
    深信服数据中心2.0某处存在命令执行漏洞

    没穿底裤发表于 2016-07-08 13:56:13

    漏洞文件:/src/acloglogin.php,问题其实出在它引入的弱口令检测上。

    <?php
    /*
     +-------------------------------------------------------------------------+
     | Copyright (C) 2006      
     | File:        acloglogin.php     
     | Description: --> user login
     |                             
     +-------------------------------------------------------------------------+
     | Author:
     | Date:
     | Email:
     +-------------------------------------------------------------------------+
     | - Related site - http://www.sinfors.com.cn/ 
     +-------------------------------------------------------------------------+
    */
    // Login entry point for the AC data center web UI.
    // Flow: load config/helpers -> read request parameters into $forms -> handle logout ->
    // run an external weak-password check on the submitted username -> redirect if a session
    // already exists -> otherwise validate credentials through CAcLogin and apply a
    // per-session lockout after repeated failures.
    require_once("../inc/config.inc.php");//CONFIG_INC_PHP_PATH
    require_once(ACLOG_INC_DATAPATH."usrmanage.php");
    require_once(ACLOG_LANGPATH."chs.utf8.lang.php");
    require_once(ACLOG_INC_CALLPATH."caclogin.php");
    require_once(ACLOG_SRCPATH."formparam.php");
    
    define("TIME_FREEZE", 60);   // lockout window in seconds after repeated failed logins
    define("TIME_COOKIE", 3600); // session / "LifeTime" cookie lifetime in seconds
    global $arrDB;               // account table; presumably filled by an included file (not visible here)
    
    // Without a synced account table (on non-Linux builds) nothing can be checked: show an
    // error and stop. WorkOnLinux() and viewErrmsg() come from the included helpers.
    if (!WorkOnLinux() && is_null($arrDB))	
    {
    	$errmsg = COMMON_LOG_NO_SYNC_ACCOUNT;
    	viewErrmsg($errmsg);
    	exit;
    }
    // Accepted request parameters. The first slot of each triple is presumably the default
    // value (auth=0, page=linkconfig.php?in=1); the meaning of the other two slots is
    // defined by GetFormsRequestValue() in formparam.php, not here.
    $request_forms = array (
            'login_user'      =>  array (null, null, null),
            'login_password'  =>  array (null, null, null),
            'submit'   =>  array(null, null, null),
            'logout'   =>  array(null, null, null),
            'in'       =>  array(null, null, null),
            'login'    =>  array(null, null, null),
            'auth'     =>  array(0, null, null),
            'page'     =>  array("linkconfig.php?in=1", null, null),
            'dkey'     =>  array(null, null, null),
    		'dkeylogin'     =>  array(null, null, null),
            );
    // Fills $forms from the incoming request (presumably $_GET/$_POST) — everything in
    // $forms below is therefore attacker-controlled until validated.
    GetFormsRequestValue($request_forms, $forms);
    
    // Already authenticated. NOTE: loose comparison — any truthy request value for 'auth'
    // (e.g. "1" or "abc") sets the login flag here.
    if ($forms['auth'] == true) {
        $forms["login"] = true;
    }
    global $arrDBSrc, $needDebug;
    // Login controller (project class from caclogin.php); does credential validation and rendering.
    $obj = new CAcLogin($arrDBSrc, $forms, $needDebug);
    global $g_arrScript, $g_arrSkin, $g_page, $g_strLang, $_form;
    // Template fields handed to ShowLogin().
    $fields = array ( 
            "script"    => $g_arrScript,
            "skin"      => $g_arrSkin,
            "page"      => $g_page,
            "lang"      => $g_strLang,
            "form"      => $_form,
            "title"     => "Sinfor AC DataCenter",
            );
    if (isset($forms["login"]) || isset($forms["logout"])) {
        $obj->GetData();
    }
    // Explicit logout: clear the session via the controller and re-show the login form.
    if (isset($forms["logout"]) && $forms["logout"] == true) {
        $obj->logout();
        $obj->ShowLogin($fields);
        exit;
    }
    
    // Weak-password pre-check via an external binary.
    // SECURITY: $forms["login_user"] comes straight from the request and is concatenated into
    // the command line. The surrounding double quotes do not neutralise shell metacharacters in
    // the value, so this is the command-injection sink the post describes, and it runs before
    // any credential check, i.e. for unauthenticated requests. Fix: build the argument with
    // escapeshellarg($forms["login_user"]) (which also handles the spaces the original comment
    // worries about), or do not route the value through a shell at all.
    $weak_str='/usr/sbin/weakpasscheck -checkuser "' .$forms["login_user"]. '"'; // the username may contain spaces, so it was wrapped in double quotes
    system($weak_str, $weak_status);
    // Exit status 1 from the checker is treated as "this account has a weak password".
    if( $weak_status == 1 ){
    	// Second, argument-free script; presumably decides whether a weak-password deadline has passed — confirm.
    	$weak_time_str='/usr/sbin/check_weak_date.sh';
    	system($weak_time_str, $weak_time_status);
    	if( $weak_time_status == 1 ){
    		$strError = LOGIN_WEAK_PASS;
    		$obj->AddErrMessage($strError);	
    		$obj->ShowLogin($fields);
    		exit;
    	}
    }
    
    $nSubmit = 0;   // 1 when both login_user and login_password were submitted
    $nAllRight = 0;
    // Auto-login: the password is not md5'd here because the value passed via GET is already an md5.
    $auth = $forms['auth'];
    // Post-login target: the request's 'page' parameter when 'in' is set, otherwise f.html.
    // NOTE(review): when 'in' is set $location is request-controlled and is later written into a
    // Location header and an inline <script> without validation — consider an allow-list.
    if (isset($forms["in"]) && $forms["in"] == true) {
        $location = $forms['page'];
    } else {
        $location = "f.html";
    }
    $_SESSION["lifeTime"] = TIME_COOKIE;
    $hasToLower = $forms["login_user"];   // despite the name, no case folding is done here
    // Coming from the webui and already logged in.
    if(isset($_SESSION["auth_user"])  && $auth == true) { 
        // This user is already logged in: refresh the lifetime cookie and redirect.
    	
        if(($_SESSION["auth_user"] == $hasToLower)) {   // loose comparison of usernames
            setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"], "/");
            header("Location: $location");          //redirect
            exit;
        } else {// a different webui user is logging in: the previous one should be logged out
            // mark offline
            //TODO...
        }
    }
    
    // An existing session wins regardless of what was submitted: redirect straight away.
    // Otherwise treat a request carrying both credentials as a login attempt.
    if(isset($_SESSION["auth_user"]) && strlen($_SESSION["auth_user"])) {
        $strUser = $_SESSION["auth_user"];
        setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"], "/");
        header("Location: $location");          //redirect to the dbm page
        exit;
    } else {
        if(isset($forms["login_user"]) && isset($forms["login_password"])) {
            $nSubmit = 1;
        }
    }
    
    // Read the freeze (lockout) flag. The lockout is session-scoped and lasts TIME_FREEZE
    // seconds from the first failed attempt ($_SESSION["logtime"]).
    if(isset($_SESSION["freeze"])) {
        $freeze  = $_SESSION["freeze"];
        $lefttime = time() - $_SESSION["logtime"];
        // Lockout expired (or the clock moved backwards): clear the counters.
        if($lefttime > TIME_FREEZE || $lefttime < 0) {
            unset($_SESSION["logtime"]);
            unset($_SESSION["logcishu"]);
            unset($_SESSION["freeze"]);	
            $freeze = false;
        }
        // Still frozen: tell the user how many seconds remain.
        if($freeze) {
            $strError = LOGIN_TIP1.(TIME_FREEZE - $lefttime).LOGIN_TIP2;
        }
    } else {
        $freeze = false;
    }
    
    
    // Limit the number of login attempts.
    $ret = false;   // result of credential validation
    // Frozen: no login is attempted.
    //print_msg($_COOKIE);
    
    
    if($freeze == false) {
        if($nSubmit) {
            $ret = $obj->Validate();
            // One login attempt; the failure counter is incremented in the else branch below.
        }
    
    
        if($ret) {
            // Successful login: establish the session.
            // NOTE(review): $strUser and $strPsw are not assigned on this path within this file
            // ($strUser is only set in the redirect branch above, which exits) — confirm where
            // they are meant to come from.
            $_SESSION["aclog_session"] = 1;
            $_SESSION["auth_user"] = $strUser;//
            $_SESSION["auth_user_pwd"] = $strPsw;
            $_SESSION["nAllRight"] = $nAllRight;
    
    
    		if (isset($_COOKIE["LifeTime"])) {
    			//echo "cook LifeTime is seted:".$_COOKIE["LifeTime"];
    		}
    		else
    		{
    			// Client-side cookie setter. Both %d placeholders are filled by sprintf() below
    			// (TIME_COOKIE, $_SESSION["lifeTime"]). The Chinese JS comment inside the
    			// string is part of the literal and is emitted to the browser as-is.
    			$strJScript = ' <script language="javascript">
    					function SetCookie(name,value)//两个参数,一个是cookie的名子,一个是值
    					{
    						var exp  = new Date();    
    						exp.setTime(exp.getTime() + %d*1000);
    						document.cookie = name + "="+ escape (value) + ";expires=" + exp.toGMTString();
    					}
    					SetCookie ("LifeTime", "%d")					
    					</script>';
    					
    			// This re-check sits inside the else of the same isset() test, so the branch is
    			// unreachable; note also the "</srcipt>" typo in the string it would emit.
    			if (isset($_COOKIE["LifeTime"])) {
    				echo "<script language='javascript'> alert(\"".$_COOKIE["LifeTime"]."\"); </srcipt>";
    			}	
    			else
    			{
    				//var_dump($_SESSION["lifeTime"]);
    				$strJScript = sprintf($strJScript, TIME_COOKIE, $_SESSION["lifeTime"]);
    				echo($strJScript);
    			}	
    		
    			//setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"]);				
    		}
    			
    			
            // Reset the lockout state after a successful login.
            unset($_SESSION["logtime"]);
            unset($_SESSION["logcishu"]);
            unset($_SESSION["freeze"]);
    		//die();
            $javascript = "";
            // When embedded (in=1), reload the parent frames before redirecting.
            if ($forms["in"]) {
                $javascript .= 'if(typeof(eval("window.parent.frames[\"topFrame\"]")) != "undefined")window.parent.frames["topFrame"].location.reload();if(typeof(eval("window.parent.frames[\"leftFrame\"]")) != "undefined")window.parent.frames["leftFrame"].location.reload();';
            }
            // Redirect via inline JS; $location is request-controlled when in=1 (see above).
            $javascript .= "location.href='$location'";
            echo "<script>$javascript</script>";
    		
            exit;
        } else {
            // Failed attempt: count it; three or more failures within TIME_FREEZE seconds
            // of the first one freeze this session.
            if($nSubmit) { 
                $_SESSION["logcishu"] = $_SESSION["logcishu"] +1;
                if($_SESSION["logcishu"] == 1) {
                    $_SESSION["logtime"] = time();
                }
                $lefttime = time() - $_SESSION["logtime"];
                if(($lefttime < TIME_FREEZE) && $_SESSION["logcishu"] >= 3) {
                    // set the freeze flag
                    $_SESSION["freeze"] = true;
                }
            }
        }
    }
    //print_msg($strError, 10);	
    // is_empty() is presumably a project helper (PHP's builtin is empty()).
    if (!is_empty($strError))
        $obj->AddErrMessage($strError);
    
    //print_msg($_SESSION, 10);
    //print_msg($fields, 10);
    $obj->ShowLogin($fields);
    ?>

    问题出现在弱口令检测的地方

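    // Weak-password pre-check, with the injection closed. The original concatenated the
    // request-supplied username straight into the command string, so the surrounding double
    // quotes did not stop shell metacharacters in the value from reaching system(); this runs
    // before any credential check, i.e. for unauthenticated requests. escapeshellarg() turns the
    // value into one inert shell argument (spaces included, which is what the quotes were for);
    // the (string) cast keeps a missing username as an empty argument, as before.
    $weak_str = '/usr/sbin/weakpasscheck -checkuser ' . escapeshellarg((string) $forms["login_user"]);
    system($weak_str, $weak_status);
    // Exit status 1 from the checker is treated as "this account has a weak password".
    if ($weak_status == 1) {
        // Second, argument-free script; presumably decides whether a weak-password deadline has passed — confirm.
        $weak_time_str = '/usr/sbin/check_weak_date.sh';
        system($weak_time_str, $weak_time_status);
        if ($weak_time_status == 1) {
            $strError = LOGIN_WEAK_PASS;
            $obj->AddErrMessage($strError);
            $obj->ShowLogin($fields);
            exit;
        }
    }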

    1. 好吧,命令执行才是关键。


