rockoa某处sql注入可shell | wooyun-2015-0157921

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0157921

漏洞标题：

rockoa某处sql注入可shell

漏洞详情

披露状态：

2015-12-03：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-01-17：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

在官网下了个最新版，然后在webrock\webim\record目录下，recordAction.php代码：

public function dataAjax()
	{
		$atype = $this->request('atype');
		$sid   = $this->request('sid');
		$aid   = $this->request('aid');
		$page  = (int)$this->request('page', '1');
		$fen	= 20;
		$whes	= $this->rock->dbinstr('receuid', $aid);
		$where 	= "";
		if($atype == 'user'){
			$where = "and ((`sendid`=$aid and `receid`=$sid) or (`sendid`=$sid and `receid`=$aid))";
		}
		if($atype == 'group' || $atype == 'system' || $atype == 'dept'){
			$where = "and `receid`=$sid and $whes ";
		}
		
		$count  = m('im_mess')->rows("`type`='$atype' $where");
		$maxpage= ceil($count / $fen);
		
		$sql	= "select * from [Q]im_mess where `type`='$atype' $where order by `id` desc limit ".(($page-1)*$fen).",$fen"; //没有过滤就执行了
		$rows   = $this->db->getall($sql);
		
		if($atype != 'system'){
			$snid 	= '0'; 
			foreach($rows as $k=>$rs){
				$snid .=','.$rs['sendid'];
			}
			if($snid != '0'){
				$uarr = m('admin')->getall("`id` in($snid)", '`id`,`name`,`face`');
				$_ursa= array();
				foreach($uarr as $k=>$rs){
					$rs['face'] = $this->rock->repempt($rs['face'], 'images/im/user100.png');
					$_ursa[$rs['id']] = $rs;
				}
				foreach($rows as $k=>$rs){
					$rows[$k]['sendname'] = $_ursa[$rs['sendid']]['name'];
					$rows[$k]['sendface'] = $_ursa[$rs['sendid']]['face'];
				}
			}
		}else{
			foreach($rows as $k=>$rs){
				$rows[$k]['sendname'] = '';
				$rows[$k]['sendface'] = 'images/im/shezhi_blue.png';
			}
		}
		
		echo json_encode(array(
			'data'	=> $rows,
			'count'	=> $count,
			'page'	=> $page,
			'maxpage' => $maxpage
		));
	}

sql语句没有过滤就执行了，可以直接用sqlmap跑出来

漏洞证明：

拿官网demo做演示：
其绝对路径可以由报错知道：

然后sqlmap：

其实已经传上去了

**.**.**.**/help1.php 密码 b374k

修复方案：

过滤

版权声明：转载请注明来源 range@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

WooYun.org

漏洞概要 关注数(24) 关注此漏洞