神刀安全网

漏洞标题: 安美世纪自主研发的酒店高速互联网接入及综合管理服务系统设备任意命令执行&存储型XSS

漏洞详情

披露状态:

2016-03-07: 细节已通知厂商并且等待厂商处理中
2016-03-11: 厂商已经确认,细节仅向厂商公开
2016-03-14: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-05-05: 细节向核心白帽子及相关领域专家公开
2016-05-15: 细节向普通白帽子公开
2016-05-25: 细节向实习白帽子公开
2016-06-09: 细节向公众公开

简要描述:

任意命令执行漏洞&存储型XSS(只需登录系统立刻触发)

详细说明:

任意命令执行/manager/radius/server_ping.php

code 区域
<?
if (!isset($ip) || $ip == "" || !isset($id) || $id == "") exit;

$cmd = "ping -c 2 -s 65 $ip";
$fp = popen($cmd, "r");
$getString = "";
if ($fp) {
while (($line = fgets($fp, 512))) {
$getString .= trim($line);
}
pclose($fp);

}

if (strstr($getString, "2 received, 0%")) {
echo "<html><body><script language=/"javascript/">/n";
echo "parent.doTestResult('$id', 'ok');/n";
echo "</script></body></html>/n";
} else {
echo "<html><body><script language=/"javascript/">/n";
echo "parent.doTestResult('$id', 'no');/n";
echo "</script></body></html>/n";
}
?>

模板功能设置页面/language.php未授权访问,能任意修改系统功能名称导致存储型XSS跨站漏洞。

code 区域
<?
/*
功能:添加语言文字页面

mysql> desc T_Lang;
+-----------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+----------------+
| SerialID | int(16) | NO | PRI | NULL | auto_increment |
| LangID | varchar(128) | NO | | | |
| LangName | varchar(255) | NO | | | |
| LangEName | varchar(255) | YES | | | |
| LangType | varchar(64) | NO | | | |
+-----------+--------------+------+-----+---------+----------------+

mysql> desc T_LangMenu;
+----------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+----------------+
| SerialID | int(16) | NO | PRI | NULL | auto_increment |
| MenuName | varchar(128) | NO | | | |
+----------+--------------+------+-----+---------+----------------+

*/
include_once ("mysql.php");
$dblang = new newDB();
$showResult = "";
if (!isset($SerialID)) $SerialID = "";
if (!isset($LangType)) $LangType = "";
if (!isset($LangID)) $LangID = "";
if (!isset($LangName)) $LangName = "";
if (!isset($LangEName)) $LangEName = "";
if (!isset($Type)) $Type = "";
if (!isset($Flag)) $Flag = "";
if (!isset($Search)) $Search = "";
if (!isset($TitleList)) $TitleList = "";
if (!isset($Lately)) $Lately = "";
if (!isset($doWrite)) $doWrite = "";
if (!isset($EditStatus)) $EditStatus = "";
if (!isset($doAddMenu)) $doAddMenu = "";
if (!isset($MenuName)) $MenuName = "";

$LangID = str_replace("'", "", $LangID);
$LangName = str_replace("'", "", $LangName);
$LangEName = str_replace("'", "''", $LangEName);
$LangName = str_replace("//t", "", $LangName);
$LangEName = str_replace("//t", "", $LangEName);
$Search = str_replace("'", "", $Search);
$MenuName = str_replace("'", "", $MenuName);

if (strcasecmp($doWrite, "ok") == 0) {
$cn_file = "/usr/eflow/hibos/include/lang_cn.php";
$en_file = "/usr/eflow/hibos/include/lang_en.php";

$get_string_cn = "<?/n/*/n * 功能:简体中文语言/n *//n/n/$CHARSET = /"GB2312/";/n/$lang = array/n(/n";
$get_string_en = "<?/n/*/n * 功能:英文语言/n *//n/n/$CHARSET = /"UTF-8/";/n/$lang = array/n(/n";
$title_stats = "";
$sqlcmd = "select LangID, LangName, LangEName, LangType from T_Lang order by LangType, LangID ASC";
$result = $dblang->query($sqlcmd);
while ($result && ($row = $dblang->fetch_row($result)) != false) {
if ($row[3] != $title_stats) {
$get_string_cn .= "/t//".$row[3]."/n";
$get_string_en .= "/t//".$row[3]."/n";
$title_stats = $row[3];
}
$get_string_cn .= "/t'".$row[0]."' => '".str_replace("'", "//'", $row[1])."',/n";
$get_string_en .= "/t'".$row[0]."' => '".str_replace("'", "//'", $row[2])."',/n";
}

$get_string_cn .= "'');/n/n?>";
$get_string_en .= "'');/n/n?>";

$result_cn = 0;
$cnfd = fopen($cn_file, 'w');
if ($cnfd) {
$result_cn = 1;
fputs($cnfd, $get_string_cn);
fclose($cnfd);
}

$result_en = 0;
$enfd = fopen($en_file, 'w');
if ($enfd) {
$result_en = 1;
fputs($enfd, $get_string_en);
fclose($enfd);
}

echo "<html>/n";
echo "<body>/n";
echo "<script language=/"JavaScript/">/n";
if ($result_cn && $result_en) {
echo "alert('写文件成功!');/n";
} else {
echo "alert('写文件失败!');/n";
}
echo "</script>/n";
echo "</body>/n";
echo "</html>/n";
exit;
}

if (strcasecmp($doAddMenu, "ok") == 0) {

if ($MenuName != "") {
$sqlcmd = "insert into T_LangMenu (MenuName) values ('$MenuName')";
$result = $dblang->query($sqlcmd);
} else
$result = 0;

if ($result)
$showResult = "标示位置添加成功!";
else
$showResult = "标示位置添加失败!";
}

if (isset($UID) && $UID == "add") {
//添加
$sqlcmd = "select LangName from T_Lang where LangID='$LangID'";
$result = $dblang->query($sqlcmd);
if ($result && $dblang->num_rows($result) > 0) {
$showResult = "下标ID已经存在!";
} else {
$sqlcmd = "insert into T_Lang(LangID,LangName,LangEName,LangType)";
$sqlcmd .= "values('$LangID','$LangName','$LangEName','$LangType')";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$LangID => $LangName 已添加完成!";
$LangID = "";
$LangName = "";
$LangEName = "";
$LangType = "";
} else {
$showResult = "$LangID => $LangName 添加失败!";
}
}

} else if (isset($Flag) && $Flag == "edit") {
$sqlcmd = "select LangID, LangName, LangEName, LangType, SerialID from T_Lang where LangID='$id'";
$result = $dblang->query($sqlcmd);
if ($result && ($row = $dblang->fetch_row($result)) != false) {
$LangID = $row[0];
$LangName = $row[1];
$LangEName = $row[2];
$LangType = $row[3];
$SerialID = $row[4];
} else {
$Flag = "";
}

} else if (isset($UID) && $UID == "edit" && $SerialID != "") {
$sqlcmd = "update T_Lang set LangID='$LangID', LangName='$LangName', LangEName='$LangEName', LangType='$LangType' where SerialID='$SerialID'";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$LangID => $LangName 已修改完成!";
$LangID = "";
$LangName = "";
$LangEName = "";
$LangType = "";
} else {
$showResult = "$LangID => $LangName 修改失败!";
}

} else if (isset($UID) && $UID == "del") {
$sqlcmd = "delete from T_Lang where LangID='$id'";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$id 已删除完成!";
} else {
$showResult = "$id 删除失败!";
}
}

?>
<html>
<title>语言管理</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link REL="STYLESHEET" TYPE="text/css" HREF="/script/style.css">
<script language="JavaScript" src="/script/string.js"></script>
<script language="JavaScript" src="/script/flybar.js"></script>
<script language="JavaScript">
function docheck(form)
{
form.LangID.value = trim(form.LangID.value);
if (form.LangID.value == "") {
alert("下标ID不允许空");
form.LangID.focus();
return false;
}
form.LangName.value = trim(form.LangName.value);
if (form.LangName.value == "") {
alert("中文语言内容不允许空");
form.LangName.focus();
return false;
}
form.LangEName.value = trim(form.LangEName.value);
if (form.LangEName.value == "") {
alert("英文语言内容不允许空");
form.LangEName.focus();
return false;
}
if (form.LangType.value == "") {
alert("请选择标示位置");
return false;
}
return true;
}

function doWriteLang()
{
var ifr = document.createElement("IFRAME");
ifr.frameBorder = 0;
ifr.scrolling = "no";
ifr.width = 0;
ifr.height = 0;
ifr.src = "language.php?doWrite=OK";
document.body.appendChild(ifr);
}

function addMenuName()
{
var getNamestr = trim(document.getElementById('MenuName').value);
if (getNamestr == "") {
alert("标示位置不允许空!");
return;
}
document.getElementById('divBar').style.visibility = "hidden";

var ifr = document.createElement("IFRAME");
ifr.frameBorder = 0;
ifr.scrolling = "no";
ifr.width = 0;
ifr.height = 0;
ifr.src = "language.php?doAddMenu=OK&MenuName=" + getNamestr;
document.body.appendChild(ifr);
}
</script>
<body>
<br>
<center>
<form action="language.php" method="post">
<input type="hidden" name="EditStatus" value="<? echo $EditStatus ?>">
<table width="750" height="35" border="1" cellpadding="0" cellspacing="0" style="margin:7px">
<tr><td width="100%" height="35" align="left" style="padding-left:20px"><b>语言内容查找(中英):</b> <input type="text" name="Search" value="" size="30"> <input type="submit" name="submit2" value=" 查 找 ">
&nbsp;&nbsp;<span style="width:30px">&nbsp;</span> <input type="button" name="btn_lately" value="最新记录" onclick="location.href='language.php?EditStatus=<? echo $EditStatus ?>&Lately=ok'">&nbsp;&nbsp;
<input type="button" name="btn_title" value="列标题" onclick="location.href='language.php?EditStatus=<? echo $EditStatus ?>&TitleList=ok'">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="button" name="btn_title" value="写文件" onclick="doWriteLang();">
</table>
</form>
<form action="language.php" method="post" onsubmit="return docheck(this)">
<input type="hidden" name="UID" value="<? if ($Flag != "") echo "edit"; else echo "add"; ?>">
<input type="hidden" name="Type" value="<? echo $Type ?>">
<input type="hidden" name="SerialID" value="<? echo $SerialID ?>">
<input type="hidden" name="EditStatus" value="<? echo $EditStatus ?>">
<input type="hidden" name="Search" value="<? echo $Search ?>">
<input type="hidden" name="Lately" value="<? echo $Lately ?>">
<table width="750" height="200" border="1" cellpadding="0" cellspacing="0" style="margin:7px">
<tr><td width="32%" height="200" align="left" style="padding-left:10px"><b>标示位置<?if($TitleList=="" && $Type==""){?>[<a href="javascript:void(0);" onclick="divBar.style.visibility='visible';">增</a>]<?}?>:</b><br>
<select name="LangType" size="20" style="width:200px;height:180px">
<?
if ($Type != "" && $Flag == "") {
?>
<option value="<? echo $Type ?>" selected><? echo $Type ?></option>
<?
} else {
$sqlcmd = "select MenuName from T_LangMenu order by MenuName ASC";
$result2 = $dblang->query($sqlcmd);
while ($result2 && ($row2 = $dblang->fetch_row($result2)) != false) {
?>
<option value="<? echo $row2[0] ?>"<? if ($Flag != "" && $LangType == $row2[0]) echo " selected"; ?>><? echo $row2[0] ?></option>
<?
} //while end
} //if end
?>
</select><font color="#CC0000">*</font>
</td>
<td width="53%" align="left" style="padding-left:20px">
<b>下标ID:</b><br>
<input type="text" name="LangID" value="<? echo $LangID ?>" maxlength="127" size="36" onBlur="this.value=trim(this.value)" <? if ($EditStatus == "" && $Flag != "") echo "style='background-color:#EFEFEF' readonly"; ?>><font color="#CC0000">*</font>
<br><p>
<b>语言内容(中文):</b><br>
<input type="text" name="LangName" value="<? echo $LangName ?>" maxlength="2000" size="48" onBlur="this.value=trim(this.value)"><font color="#CC0000">*</font>
<br><p>
<b>语言内容(英文):</b><br>
<input type="text" name="LangEName" value="<? echo $LangEName ?>" maxlength="2000" size="48" onBlur="this.value=trim(this.value)"><font color="#CC0000">*</font>
</td>
<td width="15%" align="center"><input type="submit" name="submit" value=" <? if ($Flag != "") echo "修 改"; else echo "添 加"; ?> "></td></tr>
</table>
</form>
</center>
<p>
<div align="left">
<?
$lang = array();
$show_string = "";
$sqlcmdlang = "select LangID, LangName, LangType, LangEName from T_Lang where 1=1 ";
if ($Type != "") $sqlcmdlang .= "and LangType='$Type' ";
if ($Search != "") $sqlcmdlang .= "and (LangName like '%$Search%' or LangEName like '%$Search%') ";
if ($Lately != "") {
$sqlmax = "select Max(SerialID) from T_Lang";
$resultn = $dblang->query($sqlmax);
$nmax = 0;
if ($resultn && ($rowl = $dblang->fetch_row($resultn)) != false) {
$nmax = $rowl[0] ? $rowl[0] : 0;
}
$sqlcmdlang .= "and SerialID>'".($nmax > 0 ? ($nmax-300) : 0)."' order by LangType, SerialID desc";
} else
$sqlcmdlang .= "order by LangType, SerialID";
$resultlang = $dblang->query($sqlcmdlang);
while ($resultlang && ($rowlang = $dblang->fetch_row($resultlang)) != false) {
if (!isset($lang[$rowlang[2]])) {
$lang[$rowlang[2]] = $rowlang[2];
$show_string .= "<br><b><span style='padding-left:15px'>[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$rowlang[2]'>$rowlang[2]</a>]</span></b><br>/n";
}
$cstrlang = str_replace("<", "&lt;", $rowlang[1]);
$cstrlang = str_replace(">", "&gt;", $cstrlang);
$estrlang = str_replace("<", "&lt;", $rowlang[3]);
$estrlang = str_replace(">", "&gt;", $estrlang);
$show_string .= "<span style='padding-left:40px'>[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$Type&Flag=edit&id=${rowlang[0]}&Search=$Search'>改</a>]";
if ($EditStatus != "") {
$show_string .= " [<a href=/"javascript:if(confirm('确定删除下标为$rowlang[0]的记录吗?')) location='language.php?Lately=$Lately&EditStatus=$EditStatus&UID=del&Type=$Type&id=${rowlang[0]}&Search=$Search';/">删</a>]";
}
$show_string .= " &nbsp; <font color='#CC0000' size='2'>'$rowlang[0]'</font> => <font color='#00CC00' size='2'>'$cstrlang'</font> => <font color='#00CC00' size='2'>'$estrlang'</font></span><br>/n";
}

if ($Type == "" && $Flag == "") {
echo "<div align=/"left/" style=/"margin:0px 10px;/">";
$last_str = "";
while (list($key, $value) = each($lang)) {
if (substr($value, 0, 2) != $last_str) {
echo "<br>";
$last_str = substr($value, 0, 2);
}
echo "&nbsp;[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$key'><b>$value</b></a>]&nbsp;&nbsp;";
}
echo "</div><br>";
}

if ($TitleList == "ok") {
echo "</div>/n</body>/n</html>/n";
exit;
}

if ($Flag == "") {
echo $show_string;
}
?>
</div>
<br>
<?
if ($showResult != "") {
?>
<script language="JavaScript">
alert("<? echo $showResult ?>");
</script>
<?
}


if ($Flag != "") {
echo "<center><input type='button' name='btn_return' value=' 返 回 ' onclick=/"location='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$Type&Search=$Search'/"></center>/n";
} else if ($Type != "") {
echo "<center><input type='button' name='btn_return' value=' 返 回 ' onclick=/"location='language.php?Lately=$Lately&EditStatus=$EditStatus'/"></center>/n";
}
?>
<br>

<div id="divBar" style='position:absolute;top:90px;left:200px;visibility:hidden;z-index:100'>
<table cellspacing="0" cellpadding="0" border="1" width="360" height="60">
<tr><td valign="top">
<table border="0" width="100%" height="100%" cellpadding="0" cellspacing="0">
<tr>
<td class="bg2 text-right" width="70%" height="100%"><input type="text" name="MenuName" value="" maxlength="120" size="35"></td>
<td class="bg2 text-left" width="30%" height="100%" style="padding-left:5px;"><input type="button" name="addbtn" value="添加" onclick="addMenuName()">&nbsp;&nbsp;&nbsp;&nbsp;<input type="button" name="closebtn" value="关闭" onclick="divBar.style.visibility='hidden';"></td>
</tr>
</table>
</td></tr>
</table>
</div>
</body>
</html>

漏洞证明:

任意命令执行:

漏洞标题:  安美世纪自主研发的酒店高速互联网接入及综合管理服务系统设备任意命令执行&amp;存储型XSS

漏洞标题:  安美世纪自主研发的酒店高速互联网接入及综合管理服务系统设备任意命令执行&amp;存储型XSS

存储型XSS(只需登录系统立刻触发)

漏洞标题:  安美世纪自主研发的酒店高速互联网接入及综合管理服务系统设备任意命令执行&amp;存储型XSS

漏洞标题:  安美世纪自主研发的酒店高速互联网接入及综合管理服务系统设备任意命令执行&amp;存储型XSS

漏洞标题:  安美世纪自主研发的酒店高速互联网接入及综合管理服务系统设备任意命令执行&amp;存储型XSS

案例:

code 区域
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**:8443/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php
**.**.**.**/manager/login.php

修复方案:

联系厂商

版权声明:转载请注明来源 YY-2012@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 安美世纪自主研发的酒店高速互联网接入及综合管理服务系统设备任意命令执行&存储型XSS

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址