深信服数据中心2.0某处存在命令执行漏洞

没穿底裤 2020年1月1日06:32:29评论1,988 views5字数 5389阅读17分57秒阅读模式
摘要

漏洞文件:/src/acloglogin.php 其实就是引入的弱口令检测存在问题。问题出现在弱口令检测的地方

漏洞文件:/src/acloglogin.php 其实就是引入的弱口令检测存在问题。

<?php
/*
 +-------------------------------------------------------------------------+
 | Copyright (C) 2006
 | File name: acloglogin.php
 | Description:   --> user login
 |
 +-------------------------------------------------------------------------+
 | Author:
 | Date:
 | Email:
 +-------------------------------------------------------------------------+
 | - Related site - http://www.sinfors.com.cn/
 +-------------------------------------------------------------------------+
*/
/*
 Reviewer overview (code below is unchanged; only comments were added or translated).

 Login entry point. In order, the script:
   1. loads the request fields listed in $request_forms via GetFormsRequestValue();
   2. handles logout;
   3. runs an external weak-password check for the submitted user name;
   4. redirects sessions that already carry auth_user;
   5. applies a session-based freeze after repeated failed submissions;
   6. calls $obj->Validate() and, on success, fills the session and emits a
      JavaScript redirect; otherwise it renders the login form again.

 Security-relevant points, each marked inline where it occurs:
   - step 3 builds a shell command from $forms["login_user"] (OS command injection);
   - $location can come from the 'page' request field and is written into a
     Location header and into an inline script;
   - the failed-login counter is kept in $_SESSION only.

 NOTE(review): the sequences /" inside two string literals below look like \"
 with the backslash altered by the page this listing was copied from. They are
 reproduced as shown; confirm against the original file.
*/
require_once("../inc/config.inc.php");//CONFIG_INC_PHP_PATH
require_once(ACLOG_INC_DATAPATH."usrmanage.php");
require_once(ACLOG_LANGPATH."chs.utf8.lang.php");
require_once(ACLOG_INC_CALLPATH."caclogin.php");
require_once(ACLOG_SRCPATH."formparam.php");

// TIME_FREEZE: window, in seconds, used by the login freeze logic below.
define("TIME_FREEZE", 60);
// TIME_COOKIE: value and lifetime, in seconds, used for the LifeTime cookie below.
define("TIME_COOKIE", 3600);
global $arrDB;

// Abort with an error page when not on Linux and $arrDB is null.
if (!WorkOnLinux() && is_null($arrDB))
{
    $errmsg = COMMON_LOG_NO_SYNC_ACCOUNT;
    viewErrmsg($errmsg);
    exit;
}
// Request fields this page reads. The meaning of each three-element spec is
// defined by GetFormsRequestValue() (not shown here); the first element looks
// like a default value — TODO confirm in formparam.php.
$request_forms = array (
        'login_user'      =>  array (null, null, null),
        'login_password'  =>  array (null, null, null),
        'submit'   =>  array(null, null, null),
        'logout'   =>  array(null, null, null),
        'in'       =>  array(null, null, null),
        'login'    =>  array(null, null, null),
        'auth'     =>  array(0, null, null),
        'page'     =>  array("linkconfig.php?in=1", null, null),
        'dkey'     =>  array(null, null, null),
        'dkeylogin'     =>  array(null, null, null),
        );
GetFormsRequestValue($request_forms, $forms);

if ($forms['auth'] == true) {                               // already authenticated
    $forms["login"] = true;
}
global $arrDBSrc, $needDebug;
$obj = new CAcLogin($arrDBSrc, $forms, $needDebug);
global $g_arrScript, $g_arrSkin, $g_page, $g_strLang, $_form;
// Values handed to ShowLogin() when the login form is rendered.
$fields = array (
        "script"    => $g_arrScript,
        "skin"      => $g_arrSkin,
        "page"      => $g_page,
        "lang"      => $g_strLang,
        "form"      => $_form,
        "title"     => "Sinfor AC DataCenter",
      );
if (isset($forms["login"]) || isset($forms["logout"])) {
    $obj->GetData();
}
if (isset($forms["logout"]) && $forms["logout"] == true) {
    $obj->logout();
    $obj->ShowLogin($fields);
    exit;
}

// SECURITY (CWE-78, OS command injection): $forms["login_user"] is concatenated
// into a shell command line with no escaping or validation in this file, and
// the string is handed to system(), which executes it through the shell and
// writes the command's output into the response. The surrounding double quotes
// keep spaces together but do not neutralise shell metacharacters.
// This runs before $obj->Validate() is called further down, so it is reached
// without a successful login.
// NOTE(review): whether GetFormsRequestValue() filters login_user is not
// visible here — confirm in formparam.php.
// Remediation: pass the value through escapeshellarg() instead of hand-written
// quotes, or invoke the helper without a shell, and validate the user name
// format before the call.
$weak_str='/usr/sbin/weakpasscheck -checkuser "' .$forms["login_user"]. '"'; // the user name may contain spaces, so it is wrapped in double quotes
system($weak_str, $weak_status);
// Exit status 1 from both helpers leads to the LOGIN_WEAK_PASS error and stops
// the login; what the helpers test is not visible in this file.
if( $weak_status == 1 ){
    $weak_time_str='/usr/sbin/check_weak_date.sh';
    system($weak_time_str, $weak_time_status);
    if( $weak_time_status == 1 ){
        $strError = LOGIN_WEAK_PASS;
        $obj->AddErrMessage($strError);
        $obj->ShowLogin($fields);
        exit;
    }
}

$nSubmit = 0;
$nAllRight = 0;
// auto-login: the password need not be MD5-hashed here, because the password passed in via GET is already an MD5
$auth = $forms['auth'];
// NOTE(review): when 'in' is set, $location is taken from the 'page' request
// field. It is later interpolated into a Location header and into an inline
// script. Unless GetFormsRequestValue() restricts it, that allows redirects to
// arbitrary targets and script injection — verify and constrain to known pages.
if (isset($forms["in"]) && $forms["in"] == true) {
    $location = $forms['page'];
} else {
    $location = "f.html";
}
$_SESSION["lifeTime"] = TIME_COOKIE;
$hasToLower = $forms["login_user"];
// request comes from the web UI and is already logged in
if(isset($_SESSION["auth_user"])  && $auth == true) {
    // this user is already logged in
    if(($_SESSION["auth_user"] == $hasToLower)) {
        setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"], "/");
        header("Location: $location");          //redirect
        exit;
    } else {// a different web UI user is logging in: log out the previous user
        // mark as offline
        //TODO...
    }
}

// Any session that already carries a non-empty auth_user is redirected without
// re-validation; otherwise a submission counts only if both fields are present.
if(isset($_SESSION["auth_user"]) && strlen($_SESSION["auth_user"])) {
    $strUser = $_SESSION["auth_user"];
    setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"], "/");
    header("Location: $location");          //redirect to the dbm page
    exit;
} else {
    if(isset($forms["login_user"]) && isset($forms["login_password"])) {
        $nSubmit = 1;
    }
}

// read the freeze flag
if(isset($_SESSION["freeze"])) {
    $freeze  = $_SESSION["freeze"];
    $lefttime = time() - $_SESSION["logtime"];
    // The freeze is lifted once more than TIME_FREEZE seconds have passed since
    // logtime, or if the computed difference is negative.
    if($lefttime > TIME_FREEZE || $lefttime < 0) {
        unset($_SESSION["logtime"]);
        unset($_SESSION["logcishu"]);
        unset($_SESSION["freeze"]);

        $freeze = false;
    }
    if($freeze) {
        $strError = LOGIN_TIP1.(TIME_FREEZE - $lefttime).LOGIN_TIP2;
    }
} else {
    $freeze = false;
}


// limit the number of login attempts
$ret = false;
// frozen: skip the login attempt
//print_msg($_COOKIE);


if($freeze == false) {
    if($nSubmit) {
        $ret = $obj->Validate();
        // one login attempt made, increment the counter
    }


    if($ret) {
        $_SESSION["aclog_session"] = 1;
        // NOTE(review): in this file $strUser is assigned only in a branch that
        // exits, and $strPsw is never assigned; unless an included file or
        // Validate() sets them as globals these store undefined values — verify.
        // NOTE(review): the flattened listing does not make clear whether the
        // auth_user_pwd line was commented out in the original file.
        $_SESSION["auth_user"] = $strUser;//
        $_SESSION["auth_user_pwd"] = $strPsw;
        $_SESSION["nAllRight"] = $nAllRight;
        if (isset($_COOKIE["LifeTime"])) {
            //echo "cook LifeTime is seted:".$_COOKIE["LifeTime"];
        }
        else
        {
            // Inline script that sets the LifeTime cookie client-side; the two
            // %d placeholders are filled by sprintf() below.
            $strJScript = ' <script language="javascript">      function SetCookie(name,value)//两个参数,一个是cookie的名子,一个是值      {       var exp  = new Date();           exp.setTime(exp.getTime() + %d*1000);       document.cookie = name + "="+ escape (value) + ";expires=" + exp.toGMTString();      }      SetCookie ("LifeTime", "%d")           </script>';
            // This inner check repeats the condition whose else-branch we are
            // in, so its first arm is not reachable. It would echo the cookie
            // value into a script unescaped, and the closing tag is misspelled.
            if (isset($_COOKIE["LifeTime"])) {
                echo "<script language='javascript'> alert(/"".$_COOKIE["LifeTime"]."/"); </srcipt>";
            }
            else
            {
                //var_dump($_SESSION["lifeTime"]);
                $strJScript = sprintf($strJScript, TIME_COOKIE, $_SESSION["lifeTime"]);
                echo($strJScript);
            }

            //setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"]);
        }
        // Successful login clears the failed-attempt state.
        unset($_SESSION["logtime"]);
        unset($_SESSION["logcishu"]);
        unset($_SESSION["freeze"]);
        //die();
        $javascript = "";
        if ($forms["in"]) {
            $javascript .= 'if(typeof(eval("window.parent.frames[/"topFrame/"]")) != "undefined")window.parent.frames["topFrame"].location.reload();if(typeof(eval("window.parent.frames[/"leftFrame/"]")) != "undefined")window.parent.frames["leftFrame"].location.reload();';
        }
        // $location is placed inside a single-quoted JavaScript string with no
        // escaping; see the note where $location is assigned.
        $javascript .= "location.href='$location'";
        echo "<script>$javascript</script>";
        exit;
    } else {
        if($nSubmit) {
            // Failed submission: bump the counter (read before it is first set),
            // stamp the time of the first failure, and freeze once there are 3
            // or more failures within TIME_FREEZE seconds of that first failure.
            // NOTE(review): the counter lives in $_SESSION, so it presumably only
            // throttles a client that keeps its session cookie — confirm whether
            // a server-side per-account limit exists elsewhere.
            $_SESSION["logcishu"] = $_SESSION["logcishu"] +1;
            if($_SESSION["logcishu"] == 1) {
                $_SESSION["logtime"] = time();
            }
            $lefttime = time() - $_SESSION["logtime"];
            if(($lefttime < TIME_FREEZE) && $_SESSION["logcishu"] >= 3) {
                // set the freeze flag
                $_SESSION["freeze"] = true;
            }
        }
    }
}
//print_msg($strError, 10);

// $strError is set only in some branches above; is_empty() is defined elsewhere.
if (!is_empty($strError))
    $obj->AddErrMessage($strError);

//print_msg($_SESSION, 10);
//print_msg($fields, 10);
$obj->ShowLogin($fields);
?>

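问题出现在弱口令检测的地方:登录表单提交的 login_user 在这个文件里没有经过任何过滤或转义,就被直接拼接进交给 system() 执行的 shell 命令行;而且这段检测位于 $obj->Validate() 校验口令之前,也就是说不需要登录成功就会执行到这里。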

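 // Weak-password check for the submitted login name, shown here in remediated form.
 //
 // The shipped code wrapped $forms["login_user"] in hand-written double quotes
 // and concatenated it into the command string. Double quotes keep spaces
 // together but leave shell metacharacters active, so the value could change
 // the command that system() runs (CWE-78). In acloglogin.php this check sits
 // before the password is validated.
 //
 // escapeshellarg() quotes the value as exactly one shell argument, which also
 // covers user names containing spaces. The (string) cast keeps a missing
 // field behaving as an empty argument.
 //
 // NOTE(review): escapeshellarg() only protects the shell layer. A name that
 // begins with "-" could still be read as an option by weakpasscheck, and
 // escapeshellarg() can drop bytes that are invalid in the current locale.
 // Validate the user name format before this call, and confirm the locale if
 // account names may be non-ASCII.
 $weak_str = '/usr/sbin/weakpasscheck -checkuser ' . escapeshellarg((string) $forms["login_user"]);
 system($weak_str, $weak_status);

 // Exit status 1 from both helpers blocks the login with LOGIN_WEAK_PASS.
 if ($weak_status == 1) {
     // Fixed command line with no request data in it.
     $weak_time_str = '/usr/sbin/check_weak_date.sh';
     system($weak_time_str, $weak_time_status);
     if ($weak_time_status == 1) {
         $strError = LOGIN_WEAK_PASS;
         $obj->AddErrMessage($strError);
         $obj->ShowLogin($fields);
         exit;
     }
 }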

深信服数据中心2.0某处存在命令执行漏洞。好吧,命令执行才是关键。修复思路:用户名先用 escapeshellarg() 处理后再拼接命令(或改用不经过 shell 的调用方式),并在调用前校验用户名格式。
深信服数据中心2.0某处存在命令执行漏洞

没穿底裤
  • 本文由 发表于 2020年1月1日06:32:29
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   深信服数据中心2.0某处存在命令执行漏洞https://cn-sec.com/archives/76932.html
