海康威视视频接入网关系统 /userInfo/roleInfo.php等34处 SQL注入漏洞

Source

Detail

Contributor Got 0KB

###0x01漏洞简介海康威视视频接入网关系统采用PHP+SQLite架构，其在以下34处均存在注入漏洞： ``` /userInfo/roleInfo.php /userInfo/userInfo.php /data/fetchRoleTreeJson.php /deviceConfig/configDeviceInfo.php /transformServer/serverConfigInfo.php /cameraConfig/transferInfo.php /data/deviceAndCameraListData.php /data/deviceTypeData.php /data/checkIsExist.php /data/fetchIoInfoData.php /data/saveDeviceType.php /data/saveDecodeServer.php /data/fetchGroup.php /data/login.php /data/transferCamera.php /data/modifyPassword.php /data/fetchDeviceByGroupId.php /data/deleteDeviceInfo.php /data/modifyDeviceInfo.php /data/decodeServerData.php /data/userInfoData.php /data/checkDevice.php /data/deviceListData.php /data/saveUserInfo.php /data/fetchCameraInfo.php /data/fetchDeviceType.php /data/saveGroup.php ``` 远程攻击者可以利用Union方式执行SQL指令，获取敏感信息。 ###0x02漏洞详情第一处注入：/userInfo/userInfo.php ``` <?php include('../common/connDb.php'); include('roleInfoClass.php'); $dbQuery = new DataBaseQuery(); $isEmpty = empty($_GET['userId']); $userId = ""; $name = ""; $password = "******"; $realName = ""; $phone = ""; $eMail = ""; $roleId = ""; $unitCode = ""; if(!$isEmpty){ $re = $dbQuery->query('select * from user_info where userId ='.$_GET['userId']); while ($row = $dbQuery->fetchArray($re)){ $userId = $row['userId']; $name = $row['name']; //$password = $row['password']; $realName = $row['realName']; $phone = $row['phone']; $eMail = $row['eMail']; $roleId = $row['roleId']; $unitCode= $row['unitCode']; ``` 第二处注入：/userInfo/roleInfo.php ``` <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $isEmpty = empty($_GET['roleId']); $roleId = ""; $name = ""; $description = ""; $menuIds = ""; if(!$isEmpty){ $re = $dbQuery->query('select * from role_info where roleId ='.$_GET['roleId']); while ($row = $dbQuery->fetchArray($re)){ $roleId = $row['roleId']; $name = $row['name']; $description = $row['description']; $menuIds = $row['menuIds']; } } ``` 第三处注入：/data/fetchRoleTreeJson.php ``` <?php include('../common/connDb.php'); $type = $_GET['type']; $pNodeId = @$_GET['pNodeId']; $dbQuery = new DataBaseQuery(); if($type=="main"){//取主菜单的树 findAllMainMenuNode($dbQuery); }else{//取子菜单的树 findAllSubMenuNode($dbQuery,$pNodeId); } class TreeNode{ var $id; var $text; var $iconCls; var $state; var $children=array(); function __construct(){ } public function setId($id) { $this->id = $id; } public function setText($text) { $this->text = $text; } public function setIconCls($iconCls) { $this->iconCls = $iconCls; } public function setState($state) { $this->state = $state; } public function setChildren($children) { $this->children = $children; } public function getId() { return $this->id; } public function getText() { return $this->text; } public function getIconCls() { return $this->iconCls; } public function getState() { return $this->state; } public function getChildren() { return $this->children; } } /** 找出主菜单的树节点 */ function findAllMainMenuNode($dbQuery){ $jsonArray = array(); $pNode = new TreeNode(); $pNode->setId('0'); $pNode->setText('主菜单'); $pNode->setIconCls('icon-folder'); array_push($jsonArray,$pNode); $re= $dbQuery->query('select * from menu_info where level=1');//查询所有主菜单 while($row = $dbQuery->fetchArray($re)){ $cNode = new TreeNode(); $cNode->setId($row['menuId']); $cNode->setText($row['name']); $cNode->setIconCls('icon-systemMenu'); if ($pNode->getChildren() != null) { $childrenArray = $pNode->getChildren(); array_push($childrenArray,$cNode); $pNode->setChildren($childrenArray); }else{ $childrenNodes = array(); array_push($childrenNodes,$cNode); $pNode->setChildren($childrenNodes); } } print_r(json_encode($jsonArray)); $dbQuery->closeDb(); } /** 找出子菜单的树节点 */ function findAllSubMenuNode($dbQuery,$pNodeId){ $jsonArray = array(); $pNode = new TreeNode(); $pNode->setId('0'); $pNode->setText('子菜单'); $pNode->setIconCls('icon-folder'); array_push($jsonArray,$pNode); $re= $dbQuery->query('select * from menu_info where level=2 and parentMenuId='.$pNodeId);//根据父菜单查询所有子菜单 ``` 第四处注入：/deviceConfig/configDeviceInfo.php ``` <?php include('../common/connDb.php'); include('deviceTypeClass.php'); $deviceId = $_GET['deviceId']; $dbQuery = new DataBaseQuery(); $re = $dbQuery->query('select type_code,name from device_type_info'); $deviceTypeArray = array(); //获取所有设备类型 while ($row = $dbQuery->fetchArray($re)){ $deviceType = new DeviceType($row['type_code'],$row['name']); array_push($deviceTypeArray,$deviceType); } $re = $dbQuery->query('select id,name from device_group_info'); $groupArray = array(); array_push($groupArray,new DeviceType("0","请选择")); while ($row = $dbQuery->fetchArray($re)){ $deviceType = new DeviceType($row['id'],$row['name']); array_push($groupArray,$deviceType); } $type_code=""; $network_addr=""; $network_port=""; $username=""; $password="******"; $indexcode=""; $name=""; $serial_num=""; $analog_chan_count=""; $digital_chan_count=""; $alarm_in_count=""; $alarm_out_count=""; $audio_num=""; $reg_type=""; $group_id=""; $allowShare=""; $ctrl_unit_id =""; $re = $dbQuery->query('select * from device_info where id='.$deviceId); ``` 第五处注入：/transformServer/serverConfigInfo.php ``` <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $isEmpty = empty($_GET['transId']); $transId = ""; $name = ""; $transIp = ""; $transPort = ""; $transMax = ""; $transType = ""; if(!$isEmpty){ $re = $dbQuery->query('select * from transform_server_info where transform_server_id ='.$_GET['transId']); ``` 第六处注入：/cameraConfig/transferInfo.php ``` <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $id = $_GET['id']; $src_audio_encode = "-1"; $src_video_encode = "-1"; $src_standard = "0"; $src_stream_type = "0"; $src_transform = "-1"; $src_image_size = "1"; $dst_audio_encode = "2"; $dst_video_encode = "1"; $dst_stream_type = "0"; $dst_transform = "2"; $dst_bitrate_type = "1"; $dst_resolution = "3"; $dst_video_bitrate = "19"; $dst_framerate = "-1"; $dst_interval_BPframe = "2"; $dst_interval_Iframe = "30"; $dst_pic_quality = "0"; $transform_server_id = ""; $re = $dbQuery->query('select * from camera_info where is_transform=1 and id ='.$id); while ($row = $dbQuery->fetchArray($re)){ ``` 第七处注入：/data/deviceAndCameraListData.php ``` include('../common/connDb.php'); include('../common/unitCode.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $sort=$_POST['sort']; $order=$_POST['order']; $start=($page -1)*$rows; $name=@$_POST['name']; $organize=@$_POST['organize']; $group=@$_POST['group']; $configFlag=@$_POST['configFlag']; $type=@$_GET['type']; $deviceIndexCode = @$_GET['deviceIndexCode']; $deviceId = @$_GET['deviceId']; $show = @$_GET['show']; if($type =="device"){ $whereStr=""; if($name != ""){ if($name=="." || $name=="%" || $name=="_"){ $name ="[".$name."]"; } $whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')"; } if($organize != ""){ if($organize =="0"){ //如果是主控制中心则查询全部 }else{ if(strlen($organize)==8){//如果是派出所级别 $whereStr =" and d.indexcode like '".$organize."%'"; }else{ $qxCode = substr($organize,4,2); $shiCode = substr($organize,2,2); $shengCode = substr($organize,0,2); if($shiCode=="00" && $qxCode=="00"){ //如果是省 $whereStr =" and d.indexcode like '".$shengCode."%'"; }else if($shiCode !="00" && $qxCode=="00"){ //如果是市 $whereStr =" and d.indexcode like '".$shengCode.$shiCode."%'"; }else{ $whereStr =" and d.indexcode like '".$organize."%'"; } } } } if($group != ""){ if($group=="-1"){ }else{ $whereStr =" and d.group_id =".$group; } } $str=""; if($configFlag == "1"){ $str =" and (c.is_transform is null or c.is_transform=0)"; }else if($configFlag == "2"){ $str =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)"; } $re = $dbQuery->query('select distinct d.id,d.name,d.type_code,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type regType,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,d.status,"device" type,d.indexcode,d.username,d.password from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows); $jsonArray = array(); $count = $dbQuery->querySingle('select count(distinct d.id) from device_info d,camera_info c where d.indexcode=c.device_indexcode'.$unitWhere.$whereStr.$str); while ($row = $dbQuery->fetchArray($re)){ $pNode = new TreeNode(); ``` 第8处注入：/data/deviceTypeData.php ``` <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $start=($page -1)*$rows; $re = $dbQuery->query('select * from device_type_info limit '.$start.','.$rows); $count = $dbQuery->querySingle('select count(*) from device_type_info'); $jsonStr =""; while ($row = $dbQuery->fetchArray($re)){ $jsonStr = $jsonStr.json_encode($row).","; } if($jsonStr !=""){ $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1); } $str ='{"total":'.$count.',"rows":['.$jsonStr.']}'; $dbQuery->closeDb(); echo ($str); ?> ``` 第九处注入：/data/checkIsExist.php ``` <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $object=$_POST['object']; if($object=="userInfo"){ //如果是校验用户名称 $name=$_POST['name']; $userId=$_POST['userId']; checkUserName($dbQuery,$name,$userId); }else if($object=="roleInfo"){ $name=$_POST['name']; $roleId=$_POST['roleId']; checkRoleName($dbQuery,$name,$roleId); }else if($object=="password"){ $name=$_POST['name']; $password=$_POST['password']; checkPassword($dbQuery,$name,$password); }else if($object=="deviceGroup"){ //如果是校验用户名称 $name=$_POST['name']; $groupId=$_POST['groupId']; checkGroupName($dbQuery,$name,$groupId); } function checkUserName($dbQuery,$name,$userId){ $count = 0; if($userId ==""){ $count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'"'); }else{ $count = $dbQuery->querySingle('select count(*) from user_info where name="'.$name.'" and userId<>'.$userId); } echo $count; $dbQuery->closeDb(); } function checkRoleName($dbQuery,$name,$roleId){ $count = 0; if($roleId ==""){ $count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'"'); }else{ $count = $dbQuery->querySingle('select count(*) from role_info where name="'.$name.'" and roleId<>'.$roleId); } echo $count; $dbQuery->closeDb(); } function checkPassword($dbQuery,$name,$password){ $oldPassword = $dbQuery->querySingle('select password from user_info where name="'.$name.'"'); if($password ==$oldPassword){ echo 0; }else{ echo 1; } $dbQuery->closeDb(); } function checkGroupName($dbQuery,$name,$groupId){ $count = 0; if($groupId ==""){ $count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'"'); }else{ $count = $dbQuery->querySingle('select count(*) from device_group_info where name="'.$name.'" and id<>'.$groupId); } echo $count; $dbQuery->closeDb(); } ?> ``` 第十处注入：/data/fetchIoInfoData.php ``` <?php include('../common/connDb.php'); include('../common/unitCode.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $sort=$_POST['sort']; $order=$_POST['order']; $start=($page -1)*$rows; $organize=@$_POST['organize']; $group=@$_POST['group']; $configFlag=@$_POST['configFlag']; $re = $dbQuery->query('select c.id,c.name,c.indexcode,d.name deviceName,**.**.**.**work_addr networkAddr,d.indexcode devIndexCode,d.type_code typeCode, c.globe_num from io_info c,device_info d where c.device_indexcode=d.indexcode order by c.id '.$order.' limit '.$start.','.$rows); $count = $dbQuery->querySingle('select count(*) from io_info c,device_info d where c.device_indexcode=d.indexcode'); $jsonStr =""; while ($row = $dbQuery->fetchArray($re)){ $jsonStr = $jsonStr.json_encode($row).","; } if($jsonStr !=""){ $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1); } $str ='{"total":'.$count.',"rows":['.$jsonStr.']}'; $dbQuery->closeDb(); echo ($str); ?> ``` 第十一处：/data/saveDeviceType.php ``` <?php include('../common/connDb.php'); $operate=$_POST['operate']; $typeCodes = @$_POST['typeCodes']; $typeCode= @$_POST['typeCode']; $name= @$_POST['name']; $manufacturer= @$_POST['manufacturer']; $registerType= @$_POST['registerType']; $accessType= @$_POST['accessType']; $equipmentType= @$_POST['equipmentType']; $otherMan= @$_POST['otherMan']; $port= @$_POST['port']; if($operate=="delete"){ //如果是删除操作 deleteDeviceType($typeCodes); }else if($operate=="add"){ //如果是增加操作 saveDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port); }else{ //如果是修改操作 updateDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port); } function deleteDeviceType($typeCodes){ $dbQuery = new DataBaseQuery(); $typeCodeArray = explode(",",$typeCodes); $codes=""; for($i=0;$i<count($typeCodeArray);$i++){ $count = $dbQuery->querySingle('select count(*) from device_info where type_code='.$typeCodeArray[$i]); if($count==0){ $codes .=$typeCodeArray[$i].","; } } if(strlen($codes)>0){ $codes = substr($codes,0,strlen($codes)-1); } $query = $dbQuery->execute("delete from device_type_info where type_code in(".$codes.")"); if ($query) { echo $codes; }else{ echo "0"; } $dbQuery->closeDb(); } function saveDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port){ $pulginId=""; if($accessType=="GB28181" || $accessType=="E-home" || $accessType=="Onvif" || $accessType=="Pisa" || $accessType=="Hkp协议"){ $pulginId=""; }else{ $pulginId=$accessType; } $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute('insert into device_type_info(type_code,name,manufacturer,register_type,access_type,equipment_type,plugin_id,update_time,int_rev,str_rev) values('.$typeCode.',"'.$name.'","'.$manufacturer.'",'.$registerType.',"'.$accessType.'","'.$equipmentType.'","'.$pulginId.'","'.$time.'",'.$port.',"'.$otherMan.'")'); if ($query) { echo $typeCode; }else{ echo 0; } $dbQuery->closeDb(); } function updateDeviceType($typeCode,$name,$manufacturer,$registerType,$accessType,$equipmentType,$otherMan,$port){ $pulginId=""; if($accessType=="GB28181" || $accessType=="E-home" || $accessType=="Onvif" || $accessType=="Pisa" || $accessType=="Hkp协议"){ $pulginId=""; }else{ $pulginId=$accessType; } $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute('update device_type_info set name="'.$name.'",manufacturer="'.$manufacturer.'",register_type='.$registerType.',access_type="'.$accessType.'",equipment_type="'.$equipmentType.'",plugin_id="'.$pulginId.'",update_time="'.$time.'",int_rev='.$port.',str_rev="'.$otherMan.'" where type_code='.$typeCode); if ($query) { echo $typeCode; }else{ echo 0; } $dbQuery->closeDb(); } ?> ``` 第十二处：/data/saveDecodeServer.php ``` <?php include('../common/connDb.php'); $operate=$_POST['operate']; if($operate=="delete"){ //如果是删除操作 $transIds = $_POST['transIds']; deleteDecodeServer($transIds); }else{ //如果是增加或者修改操作 $isEmpty=empty($_POST['transId']); $name=$_POST['name']; $transIp=$_POST['transIp']; $transPort=$_POST['transPort']; $transMax=$_POST['transMax']; $transType=$_POST['transType']; if($isEmpty){ saveDecodeServer($name,$transIp,$transPort,$transMax,$transType); }else{ updateDecodeServer($_POST['transId'],$name,$transIp,$transPort,$transMax,$transType); } } function deleteDecodeServer($transIds){ $dbQuery = new DataBaseQuery(); $query = $dbQuery->execute("delete from transform_server_info where transform_server_id in(".$transIds.")"); if ($query) { echo "0"; }else{ echo "1"; } $dbQuery->closeDb(); } function saveDecodeServer($name,$transIp,$transPort,$transMax,$transType){ $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute("insert into transform_server_info(transform_server_id,server_ip,server_port,name,trans_type,trans_max,update_time) values (NULL,'".$transIp."',".$transPort.",'".$name."',".$transType.",".$transMax.",'".$time."')"); if ($query) { echo $dbQuery->lastInsertRowID(); }else{ echo 0; } $dbQuery->closeDb(); } function updateDecodeServer($transId,$name,$transIp,$transPort,$transMax,$transType){ $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute("update transform_server_info set server_ip='".$transIp."',server_port=".$transPort.",name='".$name."',trans_type=".$transType.",trans_max=".$transMax.",update_time='".$time."' where transform_server_id=".$transId); if ($query) { echo $transId; }else{ echo 0; } $dbQuery->closeDb(); } ?> ``` 第十三处：/data/fetchGroup.php ``` <?php /* 根据id找出分组 */ include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $groupId=$_POST['groupId']; $groupArray = $dbQuery->querySingleRow('select id,name from device_group_info where id='.$groupId,true); $dbQuery->closeDb(); echo(json_encode($groupArray)); ?> ``` 第十四处：/data/login.php ``` <?php /** 系统登录设置 */ include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $userName =$_POST['userName']; $password =$_POST['password']; $system =$_POST['system']; $userInfo = $dbQuery->querySingleRow('select password,roleId,unitCode from user_info where name="'.$userName.'"',true); if(count($userInfo)==0){ //用户名不存在 echo "1"; $dbQuery->closeDb(); return; }else{ //用户名存在 ``` 第十五处：/data/transferCamera.php ``` <?php include('../common/connDb.php'); $ids=@$_POST['ids']; $srcAudioType=$_POST['srcAudioType']; $srcVideoType=$_POST['srcVideoType']; $srcStandard=$_POST['srcStandard']; $srcStreamType=$_POST['srcStreamType']; $srcTransForm=$_POST['srcTransForm']; $srcImageSize=$_POST['srcImageSize']; $dstAudioType=$_POST['dstAudioType']; $dstVideoType=$_POST['dstVideoType']; $dstStreamType=$_POST['dstStreamType']; $dstTransForm=$_POST['dstTransForm']; $dstBitrateType=$_POST['dstBitrateType']; $dstResolution=$_POST['dstResolution']; $dstVideoBitrate=$_POST['dstVideoBitrate']; $dstFramerate=$_POST['dstFramerate']; $dstIntervalBPframe=$_POST['dstIntervalBPframe']; $dstIntervalIframe=$_POST['dstIntervalIframe']; $dstPicQuality=$_POST['dstPicQuality']; $transId=$_POST['transId']; $dbQuery = new DataBaseQuery(); $idArray = explode(",",$ids); $cameraIds =""; for($i=0;$i<count($idArray);$i++){ $cameraIds .=$idArray[$i].","; } $cameraIds = substr($cameraIds,0,strlen($cameraIds)-1); $query=$dbQuery->execute('update camera_info set is_transform=1,src_audio_encode='.$srcAudioType.',src_video_encode='.$srcVideoType.',src_standard='.$srcStandard.',src_transform='.$srcTransForm.',dst_audio_encode='.$dstAudioType.',dst_video_encode='.$dstVideoType.',dst_stream_type='.$dstStreamType.',dst_transform='.$dstTransForm.',dst_bitrate_type='.$dstBitrateType.',dst_resolution='.$dstResolution.',dst_video_bitrate='.$dstVideoBitrate.',dst_framerate='.$dstFramerate.',dst_interval_BPframe='.$dstIntervalBPframe.',dst_interval_Iframe='.$dstIntervalIframe.',dst_pic_quality='.$dstPicQuality.',transform_server_id='.$transId.' where id in('.$cameraIds.')'); if($query){ echo "0"; }else{ echo "1"; } $dbQuery->closeDb(); ?> ``` 第十六处：/data/modifyPassword.php ``` <?php include('../common/connDb.php'); $name=$_POST['name']; $modPassword=$_POST['modPassword']; $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute("update user_info set password='".$modPassword."',updataTime='".$time."' where name='".$name."'"); if ($query) { echo 0; }else{ echo 1; } $dbQuery->closeDb(); ?> ``` 第十七处：/data/fetchDeviceByGroupId.php ``` <?php include('../common/connDb.php'); include('../common/unitCode.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $sort=$_POST['sort']; $order=$_POST['order']; $start=($page -1)*$rows; $groupId=@$_POST['groupId']; $queryStatus=@$_POST['queryStatus']; $name=@$_POST['name']; $whereStr=""; if($queryStatus=="1"){ $whereStr=$whereStr." and (d.is_shared is null or d.is_shared =1)"; } if($name !=""){ if($name=="." || $name=="%" || $name=="_"){ $name ="[".$name."]"; } $whereStr =$whereStr." and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')"; } $re = $dbQuery->query('select d.id,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.status,d.is_shared shared from device_info d where d.allow_share=0 and d.group_id='.$groupId.$unitWhere.$whereStr.' order by d.'.$sort.' '.$order.' limit '.$start.','.$rows); $count = $dbQuery->querySingle('select count(*) from device_info d where d.allow_share=0 and d.group_id='.$groupId.$unitWhere.$whereStr); $jsonStr =""; while ($row = $dbQuery->fetchArray($re)){ $jsonStr = $jsonStr.json_encode($row).","; } if($jsonStr !=""){ $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1); } $str ='{"total":'.$count.',"rows":['.$jsonStr.']}'; $dbQuery->closeDb(); echo ($str); ?> ``` 第十八处：/data/deleteDeviceInfo.php ``` <?php include('../common/connDb.php'); $deviceIds = @$_POST['deviceIds']; $dbQuery = new DataBaseQuery(); $dbQuery->execute("delete from camera_info where device_id in(".$deviceIds.")"); $dbQuery->execute("delete from device_info where id in(".$deviceIds.")"); echo "0"; $dbQuery->closeDb(); ?> ``` 第十九处：/data/modifyDeviceInfo.php ``` <?php include('../common/connDb.php'); $deviceId = @$_POST['deviceId']; $register = @$_POST['register']; $typecode = @$_POST['typecode']; $addr = @$_POST['addr']; $port = @$_POST['port']; $username = @$_POST['username']; $password = @$_POST['password']; $password_old = @$_POST['password_old']; $groupId = @$_POST['groupId']; $oldAddr = @$_POST['oldAddr']; $oldPort = @$_POST['oldPort']; $allowShare = @$_POST['allowShare']; $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); if($register=="4"){ //如果是主动注册 $query = $dbQuery->execute('update device_info set type_code='.$typecode.',group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId); if ($query) { echo $deviceId; }else{ echo 0; } }else{ //if($oldAddr != $addr || $oldPort != $port){//如果新的IP或端口不同于老的，则为新的设备，需要删除之前设备中的监控点 // $dbQuery->execute('delete from camera_info where device_id='.$deviceId); //} if($password != $password_old){ $query = $dbQuery->execute('update device_info set type_code='.$typecode.',network_addr="'.$addr.'",network_port='.$port.',username="'.$username.'",password="'.$password.'",group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId); } else{ $query = $dbQuery->execute('update device_info set type_code='.$typecode.',network_addr="'.$addr.'",network_port='.$port.',username="'.$username.'",group_id='.$groupId.',allow_share='.$allowShare.',update_time="'.$time.'" where id='.$deviceId); } if ($query) { echo $deviceId; }else{ echo 0; } } $dbQuery->closeDb(); ?> ``` 第二十处：/data/decodeServerData.php ``` <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $start=($page -1)*$rows; $re = $dbQuery->query('select * from transform_server_info limit '.$start.','.$rows); $count = $dbQuery->querySingle('select count(*) from transform_server_info'); $jsonStr =""; while ($row = $dbQuery->fetchArray($re)){ $jsonStr = $jsonStr.json_encode($row).","; } if($jsonStr !=""){ $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1); } $str ='{"total":'.$count.',"rows":['.$jsonStr.']}'; $dbQuery->closeDb(); echo ($str); ?> ``` 第二十一处：/data/userInfoData.php ``` <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $start=($page -1)*$rows; $re = $dbQuery->query('select * from user_info limit '.$start.','.$rows); $count = $dbQuery->querySingle('select count(*) from user_info'); $jsonStr =""; while ($row = $dbQuery->fetchArray($re)){ $row['unitCode']=fetchUnitName($row['unitCode']); $jsonStr = $jsonStr.json_encode($row).","; } 第二十二处：/data/checkDevice.php <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $type=$_POST['type']; if($type=="singleIp"){ //如果是单IP设备添加 $singleIp_addr=$_POST['singleIp_addr']; $singleIp_port=$_POST['singleIp_port']; checkSingleIp($dbQuery,$singleIp_addr,$singleIp_port); }else if($type=="ipDomain"){ //如果是IP段设备添加 $ipDomain_startIp=$_POST['ipDomain_startIp']; $ipDomain_endIp=$_POST['ipDomain_endIp']; $ipDomain_port=$_POST['ipDomain_port']; checkIpDomain($dbQuery,$ipDomain_startIp,$ipDomain_endIp,$ipDomain_port); }else if($type=="singleCode"){//如果是单编号设备添加 $singleCode_indexcode=$_POST['singleCode_indexcode']; checkSingleCode($dbQuery,$singleCode_indexcode); }else{//如果是编号段设备添加 $codeDomain_preIndexCode=$_POST['codeDomain_preIndexCode']; $codeDomain_startCode=$_POST['codeDomain_startCode']; $codeDomain_endCode=$_POST['codeDomain_endCode']; checkCodeDomain($dbQuery,$codeDomain_preIndexCode,$codeDomain_startCode,$codeDomain_endCode); } function checkSingleIp($dbQuery,$singleIp_addr,$singleIp_port){ $count = $dbQuery->querySingle('select count(*) from device_info where network_addr="'.$singleIp_addr.'" and network_port='.$singleIp_port); echo $count; $dbQuery->closeDb(); } ``` 第二十三处：/data/deviceListData.php ``` <?php include('../common/connDb.php'); include('../common/unitCode.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $sort=$_POST['sort']; $order=$_POST['order']; $start=($page -1)*$rows; $name=@$_POST['name']; $organize=@$_POST['organize']; $group=@$_POST['group']; $whereStr=""; if($name != ""){ if($name=="." || $name=="%" || $name=="_"){ $name ="[".$name."]"; } $whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%')"; } if($organize != ""){ if($organize =="0"){ //如果是主控制中心则查询全部 }else{ if(strlen($organize)==8){//如果是派出所级别 $whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1"; }else{ $qxCode = substr($organize,4,2); $shiCode = substr($organize,2,2); $shengCode = substr($organize,0,2); if($shiCode=="00" && $qxCode=="00"){ //如果是省 $whereStr =" and d.indexcode like '".$shengCode."%' and d.ctrl_unit_id<>1"; }else if($shiCode !="00" && $qxCode=="00"){ //如果是市 $whereStr =" and d.indexcode like '".$shengCode.$shiCode."%' and d.ctrl_unit_id<>1"; }else{ $whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1"; } } } } if($group != ""){ if($group=="-1"){ }else{ $whereStr =" and d.group_id =".$group; } } $re = $dbQuery->query('select d.id,d.indexcode,d.dev_guid devGuid,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.analog_chan_count,d.digital_chan_count,d.alarm_in_count,d.alarm_out_count,(select name from device_group_info where id=d.group_id) groupName,d.status,d.type_code typeCode from device_info d where 1=1 '.$unitWhere.$whereStr.' order by '.$sort.' '.$order.' limit '.$start.','.$rows); //echo 'select d.id,d.indexcode,d.dev_guid devGuid,d.name,(select name from device_type_info where type_code = d.type_code) deviceType,d.reg_type,**.**.**.**work_addr,**.**.**.**work_port,d.analog_chan_count,d.digital_chan_count,d.alarm_in_count,d.alarm_out_count,(select name from device_group_info where id=d.group_id) groupName,d.status,d.type_code typeCode from device_info d where 1=1 '.$unitWhere.$whereStr.' order by '.$sort.' '.$order.' limit '.$start.','.$rows; $count = $dbQuery->querySingle('select count(*) from device_info d where 1=1'.$unitWhere.$whereStr); $jsonStr =""; while ($row = $dbQuery->fetchArray($re)){ $jsonStr = $jsonStr.json_encode($row).","; } if($jsonStr !=""){ $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1); } $str ='{"total":'.$count.',"rows":['.$jsonStr.']}'; $dbQuery->closeDb(); echo ($str); ?> ``` 第二十四处：/data/saveUserInfo.php ``` <?php include('../common/connDb.php'); $operate=$_POST['operate']; if($operate=="delete"){ //如果是删除操作 $userIds = $_POST['userIds']; deleteUserInfo($userIds); }else{ //如果是增加或者修改操作 $isEmpty=empty($_POST['userId']); $name=$_POST['name']; $password = $_POST['password']; $password_old = @$_POST['password_old']; $realName = $_POST['realName']; $phone = $_POST['phone']; $eMail = $_POST['eMail']; $roleId = $_POST['roleId']; $unitCode = $_POST['unitCode']; if($isEmpty){ saveUserInfo($name,$password,$realName,$phone,$eMail,$roleId,$unitCode); }else{ updateUserInfo($_POST['userId'],$name,$password,$realName,$phone,$eMail,$roleId,$unitCode); } } function deleteUserInfo($userIds){ $dbQuery = new DataBaseQuery(); $query = $dbQuery->execute("delete from user_info where userId in(".$userIds.")"); if ($query) { echo "0"; }else{ echo "1"; } $dbQuery->closeDb(); } function saveUserInfo($name,$password,$realName,$phone,$eMail,$roleId,$unitCode){ $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); if($password != $password_old){ $query = $dbQuery->execute('insert into user_info values (NULL,"'.$name.'","'.$password.'","'.$unitCode.'","'.$realName.'","'.$phone.'","'.$eMail.'",'.$roleId.',"'.$time.'","1")'); } else{ $query = $dbQuery->execute('insert into user_info values (NULL,"'.$name.'","","'.$unitCode.'","'.$realName.'","'.$phone.'","'.$eMail.'",'.$roleId.',"'.$time.'","1")'); } if ($query) { echo $dbQuery->lastInsertRowID(); }else{ echo 0; } $dbQuery->closeDb(); } function updateUserInfo($userId,$name,$password,$realName,$phone,$eMail,$roleId,$unitCode){ $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); if($password != $password_old){ $query = $dbQuery->execute('update user_info set name="'.$name.'",password="'.$password.'",unitCode="'.$unitCode.'",realName="'.$realName.'",phone="'.$phone.'",eMail="'.$eMail.'",roleId='.$roleId.',updataTime="'.$time.'" where userId='.$userId); } else{ $query = $dbQuery->execute('update user_info set name="'.$name.'",unitCode="'.$unitCode.'",realName="'.$realName.'",phone="'.$phone.'",eMail="'.$eMail.'",roleId='.$roleId.',updataTime="'.$time.'" where userId='.$userId); } if ($query) { echo $userId; }else{ echo 0; } $dbQuery->closeDb(); } ?> ``` 第二十五处：/data/fetchCameraInfo.php ``` <?php include('../common/connDb.php'); include('../common/unitCode.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $sort=$_POST['sort']; $order=$_POST['order']; $start=($page -1)*$rows; $name=@$_POST['name']; $organize=@$_POST['organize']; $group=@$_POST['group']; $configFlag=@$_POST['configFlag']; $whereStr=""; if($name != ""){ if($name=="." || $name=="%" || $name=="_"){ $name ="[".$name."]"; } $whereStr =" and (d.name like '%".$name."%' or **.**.**.**work_addr like '%".$name."%' or c.name like '%".$name."%')"; } if($organize != ""){ if($organize =="0"){ //如果是主控制中心则查询全部 }else{ if(strlen($organize)==8){//如果是派出所级别 $whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1"; }else{ $qxCode = substr($organize,4,2); $shiCode = substr($organize,2,2); $shengCode = substr($organize,0,2); if($shiCode=="00" && $qxCode=="00"){ //如果是省 $whereStr =" and d.indexcode like '".$shengCode."%' and d.ctrl_unit_id<>1"; }else if($shiCode !="00" && $qxCode=="00"){ //如果是市 $whereStr =" and d.indexcode like '".$shengCode.$shiCode."%' and d.ctrl_unit_id<>1"; }else{ $whereStr =" and d.indexcode like '".$organize."%' and d.ctrl_unit_id<>1"; } } } } if($group != ""){ if($group=="-1"){ }else{ $whereStr =" and d.group_id =".$group; } } if($configFlag == "1"){ $whereStr =" and (c.is_transform is null or c.is_transform=0)"; }else if($configFlag == "2"){ $whereStr =" and (c.is_stream_transmit is null or c.is_stream_transmit=0)"; } $re = $dbQuery->query('select c.id,c.name,c.indexcode,d.name deviceName,**.**.**.**work_addr networkAddr,**.**.**.**work_port networkPort,c.is_transform transform,c.is_stream_transmit streamTransmit,d.status,d.id deviceId,c.local_num num,d.reg_type regType,d.indexcode devIndexCode,d.type_code typeCode,d.username,d.password,d.id deviceId from camera_info c,device_info d where c.device_indexcode=d.indexcode'.$unitWhere.$whereStr.' order by d.id '.$order.' limit '.$start.','.$rows); $count = $dbQuery->querySingle('select count(*) from camera_info c,device_info d where c.device_indexcode=d.indexcode'.$unitWhere.$whereStr); $jsonStr =""; while ($row = $dbQuery->fetchArray($re)){ $jsonStr = $jsonStr.json_encode($row).","; } if($jsonStr !=""){ $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1); } $str ='{"total":'.$count.',"rows":['.$jsonStr.']}'; $dbQuery->closeDb(); echo ($str); ?> ``` 第二十六处：/data/fetchDeviceType.php ``` <?php /* 根据typeCode找出设备类型 */ include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $typeCode=$_POST['typeCode']; $typeCodeArray = $dbQuery->querySingleRow('select type_code typeCode,name,manufacturer,register_type registerType,access_type accessType,equipment_type equipmentType,plugin_id pluginId,int_rev port,str_rev cName from device_type_info where type_code='.$typeCode,true); $dbQuery->closeDb(); echo(json_encode($typeCodeArray)); ?> ``` 第二十七处：/data/saveGroup.php ``` <?php include('../common/connDb.php'); $operate=$_POST['operate']; $groupIds = @$_POST['groupIds']; $groupId= @$_POST['groupId']; $name= @$_POST['name']; if($operate=="delete"){ //如果是删除操作 deleteGroup($groupIds); }else if($operate=="add"){ //如果是增加操作 saveGroup($name); }else{ //如果是修改操作 updateGroup($groupId,$name); } function deleteGroup($groupIds){ $dbQuery = new DataBaseQuery(); $query1 = $dbQuery->execute("update device_info set group_id=0 where group_id in(".$groupIds.")"); $query2 = $dbQuery->execute("delete from device_group_info where id in(".$groupIds.")"); if ($query1 && $query2) { echo "0"; }else{ echo "1"; } $dbQuery->closeDb(); } function saveGroup($name){ $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute('insert into device_group_info values(NULL,"'.$name.'","'.$time.'",0,"")'); if ($query) { echo $dbQuery->lastInsertRowID(); }else{ echo 0; } $dbQuery->closeDb(); } function updateGroup($groupId,$name){ $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute('update device_group_info set name="'.$name.'",update_time="'.$time.'" where id='.$groupId); if ($query) { echo $groupId; }else{ echo 0; } $dbQuery->closeDb(); } ?> ``` 第二十八处：/data/saveRoleInfo.php ``` <?php include('../common/connDb.php'); $operate=$_POST['operate']; if($operate=="delete"){ //如果是删除操作 $roleIds = $_POST['roleIds']; deleteRoleInfo($roleIds); }else{ //如果是增加或者修改操作 $isEmpty=empty($_POST['roleId']); $name=$_POST['name']; $description = $_POST['description']; $menuIds = $_POST['menuIds']; if($isEmpty){ saveRoleInfo($name,$description,$menuIds); }else{ updateRoleInfo($_POST['roleId'],$name,$description,$menuIds); } } function deleteRoleInfo($roleIds){ $dbQuery = new DataBaseQuery(); $query1 = $dbQuery->execute("delete from user_info where roleId in(".$roleIds.")");//先删除关联该角色的用户 $query2 = $dbQuery->execute("delete from role_info where roleId in(".$roleIds.")");//再删除角色 if ($query1 && $query2) { echo "0"; }else{ echo "1"; } $dbQuery->closeDb(); } function saveRoleInfo($name,$description,$menuIds){ $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute('insert into role_info values (NULL,"'.$name.'","'.$description.'","'.$menuIds.'","'.$time.'","")'); if ($query) { echo $dbQuery->lastInsertRowID(); }else{ echo 0; } $dbQuery->closeDb(); } function updateRoleInfo($roleId,$name,$description,$menuIds){ $dbQuery = new DataBaseQuery(); date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $query = $dbQuery->execute('update role_info set name="'.$name.'",description="'.$description.'",menuIds="'.$menuIds.'",updataTime="'.$time.'" where roleId='.$roleId); if ($query) { echo $roleId; }else{ echo 0; } $dbQuery->closeDb(); } ?> ``` 第二十九处：/data/roleInfoData.php ``` <?php include('../common/connDb.php'); $dbQuery = new DataBaseQuery(); $page=$_POST['page']; $rows=$_POST['rows']; $start=($page -1)*$rows; $re = $dbQuery->query('select * from role_info limit '.$start.','.$rows); $count = $dbQuery->querySingle('select count(*) from role_info'); $jsonStr =""; while ($row = $dbQuery->fetchArray($re)){ $jsonStr = $jsonStr.json_encode($row).","; } if($jsonStr !=""){ $jsonStr = substr($jsonStr,0,strlen($jsonStr)-1); } $str ='{"total":'.$count.',"rows":['.$jsonStr.']}'; $dbQuery->closeDb(); echo ($str); ?> ``` 第三十处：/data/shareDeviceInfo.php ``` <?php include('../common/connDb.php'); $operate = $_POST['operate']; $deviceIds = @$_POST['deviceIds']; $unitId = @$_POST['unitId']; $groupId = @$_POST['groupId']; $dbQuery = new DataBaseQuery(); if($operate=="share"){ //如果是指定勾选共享 shareDeviceInfo($dbQuery,$deviceIds,$unitId); }else{ //如果是全部共享 shareAllDeviceInfo($dbQuery,$groupId,$unitId); } $dbQuery->closeDb(); function shareDeviceInfo($dbQuery,$deviceIds,$unitId){ $query = $dbQuery->execute('update device_info set ctrl_unit_id='.$unitId.' where id in('.$deviceIds.')'); if ($query) { echo 0; }else{ echo 1; } } function shareAllDeviceInfo($dbQuery,$groupId,$unitId){ $query = $dbQuery->execute('update device_info set ctrl_unit_id='.$unitId.' where group_id ='.$groupId); if ($query) { echo 0; }else{ echo 1; } } ?> ``` 第三十一处：/data/modifyCameraName.php ``` <?php include('../common/connDb.php'); $deviceId=$_POST['deviceId']; $channelNum=$_POST['channelNum']; $cameraName=$_POST['cameraName']; $dbQuery = new DataBaseQuery(); $dbQuery->execute('update camera_info set name="'.$cameraName.'" where device_id='.$deviceId.' and local_num ='.$channelNum); $dbQuery->closeDb(); echo "0"; ?> ``` 第三十二处：/data/saveDeviceInfo.php ``` <?php include('../common/connDb.php'); $obj=$_POST['obj']; $analog_chan_count = $_POST['analog_chan_count']; $digital_chan_count = $_POST['digital_chan_count']; $alarm_in_count = $_POST['alarm_in_count']; $alarm_out_count = $_POST['alarm_out_count']; $audio_num = $_POST['audio_num']; $dbQuery = new DataBaseQuery(); $xml = simplexml_load_file('../../../pagconf.xml'); $pagIndexCode = $xml->pag->indexCode; if($obj=="singleIp"){ //如果是单IP添加 $singleIp_addr = $_POST['singleIp_addr']; $singleIp_port = $_POST['singleIp_port']; $singleIp_username = $_POST['singleIp_username']; $singleIp_password = $_POST['singleIp_password']; $singleIp_typecode = $_POST['singleIp_typecode']; $singleIp_groupId = $_POST['singleIp_groupId']; $singleIp_controlUnit = $_POST['singleIp_controlUnit']; $singleIp_indexcode = getIndexCode($dbQuery,$singleIp_controlUnit); $name = $_POST['name']; if($name==""){ $name = $singleIp_addr; } $serialnum = $_POST['serialnum']; $singleIp_allowShare = $_POST['singleIp_allowShare']; $reg_type = 0; //注册类型-0 被动 $deviceId = saveDeviceInfo($dbQuery,$singleIp_addr,$singleIp_port,$singleIp_username,$singleIp_password,$singleIp_typecode,$singleIp_indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$singleIp_groupId,$singleIp_allowShare,$singleIp_controlUnit); echo $singleIp_indexcode; }else if($obj=="ipDomain"){ //如果是IP段添加 $ipDomain_startIp = $_POST['ipDomain_startIp']; $ipDomain_endIp = $_POST['ipDomain_endIp']; $ipDomain_typecode = $_POST['ipDomain_typecode']; $ipDomain_port = $_POST['ipDomain_port']; $ipDomain_username = $_POST['ipDomain_username']; $ipDomain_password = $_POST['ipDomain_password']; $ipDomain_groupId = $_POST['ipDomain_groupId']; $ipDomain_controlUnit = $_POST['ipDomain_controlUnit']; $ipDomain_allowShare = $_POST['ipDomain_allowShare']; $reg_type = 0; //注册类型-0 被动 $deviceIndexCodes =""; $ipArray = ipMiddle($ipDomain_startIp,$ipDomain_endIp); for($i=0;$i<count($ipArray);$i++){ $newIndexCode = getIndexCode($dbQuery,$ipDomain_controlUnit); $deviceId = saveDeviceInfo($dbQuery,$ipArray[$i],$ipDomain_port,$ipDomain_username,$ipDomain_password,$ipDomain_typecode,$newIndexCode,$ipArray[$i],"",$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$ipDomain_groupId,$ipDomain_allowShare,$ipDomain_controlUnit); if($i==0){ $deviceIndexCodes = $newIndexCode; }else{ $deviceIndexCodes = $deviceIndexCodes.",".$newIndexCode; } } echo $deviceIndexCodes; }else if($obj=="singleCode"){ //如果是单编号添加 $singleCode_typecode = $_POST['singleCode_typecode']; $singleCode_indexcode = $_POST['singleCode_indexcode']; $singleCode_groupId = $_POST['singleCode_groupId']; $singleCode_controlUnit = $_POST['singleCode_controlUnit']; $name = $_POST['name']; if($name==""){ $name = "DEVICE_".$singleCode_indexcode; } $serialnum = $_POST['serialnum']; $singleCode_allowShare = $_POST['singleCode_allowShare']; $reg_type = 4; //注册类型-0 主动 $deviceId = saveDeviceInfo($dbQuery,"**.**.**.**",8000,"admin","12345",$singleCode_typecode,$singleCode_indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$singleCode_groupId,$singleCode_allowShare,$singleCode_controlUnit); echo $singleCode_indexcode; }else{ //如果是编号段添加 $codeDomain_typecode = $_POST['codeDomain_typecode']; $codeDomain_preIndexCode = $_POST['codeDomain_preIndexCode']; $codeDomain_startCode = $_POST['codeDomain_startCode']; $codeDomain_endCode = $_POST['codeDomain_endCode']; $codeDomain_groupId = $_POST['codeDomain_groupId']; $codeDomain_allowShare = $_POST['codeDomain_allowShare']; $codeDomain_controlUnit = $_POST['codeDomain_controlUnit']; $reg_type = 4; //注册类型-0 主动 $deviceIndexCodes =""; $codeDomain_CodeLength = strlen($codeDomain_endCode); $indexCodeArray = generateSegmentIndexCode($codeDomain_preIndexCode,intval($codeDomain_startCode),intval($codeDomain_endCode), $codeDomain_CodeLength); for($i=0;$i<count($indexCodeArray);$i++){ $name = "DEVICE_".$indexCodeArray[$i]; $deviceId = saveDeviceInfo($dbQuery,"**.**.**.**",8000,"admin","12345",$codeDomain_typecode,$indexCodeArray[$i],$name,"",$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$codeDomain_groupId,$codeDomain_allowShare,$codeDomain_controlUnit); if($i==0){ $deviceIndexCodes = $indexCodeArray[$i]; }else{ $deviceIndexCodes = $deviceIndexCodes.",".$indexCodeArray[$i]; } } echo $deviceIndexCodes; } $dbQuery->closeDb(); function saveDeviceInfo($dbQuery,$addr,$port,$username,$password,$typecode,$indexcode,$name,$serialnum,$analog_chan_count,$digital_chan_count,$alarm_in_count,$alarm_out_count,$audio_num,$reg_type,$pagIndexCode,$groupId,$allowShare,$singleIp_controlUnit){ $seq = $dbQuery->querySingle('select seq from sqlite_sequence where name="device_info"'); $str=""; if($seq==null || $seq==""){ $str = "1"; }else{ $str = strval($seq+1); } while(strlen($str)<12){ $str="0".$str; } $dev_guid=$pagIndexCode.$str; date_default_timezone_set('PRC'); $time = date('Y-m-d H:i:s',time()); $ctrl_unit_id = ""; if($singleIp_controlUnit=="0"){ $ctrl_unit_id = "1"; }else{ $ctrl_unit_id = "0"; } $query = $dbQuery->execute('insert into device_info(id,dev_guid,indexcode,name,type_code,reg_type,network_addr,network_port,username,password,group_id,serial_num,alarm_in_count,alarm_out_count,analog_chan_count,digital_chan_count,audio_num,update_time,allow_share,ctrl_unit_id) values (NULL,"'.$dev_guid.'","'.$indexcode.'","'.$name.'",'.$typecode.','.$reg_type.',"'.$addr.'",'.$port.',"'.$username.'","'.$password.'",'.$groupId.',"'.$serialnum.'",'.$alarm_in_count.','.$alarm_out_count.','.$analog_chan_count.','.$digital_chan_count.','.$audio_num.',"'.$time.'",'.$allowShare.','.$ctrl_unit_id.')'); if ($query) { return $dbQuery->lastInsertRowID(); }else{ return ""; } } function ipMiddle($ipDomain_startIp,$ipDomain_endIp){ $ipDomain_startIp = trim($ipDomain_startIp); $ipDomain_endIp = trim($ipDomain_endIp); $startIpArray = explode(".",$ipDomain_startIp); $endIpArray = explode(".",$ipDomain_endIp); $start0 = intval(trim($startIpArray[0])); $start1 = intval(trim($startIpArray[1])); $start2 = intval(trim($startIpArray[2])); $start3 = intval(trim($startIpArray[3])); $end0 = intval(trim($endIpArray[0])); $end1 = intval(trim($endIpArray[1])); $end2 = intval(trim($endIpArray[2])); $end3 = intval(trim($endIpArray[3])); $result = array(); // 如果起始IP地址和结束IP地址不等 while(!($start0 == $end0 && $start1 == $end1 && $start2 == $end2 && $start3 == $end3)){ $candidate = $start0.".".$start1.".".$start2.".".$start3; // 把起始地址放入数组中 array_push($result,$candidate); // 起始地址加1 $start3 = $start3 + 1; if($start3 == 256){ $start3 = 0; $start2 = $start2 + 1; if($start2 == 256){ $start2 = 0; $start1 = $start1 + 1; if($start1 == 256){ $start1 = 0; $start0 = $start0 + 1; } } } } // 如果退出循环，起始IP地址和结束IP地址相等 array_push($result,$ipDomain_endIp); return $result; } function getIndexCode($dbQuery,$controlUnit){ $preIndex=""; $xml = simplexml_load_file('../common/codeConfig.xml'); $areaCode = strval($xml->areaCode); $netMark = strval($xml->netMark); $version = simplexml_load_file('../../../version.xml'); $platformCode = strval($version->Code); $codeProtocol = strval($version->CodeProtocol); //DB33 GB28181 if($controlUnit=="0"){ date_default_timezone_set('PRC'); $controlUnit = date('ymd',time()); } if($codeProtocol == 'DB33'){//18bit if(strlen($controlUnit)==8){ $preIndex = $controlUnit."00".$platformCode; }else{ $preIndex = $controlUnit."0000".$platformCode; } $indexCode=""; $existCount = 0; do{ $indexCode = $preIndex.getrndnum(4)."00"; $existCount = $dbQuery->querySingle('select count(*) from device_info where indexcode="'.$indexCode.'"'); }while($existCount>0); return $indexCode; }else{ if(strlen($controlUnit)==8){ $preIndex = $controlUnit."00".$areaCode.$netMark.$platformCode; }else{ $preIndex = $controlUnit."0000".$areaCode.$netMark.$platformCode; } $indexCode=""; $existCount = 0; do{ $indexCode = $preIndex.getrndnum(4); $existCount = $dbQuery->querySingle('select count(*) from device_info where indexcode="'.$indexCode.'"'); }while($existCount>0); return $indexCode; } } function getrndnum($length=6) { $hash = ''; $chars = '0123456789'; $max = strlen($chars) - 1; mt_srand((double)microtime() * 1000000); for($i = 0; $i < $length; $i++){ $hash .= $chars[mt_rand(0, $max)]; } return $hash; } function generateSegmentIndexCode($preIndexCode,$startIndexCode,$endIndexCode,$codeDomain_CodeLength){ $indexCodeArray = array(); if ($startIndexCode <= $endIndexCode) { $version = simplexml_load_file('../../../version.xml'); $codeProtocol = strval($version->CodeProtocol); //DB33 GB28181 $length = $codeDomain_CodeLength;//strlen(strval($endIndexCode)); for($i = $startIndexCode;$i<= $endIndexCode;$i++){ $code = strval($i); $code = str_repeat("0", $length-strlen($code)).$code; /*if($codeProtocol == 'DB33'){ if(strlen($code)<6){ $code = str_repeat("0", 6-strlen($code)).$code; } }else{ if(strlen($code)<4){ $code = str_repeat("0", 4-strlen($code)).$code; } }*/ $code = $preIndexCode.$code; array_push($indexCodeArray,$code); } } return $indexCodeArray; } ``` ###0x03修复方案过滤。

have 0 exchange

PoC (pocsuite 插件) (pocsuite 插件)

Contributor kikay totally have 2KB

Login to exchange

have 1 Exchange

Reference Linking

http://www.wooyun.org/bugs/wooyun-2010-0180213

Solutions

Temp Solutions

Unavailable Temp Solutions

Official Solution

Unavailable Official solution

Defense Solutions

Unavailable Defense Solutions

海康威视视频接入网关系统 /userInfo/roleInfo.php等34处 SQL注入漏洞

Basic Fields

Source

Detail

PoC (pocsuite 插件) (pocsuite 插件)

Reference Linking

Solutions

Timeline

Related Vuls

Need to bind phone before comment. Bind Now

All Comments (2)

海康威视视频接入网关系统 /userInfo/roleInfo.php等34处 SQL注入漏洞

Basic Fields

Source

Detail

PoC (pocsuite 插件) (pocsuite 插件)

Reference Linking

Solutions

Timeline

Related Vuls

Need to bind phone before comment. Bind Now

All Comments (2)

Hello,

Hello,