
某流控设备&负载均衡器七处SQL注入&一处getshell&多处敏感信息泄漏(都无需登录)

2016-06-03 05:40

第一处注入/analytics/bal/bal_chart_line_status.php

code 区域
//******************************** Upstream and downstream traffic statistics ********************************//

// Injection point #1 (bal_chart_line_status.php). Two query-string values, "val" and
// "date", are spliced into the SQL text below without binding or validation.
// Defensive fix: pass both as bound parameters; if the dbBase wrapper only accepts
// SQL text, reject any "date" that does not parse as the expected timestamp and any
// "val" that does not look like a plain application name before building the query.
if($_GET["act"]=="hours"){

// Hourly statistics of average upstream and downstream traffic, one record per minute.

$value=$_GET["val"];   // untrusted: application filter, used inside a quoted literal below

$date=$_GET["date"];   // untrusted: start of the one-hour window, interpolated twice below

if($value != "all"){

// Filter given: restrict the query to a single application name.
// $value sits inside single quotes with no escaping.

$and=" and app_name = '".$value."' ";

}

// NOTE(review): when val == "all", $and is not assigned anywhere in this fragment; whether
// the surrounding file initialises it is not visible here — confirm before relying on it.

if($date==""){

// No date supplied: window is the last hour up to now(). Only $and carries user input here.

$sql="select host_ip,date_format(curr_time,'%H:%i') tm,round(sum(aver_tx)/1024,2) txcount,round(sum(aver_rx)/1024,2) rxcount from t_tjbal_host where

curr_time between date_format(date_add(now(),interval -1 hour),'%Y-%m-%d %H:%i:00')

and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by date_format(curr_time,'%H:%i'),host_ip

order by host_ip asc,curr_time asc ";

}else{

// Explicit date: $date is interpolated as a string literal twice, in addition to $and.
// This is the branch the proof-of-concept URL (act=hours&val=1&date=1) exercises.

$sql="select host_ip,date_format(curr_time,'%H:%i') tm,round(sum(aver_tx)/1024,2) txcount,round(sum(aver_rx)/1024,2) rxcount from t_tjbal_host where

curr_time between date_format('".$date."','%Y-%m-%d %H:%i:00')

and date_format(date_add('".$date."',interval +1 hour),'%Y-%m-%d %H:%i:59') ".$and."

group by date_format(curr_time,'%H:%i'),host_ip order by host_ip asc,curr_time asc ";

}

//print $sql;
// (Fragment ends here; the enclosing if and the execution of $sql continue in the original file.)





第二处注入/analytics/analytics_firewall.php

code 区域
// Injection point #2 (analytics_firewall.php). The search type and search text arrive via
// POST (search form), POST (pagination "GO") or GET (page links). $serchtype is only ever
// compared against fixed strings, but $serchname is concatenated into LIKE '%...%' patterns
// further down. Defensive fix: bind $serchname as a parameter (escaping % and _ if wildcards
// are not intended) and cast $page to a positive integer before it reaches LIMIT.
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchFirewall"){

$serchtype = $_POST["serchType"];   // untrusted; compared only, never interpolated

$serchname = $_POST["serchinput"];  // untrusted; interpolated into SQL below

}else{

$serchtype = "type0";

// Pagination submitted via POST ("GO" button)

if ( isset ( $_POST["action"] ) && $_POST["action"]=="GO"){

$page = $_POST["p"];

$serchtype = $_POST["ptype"];

$serchname = $_POST["pname"];

}



// Pagination via GET — the branch the proof-of-concept URL (p=&serchType=type0&serchinput=1) uses

if ( isset ( $_GET["p"] )){

$page = $_GET["p"];

$serchtype = $_GET["serchType"];

$serchname = $_GET["serchinput"];

}

}



$db = new dbBase();

// Database connection

$iRetCon = $db -> dbConnect();

if($iRetCon!=1)

{

print "数据连接失败!";

// File-scope return: ends this script (or this include) when the connection failed.
return "";

}

$and="";

// NOTE(review): $serchname is undefined when the request is neither a search nor a
// pagination request; the comparison below then treats it as "" (with a notice).
if($serchname!=""){

if($serchtype == "type0"){

// Source address

$and = " and src_ip like '%".$serchname."%' ";

}else if($serchtype == "type1"){

// Destination address

$and = " and dst_ip like '%".$serchname."%' ";

}else if($serchtype == "type2"){

// Rule name

$and = " and fire_wall_name like '%".$serchname."%' ";

}else if($serchtype == "type3"){

// Network interface

$and = " and network_card like '%".$serchname."%' ";

}

}

// The "**.**.**.**" run in the next line is the archive's address-masking filter firing on
// part of a column name (presumably a.network_card); it is not part of the original source.
// $pageSize is not assigned in this fragment (presumably defined earlier in the file).
// ($page-1)*$pageSize is arithmetic, so a non-numeric $page does not reach SQL as text,
// but it is still unvalidated and should be cast to int and clamped to >= 1.
$sql="select a.host_name,left(a.fire_wall_name,(LENGTH(a.fire_wall_name)-2)) wallname,**.**.**.**work_card,a.src_mac,a.dst_mac,

a.src_ip,a.dst_ip,a.data_len,a.protocol,a.src_port,a.dst_port,

a.log_time logtime ,right(fire_wall_name,1) stat

from t_log_firewall a where 1=1 ".$and." order by log_time desc limit ".($page-1)*$pageSize.", ".$pageSize;

//print $sql;





第三处注入/analytics/bal/bal_chart_line.php

code 区域
// Injection point #3 (bal_chart_line.php). Each branch reads "val" from the query string
// and, unless it equals "all", places it inside a quoted SQL literal that is then handed
// to lineJson(). Defensive fix: bind the value as a parameter, or validate it against the
// set of known application names before building $and.
if($_GET["act"]=="hours"){

// Hourly totals of bal traffic, optionally restricted to one application name.

$value=$_GET["val"];   // untrusted

if($value != "all"){

// Filter given: restrict to a single application name (unescaped inside quotes).

$and=" and application_name = '".$value."' ";

}

// NOTE(review): when val == "all", $and is never assigned in this fragment and concatenates
// as an empty string unless the surrounding file initialises it — confirm.
$sql="select date_format(log_time,'%H:%i') time,sum(app_count) dcount from t_tjbal_time_minute where

log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00')

and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";

// every5Minute() and lineJson() are defined elsewhere; lineJson() is assumed to execute $sql as given.
$arrFi = every5Minute();

$datajson = lineJson($sql,$arrFi);

print $datajson;

}else if($_GET["act"]=="day"){

// Daily totals of bal traffic, optionally restricted to one application name.

$value=$_GET["val"];   // untrusted

if($value != "all"){

// Filter given: restrict to a single application name (unescaped inside quotes).

$and = " and application_name = '".$value."' ";

}

$sql="select concat(date_format(date_add(log_time,interval -2 minute),'%H'),':00') time ,sum(app_count) dcount from t_tjbal_time_minute where

date_add(log_time,interval -2 minute) between date_format(date_add(now(),interval -1 day),'%Y-%m-%d %H:00:00')

and date_format(date_add(now(),interval -1 hour),'%Y-%m-%d %H:59:59')".$and."

group by date_format(date_add(log_time,interval -2 minute),'%H') order by log_time asc ";

$arrFi = every1Hours();

$datajson = lineJson($sql,$arrFi);

print $datajson;

}else if($_GET["act"]=="week"){

// Weekly totals of bal traffic, optionally restricted to one application name.
// (Fragment ends here; the remaining branches follow the same pattern in the original file.)





第四处注入/analytics/bal/bal_chart_map.php

code 区域
// Request dispatch for bal_chart_map.php. Every branch hands the raw "val" query parameter
// to a helper that builds SQL from it (balMapMinute is shown below; the other four helpers
// are not visible here). Validation belongs at this boundary, before the value reaches any
// query builder.
if($_GET["act"]=="hours"){

$value=$_GET["val"];   // untrusted

balMapMinute($value);

}else if($_GET["act"]=="day"){

$value=$_GET["val"];   // untrusted

balLineDays($value);

}else if($_GET["act"]=="week"){

$value=$_GET["val"];   // untrusted

balLineWeeks($value);

}else if($_GET["act"]=="month"){

$value=$_GET["val"];   // untrusted

balLineMonth($value);

}else if($_GET["act"]=="year"){

$value=$_GET["val"];   // untrusted

balLineYears($value);

}



/**
 * Real-time bal totals grouped by region, for the world map and the China map.
 *
 * Injection point #4 (bal_chart_map.php): $value arrives straight from $_GET["val"] and,
 * unless it equals "all", is interpolated into both queries below as a quoted literal.
 * Defensive fix: bind it as a parameter or validate it against known application names.
 *
 * @param string $value application name filter, or "all" for no filter
 * @return void  prints an error message and returns early if the DB connection fails
 */

function balMapMinute($value){

$db = new dbBase();

// Database connection

$iRetCon = $db -> dbConnect();

if($iRetCon!=1){

print "数据连接失败!";

return;

}

// Load the world map dictionary

$worldArea = getWorldMapDict($db);

// World data: total application counts per region

if($value != "all"){

// Filter given: restrict to a single application name (unescaped inside quotes).

$and=" and application_name = '".$value."' ";

}

// When $value is "all", $and is undefined in this function and concatenates as an empty string (with a notice).
$sql="select remark ,sum(app_count) dnum from t_sys_dict a ,t_tjbal_time_minute b

where area!='-' and area!='' and remark!='' and a.short_name=substring_index(b.area,'-',1) and

log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00')

and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by remark";

$worldData = getWorldMapData($db,$sql);



// China data: the same filter, joined on the province part of b.area

$sqlc = "select full_name,sum(app_count) dnum from t_sys_dict a ,t_tjbal_time_minute b where

a.code like '%ZG%' and code!='ZG' and substring_index(b.area,'-',1)='CN' and a.short_name=substring(b.area,4) and

log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00')

and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by full_name ";

$chinaData = getChinaMapData($db,$sqlc);
// (Fragment ends here; the function body continues in the original file.)





第五处注入/analytics/analytics_bal.php

code 区域
// Injection point #5 (analytics_bal.php). Four request values reach the SQL text without
// binding or validation: $serchname (LIKE patterns), $timestat and $timeend (quoted
// date_format arguments) and $page (LIMIT). $serchtype is only compared against fixed
// strings. Defensive fix: bind the three string values as parameters and cast $page to a
// positive integer; validating the two timestamps against the expected format is a cheap
// additional guard.
if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchBal"){

$serchtype = $_POST["serchType"];   // untrusted; compared only

$serchname = $_POST["serchinput"];  // untrusted; interpolated below

$timestat = $_POST["serchStart"];   // untrusted; interpolated below

$timeend = $_POST["serchEnd"];      // untrusted; interpolated below

}else{

$serchtype = "type0";

}

//print "=====>".$_POST["action"]."<========";



// Pagination submitted via POST ("GO" button)

if ( isset ( $_POST["action"]) && $_POST["action"]=="GO"){

$page = $_POST["p"];

$serchtype = $_POST["ptype"];

$serchname = $_POST["pname"];

$timestat = $_POST["pStart"];

$timeend = $_POST["pEnd"];

//print "==>".$serchtype."==>".$serchname."==>".$timestat."==>".$timeend;

}

// Pagination via GET

if ( isset ( $_GET["p"] )){

$page = $_GET["p"];

$serchtype = $_GET["serchType"];

$serchname = $_GET["serchinput"];

$timestat = $_GET["stime"];

$timeend = $_GET["etime"];

}

$db = new dbBase();

// Database connection

$iRetCon = $db -> dbConnect();

if($iRetCon!=1)

{

print "数据连接失败!";

// File-scope return: ends this script (or this include) when the connection failed.
return "";

}

$and="";

// NOTE(review): $serchname, $timestat and $timeend are undefined for a plain GET without "p";
// the comparisons below then see "" (with notices). $page is never set by the search-form branch.
if($serchname!=""){

if($serchtype == "type0"){

// Policy name

$and .= " and application_name like '%".$serchname."%' ";

}else if($serchtype == "type1"){

// Source address

$and .= " and src_ip like '%".$serchname."%' ";

}else if($serchtype == "type2"){

// Destination address

$and .= " and server_name like '%".$serchname."%' ";

}else if($serchtype == "type3"){

// Status

$and .= " and status like '%".$serchname."%' ";

}

}

if($timestat!=""){

// Start time: quoted literal built from the raw request value.
$and .= " and log_time >= date_format('".$timestat."','%Y-%m-%d %H:%i:00') ";

}

if ($timeend!=""){

// End time: quoted literal built from the raw request value.
$and .= " and log_time <= date_format('".$timeend."','%Y-%m-%d %H:%i:59') ";

}





// $pageSize is not assigned in this fragment (presumably defined earlier in the file).
// ($page-1)*$pageSize is arithmetic, so $page does not reach SQL as text, but it is
// unvalidated and should be cast to int and clamped to >= 1.
$sql="select host_name,application_name,server_name,src_ip,src_port,action,access_target,datalen,dealtime,status,

log_time logtime,case when length(access_target)>40 then concat(substr(access_target,1,40),'......') else access_target end netar

from t_log_load a where 1=1 ".$and."

order by log_time desc limit ".($page-1)*$pageSize.", ".$pageSize;



//print $sql."<br/>";



$arrlist = $db->querySqlArray($sql);





// Total row count for paging — reuses the same unbound $and, so it shares the injection sink.

$sqlcou = "select count(1) cou from t_log_load a where 1=1 ".$and;



//print $sqlcou."<br/>";





第六处注入/analytics/dns/dns_chart_line.php

code 区域
// Injection point #6 (dns_chart_line.php). "val" from the query string is placed inside a
// LIKE '%...' literal and the resulting SQL is handed to lineJson(). Unlike the bal charts
// there is no "all" sentinel: any non-empty value is interpolated. Defensive fix: bind it
// as a parameter (escaping % and _ if wildcards are not intended).
if($_GET["act"]=="hours"){

/**
 * Hourly dns totals and per-domain visit counts.
 */

$value=$_GET["val"];   // untrusted

if($value != ""){

// Filter given: restrict to domain names ending in $value (unescaped inside quotes).

$and=" and domain_name like '%".$value."' ";

}

// NOTE(review): when val is empty, $and is never assigned in this fragment and concatenates
// as an empty string unless the surrounding file initialises it — confirm.

//$sql="select date_format(log_time,'%H:%i') time,sum(domain_count) dcount from t_tjdns_time_minute where

//date_format(log_time,'%Y-%m-%d %H:%i') between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i')

//and date_format(now(),'%Y-%m-%d %H:%i') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";

$sql="select date_format(log_time,'%H:%i') time,sum(domain_count) dcount from t_tjdns_time_minute where

log_time between date_format(date_add(now(),interval -2 hour),'%Y-%m-%d %H:%i:00')

and date_format(now(),'%Y-%m-%d %H:%i:59') ".$and." group by date_format(log_time,'%H:%i') order by log_time asc ";

// every5Minute() and lineJson() are defined elsewhere; lineJson() is assumed to execute $sql as given.
$arrFi = every5Minute();

$rsjson = lineJson($sql,$arrFi);

print $rsjson;
// (Fragment ends here; the enclosing if continues in the original file.)





第七处注入/analytics/analytics_dns_log.php

code 区域
<?php

// Injection point #7 (analytics_dns_log.php). Request values reach SQL text in two places
// visible in this fragment: $serchname (LIKE patterns near the end) and $country (a quoted
// literal in the t_sys_dict lookup). $timestat and $timeend are also request-controlled and
// are presumably used by a query later in the file that is not shown here. Defensive fix:
// bind every request value as a parameter; $serchtype is compared only and needs no change.

include_once "./dbcon/dbBase.php";

include_once "./dns/time.php";

date_default_timezone_set('Asia/Shanghai');



$serchname = "";

$and="";

if(isset ( $_GET["act"] )){

// Log load triggered from the line chart

$serchname = $_GET["dns"];   // untrusted; interpolated into SQL below

// getTime() lives in ./dns/time.php (not shown); it receives two raw query values.
$strtime = getTime($_GET["act"],$_GET["date"]);

$arrTime = explode("#",$strtime);

$timestat = $arrTime[0];

$timeend = $arrTime[1];

}else if(isset ( $_GET["mapact"] ) && $_GET["mapact"] =="maplog"){

// Log load triggered from the map

$country = $_GET["cy"];   // untrusted; interpolated into SQL below

//print $country."<=======";

$dnsname = $_GET["dname"];

$timttype = $_GET["time"];

$serchname = $dnsname;   // untrusted; interpolated into SQL below

$arrMapTime = explode("#",getMapTime($timttype));

$timestat = $arrMapTime[0];

$timeend = $arrMapTime[1];

//if($country == "中国"){

//$and .=" and substring_index(substr(client_ip_ctname,4), '-', 1) = (select short_name from t_sys_dict a where full_name='".$country."') ";

//}else{

//$and .=" and substring_index(client_ip_ctname, '-', 1) = (select short_name from t_sys_dict a where full_name='".$country."') ";

//}

}else{

// Default window: today from midnight up to the current minute.

$timestat = date("Y-m-d")." 00:00";

$timeend = date("Y-m-d H:i") ;

}



$page= 1;

$pageSize = 20;

if ( isset ( $_POST["action"] ) && $_POST["action"]=="serchDns"){

$serchtype = $_POST["serchType"];   // untrusted; compared only

$serchname = $_POST["serchinput"];  // untrusted; interpolated below

$timestat = $_POST["serchStart"];

$timeend = $_POST["serchEnd"];

$country = $_POST["country"];       // untrusted; interpolated below

}else{

//if($dnsname!=""){

//$serchtype = "type1";

//}else{

//$serchtype = "type0";

//}

$serchtype = "type0";

// Pagination submitted via POST ("GO" button)

if ( isset ( $_POST["action"] ) && $_POST["action"]=="GO"){

$page = $_POST["p"];

$serchtype = $_POST["ptype"];

$serchname = $_POST["pname"];

$timestat = $_POST["pStart"];

$timeend = $_POST["pEnd"];

$country = $_POST["cy"];

}

// Pagination via page links (GET)

if ( isset ( $_GET["p"] )){

$page = $_GET["p"];   // overrides the default of 1 with an unvalidated request value

$serchtype = $_GET["serchType"];

$serchname = $_GET["serchinput"];

$timestat = $_GET["stime"];

$timeend = $_GET["etime"];

$country = $_GET["cy"];

}

}



$db = new dbBase();

// Database connection

$iRetCon = $db -> dbConnect();

if($iRetCon!=1)

{

print "数据连接失败!";

// File-scope return: ends this script (or this include) when the connection failed.
return "";

}



if($serchname!=""){

if($serchtype == "type0"){

// Domain name

$and .= " and domain_name like '%".$serchname."%' ";

}else if($serchtype == "type1"){

// Source address

$and .= " and client_ip like '%".$serchname."%' ";

}

}



// NOTE(review): $country is undefined on the "act" path and on the default path; the
// comparison below then sees "" (with a notice) and the lookup is skipped.
if($country!=""){

// Country name from the request goes into a quoted literal unescaped.
$sqlcy = "select short_name from t_sys_dict a where full_name='".$country."'";

$arrCy = $db->querySqlArray($sqlcy);

// The short_name read back from the dictionary table is then spliced into $and as well.
if(strlen($arrCy[0]["short_name"])>2){

$and .=" and substring_index(substr(client_ip_ctname,4), '-', 1) = '".$arrCy[0]["short_name"]."' ";

}else if(strlen($arrCy[0]["short_name"])==2){

$and .=" and substring_index(client_ip_ctname, '-', 1) = '".$arrCy[0]["short_name"]."' ";

}

}
// (Fragment ends here; the query that consumes $and, $timestat, $timeend and $page is in the original file.)



以上注入针对I-SDN负载均衡器

案例:

code 区域
**.**.**.**/

**.**.**.**/





一处getshell 地址/test/progressbar/target.php

code 区域
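<?php

// Upload handler for the progressbar test page (target.php).
//
// The version disclosed above moved the upload to "c:\sw\wamp\www\" . $_FILES["test_file"]["name"]
// with no checks at all, so an unauthenticated POST could place a file with a client-chosen name
// and extension directly in the web root, and the page printed "File uploaded" regardless of the
// outcome. This version keeps the same form field and target directory but:
//   - accepts only a file that was actually uploaded with this request and reported no error,
//   - discards any directory component of the client-supplied name and restricts it to a
//     conservative character set (single extension, no separators, colons, spaces or trailing dots),
//   - allows only a fixed list of extensions, none of which the server would execute,
//   - reports failure instead of printing the success message unconditionally.
// Storing uploads outside the document root (and serving them through a script) would be the
// stronger fix if the page does not need them to be web-accessible.

// Accepted extensions — CONSTRUCTED PLACEHOLDER LIST; adjust to what the test form is meant to send.
$allowedExtensions = array('jpg', 'jpeg', 'png', 'gif');

// Same destination directory as the original handler.
$uploadDir = "c:\\sw\\wamp\\www\\";

if($_SERVER['REQUEST_METHOD']=='POST') {

    $file = isset($_FILES["test_file"]) ? $_FILES["test_file"] : null;

    // A failed upload still produces a $_FILES entry, so check the error code explicitly;
    // is_uploaded_file() rejects any tmp_name that did not come from this request's upload.
    if ($file === null || $file["error"] !== UPLOAD_ERR_OK || !is_uploaded_file($file["tmp_name"])) {
        echo "<p>Upload failed.</p>";
        exit;
    }

    // basename() strips "../", drive letters and directory prefixes; the pattern then limits the
    // name to letters, digits, "_" and "-" with exactly one extension, which also rules out
    // Windows-specific name forms (colons, trailing dots or spaces) that the file system would
    // interpret differently from how the string reads.
    $name = basename($file["name"]);
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $name)) {
        echo "<p>File name not allowed.</p>";
        exit;
    }

    // Extension allow-list (case-insensitive), strict comparison.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExtensions, true)) {
        echo "<p>File type not allowed.</p>";
        exit;
    }

    // Only report success when the move actually succeeded.
    if (move_uploaded_file($file["tmp_name"], $uploadDir . $name)) {
        echo "<p>File uploaded. Thank you!</p>";
    } else {
        echo "<p>Upload failed.</p>";
    }

}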



以上getshell针对I-SDN流控设备&I-SDN负载均衡器

案例:

code 区域
**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/test/

漏洞证明:

随便选取三处作验证:

/analytics/bal/bal_chart_line_status.php?act=hours&val=1&date=1

aaaaaaaaaaaaaaa111111111111111111111111.jpg





/analytics/analytics_firewall.php?p=&serchType=type0&serchinput=1

aaaaaaaaaaaaaaaaa2222222222222222222222.jpg





/analytics/bal/bal_chart_map.php?act=hours&val=1

aaaaaaaaaaaaaaaaaa333333333333333333333.jpg





GETSHELL地址/test/progressbar/target.php:

aaaaaaaaaaaaaaaa444444444444444444.jpg



qqqqqqqqqqqqqq55555555555555555555.jpg



aaaaaaaaaaaaaaaaaa55555555555555555.jpg



aaaaaaaaaaaaaaaa66666666666666666666.jpg





整设备目录遍历导致多处敏感信息泄漏:

aaaaaaaaaaaaaa7777777777777777777.jpg



aaaaaaaaaaaaaaaaaa88888888888888888888888.jpg



aaaaaaaaaaaaaaaaaaa999999999999999999999999.jpg



aaaaaaaaaaaaaaa00000000000000000000.jpg



以上目录遍历针对I-SDN流控设备&I-SDN负载均衡器

案例:

code 区域
**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/

**.**.**.**/test/





还有部分版本存在任意文件修改&目录遍历(AjaXplorer功能为未授权访问导致)

qqqqqqqqqqqqqqqqqq444444444444444444.jpg



针对以上案例:

code 区域
**.**.**.**/exploer/#0

**.**.**.**/exploer/#0

**.**.**.**/exploer/#0

**.**.**.**/exploer/#0

**.**.**.**/exploer/#0

修复方案:

联系厂商


知识来源: www.wooyun.org/bugs/wooyun-2016-0179441
