当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0107491

漏洞标题:创想oa二次注入

相关厂商:天生创想oa

漏洞作者: also

提交时间:2015-04-27 16:27

修复时间:2015-07-29 10:38

公开时间:2015-07-29 10:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-27: 细节已通知厂商并且等待厂商处理中
2015-04-30: 厂商已经确认,细节仅向厂商公开
2015-05-03: 细节向第三方安全合作伙伴开放
2015-06-24: 细节向核心白帽子及相关领域专家公开
2015-07-04: 细节向普通白帽子公开
2015-07-14: 细节向实习白帽子公开
2015-07-29: 细节向公众公开

简要描述:

过份相信从数据库里面取出的数据造成sql注入

详细说明:

elseif ($do == 'add') {
	
	if($_POST['view']!=''){
		$id = getGP('id','P','int');
		if($id!=''){
			$title = check_str(getGP('title','P'));
			$subject = check_str(getGP('subject','P'));
			$content = getGP('content','P');
			$attendance = getGP('participation','P');
			$startdate = getGP('startdate','P')." ".getGP('starttime1','P').":".getGP('starttime2','P');
			$enddate = getGP('enddate','P')." ".getGP('endtime1','P').":".getGP('endtime2','P');
			$conferenceroom = getGP('conferenceroom','P');
			$otype = getGP('otype','P');
			$staffidsms=getGP('staffid','P');
			$conference = array(
				'title' => $title,
				'subject' => $subject,
				'content' => $content,
				'attendance' => $attendance,
				'startdate' => $startdate,
				'enddate' => $enddate,
				'conferenceroom' => $conferenceroom,
				'otype' => $otype
			);
                        #print_r($conference);exit;
			update_db('conference',$conference, array('id' => $id));
			$content='';
			$content=serialize($conference);
			$title='编辑会议信息';
			get_logadd($id,$content,$title,19,$_USER->id);
			
		}else{
			$title = check_str(getGP('title','P'));
			$subject = check_str(getGP('subject','P'));
			$content = getGP('content','P');
			$appperson = check_str(getGP('apppersonid','P'));
			$recorduser = check_str(getGP('recorduserid','P'));
			$date = get_date('Y-m-d H:i:s',PHP_TIME);
			$attendance = check_str(getGP('participation','P'));
			$startdate = getGP('startdate','P')." ".getGP('starttime1','P').":".getGP('starttime2','P');
			$enddate = getGP('enddate','P')." ".getGP('endtime1','P').":".getGP('endtime2','P');
			$conferenceroom = check_str(getGP('conferenceroom','P'));
			$type = 1;
			$otype = getGP('otype','P');
			$staffid = getGP('staffidid','P'); //漏洞的开始在这里形成  getGP函数只是进行了简单过滤将敏感字符替换为空如select等 绕过方法有大小写绕过和seselctlectd等这样的方法
			$uid=$_USER->id;
			$apppersonsms=check_str(getGP('appperson','P'));
			$staffidsms=check_str(getGP('staffid','P'));
			$conference = array(
				'title' => $title,
				'subject' => $subject,
				'content' => $content,
				'appperson' => $appperson,
				'recorduser' => $recorduser,
				'date' => $date,
				'attendance' => $attendance,
				'startdate' => $startdate,
				'enddate' => $enddate,
				'conferenceroom' => $conferenceroom,
				'type' => $type,
				'staffid' => $staffid,
				'uid' => $uid,
				'otype' => $otype
			);
			insert_db('conference',$conference); //将$conference的数据插入到conference数据库中 value内容可控但是被转义,没有关系插入到数据库里面后会反转义一次
			$id=$db->insert_id();
			if(getGP('sms_info_box_appperson','P')!=''){
				$content='';
				$content=$apppersonsms.':您申请的会议室己经提交,请注意查看!';
				$content.='<a href="admin.php?ac='.$ac.'&fileurl='.$fileurl.'&do=views';
				$content.='&id='.$id.'">点击查看>></a>';
				SMS_ADD_POST($apppersonsms,$content,0,0,$_USER->id);
			}
			if(getGP('sms_phone_box_appperson','P')!=''){
				$content='';
				$content=$apppersonsms.':您申请的会议室己经提交,请登录OA进行查看!';
				PHONE_ADD_POST(getGP('apppersonphone','P'),$content,$apppersonsms,0,0,$_USER->id);
			}
			//出席人员
			if(getGP('sms_info_box_participation','P')!=''){
				$content='';
				$content='您有一个会议需要出席,申请人是:"'.$apppersonsms.'",请注意查看会议出席时间!<a href="admin.php?ac='.$ac.'&fileurl='.$fileurl.'&do=views&id='.$id.'">点击查看>></a>';
				
				SMS_ADD_POST($attendance,$content,0,0,$_USER->id);
			}
			
			if(getGP('sms_phone_box_participation','P')!=''){
				$content='';
				$content='您有一个会议需要出席,申请人是:"'.$apppersonsms.'",请登录OA查看会议出席时间!';
				PHONE_ADD_POST(getGP('participationphone','P'),$content,$attendance,0,0,$_USER->id);
			}
			//审批人员
			if(getGP('sms_info_box_staffid','P')!=''){
				$content='';
				$content=$staffidsms.':有一个会议申请需要您审批,申请人是:"'.$apppersonsms.'",请进入会议管理进行审批!<a href="admin.php?ac='.$ac.'&fileurl='.$fileurl.'&do=views&id='.$id.'">点击审批>></a>';
				
				SMS_ADD_POST($staffidsms,$content,0,0,$_USER->id);
			}
			
			if(getGP('sms_phone_box_staffid','P')!=''){
				$content='';
				$content=$staffidsms.':有一个会议申请需要您审批,申请人是:"'.$apppersonsms.'",请登录OA进行审批!';
				PHONE_ADD_POST(getGP('staffidphone','P'),$content,$staffidsms,0,0,$_USER->id);
			}
			$content='';
			$content=serialize($conference);
			$title='新增会议信息';
			get_logadd($id,$content,$title,19,$_USER->id);
		}
		show_msg('会议信息操作成功!', 'admin.php?ac='.$ac.'&fileurl='.$fileurl.'');
	}else{
		$id = getGP('id','G','int');
		if($id!=''){
			get_key("istration_conference_edit");
			$user = $db->fetch_one_array("SELECT * FROM ".DB_TABLEPRE."conference  WHERE id = '$id'");
			$startdate=explode(' ',$user['startdate']);
			$starttime=explode(':',$startdate[1]);
			$enddate=explode(' ',$user['enddate']);
			$endtime=explode(':',$enddate[1]);
			$_title['name']='编辑';
		}else{ 
			get_key("istration_conference_Increase");
			$startdate=explode(' ',get_date('Y-m-d H:i:s',PHP_TIME));
			$starttime=explode(':',$startdate[1]);
			$enddate=explode(' ',get_date('Y-m-d H:i:s',PHP_TIME));
			$endtime=explode(':',$enddate[1]);
			$_title['name']='发布';
		}
		include_once('template/conferenceadd.php');
		
	}
}
QQ截图20150412175037.jpg




308行
else{
			if($id!=''){
				$blog = $db->fetch_one_array("SELECT * FROM ".DB_TABLEPRE."conference  WHERE id = '$id'"); //取出conference表内所以的信息给$blog 
				$record = $db->fetch_one_array("SELECT * FROM ".DB_TABLEPRE."conference_record  WHERE conferenceid = '$id'");
				$_title['name']='[会议信息浏览]';
			}
		}
		include_once('template/conferenceviews.php'); //包含这个文件,跟进
		
<form name="save" method="post" action="?ac=<?php echo $ac?>&fileurl=<?php echo $fileurl?>&do=views">
	<input type="hidden" name="view" value="edit" />
	<input type="hidden" name="bbsid" value="<?php echo $blog['id']?>" />
	<input type="hidden" name="author" value="<?php echo get_realname($_USER->id)?>" />
<table class="TableBlock" border="0" width="90%" align="center" style="border-bottom:#4686c6 solid 0px;">
		<tr>
			<td nowrap class="TableContent" width="90">申请时间:</td>
			  <td class="TableData">
					<?php echo $blog['date']?>				</td>  	  	
		</tr>
		
		<tr>
      <td nowrap class="TableContent"> 申请人:</td>
      <td class="TableData"><?php echo get_realname($blog['appperson'])?>  同样存在漏洞但是因字节数有限不好利用	   </td>
    </tr>
	<tr>
			<td nowrap class="TableContent" width="90">名称:</td>
			  <td class="TableData">
					<?php echo $blog['title']?>				</td>  	  	
		</tr>
		<tr>
			<td nowrap class="TableContent" width="90">主题:</td>
			  <td class="TableData">
					<?php echo $blog['subject']?>				</td>  	  	
		</tr>
		<tr>
			<td nowrap class="TableContent" width="90">出席人员:</td>
			  <td class="TableData">
					<?php echo $blog['attendance']?>				</td>  	  	
		</tr>
		<tr>
			<td nowrap class="TableContent" width="90">会议开始时间:</td>
			  <td class="TableData">
					<?php echo $blog['startdate']?>				</td>  	  	
		</tr>
		<tr>
			<td nowrap class="TableContent" width="90">会议结束时间:</td>
			  <td class="TableData">
					<?php echo $blog['enddate']?>				</td>  	  	
		</tr>
		<tr>
			<td nowrap class="TableContent" width="90">会议室:</td>
			  <td class="TableData">
					<?php echo get_typename($blog['conferenceroom'])?>	同样存在漏洞但是因字节数有限不好利用				</td>  	  	
		</tr>
		<tr>
			<td nowrap class="TableContent" width="90">分类:</td>
			  <td class="TableData">
					<?php echo get_typename($blog['otype'])?>		同样存在漏洞但是因字节数有限不好利用			</td>  	  	
		</tr>
		<tr>
			<td nowrap class="TableContent" width="90">记录人员:</td>
			  <td class="TableData">
					<?php echo get_realname($blog['recorduser'])?>	同样存在漏洞但是因字节数有限不好利用			</td>  	  	
		</tr>
		<tr>
			<td nowrap class="TableContent" width="90">审批人员:</td>
			  <td class="TableData">
					<?php echo get_realname($blog['staffid'])?>	把$blog['staffid']带入到get_realname 方法中		代码如下:
function get_realname($id=0){
	if($id!=0){
		global $db;
		$sql = "SELECT name FROM ".DB_TABLEPRE."user_view where uid='".$id."'  ORDER BY uid desc limit 0,1"; //没有任何过滤将$id($blog['staffid'])带入到sql语句中
		$row = $db->fetch_one_array($sql);
		if($row['name']!=''){
			return $row['name'];
		}
	}
}
					</td>  	  	
		</tr>
		
	
	
	</table>	
	<table  width="90%" style="border-left:#4686c6 solid 1px;border-right:#4686c6 solid 1px;border-bottom:#4686c6 solid 1px;" align="center">
	<tr>
      <td colspan="2" bgcolor="#FFFFFF" style="padding:20px 20px 20px 20px;"><?php echo $blog['content']?> </td>
    </tr>
	</table>	
	
	
<?if($record['rid']!=''){?>	
	
<table width="90%" border="0" align="center" cellpadding="3" cellspacing="0" class="small" style='margin-top:30px;'>
  <tr>
    <td class="Big"><img src="template/default/content/images/notify_new.gif" align="absmiddle"><span class="big3"> 会议总结</span>
    </td>
  </tr>
</table>
<table class="TableBlock" border="0" width="90%" align="center" style="border-bottom:#4686c6 solid 0px;">
		<tr>
			<td nowrap class="TableContent" width="120">总结时间:</td>
			  <td class="TableData">
					<?php echo $record['date']?>				</td>  	  	
		</tr>
		<tr>
      <td nowrap class="TableContent"> 具体出席参会人员:</td>
      <td class="TableData"><?php echo $record['attendance']?>     </td>
    </tr>
	<tr>
      <td nowrap class="TableContent"> 所在会议室:</td>
      <td class="TableData"><?php echo get_typename($record['conferenceroom'])?></td>
    </tr>
		<tr>
      <td nowrap class="TableContent"> 会议总结人:</td>
      <td class="TableData"><?php echo get_realname($record['recordperson'])?>     </td>
    </tr>


表结构:

QQ截图20150412172813.jpg


QQ截图20150412175151.jpg

漏洞证明:

QQ截图20150412175918.jpg


QQ截图20150412183136.jpg

修复方案:

对数据库取出的数据再次进行过滤

版权声明:转载请注明来源 also@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-04-30 10:38

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。

最新状态:

暂无

漏洞评价:

评论