神刀安全网

Vulnerability title: Four command-execution points plus arbitrary file deletion in a Panabit traffic analysis management system (no login required)

Vulnerability details

Disclosure status:

2016-03-04: Details reported to the vendor; awaiting vendor response
2016-03-08: Vendor confirmed; details disclosed to the vendor only
2016-03-11: Details opened to third-party security partners (NSFOCUS, 唐朝安全巡航, 无声信息)
2016-05-02: Details opened to core white hats and domain experts
2016-05-12: Details opened to regular white hats
2016-05-22: Details opened to intern white hats
2016-06-06: Details made public

Brief description:

Four command-execution points plus arbitrary file deletion in a Panabit traffic analysis management system (no login required)

Detailed description:

Official-site case study: http://**.**.**.**/html/solution/success_case/2014/0903/82.html

As the case study shows, this vendor's customers are ISPs, universities, enterprises, residential communities and internet cafés, so the deployment base is very large.

Location 1

/Flow/ipsegtrend.php

Code:
<?php
set_time_limit(0);
date_default_timezone_set('PRC');
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

// All five values come straight from the query string, unvalidated and unescaped.
$devid = $_GET['devid'];
$ip = $_GET['ip'];
$strstart = $_GET['tmstart'];
$strend = $_GET['tmend'];
$dis_type = $_GET['type'];

// strtotime() reduces tmstart/tmend to an integer (or false), so only
// devid, ip and type reach the shell as raw attacker-controlled strings.
$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-360*60;
$elong = $longend;
$tables = $slong."/".$elong;

$i = 0;
$arr = array();
$json = array();
// Sink: the raw values are interpolated into the command line and run through
// the shell by exec() with no escapeshellarg(), so ';', '|' or backticks in
// devid, ip or type terminate the logeye command and start an attacker-chosen one.
exec(DOCROOT."//bin//logeye.exe ipsegtrend $devid $ip $longstart $longend $tables $dis_type", $output, $return);
foreach($output as $val){
$ds = explode(' ', $val);

$arr[$i]['x'] = (int)$ds[1]*1000;
$arr[$i]['y'] = (int)$ds[2];

$i++;
}

$json['result'] = $arr;
echo json_encode($json);
?>

Parameters: devid, ip, tmstart, tmend, type

They are read from $_GET and interpolated directly into the exec() command line without escaping, which yields command execution. tmstart and tmend pass through strtotime() first and become an integer (or false, which interpolates as an empty string), so the shell-injectable parameters are devid, ip and type: a shell metacharacter such as ; in any of them ends the logeye command and runs whatever follows as the web server user.

Location 2

/Flow/ipapplist.php

Code:
<?php
set_time_limit(0);
date_default_timezone_set('PRC');
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

// Query-string parameters, unvalidated. errname is concatenated into the
// command line through $errfile, so it is injectable as well.
$devid = $_GET['devid'];
$ip = ($_GET['ip']);
$strstart = $_GET['tmstart'];
$strend = $_GET['tmend'];
$dis_type = $_GET['type'];
$appid = $_GET['appid'];
$errfile = _CHECKING_STATUS_F.'/'.$_GET['errname'];

$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tables = $longstart."/".$longend;

// Server-generated list of session table names; $tablefile itself is not attacker-controlled.
$minutes = ($longend - $longstart) / 60;
$tablefile = "/var/tmp/session_table_".date("YmdHis").".txt";
$fp = fopen($tablefile, "w");
for ($i = 0; $i < $minutes; $i++){
if (date("i", $longstart-300+$i*60) % 5 == 0)
fwrite($fp, "session".date("Ymd", $longstart+$i*60).".sess".date("YmdHi", $longstart+$i*60)."00\n");
}
fclose($fp);

$arr = array();
$json = array();

// Sink: the raw values are concatenated into $cmd, which exec() hands to the shell.
$cmd = LOGDPATH."/bin/logeye iptoapp $devid $ip $longstart $longend $tablefile $dis_type $errfile $appid";
exec($cmd, $output, $return);

$fp = fopen("/var/tmp/apptofile_content_apply.txt", "w");
foreach($output as $val){
$ds = explode(' ', $val);

fwrite($fp, $val."\n");

array_push($arr, array("name"=>$ds[0], "cname"=>iconv('gb2312','utf-8', $ds[1]),
"upbytes"=>(double)$ds[2], "downbytes"=>(double)$ds[3]));
}
fclose($fp);

$json['rows'] = $arr;
echo json_encode($json);
?>

Parameters: devid, ip, tmstart, tmend, type, appid (and errname, via $errfile)

They are concatenated directly into $cmd, and $cmd goes into exec(), which yields command execution. As in location 1, tmstart and tmend are neutralised by strtotime(), so the shell-injectable parameters here are devid, ip, type, appid and errname.

Location 3

/Flow/iptop.php

Code:
<?php
set_time_limit(0);
date_default_timezone_set('PRC');
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

// Query-string parameters, unvalidated; devid, ip, topip, type and errname all
// end up on the command line.
$devid = $_GET['devid'];
$ip = $_GET['ip'];
$strstart = $_GET['tmstart'];
$strend = $_GET['tmend'];
$topip = $_GET['topip'];
$dis_type = $_GET['type'];
$errfile = _CHECKING_STATUS_F.'/'.$_GET['errname'];

if ($ip == "") $ip = "**.**.**.**-**.**.**.**";

$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-360*60;
$elong = $longend;
$tables = $slong."/".$elong;

$i = 0;
$arr = array();
$arrxaxis = array();
$arrxyaxis = array();
$json = array();

$tablefile = php_getiptable($strstart, $strend, $devid);

// Sink: same unescaped interpolation into exec() as the first two scripts.
exec(LOGDPATH."/bin/logeye iptop $devid $ip $longstart $longend $tablefile $topip $dis_type $errfile", $output, $return);
foreach($output as $val){
$ds = explode(' ', $val);

if ($ds[0] == "**.**.**.**") continue;

$arrxaxis[$i] = sprintf("%s", $ds[0]);
$arr[$i]['ip'] = sprintf("%s", $ds[0]);

// type is only compared against these four values after the command has already run.
if ($dis_type == "up")
$arrxyaxis[$i] = (double)$ds[2];
else if ($dis_type == "down")
$arrxyaxis[$i] = (double)$ds[3];
else if ($dis_type == "total")
$arrxyaxis[$i] = (double)$ds[1];
else if ($dis_type == "flow")
$arrxyaxis[$i] = (int)$ds[4];

$arr[$i]['total'] = (double)$ds[1];
$arr[$i]['up'] = (double)$ds[2];
$arr[$i]['down'] = (double)$ds[3];
$arr[$i]['flowcnt'] = (int)$ds[4];
$arr[$i]['devid'] = $devid;

if ($ds[5] == "$")
$arr[$i]['account'] = "";
else $arr[$i]['account'] = $ds[5];

$arr[$i]['maxout'] = (double)$ds[6];
$arr[$i]['maxin'] = (double)$ds[7];
$arr[$i]['sum_inter'] = (int)$ds[8];
$arr[$i]['inter'] = (int)$ds[9];

$i++;
}

$json['x'] = $arrxaxis;
$json['y'] = $arrxyaxis;
$json['detail'] = $arr;
echo json_encode($json);
?>

Exactly as in the first two locations, devid, ip, topip, type and errname go straight into exec() unescaped, which yields command execution.

Location 4

/Flow/iptrend.php

Code:
<?php
set_time_limit(0);
date_default_timezone_set('PRC');
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

// Query-string parameters, unvalidated. color only labels the JSON series and
// never reaches the shell; devid, ip, type and errname do.
$devid = $_GET['devid'];
$ip = $_GET['ip'];
$strstart = $_GET['tmstart'];
$strend = $_GET['tmend'];
$dis_type = $_GET['type'];
$color = $_GET['color'];
$errfile = _CHECKING_STATUS_F.'/'.$_GET['errname'];

$colors = explode(',', $color);

if ($ip == "")
$ip = "**.**.**.**-**.**.**.**";

$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-360*60;
$elong = $longend;
$tables = $slong."/".$elong;

$tablefile = php_getiptable($strstart, $strend, $devid);

// Sink: unescaped interpolation into exec(), as in the other three scripts.
exec(LOGDPATH."/bin/logeye iptrend $devid $ip $longstart $longend $tablefile $dis_type $errfile", $output, $return);
$i = 0;
$app = 0;
$appup = 0;
$appdown = 0;
$appflow = 0;
$currtype = "";
$data = array();
$seriesup = array();
$seriesdown = array();
$seriesflow = array();

// First pass: count the DATA rows in the first series to learn the slot size.
$slot = 0;
foreach($output as $val){
$ds = explode(' ', $val);
if ($ds[0] == "TAG"){
if ($slot != 0)
break;
}

if ($ds[0] == "DATA")
$slot++;
}
// Second pass: split the output into up/down/flow series for the chart.
foreach($output as $val){
$ds = explode(' ', $val);

if ($ds[0] == "TAG"){
if ($ds[1] == "DATEUP"){
$currtype = "DATEUP";
$seriesup[$appup]['name'] = long2ip($ds[2]);
$seriesup[$appup]['color'] = "#".$colors[$app];
}
if ($ds[1] == "DATEDOWN"){
$currtype = "DATEDOWN";
$seriesdown[$appdown]['name'] = long2ip($ds[2]);
$seriesdown[$appdown]['color'] = "#".$colors[$app];
}
if ($ds[1] == "DATEFLOW"){
$currtype = "DATEFLOW";
$seriesflow[$appflow]['name'] = long2ip($ds[2]);
$seriesflow[$appflow]['color'] = "#".$colors[$app];
}
}

if ($ds[0] == "DATA"){
$data[$i]['x'] = (int)$ds[1] * 1000;
$data[$i++]['y'] = (int)$ds[2];

if (count($data) == $slot){
if ($currtype == "DATEUP")
$seriesup[$appup++]['data'] = $data;
if ($currtype == "DATEDOWN")
$seriesdown[$appdown++]['data'] = $data;
if ($currtype == "DATEFLOW")
$seriesflow[$appflow++]['data'] = $data;
unset($data);
$i = 0;
}
}
}

$json = array();
$json['result_up'] = $seriesup;
$json['result_down'] = $seriesdown;
$json['result_flow'] = $seriesflow;
echo json_encode($json);
?>

Same as above: devid, ip, type and errname are interpolated unescaped into the exec() call. (color is only used to colour the JSON series and never reaches the shell.)
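The script below is an added example, not code from the original report or from Panabit. It models the command-line construction shared by the four Flow/*.php scripts above (ipsegtrend, ipapplist, iptop, iptrend), runs the resulting line through /bin/sh the way PHP's exec() does, and places a hardened builder beside it that whitelists each argument and quotes it with shlex.quote(), the counterpart of PHP's escapeshellarg(). Assumptions: echo stands in for the logeye binary so the example runs without the product; the "a-b" IP-range form is taken from the defaults visible in iptop.php and iptrend.php; the type whitelist is the four values iptop.php branches on; the devid payload and timestamps are constructed.

```python
"""Vulnerable vs hardened command construction for the Panabit Flow/*.php exec() calls."""
import ipaddress
import re
import shlex
import subprocess

# The only values of 'type' the scripts ever act on (see the branches in iptop.php).
ALLOWED_TYPES = {"up", "down", "total", "flow"}


def build_vulnerable(devid, ip, longstart, longend, dis_type):
    """Mirror of ipsegtrend.php: raw interpolation, no validation, no quoting.
    'echo' replaces the logeye binary (assumption) so the line is observable."""
    return f"echo ipsegtrend {devid} {ip} {longstart} {longend} {dis_type}"


def validate_ip(ip):
    """Accept a single IPv4 address or an 'a-b' range, the form the scripts default to."""
    for part in ip.split("-", 1):
        ipaddress.IPv4Address(part)  # raises ValueError on anything that is not an address
    return ip


def build_hardened(devid, ip, longstart, longend, dis_type):
    """Whitelist every argument, then quote it so the shell sees exactly one word."""
    if not re.fullmatch(r"[0-9]+", str(devid)):
        raise ValueError("devid must be a decimal integer")
    if dis_type not in ALLOWED_TYPES:
        raise ValueError("type must be one of " + ", ".join(sorted(ALLOWED_TYPES)))
    args = [str(int(devid)), validate_ip(ip), str(int(longstart)), str(int(longend)), dis_type]
    # shlex.quote() here plays the role escapeshellarg() should play in the PHP.
    return "echo ipsegtrend " + " ".join(shlex.quote(a) for a in args)


def run(cmd):
    """Hand the line to /bin/sh exactly as exec() does; every extra output line
    is an extra command that the shell ran."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.splitlines()


def demo():
    payload = "1;echo INJECTED"  # constructed attacker value for devid
    start, end = 1451606400, 1451692800  # what strtotime() would return for two dates
    vulnerable = run(build_vulnerable(payload, "10.0.0.1", start, end, "up"))
    try:
        build_hardened(payload, "10.0.0.1", start, end, "up")
        hardened = "accepted"
    except ValueError as e:
        hardened = "rejected: " + str(e)
    # Quoting alone (defence in depth if validation is ever bypassed) keeps the
    # payload inside a single argument instead of starting a second command.
    quoted_only = run("echo ipsegtrend " + shlex.quote(payload))
    benign = run(build_hardened("1", "10.0.0.1-10.0.0.254", start, end, "up"))
    return vulnerable, hardened, quoted_only, benign


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With the vulnerable builder the shell prints two lines, the second being the injected command's output; the hardened builder rejects the same devid outright, and even plain quoting turns the payload into one literal argument.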

Arbitrary file deletion

deletefile.php in the web root

Code:
<?php
$doc = $_SERVER["DOCUMENT_ROOT"];
include($doc."/common.php");

// No authentication and no path restriction: the POST value is used as-is.
$filename = $_POST['filename'];

// Any file the web server user may unlink, anywhere on disk, is deleted.
if (file_exists($filename)){
unlink($filename);
outputres("yes", "Operation succeeded");
exit;
}

outputres("no", "Operation failed: file does not exist");
?>

The variable $filename is attacker-controlled; if the file exists, unlink() deletes it. There is no login check and no restriction on the path, so any file writable by the web server account (an absolute path works directly, no traversal needed) can be removed. The script reads $_POST, so the parameter must be sent in a POST body:

http://<address>/deletefile.php with POST data filename=
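The following is an added example, not code from the original report or from Panabit. It shows the check deletefile.php lacks: resolve the requested name with realpath(), confine it to a fixed directory, and refuse directories, absolute paths, traversal and symlinks that lead outside. The directory layout it builds (an uploads directory with a deletable file, a file outside it, and a planted symlink) is constructed for the demonstration; the web server's real directory and the authentication check that must precede this are assumptions not shown here.

```python
"""Confined replacement for the unlink() in deletefile.php, with a self-contained demo."""
import os
import shutil
import tempfile


def safe_delete(base_dir, filename):
    """Delete filename only if it resolves to a regular file inside base_dir.
    Returns True on deletion, False on refusal (the yes/no of outputres())."""
    base = os.path.realpath(base_dir)
    if not filename or "\x00" in filename or os.path.isabs(filename):
        return False  # absolute paths and NUL bytes are never accepted
    # realpath() collapses ../ components and follows symlinks before the check.
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        return False  # resolved outside the directory (traversal or symlink escape)
    if not os.path.isfile(target):
        return False  # directories and missing files are refused
    os.remove(target)
    return True


def demo():
    """Constructed layout: <tmp>/uploads/report.txt is deletable, <tmp>/secret.txt must survive."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    inside = os.path.join(uploads, "report.txt")
    outside = os.path.join(root, "secret.txt")
    for path in (inside, outside):
        with open(path, "w") as f:
            f.write("x")
    os.symlink(outside, os.path.join(uploads, "link"))  # symlink planted inside the directory
    results = {
        "traversal": safe_delete(uploads, "../secret.txt"),
        "absolute": safe_delete(uploads, outside),
        "symlink": safe_delete(uploads, "link"),
        "directory": safe_delete(uploads, "."),
        "legit": safe_delete(uploads, "report.txt"),
        "outside_survives": os.path.exists(outside),
        "inside_gone": not os.path.exists(inside),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The symlink case is why the prefix check runs on the realpath() result rather than on the joined string: a link planted inside the allowed directory would otherwise pass a textual check and still unlink the target outside it.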

Proof of vulnerability:

Proof for location 1

(screenshot)

After the request executes, a file named 665.php is created in the web root.

Proof for location 2

(screenshot)

After the request executes, a file named 1123.php is created in the web root.

The remaining locations behave identically, so they are not demonstrated one by one.

Some internet-facing instances:

**.**.**.**/

**.**.**.**/

**.**.**.**

Fix recommendation:

Set permissions: require authentication before any of these scripts run. In addition, validate each parameter against its expected form (an integer devid, an IP address or range, a type from the fixed list) or wrap it with escapeshellarg() before it is concatenated into the exec() command line, and make deletefile.php resolve the filename with realpath() and refuse anything outside a fixed directory.

Copyright notice: when reposting, credit the source: komas@WooYun
