当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157921

漏洞标题:rockoa某处sql注入可shell

相关厂商:www.rockoa.com

漏洞作者: range

提交时间:2015-12-03 13:59

修复时间:2016-01-17 14:00

公开时间:2016-01-17 14:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-03: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-01-17: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

rt

详细说明:

在官网下了个最新版,然后在webrock\webim\record目录下,recordAction.php代码:

public function dataAjax()
{
$atype = $this->request('atype');
$sid = $this->request('sid');
$aid = $this->request('aid');
$page = (int)$this->request('page', '1');
$fen = 20;
$whes = $this->rock->dbinstr('receuid', $aid);
$where = "";
if($atype == 'user'){
$where = "and ((`sendid`=$aid and `receid`=$sid) or (`sendid`=$sid and `receid`=$aid))";
}
if($atype == 'group' || $atype == 'system' || $atype == 'dept'){
$where = "and `receid`=$sid and $whes ";
}

$count = m('im_mess')->rows("`type`='$atype' $where");
$maxpage= ceil($count / $fen);

$sql = "select * from [Q]im_mess where `type`='$atype' $where order by `id` desc limit ".(($page-1)*$fen).",$fen"; //没有过滤就执行了
$rows = $this->db->getall($sql);

if($atype != 'system'){
$snid = '0';
foreach($rows as $k=>$rs){
$snid .=','.$rs['sendid'];
}
if($snid != '0'){
$uarr = m('admin')->getall("`id` in($snid)", '`id`,`name`,`face`');
$_ursa= array();
foreach($uarr as $k=>$rs){
$rs['face'] = $this->rock->repempt($rs['face'], 'images/im/user100.png');
$_ursa[$rs['id']] = $rs;
}
foreach($rows as $k=>$rs){
$rows[$k]['sendname'] = $_ursa[$rs['sendid']]['name'];
$rows[$k]['sendface'] = $_ursa[$rs['sendid']]['face'];
}
}
}else{
foreach($rows as $k=>$rs){
$rows[$k]['sendname'] = '';
$rows[$k]['sendface'] = 'images/im/shezhi_blue.png';
}
}

echo json_encode(array(
'data' => $rows,
'count' => $count,
'page' => $page,
'maxpage' => $maxpage
));
}


sql语句没有过滤就执行了,可以直接用sqlmap跑出来

漏洞证明:

拿官网demo做演示:
其绝对路径可以由报错知道:

QQ截图20151203122444.png


然后sqlmap:

QQ截图20151203122635.png


QQ截图20151203122958.png


其实已经传上去了

QQ图片20151203122859.png


**.**.**.**/help1.php 密码 b374k

修复方案:

过滤

版权声明:转载请注明来源 range@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评价