神刀安全网

Vulnerability title: Design flaws in the TodayMail mail system lead to multiple vulnerabilities (arbitrary mail reading / SQL injection / command execution / arbitrary file deletion)

Vulnerability details

Disclosure status:

2016-03-23: Details reported to the vendor, awaiting the vendor's handling
2016-03-23: Vendor has confirmed; details are disclosed to the vendor only
2016-03-26: Details opened to third-party security partners (NSFOCUS, Tangchao Security Cruise, Wusheng Information)
2016-05-17: Details disclosed to core white hats and experts in related fields
2016-05-27: Details disclosed to ordinary white hats
2016-06-06: Details disclosed to intern white hats
2016-06-21: Details disclosed to the public

Brief description:

PS: cases have been added, as the reviewers requested.
Design flaws in the TodayMail mail system lead to multiple vulnerabilities (arbitrary mail reading / N SQL injection points / command execution / arbitrary file deletion); no login required, straight to a shell.
http://www.wooyun.org/bugs/wooyun-2014-063422
The source code (leaked earlier) was obtained from there.

Detailed description:

http://**.**.**.**/bugs/wooyun-2014-063422

The source code (leaked earlier) was obtained from there.

Go into the webmail/main folder.

Every file there loads the following:

Code:
<?php
/*-
* PROMailVIP webmail
*
* Copyright (c) 1999-2001 by PROMailVIP network system Inc.
* All rights reserved.
* Author: Sanry William <sanry@**.**.**.**>
*
* $Id: getpopmail.php,v 1.6 2003/01/16 03:23:50 sanry Exp $
* modify by keenx 2005.3.9
*/
header("Content-Type: text/html; charset=utf-8");
//$DEBUG = 1;
//if($DEBUG) $timebegin = gettimeofday();

include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";

Among these, login_inc.php is the core authorization check file:

Code:
<?php
/*-
* PROMailVIP webmail
* Copyright (c) 1999-2004 by PROMailVIP network system Inc.
* All rights reserved.
* Author: sanry <sanry@**.**.**.**>
* $Id: login_inc.php,v 1.8 2004/07/02 03:09:52 sanry Exp $
* All files have been moved into subfolders, so Location: ../login.php is used  2005-9-2 keenx
*/
if(!defined("INCLUDE_LOGIN_OK")) {
defined("INCLUDE_LOGIN_OK"); // note: defined() only tests the constant, so the include guard never takes effect
session_start();
$G_USERNAME = $_SESSION['G_USERNAME'];
//echo $G_USERNAME;
$G_DOMAIN = $_SESSION['G_DOMAIN'];
$G_HOME = $_SESSION['G_HOME'];
//$G_TIME = $_SESSION['G_TIME'];
//$G_QUOTA = $_SESSION['G_QUOTA'];
$G_NICKNAME = $_SESSION['G_NICKNAME'];
$G_ID = $_SESSION['G_ID'];
$G_LANG = $_SESSION['G_LANG'];
$G_TEMP = $_SESSION['G_TEMP'];
if ( !$G_USERNAME ){ // the only check: an empty username sends the visitor to the login page
echo "<script language=\"javascript\">window.top.location.href='../login.php';</script>";
// header("Location: ../login.php");
exit();
/*
if ( !$G_USERNAME || !$G_DOMAIN || !$G_HOME || !$G_TIME|| !$G_QUOTA ){
header("Location: login.php");
exit();
*/
}
} // End of INCLUDE_LOGIN_OK
?>

From the above, the $G_USERNAME variable is the sole factor controlling the whole mail login process, and since $G_USERNAME is assigned from the session, at first sight there is no way to bypass it.

But auditing all of the code turned up the following locations:

webmail/main/mailcurlapi.php

webmail/main/sendstatusapi.php

Code:
<?php
header("Content-Type: text/html;charset=utf-8");
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
include_once "../../core/send.class.inc.php";
set_time_limit(0);
session_start();
// Session identity is taken straight from POST, with a built-in 'monitor' account as the fallback.
$G_USERNAME = $_SESSION['G_USERNAME'] = $_POST['G_USERNAME'] ? $_POST['G_USERNAME'] : 'monitor';
$G_DOMAIN = $_SESSION['G_DOMAIN'] = $_POST['G_DOMAIN'] ? $_POST['G_DOMAIN'] : '**.**.**.**';
$_SESSION['G_HOME'] = $_POST['G_HOME'] ? $_POST['G_HOME'] : '/tmdomains/m/**.**.**.**/monitor';
$_SESSION['G_NICKNAME'] = $_POST['G_NICKNAME'] ? $_POST['G_NICKNAME'] : 'monitor';
$G_ID = $_SESSION['G_ID'] = $_POST['G_ID'] ? $_POST['G_ID'] : '4458';
$_SESSION['G_LANG'] = $_POST['G_LANG'] ? $_POST['G_LANG'] : 0;
$_SESSION['G_TEMP'] = NULL;
include_once "../include/login_inc.php";// login and other security checks (runs only after the session has been filled in above)
$value = $_POST['sendto'];
$subject = $_POST['subject'];
$content = $_POST['content'];
if(!$value){echo '没有邮箱';exit;}

We can see that the session values are written directly, assigned from POST data, and that only afterwards, in

Code:
include_once "../include/login_inc.php";// login and other security checks

is the authorization check carried out.

What kind of logic is this? It bypasses the mailbox authentication outright: anyone can log straight into a mailbox, giving arbitrary mail reading.

Consequently every backend page operation can be reached by assigning these values in the same way to bypass the check.

I. Arbitrary mail reading

Submitting G_USERNAME, G_DOMAIN, G_HOME, G_NICKNAME and G_ID via POST is enough to bypass the login and enter anyone's mailbox.
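The root cause is that an "internal" endpoint lets the request body choose the session identity and only then includes the login check. The following is an added example, not TodayMail/PROMailVIP code, showing the pattern such an endpoint should use instead: the caller proves itself with a server-side secret, the account it may act as is fixed in configuration and looked up server-side, and nothing from $_POST ever reaches $_SESSION. The PDO handle, the `accounts` table, the header name and the environment variable are assumptions.

```php
<?php
// Added example, not TodayMail/PROMailVIP code. It shows the pattern that
// mailcurlapi.php and sendstatusapi.php lack: nothing from $_POST is ever
// copied into $_SESSION. An internal caller proves itself with a server-side
// secret, and the account it may act as is fixed in configuration and looked
// up from the database, not named by the request.
// Hypothetical assumptions: a PDO handle $db, an `accounts` table with the
// columns id, username, domain, home, nickname, and the two constants below.

declare(strict_types=1);

// Environment variable holding the shared secret for the internal caller (hypothetical name).
const MONITOR_KEY_ENV = 'TODAYMAIL_MONITOR_KEY';
// The one account the monitor endpoint may act as (the excerpt hard-codes 4458 as its fallback).
const MONITOR_ACCOUNT_ID = 4458;

/**
 * Refuse the request unless the caller presents the internal secret in the
 * X-Monitor-Key header. hash_equals() keeps the comparison constant-time.
 */
function require_monitor_secret(array $headers): void
{
    $expected = getenv(MONITOR_KEY_ENV);
    $headers  = array_change_key_case($headers, CASE_LOWER);   // header names are case-insensitive
    $provided = $headers['x-monitor-key'] ?? '';
    if ($expected === false || $provided === '' || !hash_equals($expected, $provided)) {
        http_response_code(403);
        exit('forbidden');
    }
}

/**
 * Load the identity of the fixed monitor account. The caller cannot choose
 * G_ID, G_HOME or any other field; all of them come from the accounts row.
 */
function load_monitor_identity(PDO $db): array
{
    $stmt = $db->prepare('SELECT id, username, domain, home, nickname FROM accounts WHERE id = :id');
    $stmt->execute([':id' => MONITOR_ACCOUNT_ID]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(500);
        exit('monitor account missing');
    }
    return [
        'G_ID'       => (int) $row['id'],
        'G_USERNAME' => $row['username'],
        'G_DOMAIN'   => $row['domain'],
        'G_HOME'     => $row['home'],
        'G_NICKNAME' => $row['nickname'],
    ];
}

/**
 * Replacement for the session-filling block at the top of mailcurlapi.php.
 * A fresh session id is issued so that a visitor's existing session cannot be
 * upgraded to the monitor identity, and login_inc.php afterwards only
 * confirms values the server itself chose.
 */
function start_monitor_session(PDO $db, array $headers): array
{
    require_monitor_secret($headers);
    $identity = load_monitor_identity($db);
    session_start();
    session_regenerate_id(true);
    foreach ($identity as $key => $value) {
        $_SESSION[$key] = $value;
    }
    $_SESSION['G_LANG'] = 0;
    $_SESSION['G_TEMP'] = null;
    return $identity;
}

// Usage at the top of the endpoint (headers via getallheaders() under Apache or FPM):
// $identity = start_monitor_session($db, getallheaders());
// $G_ID = $identity['G_ID'];
// include_once "../include/login_inc.php";
```

If the endpoint genuinely needs to act on behalf of several accounts, the allowed set belongs in configuration keyed by the secret, never in the request body; the ordering problem in the original (include the check after the session is populated from untrusted input) disappears once the session is only ever written from server-side data.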

II. SQL injection vulnerabilities (10 examples analysed)

1. webmail/tools/getpopmail.php

Code:
<?php
/*-
* PROMailVIP webmail
*
* Copyright (c) 1999-2001 by PROMailVIP network system Inc.
* All rights reserved.
* Author: Sanry William <sanry@**.**.**.**>
*
* $Id: getpopmail.php,v 1.6 2003/01/16 03:23:50 sanry Exp $
* modify by keenx 2005.3.9
*/
header("Content-Type: text/html; charset=utf-8");
//$DEBUG = 1;
//if($DEBUG) $timebegin = gettimeofday();

include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
//get
$get_Cmd = trim($_GET['Cmd']);
$popid=trim($_GET['popid']);
$EmailCore = new EmailCore($G_ID);

if($get_Cmd=='Get')
{
$Total = $EmailCore->getPOPTotal();
if($popid=='all')
$POPList = $EmailCore->getPOPList(1);
else $POPList=$EmailCore->getPOPlist(1,1," and popid=$popid"); // $popid is interpolated into the SQL unescaped
if(!$POPList){
echo $LANG_POP_NOT_MAIL.'!<a href="../setting/setpopmail.php" style="color:#0000FF">'+$LANG_POP_CILCK_ADD+'</a>';
}

popid is the injection point.

2. webmail/tools/cardList.php

Code:
<?php
header("Content-Type: text/html; charset=utf-8");
$DEBUG = 1;
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";

// rows per page: 10
$CFG_ADDR_NUMPERPAGE = 10;

///// query list
$key = mysql_real_escape_string($_REQUEST['key']);
if ($key) $sql_plus = " AND (name LIKE '%$key%' or cname LIKE '%$key%' or email LIKE '%$key%' or ".
"addr LIKE '%$key%' or job LIKE '%$key%' or tel LIKE '%$key%' or mobile LIKE '%$key%' or note LIKE '%$key%') ";
else
$sqlwhere = "";

////// sort handling
if($_REQUEST[sort_by]) $orderby = "order by $_REQUEST[sort_by] asc"; // sort_by is used as-is; escaping would not help inside ORDER BY
if(!$orderby) $orderby = "order by cardid desc";

$EmailCore = new EmailCore($G_ID);
///// full list

$_REQUEST[sort_by] is injected here: an ORDER BY injection.

3. webmail/tools/cardCmd.php

Code:
<?php
header("Content-Type: text/html; charset=utf-8");
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";

$get_Cmd = $_REQUEST[cmd];
$CardID = $_REQUEST[cardid];

$EmailCore = new EmailCore($G_ID);
if(!preg_match("/[0-9]/",$_REQUEST[agid]))$_REQUEST[agid]='';
if($get_Cmd == "add")
{
$CardInfo = array();
$CardInfo['name'] = $_REQUEST[name];
$CardInfo['cname'] = $_REQUEST[cname];
$CardInfo['addr'] = $_REQUEST[addr];
$CardInfo['job'] = $_REQUEST[job];
$CardInfo['tel'] = $_REQUEST[tel];
$CardInfo['PhoneNum'] = $_REQUEST[PhoneNum];
$CardInfo['email'] = $_REQUEST[email];
$CardInfo['ag_id'] = $_REQUEST[agid];
$CardInfo['note'] = $_REQUEST[note];
$res = $EmailCore->insertAddress($CardInfo);
}

Following the insertAddress method:

Code:
function insertAddress($addressInfo){
foreach($addressInfo as $key=>$val) {
$key = mysql_real_escape_string($key);
$val = mysql_real_escape_string($val);
if($key=="ag_id"){
if($val!="") $sql_plus .= ", $key=$val";
else $sql_plus .= ", $key=null";
}
else $sql_plus .= ", $key='$val'";
}
$sql="insert into address set ftm_id=".$this->TMID.$sql_plus;
$this->mysql->query($sql);
return true;
}

Here $this->TMID again comes from the session value we forged earlier, via

Code:
new EmailCore($G_ID);

$G_ID is a value under our control, so this is another injection.
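All three injection points above share one shape: a request value (popid, sort_by, or the session-derived G_ID) is concatenated into SQL. The following is an added example, not TodayMail/PROMailVIP code, that closes each of them in turn: integer binding for popid and the account id, an allow-list for the ORDER BY column, and a fixed column list with bound values in place of the original insertAddress(). A PDO handle in exception mode, the `address` table from the excerpt and a `popmail` table (name assumed) are assumptions.

```php
<?php
// Added example, not TodayMail/PROMailVIP code. It closes the three injection
// points above: popid and the account id (the EmailCore TMID) are bound as
// integers, the ORDER BY column of cardList.php comes from an allow-list, and
// insertAddress() takes column names from a fixed list instead of request keys.
// Hypothetical assumptions: a PDO handle in ERRMODE_EXCEPTION, the `address`
// table from the excerpt, and a `popmail` table (name assumed) for POP accounts.

declare(strict_types=1);

/** getpopmail.php: popid must be digits or the literal 'all'; nothing else reaches SQL. */
function fetch_pop_list(PDO $db, int $tmid, string $popid): array
{
    $sql    = 'SELECT * FROM popmail WHERE ftm_id = :tmid';
    $params = [':tmid' => $tmid];
    if ($popid !== 'all') {
        if (!ctype_digit($popid)) {
            throw new InvalidArgumentException('popid must be numeric or "all"');
        }
        $sql .= ' AND popid = :popid';
        $params[':popid'] = (int) $popid;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** cardList.php: an ORDER BY column cannot be a bound parameter, so allow-list it. */
const CARD_SORT_COLUMNS = ['cardid', 'name', 'cname', 'email', 'job', 'tel', 'mobile'];

function card_order_clause(?string $sortBy): string
{
    if ($sortBy !== null && in_array($sortBy, CARD_SORT_COLUMNS, true)) {
        return "ORDER BY `$sortBy` ASC";
    }
    return 'ORDER BY cardid DESC';           // the excerpt's default
}

function search_cards(PDO $db, int $tmid, string $key, ?string $sortBy, int $page, int $perPage = 10): array
{
    $sql    = 'SELECT * FROM address WHERE ftm_id = :tmid';
    $params = [':tmid' => $tmid];
    if ($key !== '') {
        // One placeholder per column: reusing a named placeholder is not portable across PDO drivers.
        $parts = [];
        foreach (['name', 'cname', 'email', 'addr', 'job', 'tel', 'mobile', 'note'] as $i => $col) {
            $parts[]        = "$col LIKE :k$i";
            $params[":k$i"] = '%' . $key . '%';   // wildcards are added in PHP, never in SQL text
        }
        $sql .= ' AND (' . implode(' OR ', $parts) . ')';
    }
    $sql .= ' ' . card_order_clause($sortBy) . ' LIMIT :off, :n';
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value);
    }
    $stmt->bindValue(':off', max(0, $page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':n', $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** insertAddress(): only these columns may be set, and every value is bound. */
const ADDRESS_COLUMNS = ['name', 'cname', 'addr', 'job', 'tel', 'PhoneNum', 'email', 'note'];

function insert_address(PDO $db, int $tmid, array $info, ?int $agId): bool
{
    $cols   = ['ftm_id', 'ag_id'];
    $params = [':ftm_id' => $tmid, ':ag_id' => $agId];   // a null ag_id stays NULL, as in the original
    foreach (ADDRESS_COLUMNS as $col) {
        if (array_key_exists($col, $info)) {
            $cols[]          = $col;
            $params[":$col"] = (string) $info[$col];
        }
    }
    $placeholders = array_map(fn(string $c): string => ":$c", $cols);
    $sql = 'INSERT INTO address (' . implode(', ', $cols) . ') VALUES (' . implode(', ', $placeholders) . ')';
    return $db->prepare($sql)->execute($params);
}

// Usage: $G_ID must already be an integer from a server-side session, e.g.
// $rows  = fetch_pop_list($db, (int) $G_ID, trim($_GET['popid'] ?? 'all'));
// $cards = search_cards($db, (int) $G_ID, (string) ($_REQUEST['key'] ?? ''), $_REQUEST['sort_by'] ?? null, 1);
```

Note that mysql_real_escape_string(), which the original insertAddress() applies to both keys and values, does not help where the value lands in an unquoted numeric position (ag_id, ftm_id) or in an identifier position (ORDER BY, the `$key=` column names); binding integers and allow-listing identifiers are the only fixes that cover those positions.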

III. Arbitrary file deletion

webmail/main/doAction.php

Code:
case "del":
$name=(isset($_POST['name']) and $_POST['name'])?$_POST['name']:"";
$EmailCore->deleteAttach($name,$sendBasePath);

Tracing into the deleteAttach method:
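Whatever deleteAttach does internally, the `del` action hands it a file name taken verbatim from $_POST['name'] together with a base path. The following is an added example, not TodayMail/PROMailVIP code, of a confined delete helper that a defender would put in its place: the name is reduced to a plain base name, the resolved path must stay inside the caller's attachment directory, and only regular files are removed. It assumes $sendBasePath is the per-user directory derived from the authenticated session.

```php
<?php
// Added example, not TodayMail/PROMailVIP code. A confined replacement for the
// `del` action in doAction.php: the file name from $_POST is reduced to its
// base name, the resolved path must stay inside the caller's attachment
// directory, and only regular files are removed. Hypothetical assumptions:
// $sendBasePath is the per-user upload directory already derived from the
// authenticated session, and $name is the raw $_POST['name'].

declare(strict_types=1);

/**
 * Delete one attachment under $baseDir. Returns true on deletion, false when
 * the request is refused or the file does not exist. Never throws on bad input.
 */
function delete_attachment_confined(string $baseDir, string $name): bool
{
    // Reject empty names, embedded NULs (PHP 8 path functions throw on them),
    // and anything that is not a plain file name.
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    if ($name !== basename($name) || $name === '.' || $name === '..') {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return false;                       // does not exist
    }
    // realpath() resolves symlinks, so a link inside $base that points outside it fails this check.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false;                       // refuse directories, devices and the like
    }
    return unlink($target);
}

// Usage inside doAction.php, replacing the call in the excerpt above:
// case "del":
//     $name = isset($_POST['name']) ? (string) $_POST['name'] : '';
//     $ok = delete_attachment_confined($sendBasePath, $name);
```

The prefix comparison on the realpath() result is what makes this hold even when $baseDir itself is user-specific: the only thing the caller can influence is which file inside their own directory goes away.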


IV. Command execution


V. Arbitrary file reading

mail/webmail/main/mime.php


Demonstration:

Visiting http://**.**.**.**/webmail/tools/getpopmail.php?Cmd=Get&popid=1 directly

[screenshot]

simply redirects, so we first set the session values as follows:

[screenshot]

Then visit again:

[screenshot]

http://**.**.**.**/webmail/tools/getpopmail.php?Cmd=Get&popid=1 and 1=2 union select 1,2,3,4,user(),6,7,8

[screenshots]

Cases

[screenshot]

A crawler was written to collect all the mail hosts:

mx620.**.**.**.**

**.**.**.**

mx603.**.**.**.**

**.**.**.**

mx606.**.**.**.**

mx622.**.**.**.**

mx605.**.**.**.**

mx623.**.**.**.**

**.**.**.**

mx621.**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

mx600.**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

mx601.**.**.**.**

**.**.**.**

**.**.**.**

webmail.**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

mx620.**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

mx623hk.**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**/

**.**.**.**

**.**.**.**

**.**.**.**

**.**.**.**

Proof of vulnerability: the original report repeats the detailed description and demonstration above in this section.


Fix recommendations:

Copyright notice: when reposting, please credit the source: 路人甲@乌云