Panabit traffic analysis management system: four command execution flaws plus arbitrary file deletion (no login required)

admin, 2017-04-25 02:38:55, 447 views
Summary

2016-03-04: Details reported to the vendor, awaiting vendor handling
2016-03-08: Vendor confirmed; details disclosed to the vendor only
2016-03-11: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2016-05-02: Details disclosed to core white hats and domain experts
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-180658

Title: Panabit traffic analysis management system: four command execution flaws plus arbitrary file deletion (no login required)

Vendor: 北京派网软件有限公司 (Beijing Panabit Software Co., Ltd.)

Author: komas

Submitted: 2016-03-04 00:30

Published: 2016-06-06 17:10

Type: command execution

Severity: high

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center)

Source: www.wooyun.org; for questions or help please contact

Tags: arbitrary file write exploitation


Vulnerability details

Brief description:

Panabit traffic analysis management system: four command execution flaws plus arbitrary file deletion (no login required)

Details:

Case study on the official site: http://**.**.**.**/html/solution/success_case/2014/0903/82.html

It shows that this vendor's customers are telecom operators, universities, enterprises, residential communities and internet cafes, so the deployment base is very large.

Location 1

/Flow/ipsegtrend.php

Code:
<?php
set_time_limit(0);
date_default_timezone_set('PRC');
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

// All five values are taken from the query string without any validation
$devid = $_GET['devid'];
$ip = $_GET['ip'];
$strstart = $_GET['tmstart'];
$strend = $_GET['tmend'];
$dis_type = $_GET['type'];

// Only the timestamps are normalised (strtotime() yields an integer or false)
$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-360*60;
$elong = $longend;
$tables = $slong."/".$elong;

$i = 0;
$arr = array();
$json = array();
// $devid, $ip and $dis_type are interpolated into the shell command line as-is
exec(DOCROOT."//bin//logeye.exe ipsegtrend $devid $ip $longstart $longend $tables $dis_type", $output, $return);
foreach($output as $val){
$ds = explode(' ', $val);

$arr[$i]['x'] = (int)$ds[1]*1000;
$arr[$i]['y'] = (int)$ds[2];

$i++;
}

$json['result'] = $arr;
echo json_encode($json);
?>

Parameters: devid, ip, tmstart, tmend, type

They go straight into the exec() call, giving command execution.

Location 2

/Flow/ipapplist.php

Code:
<?php
set_time_limit(0);
date_default_timezone_set('PRC');
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

// Unvalidated query-string input, including appid and the errname file name
$devid = $_GET['devid'];
$ip = ($_GET['ip']);
$strstart = $_GET['tmstart'];
$strend = $_GET['tmend'];
$dis_type = $_GET['type'];
$appid = $_GET['appid'];
$errfile = _CHECKING_STATUS_F.'/'.$_GET['errname'];

$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tables = $longstart."/".$longend;

// Builds a list of session table names covering the requested time span
$minutes = ($longend - $longstart) / 60;
$tablefile = "/var/tmp/session_table_".date("YmdHis").".txt";
$fp = fopen($tablefile, "w");
for ($i = 0; $i < $minutes; $i++){
if (date("i", $longstart-300+$i*60) % 5 == 0)
fwrite($fp, "session".date("Ymd", $longstart+$i*60).".sess".date("YmdHi", $longstart+$i*60)."00\n");
}
fclose($fp);

$arr = array();
$json = array();

// Raw parameters are concatenated into $cmd and handed to the shell
$cmd = LOGDPATH."/bin/logeye iptoapp $devid $ip $longstart $longend $tablefile $dis_type $errfile $appid";
exec($cmd, $output, $return);

$fp = fopen("/var/tmp/apptofile_content_apply.txt", "w");
foreach($output as $val){
$ds = explode(' ', $val);

fwrite($fp, $val."\n");

array_push($arr, array("name"=>$ds[0], "cname"=>iconv('gb2312','utf-8', $ds[1]),
"upbytes"=>(double)$ds[2], "downbytes"=>(double)$ds[3]));
}
fclose($fp);

$json['rows'] = $arr;
echo json_encode($json);
?>

Parameters: devid, ip, tmstart, tmend, type, appid

They are concatenated directly into $cmd, and $cmd is passed to exec(), giving command execution.

Location 3

/Flow/iptop.php

Code:
<?php
set_time_limit(0);
date_default_timezone_set('PRC');
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

// Unvalidated query-string input; topip and errname are additional injection points
$devid = $_GET['devid'];
$ip = $_GET['ip'];
$strstart = $_GET['tmstart'];
$strend = $_GET['tmend'];
$topip = $_GET['topip'];
$dis_type = $_GET['type'];
$errfile = _CHECKING_STATUS_F.'/'.$_GET['errname'];

if ($ip == "") $ip = "**.**.**.**-**.**.**.**";

$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-360*60;
$elong = $longend;
$tables = $slong."/".$elong;

$i = 0;
$arr = array();
$arrxaxis = array();
$arrxyaxis = array();
$json = array();

$tablefile = php_getiptable($strstart, $strend, $devid);

// Same pattern: raw parameters interpolated into the shell command
exec(LOGDPATH."/bin/logeye iptop $devid $ip $longstart $longend $tablefile $topip $dis_type $errfile", $output, $return);
foreach($output as $val){
$ds = explode(' ', $val);

if ($ds[0] == "**.**.**.**") continue;

$arrxaxis[$i] = sprintf("%s", $ds[0]);
$arr[$i]['ip'] = sprintf("%s", $ds[0]);

if ($dis_type == "up")
$arrxyaxis[$i] = (double)$ds[2];
else if ($dis_type == "down")
$arrxyaxis[$i] = (double)$ds[3];
else if ($dis_type == "total")
$arrxyaxis[$i] = (double)$ds[1];
else if ($dis_type == "flow")
$arrxyaxis[$i] = (int)$ds[4];

$arr[$i]['total'] = (double)$ds[1];
$arr[$i]['up'] = (double)$ds[2];
$arr[$i]['down'] = (double)$ds[3];
$arr[$i]['flowcnt'] = (int)$ds[4];
$arr[$i]['devid'] = $devid;

if ($ds[5] == "$")
$arr[$i]['account'] = "";
else $arr[$i]['account'] = $ds[5];

$arr[$i]['maxout'] = (double)$ds[6];
$arr[$i]['maxin'] = (double)$ds[7];
$arr[$i]['sum_inter'] = (int)$ds[8];
$arr[$i]['inter'] = (int)$ds[9];

$i++;
}

$json['x'] = $arrxaxis;
$json['y'] = $arrxyaxis;
$json['detail'] = $arr;
echo json_encode($json);
?>

Exactly like the first two locations, the parameters go straight into exec(), giving command execution.

Location 4

/Flow/iptrend.php

Code:
<?php
set_time_limit(0);
date_default_timezone_set('PRC');
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");

// Unvalidated query-string input
$devid = $_GET['devid'];
$ip = $_GET['ip'];
$strstart = $_GET['tmstart'];
$strend = $_GET['tmend'];
$dis_type = $_GET['type'];
$color = $_GET['color'];
$errfile = _CHECKING_STATUS_F.'/'.$_GET['errname'];

$colors = explode(',', $color);

if ($ip == "")
$ip = "**.**.**.**-**.**.**.**";

$longstart = strtotime($strstart);
$longend = strtotime($strend);

$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-360*60;
$elong = $longend;
$tables = $slong."/".$elong;

$tablefile = php_getiptable($strstart, $strend, $devid);

// Same pattern: raw parameters interpolated into the shell command
exec(LOGDPATH."/bin/logeye iptrend $devid $ip $longstart $longend $tablefile $dis_type $errfile", $output, $return);
$i = 0;
$app = 0;
$appup = 0;
$appdown = 0;
$appflow = 0;
$currtype = "";
$data = array();
$seriesup = array();
$seriesdown = array();
$seriesflow = array();

// First pass: count how many DATA rows make up one series
$slot = 0;
foreach($output as $val){
$ds = explode(' ', $val);
if ($ds[0] == "TAG"){
if ($slot != 0)
break;
}

if ($ds[0] == "DATA")
$slot++;
}
// Second pass: split logeye output into up/down/flow series for the chart
foreach($output as $val){
$ds = explode(' ', $val);

if ($ds[0] == "TAG"){
if ($ds[1] == "DATEUP"){
$currtype = "DATEUP";
$seriesup[$appup]['name'] = long2ip($ds[2]);
$seriesup[$appup]['color'] = "#".$colors[$app];
}
if ($ds[1] == "DATEDOWN"){
$currtype = "DATEDOWN";
$seriesdown[$appdown]['name'] = long2ip($ds[2]);
$seriesdown[$appdown]['color'] = "#".$colors[$app];
}
if ($ds[1] == "DATEFLOW"){
$currtype = "DATEFLOW";
$seriesflow[$appflow]['name'] = long2ip($ds[2]);
$seriesflow[$appflow]['color'] = "#".$colors[$app];
}
}

if ($ds[0] == "DATA"){
$data[$i]['x'] = (int)$ds[1] * 1000;
$data[$i++]['y'] = (int)$ds[2];

if (count($data) == $slot){
if ($currtype == "DATEUP")
$seriesup[$appup++]['data'] = $data;
if ($currtype == "DATEDOWN")
$seriesdown[$appdown++]['data'] = $data;
if ($currtype == "DATEFLOW")
$seriesflow[$appflow++]['data'] = $data;
unset($data);
$i = 0;
}
}
}

$json['result_up'] = $seriesup;
$json['result_down'] = $seriesdown;
$json['result_flow'] = $seriesflow;
echo json_encode($json);
?>

Same as above.
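As an added example (not Panabit's code), this is how the parameter handling shared by the four Flow/*.php scripts above can be hardened: every value is checked against an allow-list before it is placed on the logeye command line, and escapeshellarg() is applied as a second layer. The function names, the devid format and the accepted `type` values (taken from iptop.php's branches) are assumptions.

```php
<?php
// Added example, not Panabit's code. Function names and formats are assumptions.
// Allow-list validation for the GET parameters that the four Flow/*.php scripts
// pass straight into exec(); anything that is not the expected shape is rejected,
// so shell metacharacters never reach the command line.
function validate_logeye_args(array $get): array
{
    // A parameter sent as an array (devid[]=...) is treated as missing
    $str = fn(string $k): string => is_string($get[$k] ?? null) ? $get[$k] : '';

    // devid: short decimal device id (assumed format)
    if (!preg_match('/^\d{1,6}$/', $str('devid'))) {
        throw new InvalidArgumentException('bad devid');
    }
    // ip: one IPv4 address or an a.b.c.d-e.f.g.h range, the shape iptop.php defaults to
    $ipre = '/^\d{1,3}(\.\d{1,3}){3}(-\d{1,3}(\.\d{1,3}){3})?$/';
    if (!preg_match($ipre, $str('ip'))) {
        throw new InvalidArgumentException('bad ip');
    }
    // time bounds: only the integers from strtotime() are passed on, never the raw text
    $start = strtotime($str('tmstart'));
    $end   = strtotime($str('tmend'));
    if ($start === false || $end === false || $end <= $start) {
        throw new InvalidArgumentException('bad time range');
    }
    // type: closed vocabulary, as used by iptop.php's branches
    if (!in_array($str('type'), ['up', 'down', 'total', 'flow'], true)) {
        throw new InvalidArgumentException('bad type');
    }
    return [$str('devid'), $str('ip'), (string)$start, (string)$end, $str('type')];
}

// Builds the command with every argument quoted; the allow-list above is the
// primary control and escapeshellarg() is defence in depth.
function build_logeye_cmd(string $bin, string $subcmd, array $args): string
{
    $quoted = array_map('escapeshellarg', $args);
    return escapeshellarg($bin) . ' ' . escapeshellarg($subcmd) . ' ' . implode(' ', $quoted);
}

// Usage inside one of the scripts (LOGDPATH as in the originals):
// $args = validate_logeye_args($_GET);
// exec(build_logeye_cmd(LOGDPATH . '/bin/logeye', 'iptop', $args), $output, $return);
```

The errname, topip and appid parameters used by the other scripts need the same treatment, and an authentication check belongs before any of this, since the scripts are reachable without login.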

Arbitrary file deletion

deletefile.php in the web root

Code:
<?php
$doc = $_SERVER["DOCUMENT_ROOT"];
include($doc."/common.php");

// Path taken verbatim from the POST body; no authentication, no path restriction
$filename = $_POST['filename'];

if (file_exists($filename)){
unlink($filename);
outputres("yes", "操作成功");
exit;
}

outputres("no", "操作失败,文件不存在");
?>

The $filename variable is attacker-controlled; if the file exists, unlink() deletes it.

http://address/deletefile.php?filename=
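As an added example (not Panabit's code), deletefile.php can be confined so that it only removes plain files inside one designated directory; the UPLOAD_DIR constant and the safe_delete() function name are assumptions.

```php
<?php
// Added example, not Panabit's code. UPLOAD_DIR and safe_delete() are assumptions.
// The original deletefile.php passes $_POST['filename'] straight to unlink(); here
// the name must be a bare file name and the resolved path must stay under one
// base directory, so traversal sequences and absolute paths are rejected.
const UPLOAD_DIR = '/var/tmp/panabit_uploads';  // assumed location

function safe_delete(string $requested, string $baseDir = UPLOAD_DIR): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Bare file name only: no directory separators, no NUL, and not "." or ".."
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $requested)
        || $requested === '.' || $requested === '..') {
        return false;
    }
    // realpath() resolves symlinks, so a link planted inside the directory that
    // points outside it is also caught by the prefix check
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false;   // never unlink directories or special files
    }
    return unlink($target);
}

// Usage inside deletefile.php, after the caller has been authenticated
// (the original script requires no login at all):
// $name = $_POST['filename'] ?? '';
// $ok = is_string($name) && safe_delete($name);
// outputres($ok ? "yes" : "no", $ok ? "Operation succeeded" : "Operation failed");
```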

Proof:

Proof for location 1

[screenshot omitted]

After execution, a file named 665.php is created in the web root.

Proof for location 2

[screenshot omitted]

After execution, a file named 1123.php is created in the web root.

The rest are identical, so they are not demonstrated one by one.

Some internet-facing instances:

**.**.**.**/

**.**.**.**/

**.**.**.**

Suggested fix:

Set proper access permissions.

Copyright notice: please credit komas@WooYun when reposting.


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 12

Confirmed: 2016-03-08 17:00

Vendor reply:

CNVD has confirmed the reported issue and has notified the software vendor through the public contact details on its website.

Latest status:

None yet




Comments

  1. 2016-03-04 09:27 | f4ckbaidu (Regular white hat | Rank: 265 | Vulns: 29 | the devs are a lost cause)

    Actually, if you go after their official site there is a pile of vulnerabilities there too.

  2. 2016-03-04 09:31 | komas (Regular white hat | Rank: 107 | Vulns: 23)

    @f4ckbaidu ..... I just happened to run into it.

  3. 2016-03-04 14:23 | 牛肉包子 (Regular white hat | Rank: 307 | Vulns: 70 | baozisec)

    $$

  4. 2016-03-04 21:12 | 小红猪 (Regular white hat | Rank: 341 | Vulns: 42 | little red pig!)

    $$
