当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0181444

漏洞标题:安美世纪自主研发的酒店高速互联网接入及综合管理服务系统设备任意命令执行&存储型XSS

相关厂商:安美世纪(北京)科技有限公司

漏洞作者: YY-2012

提交时间:2016-03-07 12:50

修复时间:2016-06-09 18:10

公开时间:2016-06-09 18:10

漏洞类型:命令执行

危害等级:中

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-07: 细节已通知厂商并且等待厂商处理中
2016-03-11: 厂商已经确认,细节仅向厂商公开
2016-03-14: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-05-05: 细节向核心白帽子及相关领域专家公开
2016-05-15: 细节向普通白帽子公开
2016-05-25: 细节向实习白帽子公开
2016-06-09: 细节向公众公开

简要描述:

任意命令执行漏洞&存储型XSS(只需登录系统立刻触发)

详细说明:

任意命令执行/manager/radius/server_ping.php

<?
if (!isset($ip) || $ip == "" || !isset($id) || $id == "") exit;
$cmd = "ping -c 2 -s 65 $ip";
$fp = popen($cmd, "r");
$getString = "";
if ($fp) {
while (($line = fgets($fp, 512))) {
$getString .= trim($line);
}
pclose($fp);

}
if (strstr($getString, "2 received, 0%")) {
echo "<html><body><script language=\"javascript\">\n";
echo "parent.doTestResult('$id', 'ok');\n";
echo "</script></body></html>\n";
} else {
echo "<html><body><script language=\"javascript\">\n";
echo "parent.doTestResult('$id', 'no');\n";
echo "</script></body></html>\n";
}
?>


模板功能设置页面/language.php未授权访问,能任意修改系统功能名称导致存储型XSS跨站漏洞。

<?
/*
功能:添加语言文字页面
mysql> desc T_Lang;
+-----------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+----------------+
| SerialID | int(16) | NO | PRI | NULL | auto_increment |
| LangID | varchar(128) | NO | | | |
| LangName | varchar(255) | NO | | | |
| LangEName | varchar(255) | YES | | | |
| LangType | varchar(64) | NO | | | |
+-----------+--------------+------+-----+---------+----------------+
mysql> desc T_LangMenu;
+----------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+----------------+
| SerialID | int(16) | NO | PRI | NULL | auto_increment |
| MenuName | varchar(128) | NO | | | |
+----------+--------------+------+-----+---------+----------------+
*/
include_once ("mysql.php");
$dblang = new newDB();
$showResult = "";
if (!isset($SerialID)) $SerialID = "";
if (!isset($LangType)) $LangType = "";
if (!isset($LangID)) $LangID = "";
if (!isset($LangName)) $LangName = "";
if (!isset($LangEName)) $LangEName = "";
if (!isset($Type)) $Type = "";
if (!isset($Flag)) $Flag = "";
if (!isset($Search)) $Search = "";
if (!isset($TitleList)) $TitleList = "";
if (!isset($Lately)) $Lately = "";
if (!isset($doWrite)) $doWrite = "";
if (!isset($EditStatus)) $EditStatus = "";
if (!isset($doAddMenu)) $doAddMenu = "";
if (!isset($MenuName)) $MenuName = "";
$LangID = str_replace("'", "", $LangID);
$LangName = str_replace("'", "", $LangName);
$LangEName = str_replace("'", "''", $LangEName);
$LangName = str_replace("\\t", "", $LangName);
$LangEName = str_replace("\\t", "", $LangEName);
$Search = str_replace("'", "", $Search);
$MenuName = str_replace("'", "", $MenuName);
if (strcasecmp($doWrite, "ok") == 0) {
$cn_file = "/usr/eflow/hibos/include/lang_cn.php";
$en_file = "/usr/eflow/hibos/include/lang_en.php";
$get_string_cn = "<?\n/*\n * 功能:简体中文语言\n */\n\n\$CHARSET = \"GB2312\";\n\$lang = array\n(\n";
$get_string_en = "<?\n/*\n * 功能:英文语言\n */\n\n\$CHARSET = \"UTF-8\";\n\$lang = array\n(\n";
$title_stats = "";
$sqlcmd = "select LangID, LangName, LangEName, LangType from T_Lang order by LangType, LangID ASC";
$result = $dblang->query($sqlcmd);
while ($result && ($row = $dblang->fetch_row($result)) != false) {
if ($row[3] != $title_stats) {
$get_string_cn .= "\t//".$row[3]."\n";
$get_string_en .= "\t//".$row[3]."\n";
$title_stats = $row[3];
}
$get_string_cn .= "\t'".$row[0]."' => '".str_replace("'", "\\'", $row[1])."',\n";
$get_string_en .= "\t'".$row[0]."' => '".str_replace("'", "\\'", $row[2])."',\n";
}
$get_string_cn .= "'');\n\n?>";
$get_string_en .= "'');\n\n?>";
$result_cn = 0;
$cnfd = fopen($cn_file, 'w');
if ($cnfd) {
$result_cn = 1;
fputs($cnfd, $get_string_cn);
fclose($cnfd);
}
$result_en = 0;
$enfd = fopen($en_file, 'w');
if ($enfd) {
$result_en = 1;
fputs($enfd, $get_string_en);
fclose($enfd);
}
echo "<html>\n";
echo "<body>\n";
echo "<script language=\"JavaScript\">\n";
if ($result_cn && $result_en) {
echo "alert('写文件成功!');\n";
} else {
echo "alert('写文件失败!');\n";
}
echo "</script>\n";
echo "</body>\n";
echo "</html>\n";
exit;
}
if (strcasecmp($doAddMenu, "ok") == 0) {
if ($MenuName != "") {
$sqlcmd = "insert into T_LangMenu (MenuName) values ('$MenuName')";
$result = $dblang->query($sqlcmd);
} else
$result = 0;
if ($result)
$showResult = "标示位置添加成功!";
else
$showResult = "标示位置添加失败!";
}
if (isset($UID) && $UID == "add") {
//添加
$sqlcmd = "select LangName from T_Lang where LangID='$LangID'";
$result = $dblang->query($sqlcmd);
if ($result && $dblang->num_rows($result) > 0) {
$showResult = "下标ID已经存在!";
} else {
$sqlcmd = "insert into T_Lang(LangID,LangName,LangEName,LangType)";
$sqlcmd .= "values('$LangID','$LangName','$LangEName','$LangType')";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$LangID => $LangName 已添加完成!";
$LangID = "";
$LangName = "";
$LangEName = "";
$LangType = "";
} else {
$showResult = "$LangID => $LangName 添加失败!";
}
}
} else if (isset($Flag) && $Flag == "edit") {
$sqlcmd = "select LangID, LangName, LangEName, LangType, SerialID from T_Lang where LangID='$id'";
$result = $dblang->query($sqlcmd);
if ($result && ($row = $dblang->fetch_row($result)) != false) {
$LangID = $row[0];
$LangName = $row[1];
$LangEName = $row[2];
$LangType = $row[3];
$SerialID = $row[4];
} else {
$Flag = "";
}
} else if (isset($UID) && $UID == "edit" && $SerialID != "") {
$sqlcmd = "update T_Lang set LangID='$LangID', LangName='$LangName', LangEName='$LangEName', LangType='$LangType' where SerialID='$SerialID'";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$LangID => $LangName 已修改完成!";
$LangID = "";
$LangName = "";
$LangEName = "";
$LangType = "";
} else {
$showResult = "$LangID => $LangName 修改失败!";
}
} else if (isset($UID) && $UID == "del") {
$sqlcmd = "delete from T_Lang where LangID='$id'";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$id 已删除完成!";
} else {
$showResult = "$id 删除失败!";
}
}
?>
<html>
<title>语言管理</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link REL="STYLESHEET" TYPE="text/css" HREF="/script/style.css">
<script language="JavaScript" src="/script/string.js"></script>
<script language="JavaScript" src="/script/flybar.js"></script>
<script language="JavaScript">
function docheck(form)
{
form.LangID.value = trim(form.LangID.value);
if (form.LangID.value == "") {
alert("下标ID不允许空");
form.LangID.focus();
return false;
}
form.LangName.value = trim(form.LangName.value);
if (form.LangName.value == "") {
alert("中文语言内容不允许空");
form.LangName.focus();
return false;
}
form.LangEName.value = trim(form.LangEName.value);
if (form.LangEName.value == "") {
alert("英文语言内容不允许空");
form.LangEName.focus();
return false;
}
if (form.LangType.value == "") {
alert("请选择标示位置");
return false;
}
return true;
}
function doWriteLang()
{
var ifr = document.createElement("IFRAME");
ifr.frameBorder = 0;
ifr.scrolling = "no";
ifr.width = 0;
ifr.height = 0;
ifr.src = "language.php?doWrite=OK";
document.body.appendChild(ifr);
}
function addMenuName()
{
var getNamestr = trim(document.getElementById('MenuName').value);
if (getNamestr == "") {
alert("标示位置不允许空!");
return;
}
document.getElementById('divBar').style.visibility = "hidden";
var ifr = document.createElement("IFRAME");
ifr.frameBorder = 0;
ifr.scrolling = "no";
ifr.width = 0;
ifr.height = 0;
ifr.src = "language.php?doAddMenu=OK&MenuName=" + getNamestr;
document.body.appendChild(ifr);
}
</script>
<body>
<br>
<center>
<form action="language.php" method="post">
<input type="hidden" name="EditStatus" value="<? echo $EditStatus ?>">
<table width="750" height="35" border="1" cellpadding="0" cellspacing="0" style="margin:7px">
<tr><td width="100%" height="35" align="left" style="padding-left:20px"><b>语言内容查找(中英):</b> <input type="text" name="Search" value="" size="30"> <input type="submit" name="submit2" value=" 查 找 ">
&nbsp;&nbsp;<span style="width:30px">&nbsp;</span> <input type="button" name="btn_lately" value="最新记录" onclick="location.href='language.php?EditStatus=<? echo $EditStatus ?>&Lately=ok'">&nbsp;&nbsp;
<input type="button" name="btn_title" value="列标题" onclick="location.href='language.php?EditStatus=<? echo $EditStatus ?>&TitleList=ok'">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="button" name="btn_title" value="写文件" onclick="doWriteLang();">
</table>
</form>
<form action="language.php" method="post" onsubmit="return docheck(this)">
<input type="hidden" name="UID" value="<? if ($Flag != "") echo "edit"; else echo "add"; ?>">
<input type="hidden" name="Type" value="<? echo $Type ?>">
<input type="hidden" name="SerialID" value="<? echo $SerialID ?>">
<input type="hidden" name="EditStatus" value="<? echo $EditStatus ?>">
<input type="hidden" name="Search" value="<? echo $Search ?>">
<input type="hidden" name="Lately" value="<? echo $Lately ?>">
<table width="750" height="200" border="1" cellpadding="0" cellspacing="0" style="margin:7px">
<tr><td width="32%" height="200" align="left" style="padding-left:10px"><b>标示位置<?if($TitleList=="" && $Type==""){?>[<a href="javascript:void(0);" onclick="divBar.style.visibility='visible';">增</a>]<?}?>:</b><br>
<select name="LangType" size="20" style="width:200px;height:180px">
<?
if ($Type != "" && $Flag == "") {
?>
<option value="<? echo $Type ?>" selected><? echo $Type ?></option>
<?
} else {
$sqlcmd = "select MenuName from T_LangMenu order by MenuName ASC";
$result2 = $dblang->query($sqlcmd);
while ($result2 && ($row2 = $dblang->fetch_row($result2)) != false) {
?>
<option value="<? echo $row2[0] ?>"<? if ($Flag != "" && $LangType == $row2[0]) echo " selected"; ?>><? echo $row2[0] ?></option>
<?
} //while end
} //if end
?>
</select><font color="#CC0000">*</font>
</td>
<td width="53%" align="left" style="padding-left:20px">
<b>下标ID:</b><br>
<input type="text" name="LangID" value="<? echo $LangID ?>" maxlength="127" size="36" onBlur="this.value=trim(this.value)" <? if ($EditStatus == "" && $Flag != "") echo "style='background-color:#EFEFEF' readonly"; ?>><font color="#CC0000">*</font>
<br><p>
<b>语言内容(中文):</b><br>
<input type="text" name="LangName" value="<? echo $LangName ?>" maxlength="2000" size="48" onBlur="this.value=trim(this.value)"><font color="#CC0000">*</font>
<br><p>
<b>语言内容(英文):</b><br>
<input type="text" name="LangEName" value="<? echo $LangEName ?>" maxlength="2000" size="48" onBlur="this.value=trim(this.value)"><font color="#CC0000">*</font>
</td>
<td width="15%" align="center"><input type="submit" name="submit" value=" <? if ($Flag != "") echo "修 改"; else echo "添 加"; ?> "></td></tr>
</table>
</form>
</center>
<p>
<div align="left">
<?
$lang = array();
$show_string = "";
$sqlcmdlang = "select LangID, LangName, LangType, LangEName from T_Lang where 1=1 ";
if ($Type != "") $sqlcmdlang .= "and LangType='$Type' ";
if ($Search != "") $sqlcmdlang .= "and (LangName like '%$Search%' or LangEName like '%$Search%') ";
if ($Lately != "") {
$sqlmax = "select Max(SerialID) from T_Lang";
$resultn = $dblang->query($sqlmax);
$nmax = 0;
if ($resultn && ($rowl = $dblang->fetch_row($resultn)) != false) {
$nmax = $rowl[0] ? $rowl[0] : 0;
}
$sqlcmdlang .= "and SerialID>'".($nmax > 0 ? ($nmax-300) : 0)."' order by LangType, SerialID desc";
} else
$sqlcmdlang .= "order by LangType, SerialID";
$resultlang = $dblang->query($sqlcmdlang);
while ($resultlang && ($rowlang = $dblang->fetch_row($resultlang)) != false) {
if (!isset($lang[$rowlang[2]])) {
$lang[$rowlang[2]] = $rowlang[2];
$show_string .= "<br><b><span style='padding-left:15px'>[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$rowlang[2]'>$rowlang[2]</a>]</span></b><br>\n";
}
$cstrlang = str_replace("<", "&lt;", $rowlang[1]);
$cstrlang = str_replace(">", "&gt;", $cstrlang);
$estrlang = str_replace("<", "&lt;", $rowlang[3]);
$estrlang = str_replace(">", "&gt;", $estrlang);
$show_string .= "<span style='padding-left:40px'>[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$Type&Flag=edit&id=${rowlang[0]}&Search=$Search'>改</a>]";
if ($EditStatus != "") {
$show_string .= " [<a href=\"javascript:if(confirm('确定删除下标为$rowlang[0]的记录吗?')) location='language.php?Lately=$Lately&EditStatus=$EditStatus&UID=del&Type=$Type&id=${rowlang[0]}&Search=$Search';\">删</a>]";
}
$show_string .= " &nbsp; <font color='#CC0000' size='2'>'$rowlang[0]'</font> => <font color='#00CC00' size='2'>'$cstrlang'</font> => <font color='#00CC00' size='2'>'$estrlang'</font></span><br>\n";
}
if ($Type == "" && $Flag == "") {
echo "<div align=\"left\" style=\"margin:0px 10px;\">";
$last_str = "";
while (list($key, $value) = each($lang)) {
if (substr($value, 0, 2) != $last_str) {
echo "<br>";
$last_str = substr($value, 0, 2);
}
echo "&nbsp;[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$key'><b>$value</b></a>]&nbsp;&nbsp;";
}
echo "</div><br>";
}
if ($TitleList == "ok") {
echo "</div>\n</body>\n</html>\n";
exit;
}
if ($Flag == "") {
echo $show_string;
}
?>
</div>
<br>
<?
if ($showResult != "") {
?>
<script language="JavaScript">
alert("<? echo $showResult ?>");
</script>
<?
}
if ($Flag != "") {
echo "<center><input type='button' name='btn_return' value=' 返 回 ' onclick=\"location='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$Type&Search=$Search'\"></center>\n";
} else if ($Type != "") {
echo "<center><input type='button' name='btn_return' value=' 返 回 ' onclick=\"location='language.php?Lately=$Lately&EditStatus=$EditStatus'\"></center>\n";
}
?>
<br>
<div id="divBar" style='position:absolute;top:90px;left:200px;visibility:hidden;z-index:100'>
<table cellspacing="0" cellpadding="0" border="1" width="360" height="60">
<tr><td valign="top">
<table border="0" width="100%" height="100%" cellpadding="0" cellspacing="0">
<tr>
<td class="bg2 text-right" width="70%" height="100%"><input type="text" name="MenuName" value="" maxlength="120" size="35"></td>
<td class="bg2 text-left" width="30%" height="100%" style="padding-left:5px;"><input type="button" name="addbtn" value="添加" onclick="addMenuName()">&nbsp;&nbsp;&nbsp;&nbsp;<input type="button" name="closebtn" value="关闭" onclick="divBar.style.visibility='hidden';"></td>
</tr>
</table>
</td></tr>
</table>
</div>
</body>
</html>

漏洞证明:

任意命令执行:

aaaaaaaaaaaaaaaaaaaa666666666666666666.jpg


aaaaaaaaaaaaaaaaaaa999999999999999999999.jpg


存储型XSS(只需登录系统立刻触发)

aaaaaaaaaaaaaaaaaaaa00000000000000000000000.jpg


aaaaaaaaaaaaaaaaaaa7777777777777777777777.jpg


aaaaaaaaaaaaaaaaaaaa888888888888888888888.jpg


案例:

**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**:8443/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php

修复方案:

联系厂商

版权声明:转载请注明来源 YY-2012@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2016-03-11 18:09

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件通报,由其后续提供解决方案并协调相关用户单位处置。

最新状态:

暂无


漏洞评价:

评价

  1. 2016-03-07 14:49 | 一只猿 ( 普通白帽子 | Rank:546 漏洞数:96 | 硬件与无线通信研究方向)

    这个屌

  2. 2016-03-07 14:51 | YY-2012 ( 核心白帽子 | Rank:3814 漏洞数:726 | 意淫,是《红楼梦》原创的词汇,但后来演变...)

    @一只猿 你怎么知道的?