2016-03-07: 细节已通知厂商并且等待厂商处理中 2016-03-11: 厂商已经确认,细节仅向厂商公开 2016-03-14: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息) 2016-05-05: 细节向核心白帽子及相关领域专家公开 2016-05-15: 细节向普通白帽子公开 2016-05-25: 细节向实习白帽子公开 2016-06-09: 细节向公众公开
任意命令执行漏洞&存储型XSS(只需登录系统立刻触发)
任意命令执行/manager/radius/server_ping.php
<?if (!isset($ip) || $ip == "" || !isset($id) || $id == "") exit;$cmd = "ping -c 2 -s 65 $ip";$fp = popen($cmd, "r");$getString = "";if ($fp) { while (($line = fgets($fp, 512))) { $getString .= trim($line); } pclose($fp); }if (strstr($getString, "2 received, 0%")) { echo "<html><body><script language=\"javascript\">\n"; echo "parent.doTestResult('$id', 'ok');\n"; echo "</script></body></html>\n";} else { echo "<html><body><script language=\"javascript\">\n"; echo "parent.doTestResult('$id', 'no');\n"; echo "</script></body></html>\n";}?>
模板功能设置页面/language.php未授权访问,能任意修改系统功能名称导致存储型XSS跨站漏洞。
<?/* 功能:添加语言文字页面mysql> desc T_Lang;+-----------+--------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+-----------+--------------+------+-----+---------+----------------+| SerialID | int(16) | NO | PRI | NULL | auto_increment | | LangID | varchar(128) | NO | | | | | LangName | varchar(255) | NO | | | | | LangEName | varchar(255) | YES | | | | | LangType | varchar(64) | NO | | | | +-----------+--------------+------+-----+---------+----------------+mysql> desc T_LangMenu; +----------+--------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+----------+--------------+------+-----+---------+----------------+| SerialID | int(16) | NO | PRI | NULL | auto_increment | | MenuName | varchar(128) | NO | | | | +----------+--------------+------+-----+---------+----------------+*/include_once ("mysql.php");$dblang = new newDB();$showResult = "";if (!isset($SerialID)) $SerialID = "";if (!isset($LangType)) $LangType = "";if (!isset($LangID)) $LangID = "";if (!isset($LangName)) $LangName = "";if (!isset($LangEName)) $LangEName = "";if (!isset($Type)) $Type = "";if (!isset($Flag)) $Flag = "";if (!isset($Search)) $Search = "";if (!isset($TitleList)) $TitleList = "";if (!isset($Lately)) $Lately = "";if (!isset($doWrite)) $doWrite = "";if (!isset($EditStatus)) $EditStatus = "";if (!isset($doAddMenu)) $doAddMenu = "";if (!isset($MenuName)) $MenuName = "";$LangID = str_replace("'", "", $LangID);$LangName = str_replace("'", "", $LangName);$LangEName = str_replace("'", "''", $LangEName);$LangName = str_replace("\\t", "", $LangName);$LangEName = str_replace("\\t", "", $LangEName);$Search = str_replace("'", "", $Search);$MenuName = str_replace("'", "", $MenuName);if (strcasecmp($doWrite, "ok") == 0) { $cn_file = "/usr/eflow/hibos/include/lang_cn.php"; $en_file = "/usr/eflow/hibos/include/lang_en.php"; $get_string_cn = "<?\n/*\n * 功能:简体中文语言\n */\n\n\$CHARSET = \"GB2312\";\n\$lang = array\n(\n"; $get_string_en = "<?\n/*\n * 功能:英文语言\n */\n\n\$CHARSET = \"UTF-8\";\n\$lang = array\n(\n"; $title_stats = ""; $sqlcmd = "select LangID, LangName, LangEName, LangType from T_Lang order by LangType, LangID ASC"; $result = $dblang->query($sqlcmd); while ($result && ($row = $dblang->fetch_row($result)) != false) { if ($row[3] != $title_stats) { $get_string_cn .= "\t//".$row[3]."\n"; $get_string_en .= "\t//".$row[3]."\n"; $title_stats = $row[3]; } $get_string_cn .= "\t'".$row[0]."' => '".str_replace("'", "\\'", $row[1])."',\n"; $get_string_en .= "\t'".$row[0]."' => '".str_replace("'", "\\'", $row[2])."',\n"; } $get_string_cn .= "'');\n\n?>"; $get_string_en .= "'');\n\n?>"; $result_cn = 0; $cnfd = fopen($cn_file, 'w'); if ($cnfd) { $result_cn = 1; fputs($cnfd, $get_string_cn); fclose($cnfd); } $result_en = 0; $enfd = fopen($en_file, 'w'); if ($enfd) { $result_en = 1; fputs($enfd, $get_string_en); fclose($enfd); } echo "<html>\n"; echo "<body>\n"; echo "<script language=\"JavaScript\">\n"; if ($result_cn && $result_en) { echo "alert('写文件成功!');\n"; } else { echo "alert('写文件失败!');\n"; } echo "</script>\n"; echo "</body>\n"; echo "</html>\n"; exit;}if (strcasecmp($doAddMenu, "ok") == 0) { if ($MenuName != "") { $sqlcmd = "insert into T_LangMenu (MenuName) values ('$MenuName')"; $result = $dblang->query($sqlcmd); } else $result = 0; if ($result) $showResult = "标示位置添加成功!"; else $showResult = "标示位置添加失败!";}if (isset($UID) && $UID == "add") { //添加 $sqlcmd = "select LangName from T_Lang where LangID='$LangID'"; $result = $dblang->query($sqlcmd); if ($result && $dblang->num_rows($result) > 0) { $showResult = "下标ID已经存在!"; } else { $sqlcmd = "insert into T_Lang(LangID,LangName,LangEName,LangType)"; $sqlcmd .= "values('$LangID','$LangName','$LangEName','$LangType')"; if ($dblang->query($sqlcmd) != false) { $showResult = "$LangID => $LangName 已添加完成!"; $LangID = ""; $LangName = ""; $LangEName = ""; $LangType = ""; } else { $showResult = "$LangID => $LangName 添加失败!"; } }} else if (isset($Flag) && $Flag == "edit") { $sqlcmd = "select LangID, LangName, LangEName, LangType, SerialID from T_Lang where LangID='$id'"; $result = $dblang->query($sqlcmd); if ($result && ($row = $dblang->fetch_row($result)) != false) { $LangID = $row[0]; $LangName = $row[1]; $LangEName = $row[2]; $LangType = $row[3]; $SerialID = $row[4]; } else { $Flag = ""; }} else if (isset($UID) && $UID == "edit" && $SerialID != "") { $sqlcmd = "update T_Lang set LangID='$LangID', LangName='$LangName', LangEName='$LangEName', LangType='$LangType' where SerialID='$SerialID'"; if ($dblang->query($sqlcmd) != false) { $showResult = "$LangID => $LangName 已修改完成!"; $LangID = ""; $LangName = ""; $LangEName = ""; $LangType = ""; } else { $showResult = "$LangID => $LangName 修改失败!"; }} else if (isset($UID) && $UID == "del") { $sqlcmd = "delete from T_Lang where LangID='$id'"; if ($dblang->query($sqlcmd) != false) { $showResult = "$id 已删除完成!"; } else { $showResult = "$id 删除失败!"; }}?><html><title>语言管理</title><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><link REL="STYLESHEET" TYPE="text/css" HREF="/script/style.css"><script language="JavaScript" src="/script/string.js"></script><script language="JavaScript" src="/script/flybar.js"></script><script language="JavaScript"> function docheck(form){ form.LangID.value = trim(form.LangID.value); if (form.LangID.value == "") { alert("下标ID不允许空"); form.LangID.focus(); return false; } form.LangName.value = trim(form.LangName.value); if (form.LangName.value == "") { alert("中文语言内容不允许空"); form.LangName.focus(); return false; } form.LangEName.value = trim(form.LangEName.value); if (form.LangEName.value == "") { alert("英文语言内容不允许空"); form.LangEName.focus(); return false; } if (form.LangType.value == "") { alert("请选择标示位置"); return false; } return true;}function doWriteLang(){ var ifr = document.createElement("IFRAME"); ifr.frameBorder = 0; ifr.scrolling = "no"; ifr.width = 0; ifr.height = 0; ifr.src = "language.php?doWrite=OK"; document.body.appendChild(ifr);}function addMenuName(){ var getNamestr = trim(document.getElementById('MenuName').value); if (getNamestr == "") { alert("标示位置不允许空!"); return; } document.getElementById('divBar').style.visibility = "hidden"; var ifr = document.createElement("IFRAME"); ifr.frameBorder = 0; ifr.scrolling = "no"; ifr.width = 0; ifr.height = 0; ifr.src = "language.php?doAddMenu=OK&MenuName=" + getNamestr; document.body.appendChild(ifr);}</script><body><br><center><form action="language.php" method="post"><input type="hidden" name="EditStatus" value="<? echo $EditStatus ?>"><table width="750" height="35" border="1" cellpadding="0" cellspacing="0" style="margin:7px"> <tr><td width="100%" height="35" align="left" style="padding-left:20px"><b>语言内容查找(中英):</b> <input type="text" name="Search" value="" size="30"> <input type="submit" name="submit2" value=" 查 找 "> <span style="width:30px"> </span> <input type="button" name="btn_lately" value="最新记录" onclick="location.href='language.php?EditStatus=<? echo $EditStatus ?>&Lately=ok'"> <input type="button" name="btn_title" value="列标题" onclick="location.href='language.php?EditStatus=<? echo $EditStatus ?>&TitleList=ok'"> <input type="button" name="btn_title" value="写文件" onclick="doWriteLang();"></table></form><form action="language.php" method="post" onsubmit="return docheck(this)"><input type="hidden" name="UID" value="<? if ($Flag != "") echo "edit"; else echo "add"; ?>"><input type="hidden" name="Type" value="<? echo $Type ?>"><input type="hidden" name="SerialID" value="<? echo $SerialID ?>"><input type="hidden" name="EditStatus" value="<? echo $EditStatus ?>"><input type="hidden" name="Search" value="<? echo $Search ?>"><input type="hidden" name="Lately" value="<? echo $Lately ?>"><table width="750" height="200" border="1" cellpadding="0" cellspacing="0" style="margin:7px"> <tr><td width="32%" height="200" align="left" style="padding-left:10px"><b>标示位置<?if($TitleList=="" && $Type==""){?>[<a href="javascript:void(0);" onclick="divBar.style.visibility='visible';">增</a>]<?}?>:</b><br> <select name="LangType" size="20" style="width:200px;height:180px"><? if ($Type != "" && $Flag == "") {?> <option value="<? echo $Type ?>" selected><? echo $Type ?></option><? } else { $sqlcmd = "select MenuName from T_LangMenu order by MenuName ASC"; $result2 = $dblang->query($sqlcmd); while ($result2 && ($row2 = $dblang->fetch_row($result2)) != false) {?> <option value="<? echo $row2[0] ?>"<? if ($Flag != "" && $LangType == $row2[0]) echo " selected"; ?>><? echo $row2[0] ?></option><? } //while end } //if end?> </select><font color="#CC0000">*</font> </td> <td width="53%" align="left" style="padding-left:20px"> <b>下标ID:</b><br> <input type="text" name="LangID" value="<? echo $LangID ?>" maxlength="127" size="36" onBlur="this.value=trim(this.value)" <? if ($EditStatus == "" && $Flag != "") echo "style='background-color:#EFEFEF' readonly"; ?>><font color="#CC0000">*</font> <br><p> <b>语言内容(中文):</b><br> <input type="text" name="LangName" value="<? echo $LangName ?>" maxlength="2000" size="48" onBlur="this.value=trim(this.value)"><font color="#CC0000">*</font> <br><p> <b>语言内容(英文):</b><br> <input type="text" name="LangEName" value="<? echo $LangEName ?>" maxlength="2000" size="48" onBlur="this.value=trim(this.value)"><font color="#CC0000">*</font> </td> <td width="15%" align="center"><input type="submit" name="submit" value=" <? if ($Flag != "") echo "修 改"; else echo "添 加"; ?> "></td></tr></table></form></center><p><div align="left"><?$lang = array();$show_string = "";$sqlcmdlang = "select LangID, LangName, LangType, LangEName from T_Lang where 1=1 ";if ($Type != "") $sqlcmdlang .= "and LangType='$Type' ";if ($Search != "") $sqlcmdlang .= "and (LangName like '%$Search%' or LangEName like '%$Search%') ";if ($Lately != "") { $sqlmax = "select Max(SerialID) from T_Lang"; $resultn = $dblang->query($sqlmax); $nmax = 0; if ($resultn && ($rowl = $dblang->fetch_row($resultn)) != false) { $nmax = $rowl[0] ? $rowl[0] : 0; } $sqlcmdlang .= "and SerialID>'".($nmax > 0 ? ($nmax-300) : 0)."' order by LangType, SerialID desc";} else $sqlcmdlang .= "order by LangType, SerialID";$resultlang = $dblang->query($sqlcmdlang);while ($resultlang && ($rowlang = $dblang->fetch_row($resultlang)) != false) { if (!isset($lang[$rowlang[2]])) { $lang[$rowlang[2]] = $rowlang[2]; $show_string .= "<br><b><span style='padding-left:15px'>[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$rowlang[2]'>$rowlang[2]</a>]</span></b><br>\n"; } $cstrlang = str_replace("<", "<", $rowlang[1]); $cstrlang = str_replace(">", ">", $cstrlang); $estrlang = str_replace("<", "<", $rowlang[3]); $estrlang = str_replace(">", ">", $estrlang); $show_string .= "<span style='padding-left:40px'>[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$Type&Flag=edit&id=${rowlang[0]}&Search=$Search'>改</a>]"; if ($EditStatus != "") { $show_string .= " [<a href=\"javascript:if(confirm('确定删除下标为$rowlang[0]的记录吗?')) location='language.php?Lately=$Lately&EditStatus=$EditStatus&UID=del&Type=$Type&id=${rowlang[0]}&Search=$Search';\">删</a>]"; } $show_string .= " <font color='#CC0000' size='2'>'$rowlang[0]'</font> => <font color='#00CC00' size='2'>'$cstrlang'</font> => <font color='#00CC00' size='2'>'$estrlang'</font></span><br>\n";}if ($Type == "" && $Flag == "") { echo "<div align=\"left\" style=\"margin:0px 10px;\">"; $last_str = ""; while (list($key, $value) = each($lang)) { if (substr($value, 0, 2) != $last_str) { echo "<br>"; $last_str = substr($value, 0, 2); } echo " [<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$key'><b>$value</b></a>] "; } echo "</div><br>";}if ($TitleList == "ok") { echo "</div>\n</body>\n</html>\n"; exit;}if ($Flag == "") { echo $show_string;}?></div><br><? if ($showResult != "") {?><script language="JavaScript"> alert("<? echo $showResult ?>");</script><? } if ($Flag != "") { echo "<center><input type='button' name='btn_return' value=' 返 回 ' onclick=\"location='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$Type&Search=$Search'\"></center>\n"; } else if ($Type != "") { echo "<center><input type='button' name='btn_return' value=' 返 回 ' onclick=\"location='language.php?Lately=$Lately&EditStatus=$EditStatus'\"></center>\n"; }?><br><div id="divBar" style='position:absolute;top:90px;left:200px;visibility:hidden;z-index:100'><table cellspacing="0" cellpadding="0" border="1" width="360" height="60"> <tr><td valign="top"> <table border="0" width="100%" height="100%" cellpadding="0" cellspacing="0"> <tr> <td class="bg2 text-right" width="70%" height="100%"><input type="text" name="MenuName" value="" maxlength="120" size="35"></td> <td class="bg2 text-left" width="30%" height="100%" style="padding-left:5px;"><input type="button" name="addbtn" value="添加" onclick="addMenuName()"> <input type="button" name="closebtn" value="关闭" onclick="divBar.style.visibility='hidden';"></td> </tr> </table> </td></tr></table></div></body></html>
任意命令执行:
存储型XSS(只需登录系统立刻触发)
案例:
**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**:8443/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php**.**.**.**/manager/login.php
联系厂商
危害等级:高
漏洞Rank:16
确认时间:2016-03-11 18:09
CNVD确认并复现所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件通报,由其后续提供解决方案并协调相关用户单位处置。
暂无
这个屌
@一只猿 你怎么知道的?
