Arbitrary command execution & stored XSS in the hotel high-speed Internet access and integrated management service system developed in-house by 安美世纪

admin, 2017-04-28 03:33:07
Summary

2016-03-07: Details reported to the vendor; awaiting vendor handling
2016-03-11: Vendor confirmed; details disclosed to the vendor only
2016-03-14: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2016-05-05: Details disclosed to core white hats and domain experts
2016-05-15: Details disclosed to ordinary white hats
2016-05-25: Details disclosed to intern white hats
2016-06-09: Details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-181444

Title: Arbitrary command execution & stored XSS in the hotel high-speed Internet access and integrated management service system developed in-house by 安美世纪

Vendor: 安美世纪(北京)科技有限公司

Author: YY-2012

Submitted: 2016-03-07 12:50

Published: 2016-06-09 18:10

Vulnerability type: command execution

Severity: medium

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: www.wooyun.org; for questions or help, please contact

Tags: design flaw / boundary bypass, logic error



Vulnerability details


Brief description:

Arbitrary command execution vulnerability & stored XSS (triggered immediately once logged into the system)

Detailed description:

Arbitrary command execution: /manager/radius/server_ping.php

Code:
<?
// Vulnerable handler as shipped (kept as on the original page). Under
// register_globals, $ip and $id come straight from the request.
if (!isset($ip) || $ip == "" || !isset($id) || $id == "") exit;

// $ip is interpolated into the shell command with no validation or quoting:
// this is the command injection described above.
$cmd = "ping -c 2 -s 65 $ip";
$fp = popen($cmd, "r");
$getString = "";
if ($fp) {
    while (($line = fgets($fp, 512))) {
        $getString .= trim($line);
    }
    pclose($fp);
}

if (strstr($getString, "2 received, 0%")) {
    echo "<html><body><script language=\"javascript\">\n";
    echo "parent.doTestResult('$id', 'ok');\n";
    echo "</script></body></html>\n";
} else {
    echo "<html><body><script language=\"javascript\">\n";
    echo "parent.doTestResult('$id', 'no');\n";
    echo "</script></body></html>\n";
}
?>
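A hardened rewrite of this handler, added here as an example and not the vendor's code. It assumes PHP 7.1+ and that `ip` and `id` arrive as GET query parameters (the original relies on register_globals):

```php
<?php
// Hardened rewrite of the ping handler shown above (added example, not the
// vendor's code). Reads its parameters explicitly from $_GET instead of
// relying on register_globals, accepts only a syntactically valid IP address,
// and passes it through escapeshellarg() so no shell metacharacters can
// reach popen().

function validate_ping_target(string $ip): ?string
{
    // Accept IPv4 or IPv6 literals only; hostnames and anything containing
    // shell syntax are rejected before the shell is ever involved.
    $valid = filter_var($ip, FILTER_VALIDATE_IP);
    return $valid === false ? null : $valid;
}

function build_ping_command(string $ip): string
{
    // escapeshellarg() wraps the value in single quotes; the IP has already
    // been validated, so this is defence in depth rather than the only guard.
    return 'ping -c 2 -s 65 ' . escapeshellarg($ip);
}

$ip = isset($_GET['ip']) ? (string)$_GET['ip'] : '';
$id = isset($_GET['id']) ? (string)$_GET['id'] : '';
// $id is echoed into inline JavaScript below, so restrict it to a safe
// character set as well.
if ($id === '' || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $id)) {
    exit;
}
$target = validate_ping_target($ip);
if ($target === null) {
    exit;
}

$output = '';
$fp = popen(build_ping_command($target), 'r');
if ($fp) {
    while (($line = fgets($fp, 512)) !== false) {
        $output .= trim($line);
    }
    pclose($fp);
}
$status = strstr($output, '2 received, 0%') ? 'ok' : 'no';
echo "<html><body><script>\n";
echo "parent.doTestResult(" . json_encode($id) . ", '$status');\n";
echo "</script></body></html>\n";
```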

The template function settings page /language.php can be accessed without authorization, so anyone can modify the system function names at will, which results in a stored XSS vulnerability.

Code:
<?
/*
Function: page for adding language strings

mysql> desc T_Lang;
+-----------+--------------+------+-----+---------+----------------+
| Field     | Type         | Null | Key | Default | Extra          |
+-----------+--------------+------+-----+---------+----------------+
| SerialID  | int(16)      | NO   | PRI | NULL    | auto_increment |
| LangID    | varchar(128) | NO   |     |         |                |
| LangName  | varchar(255) | NO   |     |         |                |
| LangEName | varchar(255) | YES  |     |         |                |
| LangType  | varchar(64)  | NO   |     |         |                |
+-----------+--------------+------+-----+---------+----------------+

mysql> desc T_LangMenu;
+----------+--------------+------+-----+---------+----------------+
| Field    | Type         | Null | Key | Default | Extra          |
+----------+--------------+------+-----+---------+----------------+
| SerialID | int(16)      | NO   | PRI | NULL    | auto_increment |
| MenuName | varchar(128) | NO   |     |         |                |
+----------+--------------+------+-----+---------+----------------+

*/
include_once ("mysql.php");
$dblang = new newDB();
$showResult = "";
if (!isset($SerialID)) $SerialID = "";
if (!isset($LangType)) $LangType = "";
if (!isset($LangID)) $LangID = "";
if (!isset($LangName)) $LangName = "";
if (!isset($LangEName)) $LangEName = "";
if (!isset($Type)) $Type = "";
if (!isset($Flag)) $Flag = "";
if (!isset($Search)) $Search = "";
if (!isset($TitleList)) $TitleList = "";
if (!isset($Lately)) $Lately = "";
if (!isset($doWrite)) $doWrite = "";
if (!isset($EditStatus)) $EditStatus = "";
if (!isset($doAddMenu)) $doAddMenu = "";
if (!isset($MenuName)) $MenuName = "";

$LangID = str_replace("'", "", $LangID);
$LangName = str_replace("'", "", $LangName);
$LangEName = str_replace("'", "''", $LangEName);
$LangName = str_replace("\\t", "", $LangName);
$LangEName = str_replace("\\t", "", $LangEName);
$Search = str_replace("'", "", $Search);
$MenuName = str_replace("'", "", $MenuName);

if (strcasecmp($doWrite, "ok") == 0) {
$cn_file = "/usr/eflow/hibos/include/lang_cn.php";
$en_file = "/usr/eflow/hibos/include/lang_en.php";

$get_string_cn = "<?\n/*\n * 功能:简体中文语言\n */\n\n\$CHARSET = \"GB2312\";\n\$lang = array\n(\n";
$get_string_en = "<?\n/*\n * 功能:英文语言\n */\n\n\$CHARSET = \"UTF-8\";\n\$lang = array\n(\n";
$title_stats = "";
$sqlcmd = "select LangID, LangName, LangEName, LangType from T_Lang order by LangType, LangID ASC";
$result = $dblang->query($sqlcmd);
while ($result && ($row = $dblang->fetch_row($result)) != false) {
if ($row[3] != $title_stats) {
$get_string_cn .= "\t//".$row[3]."\n";
$get_string_en .= "\t//".$row[3]."\n";
$title_stats = $row[3];
}
$get_string_cn .= "\t'".$row[0]."' => '".str_replace("'", "\\'", $row[1])."',\n";
$get_string_en .= "\t'".$row[0]."' => '".str_replace("'", "\\'", $row[2])."',\n";
}

$get_string_cn .= "'');\n\n?>";
$get_string_en .= "'');\n\n?>";

$result_cn = 0;
$cnfd = fopen($cn_file, 'w');
if ($cnfd) {
$result_cn = 1;
fputs($cnfd, $get_string_cn);
fclose($cnfd);
}

$result_en = 0;
$enfd = fopen($en_file, 'w');
if ($enfd) {
$result_en = 1;
fputs($enfd, $get_string_en);
fclose($enfd);
}

echo "<html>\n";
echo "<body>\n";
echo "<script language=\"JavaScript\">\n";
if ($result_cn && $result_en) {
echo "alert('写文件成功!');\n";
} else {
echo "alert('写文件失败!');\n";
}
echo "</script>\n";
echo "</body>\n";
echo "</html>\n";
exit;
}

if (strcasecmp($doAddMenu, "ok") == 0) {

if ($MenuName != "") {
$sqlcmd = "insert into T_LangMenu (MenuName) values ('$MenuName')";
$result = $dblang->query($sqlcmd);
} else
$result = 0;

if ($result)
$showResult = "标示位置添加成功!";
else
$showResult = "标示位置添加失败!";
}

if (isset($UID) && $UID == "add") {
// add
$sqlcmd = "select LangName from T_Lang where LangID='$LangID'";
$result = $dblang->query($sqlcmd);
if ($result && $dblang->num_rows($result) > 0) {
$showResult = "下标ID已经存在!";
} else {
$sqlcmd = "insert into T_Lang(LangID,LangName,LangEName,LangType)";
$sqlcmd .= "values('$LangID','$LangName','$LangEName','$LangType')";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$LangID => $LangName 已添加完成!";
$LangID = "";
$LangName = "";
$LangEName = "";
$LangType = "";
} else {
$showResult = "$LangID => $LangName 添加失败!";
}
}

} else if (isset($Flag) && $Flag == "edit") {
$sqlcmd = "select LangID, LangName, LangEName, LangType, SerialID from T_Lang where LangID='$id'";
$result = $dblang->query($sqlcmd);
if ($result && ($row = $dblang->fetch_row($result)) != false) {
$LangID = $row[0];
$LangName = $row[1];
$LangEName = $row[2];
$LangType = $row[3];
$SerialID = $row[4];
} else {
$Flag = "";
}

} else if (isset($UID) && $UID == "edit" && $SerialID != "") {
$sqlcmd = "update T_Lang set LangID='$LangID', LangName='$LangName', LangEName='$LangEName', LangType='$LangType' where SerialID='$SerialID'";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$LangID => $LangName 已修改完成!";
$LangID = "";
$LangName = "";
$LangEName = "";
$LangType = "";
} else {
$showResult = "$LangID => $LangName 修改失败!";
}

} else if (isset($UID) && $UID == "del") {
$sqlcmd = "delete from T_Lang where LangID='$id'";
if ($dblang->query($sqlcmd) != false) {
$showResult = "$id 已删除完成!";
} else {
$showResult = "$id 删除失败!";
}
}

?>
<html>
<title>语言管理</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link REL="STYLESHEET" TYPE="text/css" HREF="/script/style.css">
<script language="JavaScript" src="/script/string.js"></script>
<script language="JavaScript" src="/script/flybar.js"></script>
<script language="JavaScript">
function docheck(form)
{
form.LangID.value = trim(form.LangID.value);
if (form.LangID.value == "") {
alert("下标ID不允许空");
form.LangID.focus();
return false;
}
form.LangName.value = trim(form.LangName.value);
if (form.LangName.value == "") {
alert("中文语言内容不允许空");
form.LangName.focus();
return false;
}
form.LangEName.value = trim(form.LangEName.value);
if (form.LangEName.value == "") {
alert("英文语言内容不允许空");
form.LangEName.focus();
return false;
}
if (form.LangType.value == "") {
alert("请选择标示位置");
return false;
}
return true;
}

function doWriteLang()
{
var ifr = document.createElement("IFRAME");
ifr.frameBorder = 0;
ifr.scrolling = "no";
ifr.width = 0;
ifr.height = 0;
ifr.src = "language.php?doWrite=OK";
document.body.appendChild(ifr);
}

function addMenuName()
{
var getNamestr = trim(document.getElementById('MenuName').value);
if (getNamestr == "") {
alert("标示位置不允许空!");
return;
}
document.getElementById('divBar').style.visibility = "hidden";

var ifr = document.createElement("IFRAME");
ifr.frameBorder = 0;
ifr.scrolling = "no";
ifr.width = 0;
ifr.height = 0;
ifr.src = "language.php?doAddMenu=OK&MenuName=" + getNamestr;
document.body.appendChild(ifr);
}
</script>
<body>
<br>
<center>
<form action="language.php" method="post">
<input type="hidden" name="EditStatus" value="<? echo $EditStatus ?>">
<table width="750" height="35" border="1" cellpadding="0" cellspacing="0" style="margin:7px">
<tr><td width="100%" height="35" align="left" style="padding-left:20px"><b>语言内容查找(中英):</b> <input type="text" name="Search" value="" size="30"> <input type="submit" name="submit2" value=" 查 找 ">
&nbsp;&nbsp;<span style="width:30px">&nbsp;</span> <input type="button" name="btn_lately" value="最新记录" onclick="location.href='language.php?EditStatus=<? echo $EditStatus ?>&Lately=ok'">&nbsp;&nbsp;
<input type="button" name="btn_title" value="列标题" onclick="location.href='language.php?EditStatus=<? echo $EditStatus ?>&TitleList=ok'">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="button" name="btn_title" value="写文件" onclick="doWriteLang();">
</table>
</form>
<form action="language.php" method="post" onsubmit="return docheck(this)">
<input type="hidden" name="UID" value="<? if ($Flag != "") echo "edit"; else echo "add"; ?>">
<input type="hidden" name="Type" value="<? echo $Type ?>">
<input type="hidden" name="SerialID" value="<? echo $SerialID ?>">
<input type="hidden" name="EditStatus" value="<? echo $EditStatus ?>">
<input type="hidden" name="Search" value="<? echo $Search ?>">
<input type="hidden" name="Lately" value="<? echo $Lately ?>">
<table width="750" height="200" border="1" cellpadding="0" cellspacing="0" style="margin:7px">
<tr><td width="32%" height="200" align="left" style="padding-left:10px"><b>标示位置<?if($TitleList=="" && $Type==""){?>[<a href="javascript:void(0);" onclick="divBar.style.visibility='visible';">增</a>]<?}?>:</b><br>
<select name="LangType" size="20" style="width:200px;height:180px">
<?
if ($Type != "" && $Flag == "") {
?>
<option value="<? echo $Type ?>" selected><? echo $Type ?></option>
<?
} else {
$sqlcmd = "select MenuName from T_LangMenu order by MenuName ASC";
$result2 = $dblang->query($sqlcmd);
while ($result2 && ($row2 = $dblang->fetch_row($result2)) != false) {
?>
<option value="<? echo $row2[0] ?>"<? if ($Flag != "" && $LangType == $row2[0]) echo " selected"; ?>><? echo $row2[0] ?></option>
<?
} //while end
} //if end
?>
</select><font color="#CC0000">*</font>
</td>
<td width="53%" align="left" style="padding-left:20px">
<b>下标ID:</b><br>
<input type="text" name="LangID" value="<? echo $LangID ?>" maxlength="127" size="36" onBlur="this.value=trim(this.value)" <? if ($EditStatus == "" && $Flag != "") echo "style='background-color:#EFEFEF' readonly"; ?>><font color="#CC0000">*</font>
<br><p>
<b>语言内容(中文):</b><br>
<input type="text" name="LangName" value="<? echo $LangName ?>" maxlength="2000" size="48" onBlur="this.value=trim(this.value)"><font color="#CC0000">*</font>
<br><p>
<b>语言内容(英文):</b><br>
<input type="text" name="LangEName" value="<? echo $LangEName ?>" maxlength="2000" size="48" onBlur="this.value=trim(this.value)"><font color="#CC0000">*</font>
</td>
<td width="15%" align="center"><input type="submit" name="submit" value=" <? if ($Flag != "") echo "修 改"; else echo "添 加"; ?> "></td></tr>
</table>
</form>
</center>
<p>
<div align="left">
<?
$lang = array();
$show_string = "";
$sqlcmdlang = "select LangID, LangName, LangType, LangEName from T_Lang where 1=1 ";
if ($Type != "") $sqlcmdlang .= "and LangType='$Type' ";
if ($Search != "") $sqlcmdlang .= "and (LangName like '%$Search%' or LangEName like '%$Search%') ";
if ($Lately != "") {
$sqlmax = "select Max(SerialID) from T_Lang";
$resultn = $dblang->query($sqlmax);
$nmax = 0;
if ($resultn && ($rowl = $dblang->fetch_row($resultn)) != false) {
$nmax = $rowl[0] ? $rowl[0] : 0;
}
$sqlcmdlang .= "and SerialID>'".($nmax > 0 ? ($nmax-300) : 0)."' order by LangType, SerialID desc";
} else
$sqlcmdlang .= "order by LangType, SerialID";
$resultlang = $dblang->query($sqlcmdlang);
while ($resultlang && ($rowlang = $dblang->fetch_row($resultlang)) != false) {
if (!isset($lang[$rowlang[2]])) {
$lang[$rowlang[2]] = $rowlang[2];
$show_string .= "<br><b><span style='padding-left:15px'>[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$rowlang[2]'>$rowlang[2]</a>]</span></b><br>\n";
}
$cstrlang = str_replace("<", "&lt;", $rowlang[1]);
$cstrlang = str_replace(">", "&gt;", $cstrlang);
$estrlang = str_replace("<", "&lt;", $rowlang[3]);
$estrlang = str_replace(">", "&gt;", $estrlang);
$show_string .= "<span style='padding-left:40px'>[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$Type&Flag=edit&id=${rowlang[0]}&Search=$Search'>改</a>]";
if ($EditStatus != "") {
$show_string .= " [<a href=\"javascript:if(confirm('确定删除下标为$rowlang[0]的记录吗?')) location='language.php?Lately=$Lately&EditStatus=$EditStatus&UID=del&Type=$Type&id=${rowlang[0]}&Search=$Search';\">删</a>]";
}
$show_string .= " &nbsp; <font color='#CC0000' size='2'>'$rowlang[0]'</font> => <font color='#00CC00' size='2'>'$cstrlang'</font> => <font color='#00CC00' size='2'>'$estrlang'</font></span><br>\n";
}

if ($Type == "" && $Flag == "") {
echo "<div align=\"left\" style=\"margin:0px 10px;\">";
$last_str = "";
while (list($key, $value) = each($lang)) {
if (substr($value, 0, 2) != $last_str) {
echo "<br>";
$last_str = substr($value, 0, 2);
}
echo "&nbsp;[<a href='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$key'><b>$value</b></a>]&nbsp;&nbsp;";
}
echo "</div><br>";
}

if ($TitleList == "ok") {
echo "</div>\n</body>\n</html>\n";
exit;
}

if ($Flag == "") {
echo $show_string;
}
?>
</div>
<br>
<?
if ($showResult != "") {
?>
<script language="JavaScript">
alert("<? echo $showResult ?>");
</script>
<?
}


if ($Flag != "") {
echo "<center><input type='button' name='btn_return' value=' 返 回 ' onclick=\"location='language.php?Lately=$Lately&EditStatus=$EditStatus&Type=$Type&Search=$Search'\"></center>\n";
} else if ($Type != "") {
echo "<center><input type='button' name='btn_return' value=' 返 回 ' onclick=\"location='language.php?Lately=$Lately&EditStatus=$EditStatus'\"></center>\n";
}
?>
<br>

<div id="divBar" style='position:absolute;top:90px;left:200px;visibility:hidden;z-index:100'>
<table cellspacing="0" cellpadding="0" border="1" width="360" height="60">
<tr><td valign="top">
<table border="0" width="100%" height="100%" cellpadding="0" cellspacing="0">
<tr>
<td class="bg2 text-right" width="70%" height="100%"><input type="text" name="MenuName" value="" maxlength="120" size="35"></td>
<td class="bg2 text-left" width="30%" height="100%" style="padding-left:5px;"><input type="button" name="addbtn" value="添加" onclick="addMenuName()">&nbsp;&nbsp;&nbsp;&nbsp;<input type="button" name="closebtn" value="关闭" onclick="divBar.style.visibility='hidden';"></td>
</tr>
</table>
</td></tr>
</table>
</div>
</body>
</html>
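The two controls language.php is missing, shown as an added example (not the vendor's code): a session check at the top of the page, and context-appropriate output encoding for the stored function names that the original echoes raw. It assumes PHP 7.0+, UTF-8 output, and that the login state is flagged in `$_SESSION['admin']` (the real session key is not known from the page):

```php
<?php
// Added example, not the vendor's code: the two controls language.php lacks.
// (1) The page is reachable without authentication, so every request is first
//     tied to a logged-in administrator session (assumed to be flagged in
//     $_SESSION['admin']; the real session key is not known from the page).
// (2) Stored values such as the function name (LangType / MenuName) are echoed
//     raw into HTML and JavaScript, so each dynamic value is encoded for the
//     context it lands in. Assumes PHP 7.0+ and UTF-8 output.
session_start();
if (empty($_SESSION['admin'])) {
    header('Location: /manager/login.php');
    exit;
}

// Encode for an HTML text node or attribute. ENT_QUOTES also covers the
// single quote, which the original page uses to delimit attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode for a string literal inside an inline <script>, as needed for the
// alert("<? echo $showResult ?>") in the original.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Safe counterpart of the function-name header the original builds from a
// raw $rowlang[2] in both the href and the link text.
function render_menu_header(string $lately, string $editStatus, string $menuName): string
{
    $href = 'language.php?' . http_build_query(
        ['Lately' => $lately, 'EditStatus' => $editStatus, 'Type' => $menuName]);
    return "<br><b><span style='padding-left:15px'>[<a href='" . h($href) . "'>"
        . h($menuName) . "</a>]</span></b><br>\n";
}

// Constructed sample: a stored function name containing markup characters
// is rendered as inert text rather than as HTML.
echo render_menu_header('', 'ok', "Guest <Wi-Fi> & 'VIP' \"zone\"");
echo '<script>alert(' . js('写文件成功!') . ');</script>' . "\n";
```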

Proof of vulnerability:

Arbitrary command execution:

[Screenshots: arbitrary command execution (images not preserved in this copy)]

Stored XSS (triggered immediately once logged into the system):

[Screenshots: stored XSS (images not preserved in this copy)]

Cases (affected hosts, addresses redacted on the original page):


Fix:

Contact the vendor

Copyright notice: when reposting, please credit the source: YY-2012@乌云


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 16

Confirmed: 2016-03-11 18:09

Vendor reply:

CNVD confirmed and reproduced the reported issue and has notified the software vendor by e-mail through its public contact channel; the vendor will provide a fix and coordinate remediation with the affected user organizations.

Latest status:

None yet




Comments

  1. 2016-03-07 14:49 | 一只猿 ( ordinary white hat | Rank:560 vulnerabilities:98 | research focus: hardware and wireless communications)

    1

    This is badass.

  2. 2016-03-07 14:51 | YY-2012 ( core white hat | Rank:3893 vulnerabilities:737 | 意淫 is a term coined in Dream of the Red Chamber, but it later evolved...)

    1

    @一只猿 How did you know?
