漏洞文件:/src/acloglogin.php。问题其实出在该文件引入的弱口令检测逻辑上。
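<?php
/*
 +-------------------------------------------------------------------------+
 | Copyright (C) 2006
 | File: acloglogin.php
 | Description: user login
 +-------------------------------------------------------------------------+
 | Author:
 | Date:
 | Email:
 +-------------------------------------------------------------------------+
 | - Related site - http://www.sinfors.com.cn/
 +-------------------------------------------------------------------------+
*/

/*
 * Login page controller.
 *
 * Flow, in order: read the form values, handle logout, run the external
 * weak-password check for the submitted user name, short-circuit when a session
 * is already authenticated, apply the session-based freeze (TIME_FREEZE seconds
 * after 3 failed attempts), then call CAcLogin::Validate() and either redirect
 * or re-render the login form.
 *
 * The line structure of this listing was lost on the page it was taken from;
 * the statement layout below is reconstructed from the token order.
 */

require_once("../inc/config.inc.php"); // CONFIG_INC_PHP_PATH
require_once(ACLOG_INC_DATAPATH."usrmanage.php");
require_once(ACLOG_LANGPATH."chs.utf8.lang.php");
require_once(ACLOG_INC_CALLPATH."caclogin.php");
require_once(ACLOG_SRCPATH."formparam.php");

define("TIME_FREEZE", 60);   // seconds a session stays frozen after repeated failures
define("TIME_COOKIE", 3600); // lifetime used for the LifeTime cookie

global $arrDB;
if (!WorkOnLinux() && is_null($arrDB)) {
    $errmsg = COMMON_LOG_NO_SYNC_ACCOUNT;
    viewErrmsg($errmsg);
    exit;
}

// Form fields this page accepts; the first array element looks like a default
// value (see 'auth' and 'page') -- TODO confirm against formparam.php.
$request_forms = array (
    'login_user'     => array (null, null, null),
    'login_password' => array (null, null, null),
    'submit'         => array(null, null, null),
    'logout'         => array(null, null, null),
    'in'             => array(null, null, null),
    'login'          => array(null, null, null),
    'auth'           => array(0, null, null),
    'page'           => array("linkconfig.php?in=1", null, null),
    'dkey'           => array(null, null, null),
    'dkeylogin'      => array(null, null, null),
);
GetFormsRequestValue($request_forms, $forms);

if ($forms['auth'] == true) {
    // already verified
    $forms["login"] = true;
}

global $arrDBSrc, $needDebug;
$obj = new CAcLogin($arrDBSrc, $forms, $needDebug);

global $g_arrScript, $g_arrSkin, $g_page, $g_strLang, $_form;
$fields = array (
    "script" => $g_arrScript,
    "skin"   => $g_arrSkin,
    "page"   => $g_page,
    "lang"   => $g_strLang,
    "form"   => $_form,
    "title"  => "Sinfor AC DataCenter",
);

if (isset($forms["login"]) || isset($forms["logout"])) {
    $obj->GetData();
}

if (isset($forms["logout"]) && $forms["logout"] == true) {
    $obj->logout();
    $obj->ShowLogin($fields);
    exit;
}

// Weak-password check. It runs before Validate() is called, so the user name
// handled here has not been authenticated yet.
//
// FIX (command injection): the listing built the command as
//     '/usr/sbin/weakpasscheck -checkuser "' . $forms["login_user"] . '"'
// i.e. the raw form value was placed between double quotes in a string handed
// to system(). Double quotes keep a name with spaces together, but the shell
// still interprets other metacharacters inside them. escapeshellarg() passes
// the value as exactly one literal argument and still keeps spaces intact.
// Caveat: escapeshellarg() honours LC_CTYPE and may drop bytes that are invalid
// in the current locale; set a UTF-8 locale if user names can be non-ASCII.
// NOTE(review): system() also writes the command's output into the response;
// confirm that is intended.
$weak_str = '/usr/sbin/weakpasscheck -checkuser ' . escapeshellarg((string) $forms["login_user"]);
system($weak_str, $weak_status);
if ($weak_status == 1) {
    $weak_time_str = '/usr/sbin/check_weak_date.sh';
    system($weak_time_str, $weak_time_status);
    if ($weak_time_status == 1) {
        $strError = LOGIN_WEAK_PASS;
        $obj->AddErrMessage($strError);
        $obj->ShowLogin($fields);
        exit;
    }
}

$nSubmit = 0;
$nAllRight = 0;

// Automatic login: the password is not md5-hashed here because the value
// received via GET is already an md5.
$auth = $forms['auth'];

// NOTE(review): $location can come from the 'page' form value and is later
// written into a Location header and an inline <script> without validation.
// Confirm whether GetFormsRequestValue() constrains it; otherwise restrict it
// to a fixed list of local pages.
if (isset($forms["in"]) && $forms["in"] == true) {
    $location = $forms['page'];
} else {
    $location = "f.html";
}

$_SESSION["lifeTime"] = TIME_COOKIE;
$hasToLower = $forms["login_user"];

// Request coming from the web UI with a session that is already logged in.
if (isset($_SESSION["auth_user"]) && $auth == true) {
    // this user is already logged in
    if (($_SESSION["auth_user"] == $hasToLower)) {
        setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"], "/");
        header("Location: $location"); // redirect
        exit;
    } else {
        // a new web UI user is logging in: log out the previous user
        // mark offline
        // TODO...
    }
}

if (isset($_SESSION["auth_user"]) && strlen($_SESSION["auth_user"])) {
    $strUser = $_SESSION["auth_user"];
    setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"], "/");
    header("Location: $location"); // redirect to the dbm page
    exit;
} else {
    if (isset($forms["login_user"]) && isset($forms["login_password"])) {
        $nSubmit = 1;
    }
}

// Read the freeze flag.
// NOTE(review): the attempt counter and freeze flag live in $_SESSION, so they
// are tied to the session rather than to the account; consider server-side
// per-account throttling as well.
if (isset($_SESSION["freeze"])) {
    $freeze = $_SESSION["freeze"];
    $lefttime = time() - $_SESSION["logtime"];
    if ($lefttime > TIME_FREEZE || $lefttime < 0) {
        unset($_SESSION["logtime"]);
        unset($_SESSION["logcishu"]);
        unset($_SESSION["freeze"]);
        $freeze = false;
    }
    if ($freeze) {
        $strError = LOGIN_TIP1.(TIME_FREEZE - $lefttime).LOGIN_TIP2;
    }
} else {
    $freeze = false;
}

// Limit the number of login attempts.
$ret = false;
// When frozen, no login is attempted.
//print_msg($_COOKIE);
if ($freeze == false) {
    if ($nSubmit) {
        $ret = $obj->Validate(); // one login attempt; the counter below goes up on failure
    }
    if ($ret) {
        $_SESSION["aclog_session"] = 1;
        // NOTE(review): $strUser / $strPsw are not assigned on this path in this
        // file; presumably they are set as globals elsewhere -- verify.
        $_SESSION["auth_user"] = $strUser;
        // NOTE(review): in the listing a bare `//` follows the previous statement
        // and the line breaks are lost, so it is ambiguous whether this assignment
        // was commented out. It is read here as live code -- confirm against the
        // real file, and avoid keeping a password in the session if it is.
        $_SESSION["auth_user_pwd"] = $strPsw;
        $_SESSION["nAllRight"] = $nAllRight;

        if (isset($_COOKIE["LifeTime"])) {
            //echo "cook LifeTime is seted:".$_COOKIE["LifeTime"];
        } else {
            // Client-side script that sets the LifeTime cookie; the two %d
            // placeholders are filled by sprintf() below.
            $strJScript = '
<script language="javascript">
function SetCookie(name,value)//两个参数,一个是cookie的名子,一个是值
{
    var exp = new Date();
    exp.setTime(exp.getTime() + %d*1000);
    document.cookie = name + "="+ escape (value) + ";expires=" + exp.toGMTString();
}
SetCookie ("LifeTime", "%d")
</script>';
            // The listing repeated isset($_COOKIE["LifeTime"]) here with a branch
            // that echoed the cookie value into a script; that branch could never
            // run inside this else and has been dropped.
            //var_dump($_SESSION["lifeTime"]);
            $strJScript = sprintf($strJScript, TIME_COOKIE, $_SESSION["lifeTime"]);
            echo($strJScript);
            //setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"]);
        }

        // Successful login clears the failure bookkeeping.
        unset($_SESSION["logtime"]);
        unset($_SESSION["logcishu"]);
        unset($_SESSION["freeze"]);
        //die();

        $javascript = "";
        if ($forms["in"]) {
            // NOTE(review): the `/"` sequences are reproduced exactly as shown in
            // the listing; they look like `\"` escapes mangled during extraction.
            $javascript .= 'if(typeof(eval("window.parent.frames[/"topFrame/"]")) != "undefined")window.parent.frames["topFrame"].location.reload();if(typeof(eval("window.parent.frames[/"leftFrame/"]")) != "undefined")window.parent.frames["leftFrame"].location.reload();';
        }
        $javascript .= "location.href='$location'";
        echo "<script>$javascript</script>";
        exit;
    } else {
        if ($nSubmit) {
            $_SESSION["logcishu"] = $_SESSION["logcishu"] +1;
            if ($_SESSION["logcishu"] == 1) {
                // first failure starts the freeze window
                $_SESSION["logtime"] = time();
            }
            $lefttime = time() - $_SESSION["logtime"];
            if (($lefttime < TIME_FREEZE) && $_SESSION["logcishu"] >= 3) {
                // set the freeze flag
                $_SESSION["freeze"] = true;
            }
        }
    }
}

//print_msg($strError, 10);
if (!is_empty($strError))
    $obj->AddErrMessage($strError);
//print_msg($_SESSION, 10);
//print_msg($fields, 10);
$obj->ShowLogin($fields);
?>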
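问题出现在弱口令检测的地方:用户提交的 login_user 未经转义就被拼接进交给 system() 执行的命令字符串,外层的双引号并不能阻止 shell 解析其中的特殊字符,属于命令注入。修复方式是用 escapeshellarg() 对该参数转义,并对用户名做白名单校验。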
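// Weak-password check for the submitted user name.
//
// FIX (command injection): the original line was
//     '/usr/sbin/weakpasscheck -checkuser "' . $forms["login_user"] . '"'
// with the comment that user names may contain spaces and therefore need double
// quotes. Double quotes keep the spaces together, but the shell still interprets
// other metacharacters inside them, so the form value could change the command.
// escapeshellarg() hands the value over as exactly one literal argument and
// keeps names with spaces intact.
// Caveat: escapeshellarg() honours LC_CTYPE and may drop bytes that are invalid
// in the current locale; set a UTF-8 locale if user names can be non-ASCII.
$weak_str = '/usr/sbin/weakpasscheck -checkuser ' . escapeshellarg((string) $forms["login_user"]);
system($weak_str, $weak_status);
if ($weak_status == 1) {
    // Exit status 1 from the first check leads to the date check script.
    $weak_time_str = '/usr/sbin/check_weak_date.sh';
    system($weak_time_str, $weak_time_status);
    if ($weak_time_status == 1) {
        // Both checks returned 1: show the weak-password message and stop.
        $strError = LOGIN_WEAK_PASS;
        $obj->AddErrMessage($strError);
        $obj->ShowLogin($fields);
        exit;
    }
}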
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。