Vulnerability summary

Defect ID: wooyun-2016-0191674

Title: 集时通讯 (Jishi Tongxun) application audit: a bundle of SQL injections

Vendor: 深圳市集时通讯股份有限公司

Author: Bear baby

Submitted: 2016-04-07 19:20

Fix deadline: 2016-07-10 16:00

Public disclosure: 2016-07-10 16:00

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-07: details sent to the vendor, awaiting vendor handling
2016-04-11: vendor confirmed; details visible to the vendor only
2016-04-14: details opened to third-party security partners (绿盟科技/NSFOCUS, 唐朝安全巡航, 无声信息)
2016-06-05: details opened to core white hats and domain experts
2016-06-15: details opened to regular white hats
2016-06-25: details opened to intern white hats
2016-07-10: details made public

Brief description:

Study hard and you improve every day.

Detailed description:

Vendor site: http://**.**.**.**; the vendor has several subsidiaries. Some earlier cases: http://**.**.**.**/bugs/wooyun-2010-0134587

[screenshot: 1.png]

The vendor has a large installed base across major enterprises and government bodies.

1. Vulnerable location: userweb/php/index/user.class.php
This application's default environment runs with magic_quotes_gpc (GPC) on, so every request value already has addslashes() applied. The audit therefore concentrates on values that are interpolated into SQL without surrounding single quotes: there, a backslash in front of a quote character achieves nothing, because the payload needs no quote character at all.

    public function showselectExten( )
    {
        $db = $this->loadDB( );
        // depart_id is taken straight from the request; no login check precedes this
        $pid = empty( $_REQUEST['depart_id'] ) ? "" : $_REQUEST['depart_id'];
        $exten_list = $this->getUsersByDeparts( $pid );
        $this->Tmpl['exten_list'] = $exten_list;
        $this->display( );
    }

The parameter of interest is $pid. Follow it into getUsersByDeparts(), which lives in the base class:

    public function getUsersByDeparts( $pdepart_id )
    {
        $db = $this->loadDB( );
        $pdepart_ids = $this->getCdepart_id( $pdepart_id );   // "childid,childid,...,<raw $pdepart_id>,"
        $pdepart_ids = substr( $pdepart_ids, 0, -1 );           // drop the trailing comma
        if ( empty( $pdepart_id ) )
        {
            $sql = "SELECT * FROM org_user";
        }
        else
        {
            // sink: the list is interpolated without quotes, so GPC escaping is irrelevant
            $sql = "SELECT * FROM org_user WHERE dept_id in (".$pdepart_ids.") ";
        }
        $rs = $db->Execute( $sql );
        $users = array( );
        while ( !$rs->EOF )
        {
            $users[] = $rs->fields;
            $rs->MoveNext( );
        }
        return $users;
    }

The line $pdepart_ids = $this->getCdepart_id( $pdepart_id ); hands $pdepart_id to getCdepart_id(), so follow that as well:

    public function getCdepart_id( $pdepart_id )
    {
        $db = $this->loadDB( );
        global $pdepart_id_str;
        // here the value is single-quoted, so GPC's addslashes() does protect this query
        $sql = "SELECT dept_id FROM org_department WHERE dept_parent='".$pdepart_id."'";
        $rs = $db->Execute( $sql );
        while ( $rs && !$rs->EOF )
        {
            $this->getCdepart_id( $rs->fields['dept_id'] );   // recurse into child departments
            $rs->MoveNext( );
        }
        // the raw, unmodified input is appended to the accumulated id list
        $pdepart_id_str .= $pdepart_id.",";
        return $pdepart_id_str;
    }

This does not get in our way: the input is used once in a single-quoted query (safe under GPC) and is then appended to the id string unchanged, with only a comma after it. Back in getUsersByDeparts(), the vulnerable statement is:

    $sql = "SELECT * FROM org_user WHERE dept_id in (".$pdepart_ids.") ";

Because the value sits inside IN ( ... ) with no quotes around it, any payload that avoids quote characters passes through GPC untouched.

Most functions call $this->publicCheckLogin( ) to enforce authentication, but this one does not, so it can be reached without logging in. Request URL:
/userweb/index.php?module=user&action=selectExten&depart_id=1

[screenshot: 1.png]

The system's default configuration connects to the database with DBA privileges; hand the request to sqlmap:

[screenshot: 2.png]

[screenshot: 3.png]
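The following is an added example, not the vendor's code: a hardened replacement for the showselectExten()/getUsersByDeparts()/getCdepart_id() chain above, written against ADOdb's Execute($sql, $inputarr) placeholder form. The same pattern closes every "dept_id in (...)" sink in this report (GetCanAdjustExten, AjaxGetExtensByDept, GetExtensionComboByDept, the log Delete handler and DaPingNotify). FakeDb is a stand-in for ADOdb that records the statement and bound values instead of executing them, so the script runs offline; $loggedIn stands in for publicCheckLogin().

```php
<?php
// Added example, not the vendor's code: hardened version of the
// showselectExten() -> getUsersByDeparts() -> getCdepart_id() chain.
// FakeDb mimics ADOdb's Execute($sql, $inputarr) signature but only logs
// what would be sent and returns no rows.
declare(strict_types=1);

final class FakeDb
{
    /** @var array<int, array{0:string,1:array}> every (sql, params) pair "sent" */
    public array $log = [];

    public function Execute(string $sql, array $params = []): array
    {
        $this->log[] = [$sql, $params];
        return [];                       // no rows: this demo only inspects the SQL
    }
}

/**
 * Accept a department id only if it is a plain positive decimal integer.
 * Escaping is useless in an unquoted numeric context, so reject instead.
 */
function departmentId($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    return preg_match('/^[1-9]\d{0,9}$/', (string) $raw) ? (int) $raw : null;
}

/** Parameterised form of getCdepart_id(): walks the subtree, binding every id. */
function collectDepartmentIds(FakeDb $db, int $parent, array &$acc): void
{
    $rows = $db->Execute('SELECT dept_id FROM org_department WHERE dept_parent=?', [$parent]);
    foreach ($rows as $row) {
        collectDepartmentIds($db, (int) $row['dept_id'], $acc);
    }
    $acc[] = $parent;
}

/** Parameterised form of getUsersByDeparts(): one placeholder per id in the IN list. */
function getUsersByDepartsSafe(FakeDb $db, $rawDepartId): array
{
    if ($rawDepartId === '' || $rawDepartId === null) {
        return $db->Execute('SELECT * FROM org_user');   // same fallback as the original
    }
    $root = departmentId($rawDepartId);
    if ($root === null) {
        return [];                                        // garbage in: no query at all
    }
    $ids = [];
    collectDepartmentIds($db, $root, $ids);
    $marks = implode(',', array_fill(0, count($ids), '?'));
    return $db->Execute("SELECT * FROM org_user WHERE dept_id IN ($marks)", $ids);
}

/** The controller, with the login check the original omitted. */
function showselectExtenSafe(FakeDb $db, array $request, bool $loggedIn): array
{
    if (!$loggedIn) {
        throw new RuntimeException('login required');
    }
    return getUsersByDepartsSafe($db, $request['depart_id'] ?? '');
}

// Constructed inputs: a benign id, then the kind of quote-free payload that
// the original IN (...) sink would have executed verbatim.
$db = new FakeDb();
showselectExtenSafe($db, ['depart_id' => '7'], true);
showselectExtenSafe($db, ['depart_id' => '1) OR 1=1 -- '], true);
foreach ($db->log as [$sql, $params]) {
    echo $sql, '   bound: ', json_encode($params), PHP_EOL;
}
```

The benign id produces two bound statements (the subtree lookup and the IN list); the payload is rejected by departmentId() before any statement is built, which is the behaviour to aim for in an unquoted numeric context, where no amount of escaping would help.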


2. Vulnerable file:
Userweb/php/outbound/ajax.class.php

    public function showGetQuestion( )
    {
        $qnid = $_REQUEST['qnid'];           // attacker-controlled, no validation
        $array = array( );
        $array = $this->getQuestionList( $qnid );
        echo json_encode( $array );
        exit( );
    }

$qnid is attacker-controlled; look at getQuestionList():

    protected function getQuestionList($qnid) {
        $db = $this->loadDB();
        // sink: $qnid is interpolated without quotes
        $sql = "select * from stdout_question where is_deleted=0 and qnid=$qnid order by orderid asc";
        $rs = $db->Execute($sql);
        $list = array();
        while (!$rs->EOF) {
            $list[$rs->fields['id']] = $rs->fields;
            $rs->MoveNext();
        }
        return $list;
    }

The value goes straight into the statement without quotes, so GPC offers no protection. Request URL:
userweb/outbound.php?module=ajax&action=GetQuestion&qnid=1

[screenshot: 5.png]

[screenshot: 6.png]


3. Vulnerable file:
Userweb/php/outbound/ajax.class.php

    public function showGetQuestionOptions( )
    {
        $qid = $_REQUEST['qid'];             // attacker-controlled, no validation
        $array = array( );
        $array = $this->getQuestionOptionList( $qid );
        echo json_encode( $array );
        exit( );
    }

Look at getQuestionOptionList():

    protected function getQuestionOptionList($qid) {
        $db = $this->loadDB();
        // sink: $qid is interpolated without quotes
        $sql = "select * from stdout_question_options where qid=$qid order by id asc";
        $rs = $db->Execute($sql);
        $list = array();
        while (!$rs->EOF) {
            $list[] = $rs->fields;
            $rs->MoveNext();
        }
        return $list;
    }

Same as above. Request URL:
userweb/outbound.php?module=ajax&action=GetQuestionOptions&qid=1

[screenshot: 8.png]

[screenshot: 9.png]


4. Vulnerable file:
Userweb/php/outbound/ajax.class.php

    public function showGetObjectList( )
    {
        $db = $this->loadDB( );
        $object_id = $_REQUEST['object_id'];   // attacker-controlled
        $type = $_REQUEST['type'];
        if ( empty( $object_id ) )
        {
            echo "0";
            exit( );
        }
        $list = $this->getObjectList( $object_id, $type );
        echo json_encode( $list );
        exit( );
    }

Look at getObjectList():

    protected function getObjectList($pid, $type = '') {
        $db = $this->loadDB();
        $where = " WHERE o.pid={$pid} AND o.is_hide=0";   // sink: $pid (object_id) unquoted
        if ('import' == $type) {                          // $type is only compared, never interpolated
            $where .= " AND o.run_status<>'run' ";
        } else if ('preview' == $type) {
            $where .= " AND (o.type1='preview' OR o.run_status<>'run') ";
        } else if ('myPreview' == $type) {
            $where .= " AND o.type1='preview' AND o.run_status<>'pause' ";
        } else if ('forecast' == $type) {
            $where .= " AND o.type1='forecast' ";
        } else if ('ivr' == $type) {
            $where .= " AND o.type1='ivr' ";
        } else if ('quality' == $type) {
            $where .= " AND o.qpid>0 ";
        } else if ('question' == $type) {
            $where .= " AND o.qnid>0 ";
        }
        if ($_SESSION['userinfo']['power'] != 1) {
            $user = $this->getLocalUser();
            $where .= " AND (FIND_IN_SET('" . $user['dept_id'] . "', o.visit_dept) OR o.visit_dept='')";
        }
        if ('myPreview' === $type) {
            $extension = $_SESSION['userinfo']['extension'];
            $sql = "SELECT object_id FROM stdout_agent_object WHERE extension='{$extension}' AND parent_status!='pause'";
            $sql = "SELECT o.id, o.name, o.type1 FROM stdout_object o INNER JOIN ({$sql}) ao ON o.id=ao.object_id {$where} ORDER BY o.id DESC";
        } else {
            $sql = "SELECT o.id, o.name, o.type1 FROM stdout_object o {$where} ORDER BY o.id DESC";
        }
        if (!$rs = $db->Execute($sql)) {
            echo $sql . "<br/>";      // on failure the full statement and the database
            echo $db->ErrorMsg();     // error message are echoed to the client
            exit();
        }
        $list = array();
        while (!$rs->EOF) {
            $list[$rs->fields['id']] = $rs->fields;
            $rs->MoveNext();
        }
        return $list;
    }

Same problem: object_id is interpolated without quotes. Note the failure branch as well: a statement that fails to parse echoes the full SQL and the database error message back to the caller, which makes error-based extraction straightforward. Request URL:
userweb/outbound.php?module=ajax&action=GetObjectList&object_id=1

[screenshot: 10.png]

[screenshot: 11.png]


5. Vulnerable file:
Userweb/php/outbound/ajax.class.php

    public function showGetProductClass( )
    {
        $db = $this->loadDB( );
        $parentid = $_REQUEST['parentid'];   // attacker-controlled
        if ( empty( $parentid ) )
        {
            echo "0";
            exit( );
        }
        $list = $this->getProductClass( $parentid );
        echo json_encode( $list );
        exit( );
    }

Follow it into getProductClass():

    protected function getProductClass($parentid = 0) {
        $db = $this->loadDB();
        // sink: $parentid is interpolated without quotes
        $sql = "SELECT classid, classname FROM stdout_product_class WHERE parentid={$parentid} ORDER BY orderid ASC, classid DESC";
        $rs = $db->Execute($sql);
        $list = array();
        while (!$rs->EOF) {
            $list[$rs->fields['classid']] = $rs->fields;
            $rs->MoveNext();
        }
        return $list;
    }

Same problem, plain to see. Request URL:
userweb/outbound.php?module=ajax&action=GetProductClass&parentid=1

[screenshot: 12.png]

[screenshot: 13.png]


1. Vulnerable file:
Userweb/php/outbound/ajax.class.php

    public function showGetCanAdjustExten( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];                                   // raw request value
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );    // child ids, comma-terminated
        $list_depart .= "{$dept_id}";                                      // raw dept_id appended unchanged
        $arrFilterExtensions = array( );
        $filter_extensions = $_REQUEST['filter_extensions'];
        if ( !empty( $filter_extensions ) )
        {
            $arrFilterExtensions = explode( ",", $filter_extensions );
        }
        $arrFilterExtensions = array_unique( $arrFilterExtensions );
        $filter_extensions = implode( ",", $arrFilterExtensions );
        $filter_extensions = numbertostring4sql( $filter_extensions );     // this parameter gets a conversion; dept_id does not
        // sink: unquoted IN list that ends with the raw dept_id
        $sql = "SELECT extension, user_name FROM org_user WHERE dept_id in (".$list_depart.") AND extension!='' AND extension IS NOT NULL";
        if ( !empty( $filter_extensions ) )
        {
            $sql .= " AND extension NOT IN (".$filter_extensions.")";
        }
        $list = $db->GetAll( $sql );
        echo json_encode( $list );
        exit( );
    }

dept_id is appended to the department list as-is and ends up inside an unquoted IN ( ... ). Request URL:
userweb/outbound.php?module=ajax&action=GetCanAdjustExten&dept_id=1

[screenshot: 1.png]

[screenshot: 2.png]


2. Vulnerable file:
Userweb/php/index/index.class.php

    public function showAjaxGetExtensByDept( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];                                   // raw request value
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );
        $list_depart .= "{$dept_id}";                                      // raw dept_id appended unchanged
        $sql = "SELECT * FROM org_user WHERE dept_id in (".$list_depart.")";   // sink: unquoted IN list
        $rs = $db->Execute( $sql );
        // ...
    }

Request URL:
userweb/index.php?module=index&action=AjaxGetExtensByDept&dept_id=1

[screenshot: 3.png]

[screenshot: 4.png]


3. Vulnerable file:
Userweb/php/index/index.class.php

    public function showGetExtensionComboByDept( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];                                   // raw request value
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );
        $list_depart .= "{$dept_id}";                                      // raw dept_id appended unchanged
        $sql = "SELECT extension, user_name FROM org_user WHERE dept_id in (".$list_depart.")";   // sink: unquoted IN list
        $rs = $db->Execute( $sql );
        // ...
    }

Request URL:
userweb/index.php?module=index&action=GetExtensionComboByDept&dept_id=1

[screenshot: 5.png]

[screenshot: 6.png]


4. Vulnerable file:
Userweb/php/index/log.class.php

    public function showExportword( )
    {
        $userinfo = $_SESSION['userinfo'];
        $author_id = $userinfo['extension'];
        $sql = "select a.log_id,a.date,log_type,log_title,log_content from crm_oa_worklog a left join crm_oa_log_attachments b on a.log_id=b.log_id";
        $start_time = strtotime( $_POST['start_date'] );
        $end_time = strtotime( $_POST['end_date'] );
        // ... unrelated code omitted
        if ( $_POST['log_type'] != 0 )
        {
            // sink: log_type is concatenated without quotes into a WHERE fragment
            $log_type = "`log_type` = ".$_POST['log_type'];
        }
        // ... unrelated code omitted
        $sql .= " group by a.log_id order by a.date desc ";
        $db = $this->loadDB( );
        // ...
    }

This is a POST-based injection in log_type; the value is not quoted, so GPC is irrelevant. The != 0 guard is a loose comparison and only requires that the value not compare equal to 0, which a payload beginning with a non-zero digit satisfies.
Request:

[screenshot: 7.png]

Capture the request and feed it to sqlmap:

[screenshot: 8.png]

[screenshot: 9.png]

[screenshot: 10.png]


5. Vulnerable file:
Userweb/php/index/log.class.php

    public function showExport_com_word( )
    {
        // the filename prefix is a mis-encoded Chinese literal in the source (only its last character, 志, survives)
        $filename = "...".date( "Y-m-d", time( ) ).".doc";
        header( "Content-type:application/vnd.ms-word" );
        header( "Content-Disposition:filename=".$filename );
        $sql = "select a.log_id,a.date,log_type,log_title,log_content from crm_oa_worklog a left join crm_oa_log_attachments b on a.log_id=b.log_id";
        $start_time = strtotime( $_POST['start_date'] );
        $end_time = strtotime( $_POST['end_date'] );
        // ... unrelated code omitted
        if ( $_POST['log_type'] != 0 )
        {
            // sink: same unquoted log_type concatenation as showExportword()
            $log_type = "`log_type` = ".$_POST['log_type'];
        }
        // ...
    }

The same POST injection as the previous handler.

[screenshot: 11.png]

Capture the request and feed it to sqlmap:

[screenshot: 12.png]

[screenshot: 13.png]


6. Vulnerable file:
Userweb/php/index/Outbound.class.php

    public function showAjaxOptions( )
    {
        varfilter( $_REQUEST );           // return value discarded: $_REQUEST is left unfiltered
        extract( $_REQUEST );             // every request parameter becomes a local variable
        // as decompiled; the repeated argument is typical decompiler output, and the working
        // URL below (which does set topic_id) implies the intended condition was !isset()
        if ( isset( $_REQUEST['topic_id'], $_REQUEST['topic_id'] ) )
        {
            echo 0;
            exit( );
        }
        $db = $this->loadDB( );
        $sql = "SELECT * FROM out_question_topic WHERE id=".$topic_id;   // sink: unquoted
        $row = $db->GetRow( $sql );
        // ...
    }

The original analysis attributed this to the call being written varfilter() instead of varFilter(), on the theory that PHP on Linux is case-sensitive. That is not the cause: PHP function names are case-insensitive, so the call does reach varFilter(). The real defect is that varFilter() receives its argument by value and returns the filtered copy, and here that return value is thrown away, so $_REQUEST is never modified and extract() populates $topic_id with the raw input. Even a correct call would not help much, since the sink is unquoted and addslashes() only touches quote characters.
Request URL:
userweb/index.php?module=Outbound&action=AjaxOptions&topic_id=1

[screenshot: 14.png]

[screenshot: 15.png]


1. Vulnerable file:
Userweb/php/outbound/agent.class.php

    function showNo()
    {
        $db = $this->loadDB();
        $object_id = varFilter($_REQUEST['object_id']);                     // filtered, but see below
        $sql = "select content from stdout_object where id=$object_id";     // sink: unquoted
        $content = $db->GetOne($sql);
        $this->Tmpl['content'] = varResume($content);
        $this->display();
    }

Here $_REQUEST['object_id'] passes through varFilter(); look at what that function does:

    function varFilter( $fArray )
    {
        if ( is_array( $fArray ) )
        {
            foreach ( $fArray as $_arrykey => $_arryval )
            {
                if ( is_string( $_arryval ) )
                {
                    $fArray[$_arrykey] = trim( nl2br( $fArray[$_arrykey] ) );
                    $fArray[$_arrykey] = htmlspecialchars( $fArray[$_arrykey] );   // < > & " become entities
                    $fArray[$_arrykey] = !get_magic_quotes_gpc( ) ? addslashes( $fArray[$_arrykey] ) : $fArray[$_arrykey];
                    $fArray[$_arrykey] = strip_tags( $fArray[$_arrykey], "<br>" );
                }
                else if ( is_array( $_arryval ) )
                {
                    $fArray[$_arrykey] = varfilter( $_arryval );
                }
            }
            return $fArray;   // a filtered copy is returned; the caller's array is untouched
        }
        $fArray = trim( nl2br( $fArray ) );
        $fArray = htmlspecialchars( $fArray );
        $fArray = !get_magic_quotes_gpc( ) ? addslashes( $fArray ) : $fArray;
        $fArray = strip_tags( $fArray, "<br>" );
        return $fArray;
    }

In effect this is just GPC (addslashes) plus HTML entity encoding. Now the vulnerable statement:

    $sql = "select content from stdout_object where id=$object_id";

The value is not quoted, so the escaping is bypassed. Most functions call $this->publicCheckLogin() to verify the session; some, presumably by omission, do not, so this one can be reached without logging in. This is a blind injection, and because htmlspecialchars() encodes < and >, sqlmap needs --tamper=between --time-sec=5 or similar; without that it only confirms the injection and cannot extract data.
Request URL:
userweb/outbound.php?module=agent&action=No&object_id=1

[screenshot: 1.png]

[screenshot: 2.png]
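The following is an added example, not the vendor's or sqlmap's code. It re-implements varFilter() as shown above so you can predict what reaches an unquoted sink such as "where id=$object_id", and it serves two passages of this report: the discarded-return-value bug in showAjaxOptions() (Outbound.class.php, item 6 above) and the --tamper=between requirement explained for showNo(). Assumptions: get_magic_quotes_gpc() no longer exists in PHP 8, so addslashes() is applied unconditionally (which is what happens to the input either way: with GPC on, PHP slashed it on arrival; with GPC off, varFilter slashes it); ENT_COMPAT reproduces the PHP 5 default of htmlspecialchars(), which leaves single quotes alone; betweenTamper() is a simplified re-implementation of the rewrite sqlmap's between.py performs for integer operands, not sqlmap's code.

```php
<?php
// Added example, not the vendor's code: emulate varFilter() and test which
// probes survive it in an unquoted numeric context.
declare(strict_types=1);

function varFilterScalar(string $v): string
{
    $v = trim(nl2br($v));
    $v = htmlspecialchars($v, ENT_COMPAT);   // < > & " become entities; ' is left alone (PHP 5 default)
    $v = addslashes($v);                      // ' " \ NUL get a backslash (what GPC did in 2016)
    return strip_tags($v, '<br>');
}

/** Array form, mirroring the original: a NEW array is returned, the argument is untouched. */
function varFilterArray(array $in): array
{
    foreach ($in as $k => $v) {
        $in[$k] = is_array($v) ? varFilterArray($v) : (is_string($v) ? varFilterScalar($v) : $v);
    }
    return $in;
}

/** True when the filter passes the payload through byte-for-byte. */
function survives(string $payload): bool
{
    return varFilterScalar($payload) === $payload;
}

/**
 * Rewrite comparisons so that no '<' or '>' character is needed (integer operands):
 *   A > B  ->  A NOT BETWEEN 0 AND B
 *   A = B  ->  A BETWEEN B AND B
 * Simplified version of what sqlmap's between tamper does; not sqlmap's code.
 */
function betweenTamper(string $payload): string
{
    $payload = preg_replace('/([\w)]+)\s*>\s*(\w+)/', '$1 NOT BETWEEN 0 AND $2', $payload);
    return preg_replace('/([\w)]+)\s*=\s*(\w+)/', '$1 BETWEEN $2 AND $2', $payload);
}

// 1. Why "varfilter($_REQUEST);" in showAjaxOptions() filters nothing. PHP function
//    names are case-insensitive, so the call resolves; the problem is that the
//    argument is passed by value and the filtered copy it returns is discarded.
$request = ['topic_id' => '1 OR 1=1'];
varFilterArray($request);                                  // as in the original: result dropped
echo 'discarded call left the payload intact: ', var_export($request['topic_id'] === '1 OR 1=1', true), PHP_EOL;
$request = varFilterArray($request);                       // the assignment the original lacks
echo 'after a correct call it is still: ', $request['topic_id'], PHP_EOL;   // nothing to escape in a quote-free payload

// 2. Which probes survive the filter in a numeric context (constructed inputs).
$probes = [
    '1 AND 1=1',             // boolean-based: passes
    '1 AND SLEEP(5)',        // time-based: passes (hence --time-sec=5)
    '1 AND 2>1',             // '>' becomes &gt; and the statement breaks
    "1 AND 'a'='a'",         // quotes become \' : broken
    '1 AND (SELECT 1)>0',    // subquery compared with '>': broken
];
foreach ($probes as $p) {
    printf("%s  %-22s -> %s\n", survives($p) ? 'passes ' : 'mangled', $p, varFilterScalar($p));
}

// 3. The between rewrite keeps the semantics and drops the offending characters.
foreach (['1 AND 2>1', '1 AND (SELECT 1)>0'] as $p) {
    $t = betweenTamper($p);
    printf("%s  %-22s -> %s\n", survives($t) ? 'passes ' : 'mangled', $p, $t);
}
```

Run it with php on the command line. The point of part 2 is that the filter is irrelevant to quote-free boolean and time-based probes, and part 3 shows why --tamper=between is enough to get sqlmap past the entity encoding without touching the rest of its payload generation.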


2. Vulnerable file:
Userweb/php/outbound/agent.class.php

    public function showEditTask()
    {
        $db = $this->loadDB();
        $_REQUEST = varFilter($_REQUEST);
        extract($_REQUEST);                    // every request parameter becomes a local variable
        // ... unrelated code omitted
        // sink: both the table name and the id are interpolated without quotes
        $sql = "SELECT SQL_NO_CACHE customer_id, call_status FROM {$table} WHERE id={$task_id}";
        $rowTask = $db->GetRow($sql);
        if (!$rowTask) exit('error.');
        // ...
    }

The lever here is variable overwrite:

    $_REQUEST = varFilter($_REQUEST);
    extract($_REQUEST);

Because of extract(), a GET request carrying table=stdout_task&task_id=2 overwrites both $table and $task_id. It is again a blind injection, and neither value is quoted:

    $sql = "SELECT SQL_NO_CACHE customer_id, call_status FROM {$table} WHERE id={$task_id}";

Note that $table must name a table that actually has customer_id and call_status columns, or nothing comes back. The URL I used:
userweb/outbound.php?module=agent&action=EditTask&table=stdout_task&task_id=1

[screenshot: 3.png]

[screenshot: 4.png]
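The following is an added example, not the vendor's code: the loading step of showEditTask() in its original extract($_REQUEST) shape beside a hardened version, which also applies to the same pattern in showQuestion() and showAjaxTopic() later in this report. FakeDb stands in for ADOdb's GetRow($sql, $inputarr) and records the statement instead of running it. The 'kind' request parameter and the second table name in the map are hypothetical, introduced only to show how a client-chosen key maps onto server-owned identifiers.

```php
<?php
// Added example, not the vendor's code: extract()-driven table/id overwrite
// next to a whitelist-and-bind replacement.
declare(strict_types=1);

final class FakeDb
{
    public array $log = [];

    public function GetRow(string $sql, array $params = []): ?array
    {
        $this->log[] = [$sql, $params];
        return null;                       // no rows: this demo only inspects the SQL
    }
}

/** Original shape: $table and $task_id are whatever the client sent, because extract() overwrites them. */
function loadTaskVulnerable(array $request): string
{
    $table = 'stdout_task';                // whatever the omitted code assigned beforehand
    $task_id = 0;
    extract($request);                     // EXTR_OVERWRITE is the default: the request wins
    return "SELECT SQL_NO_CACHE customer_id, call_status FROM {$table} WHERE id={$task_id}";
}

/** Hardened: the client picks a key from a fixed map and never names a table; the id is validated and bound. */
const TASK_TABLES = [
    'task'    => 'stdout_task',
    'preview' => 'stdout_task_preview',    // hypothetical second table, to show the map idea
];

function loadTaskSafe(FakeDb $db, array $request): ?array
{
    $table = TASK_TABLES[$request['kind'] ?? 'task'] ?? null;
    if ($table === null) {
        throw new InvalidArgumentException('unknown task kind');
    }
    $taskId = filter_var($request['task_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($taskId === false) {
        throw new InvalidArgumentException('task_id must be a positive integer');   // "1 AND SLEEP(5)" stops here
    }
    // identifier comes from our own constant (backtick-quoted); the value is a bound parameter
    return $db->GetRow("SELECT SQL_NO_CACHE customer_id, call_status FROM `{$table}` WHERE id=?", [$taskId]);
}

// Constructed requests: the report's working shape with a tampered id, and a clean one.
$tampered = ['table' => 'stdout_task', 'task_id' => '1 AND SLEEP(5)'];
echo loadTaskVulnerable($tampered), PHP_EOL;   // the payload is now part of the statement

$db = new FakeDb();
foreach ([['kind' => 'task', 'task_id' => '1'], $tampered] as $req) {
    try {
        loadTaskSafe($db, $req);
        echo 'accepted: ', json_encode($req), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($req), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
foreach ($db->log as [$sql, $params]) {
    echo $sql, '   bound: ', json_encode($params), PHP_EOL;
}
```

The hardened function ignores a client-supplied table parameter entirely: there is no local variable for it to overwrite, and the only identifier that reaches the statement is taken from TASK_TABLES.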


3. Vulnerable file:
Userweb/php/outbound/agent.class.php

    public function showQuestion()
    {
        $db = $this->loadDB();
        $_REQUEST = varFilter($_REQUEST);
        extract($_REQUEST);                    // every request parameter becomes a local variable
        if (empty($qnid)) {
            // message restored from mis-encoded GBK in the source: "Operation failed: bad qnid parameter."
            goBack(c('操作失败：传参qnid错误.'), 'exit');
        }
        $row_qn = $this->getQn($qnid);
        // ...
    }

Go to the base class, /php/outbound/public.class.php, and look at getQn():

    function getQn($qnid)
    {
        $db = $this->loadDB();
        $sql = "select * from stdout_qn where id=$qnid";   // sink: unquoted
        $row = $db->GetRow($sql);
        return $row;
    }

Again $qnid is unquoted, and extract($_REQUEST) lets us set it directly.
Request URL:
userweb/outbound.php?module=agent&action=Question&qnid=12

[screenshot: 5.png]

[screenshot: 6.png]


4. Vulnerable file:
Userweb/php/outbound/agent.class.php

    function showAjaxCheckNextQuestion()
    {
        $db = $this->loadDB();
        $qid = varFilter($_REQUEST['qid']);       // filtered, but used unquoted below
        $qnid = varFilter($_REQUEST['qnid']);
        $answer = varFilter($_REQUEST['answer']);
        $row_question = $this->getQuestion($qid);
        echo $this->isExistNextQuestion($row_question, true, $answer) ? 'true' : 'false';
    }

Straight to getQuestion():

    protected function getQuestion($qid)
    {
        $db = $this->loadDB();
        $sql = "select * from stdout_question where id=$qid and is_deleted=0";   // sink: unquoted
        $row = $db->GetRow($sql);
        return $row;
    }

Request URL:
userweb/outbound.php?module=agent&action=AjaxCheckNextQuestion&qid=1

[screenshot: 7.png]

[screenshot: 8.png]


1. Vulnerable file:
Userweb/php/outbound/object.class.php

    function showObjectPause() {
        $exten_object_id = varFilter($_REQUEST['id']);   // filtered, but used unquoted below
        $db = $this->loadDB();
        $sql = "select object_id, run_status from stdout_exten_object where id={$exten_object_id}";   // sink: unquoted
        // ... omitted
    }

varFilter() is the function shown earlier (htmlspecialchars plus addslashes plus strip_tags). Its only restrictions are the entity encoding and GPC-style slashing; the id is not quoted, so GPC is bypassed. When running sqlmap remember --tamper=between, or no data comes out.
Request URL:
userweb/outbound.php?module=object&action=ObjectPause&id=1

[screenshot: 1.png]

[screenshot: 2.png]


2. Vulnerable file:
Userweb/php/outbound/object.class.php

    function showObjectStop() {
        $exten_object_id = varFilter($_REQUEST['id']);   // filtered, but used unquoted below
        $db = $this->loadDB();
        $sql = "select object_id, run_status from stdout_exten_object where id={$exten_object_id}";   // sink: unquoted
        // ... omitted
    }

Same problem as above.
Request URL:
userweb/outbound.php?module=object&action=ObjectStop&id=1

[screenshot: 3.png]

[screenshot: 4.png]


3. Vulnerable file:
Userweb/php/outbound/report.class.php

    function showAjaxGetIvrTotal()
    {
        $db = $this->loadDB();
        $_REQUEST = varFilter($_REQUEST);
        $object_id = $_REQUEST['object'];
        $ivr_id = $_REQUEST['ivr_id'];
        $fromdate = $_REQUEST['fromdate'];
        $todate = $_REQUEST['todate'];
        // ... unrelated code omitted
        $sql = "SELECT * FROM ss_ivr_dests WHERE ivr_id={$ivr_id} ORDER BY selection ASC";   // sink: unquoted
        $rs = $db->GetArray($sql);
        // ...
    }

Request URL: userweb/outbound.php?module=report&action=AjaxGetIvrTotal&ivr_id=1

[screenshot: 5.png]

[screenshot: 6.png]


4. Vulnerable file:
Userweb/php/index/crmManager.class.php

    public function showAjaxGetTransferLogDetail( )
    {
        $db = $this->loadDB( );
        // sink: the raw request value is concatenated without quotes or any filtering
        $sql = "SELECT content FROM log_customer_transfer WHERE id=".$_REQUEST['id'];
        $content = $db->GetOne( $sql );
        $content = str_replace( "\r\n", "<br/>", $content );
        echo $content;
        exit( );
    }

Request URL:
userweb/index.php?module=crmManager&action=AjaxGetTransferLogDetail&id=1

[screenshot: 7.png]

[screenshot: 8.png]


5. Vulnerable file:
Userweb/php/index/fieldConfig.class.php

    function showeditField(){
        if( isset($_GET['id']) && !empty( $_GET['id'] ) ){
            $id = $_GET['id'];                                  // raw GET value
        }else{
            goBack("来路不明","close");                         // "unknown origin"
        }
        $db = $this->loadDB();
        $sql = "SELECT * FROM crm_fields_options WHERE id=".$id;   // sink: unquoted
        $field = $db->GetRow( $sql );
        $this->Tmpl['field'] = $field;
        $this->display();
    }

Request URL:
userweb/index.php?module=fieldConfig&action=editField&id=1

[screenshot: 9.png]

[screenshot: 10.png]


1. Vulnerable file:
Userweb/php/index/log.class.php

    public function showDelete( )
    {
        $str = $_GET['delete_str'];                         // raw GET value
        $mark = $_GET['mark'];
        $str = substr_replace( $str, "", -1, 1 );           // drop the last character (a trailing comma is expected)
        $array = explode( ",", $str );
        $j = count( $array );
        $db = $this->loadDB( );
        $i = 0;
        for ( ; $i < $j; ++$i )
        {
            // this lookup is single-quoted, so GPC protects it; it is not the sink
            $sqll = "select filename,date from crm_oa_log_attachments where log_id='".$array[$i]."'";
            $result = mysql_query( $sqll );
            while ( $row = mysql_fetch_array( $result ) )
            {
                $row['date'] = date( "Ym", $row['date'] );
                $filename = "data/diary/".$row['date']."/".$row['filename'];
                @unlink( $filename );
            }
        }
        // sinks: the raw list is interpolated without quotes into three DELETE statements
        $sql = "DELETE FROM `crm_oa_worklog` WHERE `log_id` in (".$str.")";
        $sq = "DELETE FROM `crm_oa_log_attachments` WHERE `log_id` in (".$str.")";
        $s = "delete from `crm_oa_log_comments` where `log_id` in (".$str.")";
        if ( $db->Execute( $sql ) && $db->Execute( $sq ) && $db->Execute( $s ) )
        {
            goback( c( "删除成功！" ), "index.php?module=log&action=".$mark );   // message restored from mis-encoded GBK: "deleted successfully"
        }
        else
        {
            goback( c( "删除失败!" ) );                                          // "delete failed"
        }
    }

The parameter is delete_str. Because this was not suitable for a local set-up, I ran it against a live case, after checking in advance that the tables were empty; otherwise running an injection through these DELETE statements would have ended badly. Note that every probe sent to this endpoint executes inside three DELETE statements, so any boolean-based payload that evaluates true against real data destroys rows; verify against an empty table or not at all.
Request URL:
userweb/index.php?module=log&action=Delete&delete_str=1

[screenshot: 1.png]

[screenshot: 2.png]


2. Vulnerable file:
Userweb/php/index/mobileApi.class.php

    public function showGetSessionsByImUser( )
    {
        $loginId = trim( $_REQUEST['loginId'] );             // only trimmed
        $db_mobile = $this->loadDBMobile( );
        $db_mobile->Execute( "SET NAMES UTF8" );
        $sql = "call proc_im_getsessions(".$loginId.");";    // sink: unquoted argument to a stored-procedure CALL
        $res = $db_mobile->Execute( $sql );
        // ...
    }

Request URL: userweb/index.php?module=mobileApi&action=GetSessionsByImUser&loginId=1

[screenshot: 3.png]

[screenshot: 4.png]


3. Vulnerable file:
Userweb/php/index/Outbound.class.php

    public function showAjaxTopic( )
    {
        varfilter( $_REQUEST );        // return value discarded: $_REQUEST is left unfiltered
        extract( $_REQUEST );          // every request parameter becomes a local variable
        $db = $this->loadDB( );
        // both guards as decompiled; the repeated arguments are typical decompiler output and the
        // working URL below (which sets all of these parameters) implies the intended checks were !isset()
        if ( isset( $_REQUEST['ques_id'], $_REQUEST['ques_id'] ) )
        {
            echo 0;
            exit( );
        }
        if ( isset( $_REQUEST['topic_id'], $_REQUEST['topic_id'], $_REQUEST['parent_topic_id'], $_REQUEST['parent_topic_id'] ) )
        {
            echo 0;
            exit( );
        }
        // sinks: task_id and id are unquoted; custom_contact is quoted (GPC covers it)
        $sql = "SELECT id FROM out_question_answer WHERE task_id=".$task_id." AND ques_id={$id} AND custom_contact='{$number}'";
        $quAnsId = $db->GetOne( $sql );
        // sinks: task_id, id, topic_id unquoted
        $sql = "SELECT * FROM out_question_answer_context\r\n\t\t\t\tWHERE task_id=".$task_id." AND ques_id={$id} AND topic_id={$topic_id} AND ques_ans_id={$quAnsId}";
        $answerRow = $db->GetRow( $sql );
        if ( isset( $_REQUEST['parent_topic_id'], $_REQUEST['parent_topic_id'] ) )
        {
            // sinks: ques_id, parent_topic_id unquoted
            $sql = "SELECT * FROM out_question_topic\r\n WHERE ques_id=".$ques_id." AND parent_topic_id={$parent_topic_id} AND parent_option='{$parent_option}'";
            $row = $db->GetRow( $sql );
            if ( !empty( $row ) )
            {
                $row['m'] = $method;
                $row['parent_id'] = 1;
                $row['answer'] = $answerRow['option_context'];
                $row['other_answer'] = $answerRow['other_answer'];
                echo json_encode( $row );
                exit( );
            }
        }
        // sinks: topic_id, ques_id unquoted
        $sql = "SELECT * FROM out_question_topic WHERE id=".$topic_id." AND ques_id={$ques_id}";
        $row = $db->GetRow( $sql );
        $row['m'] = $method;
        $row['parent_id'] = 0;
        $row['answer'] = $answerRow['option_context'];
        $row['other_answer'] = $answerRow['other_answer'];
        echo json_encode( $row );
        exit( );
    }

extract( $_REQUEST ) causes the variable overwrite here, and as in showAjaxOptions() the varfilter() result is thrown away, so the extracted values are raw.
Request URL:
userweb/index.php?module=Outbound&action=AjaxTopic&ques_id=1&topic_id=1&parent_topic_id=1&task_id=1

[screenshot: 5.png]

[screenshot: 6.png]


The id, topic_id, parent_topic_id and ques_id parameters are injectable in the same way (four more points).

4. Vulnerable file:
Userweb/php/index/seatMonitor.class.php

    function showDaPingNotify()
    {
        $db = $this->loadDB();
        $id_array = array();
        $id = $_REQUEST['id'];                 // raw request value
        $id_array = explode(",",$id);          // split, but the unsplit string is what gets used
        // fetch the notice content (comment restored from mis-encoded GBK)
        $sql = "SELECT * FROM crm_notify where nid in (".$id.")";   // sink: unquoted IN list
        $tmp_result = $db->GetAll( $sql );
        // ...
    }

Request URL:
userweb/index.php?module=seatMonitor&action=DaPingNotify&id=1

[screenshot: 7.png]

[screenshot: 8.png]


Proof of concept:

[screenshot: 4.png]

[screenshot: 7.png]

Remediation:

Add the missing publicCheckLogin() calls to every handler; validate numeric parameters by casting them to integers or, better, bind them with parameterised queries; do not rely on wrapping values in single quotes so that magic_quotes_gpc escapes them (magic quotes were removed in PHP 5.4, and the unquoted sinks above show how easily that control is sidestepped); and stop using extract($_REQUEST), which lets clients overwrite arbitrary local variables, table names included.

Copyright: when reproducing, credit Bear baby@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: High

Rank: 14

Confirmed: 2016-04-11 15:54

Vendor reply:

CNVD confirmed and reproduced the described issues and has notified the software vendor by e-mail through its public contact channel; the vendor will provide a fix and coordinate remediation with the affected user organisations.

Latest status:

None yet