'qwertyui'; var $deviceid = ''; var $user = ''; var $lsh = ''; var $cipherText = ''; var $HcipherText = ''; var $decrypted_data =''; function DesCrypt(){ } //加密 //加密 function en($str,$key="") { $k = $this->key; if( strlen($key)>0 ){ $k = $key; } $cipher = mcrypt_module_open(MCRYPT_DES, '', MCRYPT_MODE_ECB, ''); $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_DES,MCRYPT_MODE_ECB), MCRYPT_RAND); if (mcrypt_generic_init($cipher, substr($k,0,8), $iv) != -1) { $this->cipherText = mcrypt_generic($cipher,$this->pad($str)); mcrypt_generic_deinit($cipher); $this->HcipherText=bin2hex($this->cipherText); //printf("<p>3DES HexEncrypted:\n%s</p>",$this->HcipherText); } mcrypt_module_close($cipher); return $this->HcipherText; } //解密 function de($str , $key="") { $k = $this->key; if( strlen($key)>0 ){ $k = $key; } $str = pack('H*', $str); $cipher = mcrypt_module_open(MCRYPT_DES, '', MCRYPT_MODE_ECB, ''); $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_DES,MCRYPT_MODE_ECB), MCRYPT_RAND); if (mcrypt_generic_init($cipher, substr($k,0,8), $iv) != -1) { $this->decrypted_data = mdecrypt_generic($cipher,$str); mcrypt_generic_deinit($cipher); } mcrypt_module_close($cipher); return $this->decrypted_data; //return $this->unpad($this->decrypted_data); } private function pad ($data) { $data = str_replace("\n","",$data); $data = str_replace("\t","",$data); $data = str_replace("\r","",$data); return $data; } private function unpad ($text) { $pad = ord($text{strlen($text) - 1}); if ($pad > strlen($text)) { return false; } if (strspn($text, chr($pad), strlen($text) - $pad) != $pad) { return false; } return substr($text, 0, - 1 * $pad); } }; ?>
你懂
危害等级:中
漏洞Rank:7
确认时间:2016-01-08 17:30
CNVD确认并复现所述情况,已经转由CNCERT向中国联通集团公司通报,由其后续协调网站管理部门处置。
暂无
