当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0107491

漏洞标题:创想oa二次注入

相关厂商:天生创想oa

漏洞作者: also

提交时间:2015-04-27 16:27

修复时间:2015-07-29 10:38

公开时间:2015-07-29 10:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-27: 细节已通知厂商并且等待厂商处理中
2015-04-30: 厂商已经确认,细节仅向厂商公开
2015-05-03: 细节向第三方安全合作伙伴开放
2015-06-24: 细节向核心白帽子及相关领域专家公开
2015-07-04: 细节向普通白帽子公开
2015-07-14: 细节向实习白帽子公开
2015-07-29: 细节向公众公开

简要描述:

过份相信从数据库里面取出的数据造成sql注入

详细说明:

elseif ($do == 'add') {

if($_POST['view']!=''){
$id = getGP('id','P','int');
if($id!=''){
$title = check_str(getGP('title','P'));
$subject = check_str(getGP('subject','P'));
$content = getGP('content','P');
$attendance = getGP('participation','P');
$startdate = getGP('startdate','P')." ".getGP('starttime1','P').":".getGP('starttime2','P');
$enddate = getGP('enddate','P')." ".getGP('endtime1','P').":".getGP('endtime2','P');
$conferenceroom = getGP('conferenceroom','P');
$otype = getGP('otype','P');
$staffidsms=getGP('staffid','P');
$conference = array(
'title' => $title,
'subject' => $subject,
'content' => $content,
'attendance' => $attendance,
'startdate' => $startdate,
'enddate' => $enddate,
'conferenceroom' => $conferenceroom,
'otype' => $otype
);
#print_r($conference);exit;
update_db('conference',$conference, array('id' => $id));
$content='';
$content=serialize($conference);
$title='编辑会议信息';
get_logadd($id,$content,$title,19,$_USER->id);

}else{
$title = check_str(getGP('title','P'));
$subject = check_str(getGP('subject','P'));
$content = getGP('content','P');
$appperson = check_str(getGP('apppersonid','P'));
$recorduser = check_str(getGP('recorduserid','P'));
$date = get_date('Y-m-d H:i:s',PHP_TIME);
$attendance = check_str(getGP('participation','P'));
$startdate = getGP('startdate','P')." ".getGP('starttime1','P').":".getGP('starttime2','P');
$enddate = getGP('enddate','P')." ".getGP('endtime1','P').":".getGP('endtime2','P');
$conferenceroom = check_str(getGP('conferenceroom','P'));
$type = 1;
$otype = getGP('otype','P');
$staffid = getGP('staffidid','P'); //漏洞的开始在这里形成 getGP函数只是进行了简单过滤将敏感字符替换为空如select等 绕过方法有大小写绕过和seselctlectd等这样的方法
$uid=$_USER->id;
$apppersonsms=check_str(getGP('appperson','P'));
$staffidsms=check_str(getGP('staffid','P'));
$conference = array(
'title' => $title,
'subject' => $subject,
'content' => $content,
'appperson' => $appperson,
'recorduser' => $recorduser,
'date' => $date,
'attendance' => $attendance,
'startdate' => $startdate,
'enddate' => $enddate,
'conferenceroom' => $conferenceroom,
'type' => $type,
'staffid' => $staffid,
'uid' => $uid,
'otype' => $otype
);
insert_db('conference',$conference); //将$conference的数据插入到conference数据库中 value内容可控但是被转义,没有关系插入到数据库里面后会反转义一次
$id=$db->insert_id();
if(getGP('sms_info_box_appperson','P')!=''){
$content='';
$content=$apppersonsms.':您申请的会议室己经提交,请注意查看!';
$content.='<a href="admin.php?ac='.$ac.'&fileurl='.$fileurl.'&do=views';
$content.='&id='.$id.'">点击查看>></a>';
SMS_ADD_POST($apppersonsms,$content,0,0,$_USER->id);
}
if(getGP('sms_phone_box_appperson','P')!=''){
$content='';
$content=$apppersonsms.':您申请的会议室己经提交,请登录OA进行查看!';
PHONE_ADD_POST(getGP('apppersonphone','P'),$content,$apppersonsms,0,0,$_USER->id);
}
//出席人员
if(getGP('sms_info_box_participation','P')!=''){
$content='';
$content='您有一个会议需要出席,申请人是:"'.$apppersonsms.'",请注意查看会议出席时间!<a href="admin.php?ac='.$ac.'&fileurl='.$fileurl.'&do=views&id='.$id.'">点击查看>></a>';

SMS_ADD_POST($attendance,$content,0,0,$_USER->id);
}

if(getGP('sms_phone_box_participation','P')!=''){
$content='';
$content='您有一个会议需要出席,申请人是:"'.$apppersonsms.'",请登录OA查看会议出席时间!';
PHONE_ADD_POST(getGP('participationphone','P'),$content,$attendance,0,0,$_USER->id);
}
//审批人员
if(getGP('sms_info_box_staffid','P')!=''){
$content='';
$content=$staffidsms.':有一个会议申请需要您审批,申请人是:"'.$apppersonsms.'",请进入会议管理进行审批!<a href="admin.php?ac='.$ac.'&fileurl='.$fileurl.'&do=views&id='.$id.'">点击审批>></a>';

SMS_ADD_POST($staffidsms,$content,0,0,$_USER->id);
}

if(getGP('sms_phone_box_staffid','P')!=''){
$content='';
$content=$staffidsms.':有一个会议申请需要您审批,申请人是:"'.$apppersonsms.'",请登录OA进行审批!';
PHONE_ADD_POST(getGP('staffidphone','P'),$content,$staffidsms,0,0,$_USER->id);
}
$content='';
$content=serialize($conference);
$title='新增会议信息';
get_logadd($id,$content,$title,19,$_USER->id);
}
show_msg('会议信息操作成功!', 'admin.php?ac='.$ac.'&fileurl='.$fileurl.'');
}else{
$id = getGP('id','G','int');
if($id!=''){
get_key("istration_conference_edit");
$user = $db->fetch_one_array("SELECT * FROM ".DB_TABLEPRE."conference WHERE id = '$id'");
$startdate=explode(' ',$user['startdate']);
$starttime=explode(':',$startdate[1]);
$enddate=explode(' ',$user['enddate']);
$endtime=explode(':',$enddate[1]);
$_title['name']='编辑';
}else{
get_key("istration_conference_Increase");
$startdate=explode(' ',get_date('Y-m-d H:i:s',PHP_TIME));
$starttime=explode(':',$startdate[1]);
$enddate=explode(' ',get_date('Y-m-d H:i:s',PHP_TIME));
$endtime=explode(':',$enddate[1]);
$_title['name']='发布';
}
include_once('template/conferenceadd.php');

}
}

QQ截图20150412175037.jpg


308行
else{
if($id!=''){
$blog = $db->fetch_one_array("SELECT * FROM ".DB_TABLEPRE."conference WHERE id = '$id'"); //取出conference表内所以的信息给$blog
$record = $db->fetch_one_array("SELECT * FROM ".DB_TABLEPRE."conference_record WHERE conferenceid = '$id'");
$_title['name']='[会议信息浏览]';
}
}
include_once('template/conferenceviews.php'); //包含这个文件,跟进

<form name="save" method="post" action="?ac=<?php echo $ac?>&fileurl=<?php echo $fileurl?>&do=views">
<input type="hidden" name="view" value="edit" />
<input type="hidden" name="bbsid" value="<?php echo $blog['id']?>" />
<input type="hidden" name="author" value="<?php echo get_realname($_USER->id)?>" />
<table class="TableBlock" border="0" width="90%" align="center" style="border-bottom:#4686c6 solid 0px;">
<tr>
<td nowrap class="TableContent" width="90">申请时间:</td>
<td class="TableData">
<?php echo $blog['date']?> </td>
</tr>

<tr>
<td nowrap class="TableContent"> 申请人:</td>
<td class="TableData"><?php echo get_realname($blog['appperson'])?> 同样存在漏洞但是因字节数有限不好利用 </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">名称:</td>
<td class="TableData">
<?php echo $blog['title']?> </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">主题:</td>
<td class="TableData">
<?php echo $blog['subject']?> </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">出席人员:</td>
<td class="TableData">
<?php echo $blog['attendance']?> </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">会议开始时间:</td>
<td class="TableData">
<?php echo $blog['startdate']?> </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">会议结束时间:</td>
<td class="TableData">
<?php echo $blog['enddate']?> </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">会议室:</td>
<td class="TableData">
<?php echo get_typename($blog['conferenceroom'])?> 同样存在漏洞但是因字节数有限不好利用 </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">分类:</td>
<td class="TableData">
<?php echo get_typename($blog['otype'])?> 同样存在漏洞但是因字节数有限不好利用 </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">记录人员:</td>
<td class="TableData">
<?php echo get_realname($blog['recorduser'])?> 同样存在漏洞但是因字节数有限不好利用 </td>
</tr>
<tr>
<td nowrap class="TableContent" width="90">审批人员:</td>
<td class="TableData">
<?php echo get_realname($blog['staffid'])?> 把$blog['staffid']带入到get_realname 方法中 代码如下:
function get_realname($id=0){
if($id!=0){
global $db;
$sql = "SELECT name FROM ".DB_TABLEPRE."user_view where uid='".$id."' ORDER BY uid desc limit 0,1"; //没有任何过滤将$id($blog['staffid'])带入到sql语句中
$row = $db->fetch_one_array($sql);
if($row['name']!=''){
return $row['name'];
}
}
}
</td>
</tr>



</table>
<table width="90%" style="border-left:#4686c6 solid 1px;border-right:#4686c6 solid 1px;border-bottom:#4686c6 solid 1px;" align="center">
<tr>
<td colspan="2" bgcolor="#FFFFFF" style="padding:20px 20px 20px 20px;"><?php echo $blog['content']?> </td>
</tr>
</table>


<?if($record['rid']!=''){?>

<table width="90%" border="0" align="center" cellpadding="3" cellspacing="0" class="small" style='margin-top:30px;'>
<tr>
<td class="Big"><img src="template/default/content/images/notify_new.gif" align="absmiddle"><span class="big3"> 会议总结</span>
</td>
</tr>
</table>
<table class="TableBlock" border="0" width="90%" align="center" style="border-bottom:#4686c6 solid 0px;">
<tr>
<td nowrap class="TableContent" width="120">总结时间:</td>
<td class="TableData">
<?php echo $record['date']?> </td>
</tr>
<tr>
<td nowrap class="TableContent"> 具体出席参会人员:</td>
<td class="TableData"><?php echo $record['attendance']?> </td>
</tr>
<tr>
<td nowrap class="TableContent"> 所在会议室:</td>
<td class="TableData"><?php echo get_typename($record['conferenceroom'])?></td>
</tr>
<tr>
<td nowrap class="TableContent"> 会议总结人:</td>
<td class="TableData"><?php echo get_realname($record['recordperson'])?> </td>
</tr>


表结构:

QQ截图20150412172813.jpg


QQ截图20150412175151.jpg

漏洞证明:

QQ截图20150412175918.jpg


QQ截图20150412183136.jpg

修复方案:

对数据库取出的数据再次进行过滤

版权声明:转载请注明来源 also@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-04-30 10:38

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。

最新状态:

暂无