LuManager high-risk SQL injection 0day analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201569823
Type myhack58
Reporter 佚名
Modified 2015-12-08T00:00:00


2 0 1 5 year 9 month 7 day Ali cloud shield situational awareness system captures the LuManager system of 0day a gold that confirmed that the vulnerabilities once a hacker can use directly to the highest authority of the login background, upload webshell, the control system database, the operation of the virtual host, the consequences could be disastrous. LuManager description: LuManager is based on FreeBSD, Zijidelu, the Debian, Centos, Ubuntu and other Linux/Unix systems Web Server Management Software, there are currently a large number of domestic users. Vulnerability to capture: 2 0 1 5 year 9 month 6 days, by Ali cloud-cloud shield situational awareness system, in the abnormal traffic, we found a hacker using LuManager system to obtain the webshell, the capture of the attacker one attack payload: ! Vulnerability reproduction: the In the vulnerability database, we did not find the system there is a security vulnerability, suggesting that the vulnerability for a gold 0day for. Our first time on the payload were to reproduce: to LuManager, version 2. 0. 9 9, The index. php? m=Public&a=login sends the post data packet, after the submission directly to bypass the login authentication into the background, and executes the payload in the SQL statement: ! Vulnerability analysis: Official download of the latest version of Lumanager(2.0.99, the 登陆 验证 的 代码 位于 /Lib/Action/PublicAction.php That LuManager the core code using the Zend encryption and code obfuscation, the controllers directory of the code after decryption, the function name, the class name cannot be restored, the code readability is poor, from the trigger location to find the vulnerability causes is more difficult. We replace the idea to locate the vulnerability position, Lumanager using Thinkphp framework development, the framework code is not encrypted, open ThinkPHP framework trace mode for debugging, to crawl to a normal landing and send the payload when the SQL statement is as follows: ! By execution of the SQL results of the analysis, payload trigger, SQL statement, User. user field values and not single quotes surrounded, while this variable can be controlled, leading toSQL injectionvulnerabilities. Determined to be located in the where condition to trigger theSQL injection, to continue the tracking code,/Sys/Lib/Think/Db/Db.class.php 4 0 0 lines, parseWhere()function within the code: if ( "exp" == via strtolower( $val[$i][0] ) ) { $whereStr .= "(".$ key." ".$ data.") ".$ rule." "; } From the above code we can see: when incoming where condition is an array, and the array of the first element value is“exp”, will directly splice$val[$i][1]to the SQL statement The where conditions, because there is no single quotes, and therefore not subject to the global addsalash escape the impact. parseWhere()function in the upper layer is called, if there is no check incoming variables the type of the directly controllable parameters of the incoming, the attacker using this feature you can construct a malicious SQL. LuManager in the login verification code, the$_POST[‘user’]parameter passed into the parseWhere()function, the structure of the parameters is an array type, you can trigger the execution of malicious SQL. Since the vulnerability is the landing position of the trigger of theSQL injection, we can simplify the payload, the structure constant true condition, the use of”universal password”login background: POST: /index. php? m=Public&a=login user[0]=exp&user[1]==1)) or 1 – Submit directly to the administrator identity into the background. LuManager landing location has the verification code mechanism, the transmission payload when the need first to identify the verification code, you can use the OCR library to automatically identify the verification code, for automated detection: ! From the vulnerability causes that the vulnerability is the essence thinkphp framework is itself a characteristic(Or vulnerability),@phith0n has been submitted through the thinkphp framework, the presence of security issues but there is still a lot based on thinkphp framework for the development of the system and was not aware of this serious problem, the presence of vulnerabilities not only LuManager recommended thinkphp developers check their products whether there is the same problem. Vulnerability impact: The vulnerability affects LuManager 2.1.1 the following for all versions, an attacker can directly to the highest authority of the login background, upload webshell, the control system database, the operation of the virtual host. During the test, we found that the background can add a scheduled task, the scheduled task will be to root the timing of the implementation, the attacker goes into the background after the Get system root permission. Vulnerability fix: The vulnerability we have been informed vendors, 9 December 8 a.m. manufacturers release upgrades, and Ali cloud security team to thank. Currently the latest version is 2. 1. 2, users are advised to upgrade as soon as possible to the latest version 2. 1. 2。