集时通讯程序挖掘之SQL注射打包 | wooyun-2016-0191674| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0191674

漏洞标题：集时通讯程序挖掘之SQL注射打包

漏洞作者： Bear baby

提交时间：2016-04-07 19:20

修复时间：2016-07-10 16:00

公开时间：2016-07-10 16:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-04-07：细节已通知厂商并且等待厂商处理中
2016-04-11：厂商已经确认，细节仅向厂商公开
2016-04-14：细节向第三方安全合作伙伴开放（绿盟科技、唐朝安全巡航、无声信息）
2016-06-05：细节向核心白帽子及相关领域专家公开
2016-06-15：细节向普通白帽子公开
2016-06-25：细节向实习白帽子公开
2016-07-10：细节向公众公开

简要描述：

好好学习才能天天向上。

详细说明：

厂家地址:http://**.**.**.**,有多家分公司. 案例有些可以看这:http://**.**.**.**/bugs/wooyun-2010-0134587

厂家案例众多，各大企业，政府。。。。
1.漏洞位置:userweb/php/index/user.class.php
此套程序默认环境开了GPC，所以我们把重点放在了不受单引号保护的位置.

public function showselectExten( )
    {
        $db = $this->loadDB( );
        $pid = empty( $_REQUEST['depart_id'] ) ? "" : $_REQUEST['depart_id'];
        $exten_list = $this->getUsersByDeparts( $pid );
        $this->Tmpl['exten_list'] = $exten_list;
        $this->display( );
}

关注点在$pid参数，然后我们跟进getUsersByDeparts函数看看
此函数位置在基类:

public function getUsersByDeparts( $pdepart_id )
    {
        $db = $this->loadDB( );
        $pdepart_ids = $this->getCdepart_id( $pdepart_id );
        $pdepart_ids = substr( $pdepart_ids, 0, -1 );
        if ( empty( $pdepart_id ) )
        {
            $sql = "SELECT * FROM org_user";
        }
        else
        {
            $sql = "SELECT * FROM org_user WHERE dept_id in (".$pdepart_ids.") ";
        }
        $rs = $db->Execute( $sql );
        $users = array( );
        while ( !$rs->EOF )
        {
            $users[] = $rs->fields;
            $rs->MoveNext( );
        }
        return $users;
    }

$pdepart_ids = $this->getCdepart_id( $pdepart_id );看到此处参数$pdepart带进函数gerCdepart_id我们继续跟进函数getCdepart_id:

public function getCdepart_id( $pdepart_id )
    {
        $db = $this->loadDB( );
        global $pdepart_id_str;
        $sql = "SELECT dept_id FROM org_department WHERE dept_parent='".$pdepart_id."'";
        $rs = $db->Execute( $sql );
        while ( $rs && !$rs->EOF )
        {
            $this->getCdepart_id( $rs->fields['dept_id'] );
            $rs->MoveNext( );
        }
        $pdepart_id_str .= $pdepart_id.",";
        return $pdepart_id_str;
    }

对我们没啥影响，只是在$pdepart_id后面加了个逗号而已。现在我们回到函数getUsersByDeparts():
漏洞位置出现在:

$sql = "SELECT * FROM org_user WHERE dept_id in (".$pdepart_ids.") ";

大部门函数都调用了$this->publicCheckLogin( );验证权限，然后此处没写这函数，所以可以无需登陆直接访问。构造url如下:
/userweb/index.php?module=user&action=selectExten&depart_id=1

此套系统默认配置的为dba权限，我们丢入sqlmap

2.漏洞文件位置:
Userweb/php/outbound/ajax.class.php

public function showGetQuestion( )
    {
        $qnid = $_REQUEST['qnid'];
        $array = array( );
        $array = $this->getQuestionList( $qnid );
        echo json_encode( $array );
        exit( );
}
$qnid可控，看getQuestionList函数:
	protected function getQuestionList($qnid) {
		$db = $this->loadDB();
		$sql = "select * from stdout_question where is_deleted=0 and qnid=$qnid order by orderid asc";
		$rs = $db->Execute($sql);
		$list = array();
		while (!$rs->EOF) {
			$list[$rs->fields['id']] = $rs->fields;
			$rs->MoveNext();
		}
		return $list;
	}

直接带入了sql语句，且不受单引号保护，无视GPC，构造URL：
userweb/outbound.php?module=ajax&action=GetQuestion&qnid=1

3.漏洞文件位置:
Userweb/php/outbound/ajax.class.php

public function showGetQuestionOptions( )
    {
        $qid = $_REQUEST['qid'];
        $array = array( );
        $array = $this->getQuestionOptionList( $qid );
        echo json_encode( $array );
        exit( );
}

查看getQuestionOptionList函数

protected function getQuestionOptionList($qid) {
		$db = $this->loadDB();
		$sql = "select * from stdout_question_options where qid=$qid order by id asc";
		$rs = $db->Execute($sql);
		$list = array();
		while (!$rs->EOF) {
			$list[] = $rs->fields;
			$rs->MoveNext();
		}
		return $list;
	}

跟上面类似,构造URL：
userweb/outbound.php?module=ajax&action=GetQuestionOptions&qid=1

4.漏洞文件位置：
Userweb/php/outbound/ajax.class.php

public function showGetObjectList( )
    {
        $db = $this->loadDB( );
        $object_id = $_REQUEST['object_id'];
        $type = $_REQUEST['type'];
        if ( empty( $object_id ) )
        {
            echo "0";
            exit( );
        }
        $list = $this->getObjectList( $object_id, $type );
        echo json_encode( $list );
        exit( );
}

查看getObjectList函数

protected function getObjectList($pid, $type = '') {
		$db = $this->loadDB();
		$where = " WHERE o.pid={$pid} AND o.is_hide=0";
		if ('import' == $type) {  
			$where .= " AND o.run_status<>'run' ";
		} else if ('preview' == $type) {  
			$where .= " AND (o.type1='preview' OR o.run_status<>'run') ";
		} else if ('myPreview' == $type) {  
			$where .= " AND o.type1='preview' AND o.run_status<>'pause' ";
		} else if ('forecast' == $type) {  
			$where .= " AND o.type1='forecast' ";
		} else if ('ivr' == $type) {  
			$where .= " AND o.type1='ivr' ";
		} else if ('quality' == $type) { 
			$where .= " AND o.qpid>0 ";
		} else if ('question' == $type) { 
			$where .= " AND o.qnid>0 ";
		}
		if ($_SESSION['userinfo']['power'] != 1) {
			$user = $this->getLocalUser();
			$where .= " AND (FIND_IN_SET('" . $user['dept_id'] . "', o.visit_dept) OR o.visit_dept='')";  
		}
		if ('myPreview' === $type) {
			$extension = $_SESSION['userinfo']['extension'];
			$sql = "SELECT object_id FROM stdout_agent_object WHERE extension='{$extension}' AND parent_status!='pause'";
			$sql = "SELECT o.id, o.name, o.type1 FROM stdout_object o INNER JOIN ({$sql}) ao ON o.id=ao.object_id {$where} ORDER BY o.id DESC";
		} else {
			$sql = "SELECT o.id, o.name, o.type1 FROM stdout_object o {$where} ORDER BY o.id DESC";
		}
		if (!$rs = $db->Execute($sql)) {
			echo $sql . "<br/>";
			echo $db->ErrorMsg();
			exit();
		}
		$list = array();
		while (!$rs->EOF) {
			$list[$rs->fields['id']] = $rs->fields;
			$rs->MoveNext();
		}
		return $list;
	}

一样的问题，构造URL如下:
userweb/outbound.php?module=ajax&action=GetObjectList&object_id=1

5.漏洞文件位置：
Userweb/php/outbound/ajax.class.php

public function showGetProductClass( )
    {
        $db = $this->loadDB( );
        $parentid = $_REQUEST['parentid'];
        if ( empty( $parentid ) )
        {
            echo "0";
            exit( );
        }
        $list = $this->getProductClass( $parentid );
        echo json_encode( $list );
        exit( );
    }

跟进getProductClass()函数

protected function getProductClass($parentid = 0) {
		$db = $this->loadDB();
		$sql = "SELECT classid, classname FROM stdout_product_class WHERE parentid={$parentid} ORDER BY orderid ASC, classid DESC";
		$rs = $db->Execute($sql);
		$list = array();
		while (!$rs->EOF) {
			$list[$rs->fields['classid']] = $rs->fields;
			$rs->MoveNext();
		}
		return $list;
	}

一样的问题，很明显,构造URL如下:
userweb/outbound.php?module=ajax&action=GetProductClass&parentid=1

1.漏洞文件位置：
Userweb/php/outbound/ajax.class.php

public function showGetCanAdjustExten( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );
        $list_depart .= "{$dept_id}";
        $arrFilterExtensions = array( );
        $filter_extensions = $_REQUEST['filter_extensions'];
        if ( !empty( $filter_extensions ) )
        {
            $arrFilterExtensions = explode( ",", $filter_extensions );
        }
        $arrFilterExtensions = array_unique( $arrFilterExtensions );
        $filter_extensions = implode( ",", $arrFilterExtensions );
        $filter_extensions = numbertostring4sql( $filter_extensions );
        $sql = "SELECT extension, user_name FROM org_user WHERE dept_id in (".$list_depart.") AND extension!='' AND extension IS NOT NULL";
        if ( !empty( $filter_extensions ) )
        {
            $sql .= " AND extension NOT IN (".$filter_extensions.")";
        }
        $list = $db->GetAll( $sql );
        echo json_encode( $list );
        exit( );
}

构造URL：
userweb/outbound.php?module=ajax&action=GetCanAdjustExten&dept_id=1

2.漏洞文件位置:
Userweb/php/index/index.class.php

public function showAjaxGetExtensByDept( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );
        $list_depart .= "{$dept_id}";
        $sql = "SELECT * FROM org_user WHERE dept_id in (".$list_depart.")";
        $rs = $db->Execute( $sql );
......................................................

构造URL如下:
userweb/index.php?module=index&action=AjaxGetExtensByDept&dept_id=1

3.漏洞文件位置:
Userweb/php/index/index.class.php

public function showGetExtensionComboByDept( )
    {
        $db = $this->loadDB( );
        $dept_id = $_REQUEST['dept_id'];
        $sql = "SELECT * FROM org_department";
        $dept = $db->GetAll( $sql );
        $list_depart = $this->getNodeChild( $dept, $dept_id, "dept" );
        $list_depart .= "{$dept_id}";
        $sql = "SELECT extension, user_name FROM org_user WHERE dept_id in (".$list_depart.")";
        $rs = $db->Execute( $sql );
   		 ..................................................................

构造URL如下:
userweb/index.php?module=index&action=GetExtensionComboByDept&dept_id=1

4.漏洞文件位置:
Userweb/php/index/log.class.php

public function showExportword( )
    {
        $userinfo = $_SESSION['userinfo'];
        $author_id = $userinfo['extension'];
        $sql = "select a.log_id,a.date,log_type,log_title,log_content from crm_oa_worklog a left join crm_oa_log_attachments b on a.log_id=b.log_id";
        $start_time = strtotime( $_POST['start_date'] );
        $end_time = strtotime( $_POST['end_date'] );
.....................................省略无关代码
if ( $_POST['log_type'] != 0 )
        {
            $log_type = "`log_type` = ".$_POST['log_type'];
        }
....................................省略无关代码
$sql .= " group by a.log_id order by a.date desc ";
$db = $this->loadDB( );
...............................................

POST型注入,且不受单引号保护，无视GPC。。
构造URL如下:

抓包丢入sqlmap跑

5.漏洞文件位置:
Userweb/php/index/log.class.php

public function showExport_com_word( )
    {
        $filename = "������־".date( "Y-m-d", time( ) ).".doc";
        header( "Content-type:application/vnd.ms-word" );
        header( "Content-Disposition:filename=".$filename );
        $sql = "select a.log_id,a.date,log_type,log_title,log_content from crm_oa_worklog a left join crm_oa_log_attachments b on a.log_id=b.log_id";
        $start_time = strtotime( $_POST['start_date'] );
        $end_time = strtotime( $_POST['end_date'] );
.......................................................................省略无关代码
 if ( $_POST['log_type'] != 0 )
        {
            $log_type = "`log_type` = ".$_POST['log_type'];
        }
.......................................................................

抓包丢入sqlmap跑

6.漏洞文件位置:
Userweb/php/index/Outbound.class.php

public function showAjaxOptions( )
    {
        varfilter( $_REQUEST );
        extract( $_REQUEST );
        if ( isset( $_REQUEST['topic_id'], $_REQUEST['topic_id'] ) )
        {
            echo 0;
            exit( );
        }
        $db = $this->loadDB( );
        $sql = "SELECT * FROM out_question_topic WHERE id=".$topic_id;
        $row = $db->GetRow( $sql );
...................................................

PHP在linux下是区分大小写的，varfilter函数程序员写成了小写，原本是varFilter的，所以。。。。
构造url如下:
userweb/index.php?module=Outbound&action=AjaxOptions&topic_id=1

1.漏洞文件位置:
Userweb/php/outbound/agent.class.php

function showNo()
	{
		$db = $this->loadDB();
		$object_id = varFilter($_REQUEST['object_id']);
		$sql = "select content from stdout_object where id=$object_id";
		$content = $db->GetOne($sql);
		$this->Tmpl['content'] = varResume($content);
		$this->display();
	}

这里看到$_REQUEST[‘object_id’]经过了函数varFilter，我们跟进看看:

function varFilter( $fArray )
{
    if ( is_array( $fArray ) )
    {
        foreach ( $fArray as $_arrykey => $_arryval )
        {
            if ( is_string( $_arryval ) )
            {
                $fArray[$_arrykey] = trim( nl2br( $fArray[$_arrykey] ) );
                $fArray[$_arrykey] = htmlspecialchars( $fArray[$_arrykey] );
                $fArray[$_arrykey] = !get_magic_quotes_gpc( ) ? addslashes( $fArray[$_arrykey] ) : $fArray[$_arrykey];
                $fArray[$_arrykey] = strip_tags( $fArray[$_arrykey], "<br>" );
            }
            else if ( is_array( $_arryval ) )
            {
                $fArray[$_arrykey] = varfilter( $_arryval );
            }
        }
        return $fArray;
    }
    $fArray = trim( nl2br( $fArray ) );
    $fArray = htmlspecialchars( $fArray );
    $fArray = !get_magic_quotes_gpc( ) ? addslashes( $fArray ) : $fArray;
    $fArray = strip_tags( $fArray, "<br>" );
    return $fArray;
}

主要就是一个GPC,然后看我们的漏洞语句：

$sql = "select content from stdout_object where id=$object_id";

不受单引号保护，因此逃避了GPC，大多函数都调用了$this->publicCheckLogin();函数检测是否登陆，然后有些估计是漏写了，造成我们可以无需登陆直接访问。此处是盲注，因为htmlspecialchars过滤了< >等，我们在丢进sqlmap跑的时候需要加上--tamper=between --time-sec=5这样不然只能跑出证明，跑不出数据。
构造url如下:
userweb/outbound.php?module=agent&action=No&object_id=1

2.漏洞文件位置:
Userweb/php/outbound/agent.class.php

public function showEditTask()
	{
		$db = $this->loadDB();
		$_REQUEST = varFilter($_REQUEST);
		extract($_REQUEST);
		//无关紧要代码省略...............
		$sql = "SELECT SQL_NO_CACHE customer_id, call_status FROM {$table} WHERE id={$task_id}";
		$rowTask = $db->GetRow($sql);
		if (!$rowTask) exit('error.');
      ...................................

这里利用变量覆盖:

$_REQUEST = varFilter($_REQUEST);
extract($_REQUEST);

原因在这,我们可以直接通过GET请求table=stdout_task&task_id=2,将$table玉$task_id覆盖掉.
同样的盲注，这里不受单引号保护:

$sql = "SELECT SQL_NO_CACHE customer_id, call_status FROM {$table} WHERE id={$task_id}";

要注意的就是$table必须是个存在customer_id, call_status字段的表，不然也是出不来数据.这里我的构造URL如下：
userweb/outbound.php?module=agent&action=EditTask&table=stdout_task&task_id=1

3.漏洞文件位置:
Userweb/php/outbound/agent.class.php

public function showQuestion()
	{
		$db = $this->loadDB();
		$_REQUEST = varFilter($_REQUEST);
     extract($_REQUEST);
		if (empty($qnid)) {
			goBack(c('²Ù×÷Ê§°Ü£º´«²Îqnid´íÎó.'), 'exit');
		}
		$row_qn = $this->getQn($qnid);
      ............................................

进入基类查看getQn函数/php/outbound/public.class.php

function getQn($qnid)
	{
		$db = $this->loadDB();
		$sql = "select * from stdout_qn where id=$qnid";
		$row = $db->GetRow($sql);
		return $row;
	}

一样$qnid不受单引号保护，且我们可以通过extract($_REQUEST);覆盖$qnid。
构造URL如下:
地址userweb/outbound.php?module=agent&action=Question&qnid=12

4.漏洞文件位置:
Userweb/php/outbound/agent.class.php

function showAjaxCheckNextQuestion()
	{
		$db = $this->loadDB();
		$qid = varFilter($_REQUEST['qid']);
		$qnid = varFilter($_REQUEST['qnid']);
		$answer = varFilter($_REQUEST['answer']);
		$row_question = $this->getQuestion($qid);
		echo $this->isExistNextQuestion($row_question, true, $answer) ? 'true' : 'false';
	}

直接看getQuestion函数:

protected function getQuestion($qid)
	{
		$db = $this->loadDB();
		$sql = "select * from stdout_question where id=$qid and is_deleted=0";
		$row = $db->GetRow($sql);
		return $row;
	}

依然构造URL：
地址：userweb/outbound.php?module=agent&action=AjaxCheckNextQuestion&qid=1

1.漏洞文件位置:
Userweb/php/outbound/object.class.php

function showObjectPause() {
		$exten_object_id = varFilter($_REQUEST['id']);
  		$db = $this->loadDB();
		$sql = "select object_id, run_status from stdout_exten_object where id={$exten_object_id}";
.........................................//省略

varFilter函数：

function varFilter( $fArray )
{
    if ( is_array( $fArray ) )
    {
        foreach ( $fArray as $_arrykey => $_arryval )
        {
            if ( is_string( $_arryval ) )
            {
                $fArray[$_arrykey] = trim( nl2br( $fArray[$_arrykey] ) );
                $fArray[$_arrykey] = htmlspecialchars( $fArray[$_arrykey] );
                $fArray[$_arrykey] = !get_magic_quotes_gpc( ) ? addslashes( $fArray[$_arrykey] ) : $fArray[$_arrykey];
                $fArray[$_arrykey] = strip_tags( $fArray[$_arrykey], "<br>" );
            }
            else if ( is_array( $_arryval ) )
            {
                $fArray[$_arrykey] = varfilter( $_arryval );
            }
        }
        return $fArray;
    }
    $fArray = trim( nl2br( $fArray ) );
    $fArray = htmlspecialchars( $fArray );
    $fArray = !get_magic_quotes_gpc( ) ? addslashes( $fArray ) : $fArray;
    $fArray = strip_tags( $fArray, "<br>" );
    return $fArray;
}

限制是htmlspecialchars和GPC，此处没单引号保护，无视GPC。Sqlmap跑的时候记得加上--tamper=between，不然跑不出数据.
构造URL如下:
userweb/outbound.php?module=object&action=ObjectPause&id=1

2.漏洞文件位置:
Userweb/php/outbound/object.class.php

function showObjectStop() {
		$exten_object_id = varFilter($_REQUEST['id']);
		$db = $this->loadDB();
		$sql = "select object_id, run_status from stdout_exten_object where id={$exten_object_id}";
........................................//省略

跟上面一样的问题:
构造url如下:
userweb/outbound.php?module=object&action=ObjectStop&id=1

3.漏洞文件位置:
Userweb/php/outbound/report.class.php

function showAjaxGetIvrTotal()
	{
		$db = $this->loadDB();
		$_REQUEST = varFilter($_REQUEST);
		$object_id	= $_REQUEST['object'];
		$ivr_id		= $_REQUEST['ivr_id'];
		$fromdate	= $_REQUEST['fromdate'];
		$todate		= $_REQUEST['todate'];
..................................../省略无关代码
$sql = "SELECT * FROM ss_ivr_dests WHERE ivr_id={$ivr_id} ORDER BY selection ASC";
$rs = $db->GetArray($sql);

构造URL：userweb/outbound.php?module=report&action=AjaxGetIvrTotal&ivr_id=1

4.漏洞文件位置:
Userweb/php/index/crmManager.class.php

public function showAjaxGetTransferLogDetail( )
    {
        $db = $this->loadDB( );
        $sql = "SELECT content FROM log_customer_transfer WHERE id=".$_REQUEST['id'];
        $content = $db->GetOne( $sql );
        $content = str_replace( "\r\n", "<br/>", $content );
        echo $content;
        exit( );
}

构造URL如下：
userweb/index.php?module=crmManager&action=AjaxGetTransferLogDetail&id=1

5.漏洞文件位置:
Userweb/php/index/fieldConfig.class.php

function showeditField(){
			if( isset($_GET['id']) && !empty( $_GET['id'] ) ){
				$id = $_GET['id'];
			}else{
				goBack("来路不明","close");
			}
			$db = $this->loadDB();
			$sql = "SELECT * FROM crm_fields_options WHERE id=".$id;
			$field = $db->GetRow( $sql );
			$this->Tmpl['field'] = $field;
			$this->display();
		}

构造URL如下:
userweb/index.php?module=fieldConfig&action=editField&id=1

Userweb/php/index/log.class.php

public function showDelete( )
    {
        $str = $_GET['delete_str'];
        $mark = $_GET['mark'];
        $str = substr_replace( $str, "", -1, 1 );
        $array = explode( ",", $str );
        $j = count( $array );
        $db = $this->loadDB( );
        $i = 0;
        for ( ; $i < $j; ++$i )
        {
            $sqll = "select filename,date from crm_oa_log_attachments where log_id='".$array[$i]."'";
            $result = mysql_query( $sqll );
            while ( $row = mysql_fetch_array( $result ) )
            {
                $row['date'] = date( "Ym", $row['date'] );
                $filename = "data/diary/".$row['date']."/".$row['filename'];
                @unlink( $filename );
            }
        }
        $sql = "DELETE FROM `crm_oa_worklog`  WHERE `log_id` in (".$str.")";
        $sq = "DELETE FROM `crm_oa_log_attachments`  WHERE `log_id` in (".$str.")";
        $s = "delete from `crm_oa_log_comments` where `log_id` in (".$str.")";
        if ( $db->Execute( $sql ) && $db->Execute( $sq ) && $db->Execute( $s ) )
        {
            goback( c( "ɾ���ɹ���" ), "index.php?module=log&action=".$mark );
        }
        else
        {
            goback( c( "ɾ��ʧ��!" ) );
        }
}

参数delete_str，因为不适合在本地搭建，就在案例上跑的，提前看了，表都是空的。不然这delete注入跑起来会完蛋的.
构造url如下:
userweb/index.php?module=log&action=Delete&delete_str=1

2.漏洞文件位置:
Userweb/php/index/mobileApi.class.php

public function showGetSessionsByImUser( )
    {
        $loginId = trim( $_REQUEST['loginId'] );
        $db_mobile = $this->loadDBMobile( );
        $db_mobile->Execute( "SET NAMES UTF8" );
        $sql = "call proc_im_getsessions(".$loginId.");";
        $res = $db_mobile->Execute( $sql );
....................................................

构造url如下：userweb/index.php?module=mobileApi&action=GetSessionsByImUser&loginId=1

3.漏洞文件位置:
Userweb/php/index/Outbound.class.php

public function showAjaxTopic( )
    {
        varfilter( $_REQUEST );
        extract( $_REQUEST );
        $db = $this->loadDB( );
        if ( isset( $_REQUEST['ques_id'], $_REQUEST['ques_id'] ) )
        {
            echo 0;
            exit( );
        }
        if ( isset( $_REQUEST['topic_id'], $_REQUEST['topic_id'], $_REQUEST['parent_topic_id'], $_REQUEST['parent_topic_id'] ) )
        {
            echo 0;
            exit( );
        }
        $sql = "SELECT id FROM out_question_answer WHERE task_id=".$task_id." AND ques_id={$id} AND custom_contact='{$number}'";
        $quAnsId = $db->GetOne( $sql );
        $sql = "SELECT * FROM out_question_answer_context\r\n\t\t\t\tWHERE task_id=".$task_id." AND ques_id={$id} AND topic_id={$topic_id} AND ques_ans_id={$quAnsId}";
        $answerRow = $db->GetRow( $sql );
        if ( isset( $_REQUEST['parent_topic_id'], $_REQUEST['parent_topic_id'] ) )
        {
            $sql = "SELECT * FROM out_question_topic\r\n                    WHERE ques_id=".$ques_id." AND parent_topic_id={$parent_topic_id} AND parent_option='{$parent_option}'";
            $row = $db->GetRow( $sql );
            if ( !empty( $row ) )
            {
                $row['m'] = $method;
                $row['parent_id'] = 1;
                $row['answer'] = $answerRow['option_context'];
                $row['other_answer'] = $answerRow['other_answer'];
                echo json_encode( $row );
                exit( );
            }
        }
        $sql = "SELECT * FROM out_question_topic WHERE id=".$topic_id." AND ques_id={$ques_id}";
        $row = $db->GetRow( $sql );
        $row['m'] = $method;
        $row['parent_id'] = 0;
        $row['answer'] = $answerRow['option_context'];
        $row['other_answer'] = $answerRow['other_answer'];
        echo json_encode( $row );
        exit( );
}

extract( $_REQUEST );此函数造成变量覆盖。
构造url如下:
userweb/index.php?module=Outbound&action=AjaxTopic&ques_id=1&topic_id=1&parent_topic_id=1&task_id=1

同样的还有参数,id,topic_id,parent_topic_id,ques_id四处..
4.漏洞文件位置:
Userweb/php/index/seatMonitor.class.php

function showDaPingNotify()
	{
		$db = $this->loadDB();
		$id_array = array();
		$id = $_REQUEST['id'];
		$id_array = explode(",",$id);
		//»ñÈ¡ÄÚÈÝ¹«¸æ
		$sql = "SELECT * FROM crm_notify where nid in (".$id.")";
		$tmp_result = $db->GetAll( $sql );
........................................................

构造url如下:
userweb/index.php?module=seatMonitor&action=DaPingNotify&id=1

漏洞证明：

修复方案：

补上登陆验证函数，加强参数过滤，注意单引号保护.

版权声明：转载请注明来源 Bear baby@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：14

确认时间：2016-04-11 15:54

厂商回复：

CNVD确认并复现所述情况，已由CNVD通过软件生产厂商公开联系渠道向其邮件通报，由其后续提供解决方案并协调相关用户单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0191674

漏洞标题：集时通讯程序挖掘之SQL注射打包

相关厂商：深圳市集时通讯股份有限公司

漏洞作者： Bear baby

提交时间：2016-04-07 19:20

修复时间：2016-07-10 16:00

公开时间：2016-07-10 16:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Bear baby@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0191674

漏洞标题：集时通讯程序挖掘之SQL注射打包

相关厂商：深圳市集时通讯股份有限公司

漏洞作者： Bear baby

提交时间：2016-04-07 19:20

修复时间：2016-07-10 16:00

公开时间：2016-07-10 16:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0191674"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Bear baby@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：