某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

admin
admin
admin
139598
文章
114
评论
2017年4月19日11:45:55评论309 views字数 282阅读0分56秒阅读模式
摘要

2016-02-29: 细节已通知厂商并且等待厂商处理中
2016-03-04: 厂商已经确认,细节仅向厂商公开
2016-03-07: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息)
2016-04-28: 细节向核心白帽子及相关领域专家公开
2016-05-08: 细节向普通白帽子公开
2016-05-18: 细节向实习白帽子公开
2016-06-02: 细节向公众公开

漏洞概要 关注数(25) 关注此漏洞

缺陷编号: WooYun-2016-179441

漏洞标题: 某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

相关厂商: I-SDN

漏洞作者: YY-2012

提交时间: 2016-02-29 12:00

公开时间: 2016-06-02 19:30

漏洞类型: 设计缺陷/逻辑错误

危害等级: 高

自评Rank: 20

漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 设计缺陷/边界绕过 逻辑错误 设计不当导致攻击界面扩大

2人收藏

漏洞详情

披露状态:

2016-02-29: 细节已通知厂商并且等待厂商处理中
2016-03-04: 厂商已经确认,细节仅向厂商公开
2016-03-07: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-04-28: 细节向核心白帽子及相关领域专家公开
2016-05-08: 细节向普通白帽子公开
2016-05-18: 细节向实习白帽子公开
2016-06-02: 细节向公众公开

简要描述:

十几万的设备你敢买吗?

详细说明:

第一处注入/analytics/bal/bal_chart_line_status.php

code 区域 
//********************************************流量上行和下行统计**********************************************//
  if($_GET["act"]=="hours"){
   //按小时统计上行平均流量和下行平均流量,每分钟一笔数据
   $value=$_GET["val"];
   $date=$_GET["date"];
   if($value != "all"){
    //查询条件不为空,查询域名的访问量
    $and=" and app_name = '".$value."' ";
   }
   if($date==""){
    $sql="select host_ip,date_format(curr_time,'%H:%i') tm,round(sum(aver_tx)/1024,2) txcount,round(sum(aver_rx)/1024,2) rxcount from t_tjbal_host where 
     curr_time between date_format(date_add(now(),interval -1 hour),'%Y-%m-%d %H:%i:00') 
     and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and."  group by date_format(curr_time,'%H:%i'),host_ip 
     order by host_ip asc,curr_time asc ";
   }else{
    $sql="select host_ip,date_format(curr_time,'%H:%i') tm,round(sum(aver_tx)/1024,2) txcount,round(sum(aver_rx)/1024,2) rxcount from t_tjbal_host where 
     curr_time between date_format('".$date."','%Y-%m-%d %H:%i:00') 
     and date_format(date_add('".$date."',interval +1 hour),'%Y-%m-%d %H:%i:59') ".$and."  
     group by date_format(curr_time,'%H:%i'),host_ip order by host_ip asc,curr_time asc ";
   }
 //  print $sql;

第二处注入/analytics/analytics_firewall.php

code 区域 
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchFirewall"){
   $serchtype = $_POST["serchType"];
   $serchname = $_POST["serchinput"];
  }else{
   $serchtype = "type0";
   //分页提交
   if ( isset ( $_POST["action"] ) && $_POST["action"]=="GO"){
    $page = $_POST["p"];
    $serchtype = $_POST["ptype"];
    $serchname = $_POST["pname"];
   }
   
   if ( isset ( $_GET["p"] )){
    $page = $_GET["p"];
    $serchtype = $_GET["serchType"];
    $serchname = $_GET["serchinput"];
   }
  }
  
  $db = new dbBase();
  //数据库连接
  $iRetCon = $db -> dbConnect();
  if($iRetCon!=1)
  {
   print "数据连接失败!";
   return "";
  }
  $and="";
  if($serchname!=""){
   if($serchtype == "type0"){
    //源地址
    $and = " and src_ip like '%".$serchname."%' ";
   }else if($serchtype == "type1"){
    //目标地址
    $and = " and dst_ip like '%".$serchname."%' ";
   }else if($serchtype == "type2"){
    //规则
    $and = " and fire_wall_name like '%".$serchname."%' ";
   }else if($serchtype == "type3"){
    //网口
    $and = " and network_card like '%".$serchname."%' ";
   }
  }
  $sql="select a.host_name,left(a.fire_wall_name,(LENGTH(a.fire_wall_name)-2)) wallname,**.**.**.**work_card,a.src_mac,a.dst_mac,
   a.src_ip,a.dst_ip,a.data_len,a.protocol,a.src_port,a.dst_port,
   a.log_time logtime ,right(fire_wall_name,1) stat 
   from t_log_firewall a  where 1=1 ".$and." order by log_time desc limit ".($page-1)*$pageSize.", ".$pageSize;
 // print $sql;

第三处注入/analytics/bal/bal_chart_line.php

code 区域 
if($_GET["act"]=="hours"){
   //按小时对bal总数量进行统计及单个域名的访问量
   $value=$_GET["val"];
   if($value != "all"){
    //查询条件不为空,查询域名的访问量
    $and=" and application_name = '".$value."' ";
   }
   $sql="select date_format(log_time,'%H:%i') time,sum(app_count) dcount from t_tjbal_time_minute where 
    log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00') 
    and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";
   $arrFi = every5Minute();
   $datajson = lineJson($sql,$arrFi);
   print $datajson;
  }else if($_GET["act"]=="day"){
   //按天对bal总数量进行统计及单个域名的访问量
   $value=$_GET["val"];
   if($value != "all"){
    //查询条件不为空,查询域名的访问量
    $and = " and application_name = '".$value."' ";
   }
   $sql="select concat(date_format(date_add(log_time,interval -2 minute),'%H'),':00') time ,sum(app_count) dcount from t_tjbal_time_minute where 
    date_add(log_time,interval -2 minute) between date_format(date_add(now(),interval -1 day),'%Y-%m-%d %H:00:00')
    and date_format(date_add(now(),interval -1 hour),'%Y-%m-%d %H:59:59')".$and." 
    group by date_format(date_add(log_time,interval -2 minute),'%H') order by log_time asc ";
   $arrFi = every1Hours();
   $datajson = lineJson($sql,$arrFi);
   print $datajson;
  }else if($_GET["act"]=="week"){
   //按周对bal总数量进行统计及单个域名的访问量

第四处注入/analytics/bal/bal_chart_map.php

code 区域 
if($_GET["act"]=="hours"){
   $value=$_GET["val"];
   balMapMinute($value);
  }else if($_GET["act"]=="day"){
   $value=$_GET["val"];
   balLineDays($value);
  }else if($_GET["act"]=="week"){
   $value=$_GET["val"]; 
   balLineWeeks($value);
  }else if($_GET["act"]=="month"){
   $value=$_GET["val"];
   balLineMonth($value);
  }else if($_GET["act"]=="year"){
   $value=$_GET["val"];
   balLineYears($value);
  }
 
  /**
   * 实时查询bal的总数(按照区域查询)实时查询
   */
  function balMapMinute($value){
   $db = new dbBase();
   //数据库连接
   $iRetCon = $db -> dbConnect();
   if($iRetCon!=1){
    print "数据连接失败!";
    return;
   }
   //查询全球地图信息
   $worldArea = getWorldMapDict($db);
   //查询世界的数据(各个区域所有的域名数量)
   if($value != "all"){
    //查询条件不为空,查询域名的访问量
    $and=" and application_name = '".$value."' ";
   }
   $sql="select remark ,sum(app_count) dnum from t_sys_dict a ,t_tjbal_time_minute b
    where  area!='-' and area!='' and remark!='' and a.short_name=substring_index(b.area,'-',1) and
    log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00') 
    and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by remark";
   $worldData = getWorldMapData($db,$sql);
   
   //查询中国的信息
   $sqlc = "select full_name,sum(app_count) dnum from t_sys_dict a ,t_tjbal_time_minute b where 
    a.code like '%ZG%' and code!='ZG' and substring_index(b.area,'-',1)='CN' and a.short_name=substring(b.area,4) and
    log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00') 
    and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by full_name ";
   $chinaData = getChinaMapData($db,$sqlc);

第五处注入/analytics/analytics_bal.php

code 区域 
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchBal"){
   $serchtype = $_POST["serchType"];
   $serchname = $_POST["serchinput"];
   $timestat =  $_POST["serchStart"];
   $timeend =  $_POST["serchEnd"];
  }else{
   $serchtype = "type0";
  }
 // print "=====>".$_POST["action"]."<========";
  
  //分页post提交
  if ( isset ( $_POST["action"]) && $_POST["action"]=="GO"){
   $page = $_POST["p"];
   $serchtype = $_POST["ptype"];
   $serchname = $_POST["pname"];
   $timestat =  $_POST["pStart"];
   $timeend =  $_POST["pEnd"];
 //  print "==>".$serchtype."==>".$serchname."==>".$timestat."==>".$timeend;
  }
  //分页get
  if ( isset ( $_GET["p"] )){
   $page = $_GET["p"];
   $serchtype = $_GET["serchType"];
   $serchname = $_GET["serchinput"];
   $timestat = $_GET["stime"];
   $timeend = $_GET["etime"];
  }
  $db = new dbBase();
  //数据库连接
  $iRetCon = $db -> dbConnect();
  if($iRetCon!=1)
  {
   print "数据连接失败!";
   return "";
  }
  $and="";
  if($serchname!=""){
   if($serchtype == "type0"){
    //策略名称
    $and .= " and application_name like '%".$serchname."%' ";
   }else if($serchtype == "type1"){
    //源地址
    $and .= " and src_ip like '%".$serchname."%' ";
   }else if($serchtype == "type2"){
    //目标地址
    $and .= " and server_name like '%".$serchname."%' ";
   }else if($serchtype == "type3"){
    //状态
    $and .= " and status like '%".$serchname."%' ";
   }
  }
  if($timestat!=""){
   $and .= " and log_time >= date_format('".$timestat."','%Y-%m-%d %H:%i:00') ";
  }
  if ($timeend!=""){
   $and .= " and log_time <= date_format('".$timeend."','%Y-%m-%d %H:%i:59') ";
  }
  
  
  $sql="select host_name,application_name,server_name,src_ip,src_port,action,access_target,datalen,dealtime,status,
   log_time logtime,case when length(access_target)>40 then concat(substr(access_target,1,40),'......') else access_target end netar 
   from t_log_load a where 1=1 ".$and."
   order by log_time desc limit ".($page-1)*$pageSize.", ".$pageSize;
  
 // print $sql."<br/>";
  
  $arrlist = $db->querySqlArray($sql);
  
  
  //查询总页数
  $sqlcou = "select count(1) cou from t_log_load a  where 1=1 ".$and;
  
 // print $sqlcou."<br/>";

第六处注入/analytics/dns/dns_chart_line.php

code 区域 
if($_GET["act"]=="hours"){
   /**
    * 按小时对dns总数量进行统计及单个域名的访问量
    */
   $value=$_GET["val"];
   if($value != ""){
    //查询条件不为空,查询域名的访问量
    $and=" and domain_name like '%".$value."' ";
   }
 //  $sql="select date_format(log_time,'%H:%i') time,sum(domain_count) dcount from t_tjdns_time_minute where 
 //   date_format(log_time,'%Y-%m-%d %H:%i') between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i') 
 //   and date_format(now(),'%Y-%m-%d %H:%i') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";
   $sql="select date_format(log_time,'%H:%i') time,sum(domain_count) dcount from t_tjdns_time_minute where 
    log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00') 
    and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";
   $arrFi = every5Minute();
   $rsjson = lineJson($sql,$arrFi);
   print $rsjson;

第七处注入/analytics/analytics_dns_log.php

code 区域 
<?php 
  include_once "./dbcon/dbBase.php";
  include_once "./dns/time.php";
  date_default_timezone_set('Asia/Shanghai');
  
  $serchname = "";
  $and="";
  if(isset ( $_GET["act"] )){
   //折线图加载log
   $serchname = $_GET["dns"];
   $strtime = getTime($_GET["act"],$_GET["date"]);
   $arrTime = explode("#",$strtime);
   $timestat = $arrTime[0];
   $timeend = $arrTime[1];
  }else if(isset ( $_GET["mapact"] ) && $_GET["mapact"] =="maplog"){
   //地图加载log日志
   $country = $_GET["cy"];
   //print $country."<=======";
   $dnsname = $_GET["dname"];
   $timttype = $_GET["time"];
   $serchname = $dnsname;
   $arrMapTime = explode("#",getMapTime($timttype));
   $timestat = $arrMapTime[0];
   $timeend = $arrMapTime[1];
 //  if($country == "中国"){
 //   $and .=" and substring_index(substr(client_ip_ctname,4), '-', 1) = (select short_name from t_sys_dict a where full_name='".$country."') ";
 //  }else{
 //   $and .=" and substring_index(client_ip_ctname, '-', 1) = (select short_name from t_sys_dict a where full_name='".$country."') ";
 //  }
  }else{
   $timestat = date("Y-m-d")." 00:00";
   $timeend =  date("Y-m-d H:i") ;
  }
  
  $page= 1;
  $pageSize = 20;
  if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchDns"){
   $serchtype = $_POST["serchType"];
   $serchname = $_POST["serchinput"];
   $timestat = $_POST["serchStart"];
   $timeend =  $_POST["serchEnd"];
   $country = $_POST["country"];
  }else{
 //  if($dnsname!=""){
 //   $serchtype = "type1";
 //  }else{
 //   $serchtype = "type0";
 //  }
   $serchtype = "type0";
   //分页提交点击GO
   if ( isset ( $_POST["action"] ) && $_POST["action"]=="GO"){
    $page = $_POST["p"];
    $serchtype = $_POST["ptype"];
    $serchname = $_POST["pname"];
    $timestat = $_POST["pStart"];
    $timeend =  $_POST["pEnd"];
    $country =  $_POST["cy"];
   }
   //点击翻页
   if ( isset ( $_GET["p"] )){
    $page = $_GET["p"];
    $serchtype = $_GET["serchType"];
    $serchname = $_GET["serchinput"];
    $timestat = $_GET["stime"];
    $timeend =  $_GET["etime"];
    $country =  $_GET["cy"];
   }
  }
  
  $db = new dbBase();
  //数据库连接
  $iRetCon = $db -> dbConnect();
  if($iRetCon!=1)
  {
   print "数据连接失败!";
   return "";
  }
  
  if($serchname!=""){
   if($serchtype == "type0"){
    //域名
    $and .= " and domain_name like '%".$serchname."%' ";
   }else if($serchtype == "type1"){
    //来源地址
    $and .= " and client_ip like '%".$serchname."%' ";
   }
  }
  
  if($country!=""){
   $sqlcy = "select short_name from t_sys_dict a where full_name='".$country."'";
   $arrCy = $db->querySqlArray($sqlcy);
   if(strlen($arrCy[0]["short_name"])>2){
    $and .=" and substring_index(substr(client_ip_ctname,4), '-', 1) = '".$arrCy[0]["short_name"]."' ";
   }else if(strlen($arrCy[0]["short_name"])==2){
    $and .=" and substring_index(client_ip_ctname, '-', 1) = '".$arrCy[0]["short_name"]."' ";
   }
  }

以上注入针对I-SDN负载均衡器

案例:

code 区域 
**.**.**.**/
 **.**.**.**/

一处getshell 地址/test/progressbar/target.php

code 区域 
<?php
 
 if($_SERVER['REQUEST_METHOD']=='POST') {
   move_uploaded_file($_FILES["test_file"]["tmp_name"], "c://sw//wamp//www//" . $_FILES["test_file"]["name"]);
   echo "<p>File uploaded.  Thank you!</p>";
 }
 
 ?>

以上getshell针对I-SDN流控设备&I-SDN负载均衡器

案例:

code 区域 
**.**.**.**/
 **.**.**.**/
 **.**.**.**/
 **.**.**.**/
 **.**.**.**/
 **.**.**.**/
 **.**.**.**/
 **.**.**.**/test/

漏洞证明:

随便选取三处作验证:

/analytics/bal/bal_chart_line_status.php?act=hours&val=1&date=1

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

/analytics/analytics_firewall.php?p=&serchType=type0&serchinput=1

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

/analytics/bal/bal_chart_map.php?act=hours&val=1

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

GETSHELL地址/test/progressbar/target.php:

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

整设备目录遍历导致多处敏感信息泄漏:

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

以上目录遍历针对I-SDN流控设备&I-SDN负载均衡器

案例:

code 区域 
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchFirewall"){
   $serchtype = $_POST["serchType"];
   $serchname = $_POST["serchinput"];
  }else{
   $serchtype = "type0";
   //分页提交
   if ( isset ( $_POST["action"] ) && $_POST["action"]=="GO"){
    $page = $_POST["p"];
    $serchtype = $_POST["ptype"];
    $serchname = $_POST["pname"];
   }
   
   if ( isset ( $_GET["p"] )){
    $page = $_GET["p"];
    $serchtype = $_GET["serchType"];
    $serchname = $_GET["serchinput"];
   }
  }
  
  $db = new dbBase();
  //数据库连接
  $iRetCon = $db -> dbConnect();
  if($iRetCon!=1)
  {
   print "数据连接失败!";
   return "";
  }
  $and="";
  if($serchname!=""){
   if($serchtype == "type0"){
    //源地址
    $and = " and src_ip like '%".$serchname."%' ";
   }else if($serchtype == "type1"){
    //目标地址
    $and = " and dst_ip like '%".$serchname."%' ";
   }else if($serchtype == "type2"){
    //规则
    $and = " and fire_wall_name like '%".$serchname."%' ";
   }else if($serchtype == "type3"){
    //网口
    $and = " and network_card like '%".$serchname."%' ";
   }
  }
  $sql="select a.host_name,left(a.fire_wall_name,(LENGTH(a.fire_wall_name)-2)) wallname,**.**.**.**work_card,a.src_mac,a.dst_mac,
   a.src_ip,a.dst_ip,a.data_len,a.protocol,a.src_port,a.dst_port,
   a.log_time logtime ,right(fire_wall_name,1) stat 
   from t_log_firewall a  where 1=1 ".$and." order by log_time desc limit ".($page-1)*$pageSize.", ".$pageSize;
 // print $sql;

0

还有部分版本存在任意文件修改&目录遍历(AjaXplorer功能为未授权访问导致)

某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

针对以上案例:

code 区域 
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchFirewall"){
   $serchtype = $_POST["serchType"];
   $serchname = $_POST["serchinput"];
  }else{
   $serchtype = "type0";
   //分页提交
   if ( isset ( $_POST["action"] ) && $_POST["action"]=="GO"){
    $page = $_POST["p"];
    $serchtype = $_POST["ptype"];
    $serchname = $_POST["pname"];
   }
   
   if ( isset ( $_GET["p"] )){
    $page = $_GET["p"];
    $serchtype = $_GET["serchType"];
    $serchname = $_GET["serchinput"];
   }
  }
  
  $db = new dbBase();
  //数据库连接
  $iRetCon = $db -> dbConnect();
  if($iRetCon!=1)
  {
   print "数据连接失败!";
   return "";
  }
  $and="";
  if($serchname!=""){
   if($serchtype == "type0"){
    //源地址
    $and = " and src_ip like '%".$serchname."%' ";
   }else if($serchtype == "type1"){
    //目标地址
    $and = " and dst_ip like '%".$serchname."%' ";
   }else if($serchtype == "type2"){
    //规则
    $and = " and fire_wall_name like '%".$serchname."%' ";
   }else if($serchtype == "type3"){
    //网口
    $and = " and network_card like '%".$serchname."%' ";
   }
  }
  $sql="select a.host_name,left(a.fire_wall_name,(LENGTH(a.fire_wall_name)-2)) wallname,**.**.**.**work_card,a.src_mac,a.dst_mac,
   a.src_ip,a.dst_ip,a.data_len,a.protocol,a.src_port,a.dst_port,
   a.log_time logtime ,right(fire_wall_name,1) stat 
   from t_log_firewall a  where 1=1 ".$and." order by log_time desc limit ".($page-1)*$pageSize.", ".$pageSize;
 // print $sql;

1

修复方案:

联系厂商

版权声明:转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2016-03-04 19:29

厂商回复:

CNVD未直接复现所述漏洞情况,暂未建立与软件生产厂商或网站管理单位的直接处置渠道,待认领。

最新状态:

2016-03-04:正尝试建立与软件生产厂商上海驾驭网络科技有限公司的联系机制,待处置.

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin