TodayMail mail system flaws lead to multiple vulnerabilities (arbitrary mail read / SQL injection / command execution / arbitrary file deletion)

admin, 2017-03-28 13:40:01
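Summary

2016-03-23: Details reported to the vendor; awaiting vendor handling
2016-03-23: Vendor confirmed; details disclosed to the vendor only
2016-03-26: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2016-05-17: Details disclosed to core white hats and experts in related fields
2016-05-27: Details disclosed to regular white hats
2016-06-06: Details disclosed to intern white hats
2016-06-21: Details disclosed to the public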

Vulnerability overview

Bug ID: WooYun-2016-188026

Title: TodayMail mail system flaws lead to multiple vulnerabilities (arbitrary mail read / SQL injection / command execution / arbitrary file deletion)

Vendor: 广东时代互联科技有限公司

Author: 路人甲

Submitted: 2016-03-23 11:05

Disclosed: 2016-06-21 12:00

Type: Remote code execution

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: www.wooyun.org

Tags: none


Vulnerability details


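Brief description:

PS: cases have been added as required by the reviewers.
Flaws in the TodayMail mail system lead to multiple vulnerabilities (arbitrary mail read / N SQL injections / command execution / arbitrary file deletion). No login required, direct shell.
/bugs/wooyun-2014-063422
The source code was obtained through the above (a previous leak).

Detailed description:

http://**.**.**.**/bugs/wooyun-2014-063422

The source code was obtained through the above (a previous leak).

Go into the webmail/main folder.

All of the code there loads the following: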

Code block
<?php
/*-
* PROMailVIP webmail
*
* Copyright (c) 1999-2001 by PROMailVIP network system Inc.
* All rights reserved.
* Author: Sanry William <sanry@**.**.**.**>
*
* $Id: getpopmail.php,v 1.6 2003/01/16 03:23:50 sanry Exp $
* modify by keenx 2005.3.9
*/
header("Content-Type: text/html; charset=utf-8");
//$DEBUG = 1;
//if($DEBUG) $timebegin = gettimeofday();

include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";

login_inc.php is the core permission-check file:

Code block
<?php
/*-
 * PROMailVIP webmail
 * Copyright (c) 1999-2004 by PROMailVIP network system Inc.
 * All rights reserved.
 * Author: sanry <sanry@**.**.**.**>
 * $Id: login_inc.php,v 1.8 2004/07/02 03:09:52 sanry Exp $
 * All files have been moved into subfolders, so Location: ../login.php is used 2005-9-2 keenx
 */
if(!defined("INCLUDE_LOGIN_OK")) {
    defined("INCLUDE_LOGIN_OK");
    session_start();
    $G_USERNAME = $_SESSION['G_USERNAME'];
    //echo $G_USERNAME;
    $G_DOMAIN = $_SESSION['G_DOMAIN'];
    $G_HOME = $_SESSION['G_HOME'];
    //$G_TIME = $_SESSION['G_TIME'];
    //$G_QUOTA = $_SESSION['G_QUOTA'];
    $G_NICKNAME = $_SESSION['G_NICKNAME'];
    $G_ID = $_SESSION['G_ID'];
    $G_LANG = $_SESSION['G_LANG'];
    $G_TEMP = $_SESSION['G_TEMP'];
    if ( !$G_USERNAME ){
        echo "<script language=\"javascript\">window.top.location.href='../login.php';</script>";
        // header("Location: ../login.php");
        exit();
        /*
        if ( !$G_USERNAME || !$G_DOMAIN || !$G_HOME || !$G_TIME|| !$G_QUOTA ){
        header("Location: login.php");
        exit();
        */
    }
} // End of INCLUDE_LOGIN_OK
?>

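From the above, $G_USERNAME is the only thing that controls the whole mail login process, and $G_USERNAME is assigned from the session, so at first glance it cannot be bypassed.

However, auditing all of the code

turned up the following locations:

webmail/main/mailcurlapi.php

webmail/main/sendstatusapi.php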

Code block
<?php
header("Content-Type: text/html;charset=utf-8");
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
include_once "../../core/send.class.inc.php";
set_time_limit(0);
session_start();
$G_USERNAME = $_SESSION['G_USERNAME'] = $_POST['G_USERNAME'] ? $_POST['G_USERNAME'] : 'monitor';
$G_DOMAIN = $_SESSION['G_DOMAIN'] = $_POST['G_DOMAIN'] ? $_POST['G_DOMAIN'] : '**.**.**.**';
$_SESSION['G_HOME'] = $_POST['G_HOME'] ? $_POST['G_HOME'] : '/tmdomains/m/**.**.**.**/monitor';
$_SESSION['G_NICKNAME'] = $_POST['G_NICKNAME'] ? $_POST['G_NICKNAME'] : 'monitor';
$G_ID = $_SESSION['G_ID'] = $_POST['G_ID'] ? $_POST['G_ID'] : '4458';
$_SESSION['G_LANG'] = $_POST['G_LANG'] ? $_POST['G_LANG'] : 0;
$_SESSION['G_TEMP'] = NULL;
include_once "../include/login_inc.php";// login and other security checks
$value = $_POST['sendto'];
$subject = $_POST['subject'];
$content = $_POST['content'];
if(!$value){echo '没有邮箱';exit;}

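We can see that the session values are manipulated directly, assigned from POST data, and only afterwards

Code block
include_once "../include/login_inc.php";// login and other security checks

is the permission check performed.

What kind of logic is this? It bypasses mailbox authentication outright: anyone can log in to a mailbox directly, which gives arbitrary mail read.

So every back-end page operation can be bypassed by assigning the values in the following way.

I. Arbitrary mail read

Submitting G_USERNAME, G_DOMAIN, G_HOME, G_NICKNAME and G_ID via POST is enough to bypass login and get into anyone's mailbox.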
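
The ordering flaw described above, next to a corrected flow, as an added example (not TodayMail's code and not part of the original report). The session is modelled as a plain array so the script runs under php-cli; the `login()` helper, the account table and the sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TodayMail source. In the web application the array
// passed around here would be $_SESSION and $post would be $_POST.

/** Same test as login_inc.php: a non-empty G_USERNAME in the session. Read-only. */
function login_guard(array $session): bool
{
    return isset($session['G_USERNAME'])
        && is_string($session['G_USERNAME'])
        && $session['G_USERNAME'] !== '';
}

/** Order of operations in mailcurlapi.php / sendstatusapi.php as shown above. */
function flawed_endpoint(array &$session, array $post): ?string
{
    $session['G_USERNAME'] = !empty($post['G_USERNAME']) ? $post['G_USERNAME'] : 'monitor';
    $session['G_ID']       = !empty($post['G_ID']) ? $post['G_ID'] : '4458';
    // The guard runs after the write, so it can never fail.
    return login_guard($session) ? $session['G_USERNAME'] : null;
}

/** Only the login handler writes identity keys, and only after verifying credentials. */
function login(array &$session, array $accounts, string $user, string $password): bool
{
    if (!isset($accounts[$user]) || !password_verify($password, $accounts[$user]['hash'])) {
        return false;
    }
    // In the web application, call session_regenerate_id(true) before this write.
    $session = ['G_USERNAME' => $user, 'G_ID' => $accounts[$user]['id']];
    return true;
}

/** Hardened endpoint: guard first; identity comes from the session, never from the request. */
function hardened_endpoint(array $session, array $post): ?string
{
    if (!login_guard($session)) {
        return null; // caller redirects to the login page
    }
    // $post may carry message fields (sendto, subject, content); any G_* keys in it are ignored.
    return $session['G_USERNAME'];
}

// ---- demo on constructed data ----
$accounts = ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$forged   = ['G_USERNAME' => 'bob', 'G_ID' => '9', 'sendto' => 'x@example.test'];

$anonymous = [];
printf("flawed,   no login, forged POST    : %s\n",
    var_export(flawed_endpoint($anonymous, $forged), true));

$anonymous = [];
printf("hardened, no login, forged POST    : %s\n",
    var_export(hardened_endpoint($anonymous, $forged), true));

$session = [];
login($session, $accounts, 'alice', 'correct horse');
printf("hardened, alice logged in, forged  : %s\n",
    var_export(hardened_endpoint($session, $forged), true));
```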

II. SQL injection vulnerabilities (10 examples analyzed)

1. webmail/tools/getpopmail.php

Code block
<?php
/*-
* PROMailVIP webmail
*
* Copyright (c) 1999-2001 by PROMailVIP network system Inc.
* All rights reserved.
* Author: Sanry William <sanry@**.**.**.**>
*
* $Id: getpopmail.php,v 1.6 2003/01/16 03:23:50 sanry Exp $
* modify by keenx 2005.3.9
*/
header("Content-Type: text/html; charset=utf-8");
//$DEBUG = 1;
//if($DEBUG) $timebegin = gettimeofday();

include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";
//get
$get_Cmd = trim($_GET['Cmd']);
$popid=trim($_GET['popid']);
$EmailCore = new EmailCore($G_ID);

if($get_Cmd=='Get')
{
    $Total = $EmailCore->getPOPTotal();
    if($popid=='all')
        $POPList = $EmailCore->getPOPList(1);
    else $POPList=$EmailCore->getPOPlist(1,1," and popid=$popid");
    if(!$POPList){
        echo $LANG_POP_NOT_MAIL.'!<a href="../setting/setpopmail.php" style="color:#0000FF">'+$LANG_POP_CILCK_ADD+'</a>';
    }

popid is the injection point.

2. webmail/tools/cardList.php

Code block
<?php
header("Content-Type: text/html; charset=utf-8");
$DEBUG = 1;
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";

// rows shown per page: 10
$CFG_ADDR_NUMPERPAGE = 10;

///// search list
$key = mysql_real_escape_string($_REQUEST['key']);
if ($key) $sql_plus = " AND (name LIKE '%$key%' or cname LIKE '%$key%' or email LIKE '%$key%' or ".
    "addr LIKE '%$key%' or job LIKE '%$key%' or tel LIKE '%$key%' or mobile LIKE '%$key%' or note LIKE '%$key%') ";
else
    $sqlwhere = "";

////// sort handling
if($_REQUEST[sort_by]) $orderby = "order by $_REQUEST[sort_by] asc";
if(!$orderby) $orderby = "order by cardid desc";

$EmailCore = new EmailCore($G_ID);
///// full list

$_REQUEST[sort_by] is injectable; this one is an ORDER BY injection.

3. webmail/tools/cardCmd.php

Code block
<?php
header("Content-Type: text/html; charset=utf-8");
include_once "../include/login_inc.php";
include_once "../config/config_inc.php";
include_once "../config/dbremote.inc.php";
include_once "../language/utf8_inc.php";
include_once "../../core/emailcore.class.inc.php";
include_once "../../core/emailutil.inc.php";

$get_Cmd = $_REQUEST[cmd];
$CardID = $_REQUEST[cardid];

$EmailCore = new EmailCore($G_ID);
if(!preg_match("/[0-9]/",$_REQUEST[agid]))$_REQUEST[agid]='';
if($get_Cmd == "add")
{
    $CardInfo = array();
    $CardInfo['name'] = $_REQUEST[name];
    $CardInfo['cname'] = $_REQUEST[cname];
    $CardInfo['addr'] = $_REQUEST[addr];
    $CardInfo['job'] = $_REQUEST[job];
    $CardInfo['tel'] = $_REQUEST[tel];
    $CardInfo['PhoneNum'] = $_REQUEST[PhoneNum];
    $CardInfo['email'] = $_REQUEST[email];
    $CardInfo['ag_id'] = $_REQUEST[agid];
    $CardInfo['note'] = $_REQUEST[note];
    $res = $EmailCore->insertAddress($CardInfo);
}

Tracing the insertAddress method:

Code block
function insertAddress($addressInfo){
    foreach($addressInfo as $key=>$val) {
        $key = mysql_real_escape_string($key);
        $val = mysql_real_escape_string($val);
        if($key=="ag_id"){
            if($val!="") $sql_plus .= ", $key=$val";
            else $sql_plus .= ", $key=null";
        }
        else $sql_plus .= ", $key='$val'";
    }
    $sql="insert into address set ftm_id=".$this->TMID.$sql_plus;
    $this->mysql->query($sql);
    return true;
}

Here $this->TMID is again the session value we forged earlier:

Code block
new EmailCore($G_ID);

$G_ID is a value we control, so this is yet another injection.
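
One way to close the three injection points above (popid, sort_by, insertAddress), as an added example rather than the vendor's fix. The `address` table and its column names are taken from the excerpts; PDO, the in-memory SQLite database, the sortable-column list and the function names are assumptions made so the code runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example, not TodayMail source. The "address" table and its column
// names come from the excerpts above; PDO and the in-memory SQLite database
// are assumptions so the script runs stand-alone (the product uses MySQL).

const SORTABLE_COLUMNS = ['cardid', 'name', 'cname', 'email'];
const ADDRESS_COLUMNS  = ['name', 'cname', 'addr', 'job', 'tel', 'PhoneNum', 'email', 'ag_id', 'note'];

/** getpopmail.php: popid is either the keyword "all" (null here) or a positive integer. */
function parse_popid(string $raw): ?int
{
    if ($raw === 'all') {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('popid must be "all" or a positive integer');
    }
    return $id;
}

/** cardList.php: identifiers cannot be bound, so sort_by is matched against an allowlist. */
function order_by_clause(?string $sortBy): string
{
    return in_array($sortBy, SORTABLE_COLUMNS, true)
        ? "ORDER BY $sortBy ASC"
        : 'ORDER BY cardid DESC';
}

/** cardList.php: the search key is bound and the owner id is typed int. */
function list_cards(PDO $db, int $tmId, string $key, ?string $sortBy): array
{
    $stmt = $db->prepare(
        'SELECT cardid, name, email FROM address
          WHERE ftm_id = ? AND (name LIKE ? OR cname LIKE ? OR email LIKE ?) '
        . order_by_clause($sortBy)
    );
    $like = '%' . $key . '%';
    $stmt->execute([$tmId, $like, $like, $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** insertAddress(): fixed column list, every value bound, ftm_id typed int. */
function insert_address(PDO $db, int $tmId, array $info): void
{
    $columns = ['ftm_id'];
    $values  = [$tmId];
    foreach (ADDRESS_COLUMNS as $col) {
        if (!array_key_exists($col, $info)) {
            continue;
        }
        $value = $info[$col];
        if ($col === 'ag_id') {
            // The original writes ag_id into the statement unquoted, so accept only an integer or NULL.
            if ($value === '' || $value === null) {
                $value = null;
            } elseif (($value = filter_var($value, FILTER_VALIDATE_INT)) === false) {
                throw new InvalidArgumentException('ag_id must be an integer');
            }
        } elseif (!is_scalar($value)) {
            throw new InvalidArgumentException("$col must be a scalar value");
        }
        $columns[] = $col;
        $values[]  = $value;
    }
    $sql = 'INSERT INTO address (' . implode(', ', $columns) . ') VALUES ('
         . implode(', ', array_fill(0, count($columns), '?')) . ')';
    $db->prepare($sql)->execute($values);
}

// ---- demo on constructed data ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE address (cardid INTEGER PRIMARY KEY, ftm_id INTEGER, name TEXT, cname TEXT,
           addr TEXT, job TEXT, tel TEXT, PhoneNum TEXT, email TEXT, ag_id INTEGER, note TEXT)');

insert_address($db, 7, ['name' => "O'Brien", 'email' => 'ob@example.test', 'ag_id' => '']);
// A request-supplied ftm_id key is not in ADDRESS_COLUMNS and is ignored.
insert_address($db, 7, ['name' => 'Zhang', 'email' => 'z@example.test', 'ag_id' => '3', 'ftm_id' => 1]);

echo order_by_clause('email'), "\n";
echo order_by_clause('email asc, (select 1)'), "\n"; // input outside the allowlist
print_r(list_cards($db, 7, 'example', 'name'));

foreach (['all', '12', '1 and 1=2'] as $raw) {
    try {
        echo $raw, ' => ', var_export(parse_popid($raw), true), "\n";
    } catch (InvalidArgumentException $e) {
        echo $raw, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

The owner id passed as `$tmId` is meant to come from a session that only the login handler writes, which is why it is typed `int` rather than validated per request.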

III. Arbitrary file deletion

webmail/main/doAction.php

Code block
case "del":
$name=(isset($_POST['name']) and $_POST['name'])?$_POST['name']:"";
$EmailCore->deleteAttach($name,$sendBasePath);

Tracing the deleteAttach method:


IV. Command execution


V. Arbitrary file read

mail/webmail/main/mime.php


Demonstration:

By default, accessing http://**.**.**.**/webmail/tools/getpopmail.php?Cmd=Get&popid=1

results in a redirect, so we first assign the session values as follows.

Then access it again:

http://**.**.**.**/webmail/tools/getpopmail.php?Cmd=Get&popid=1 and 1=2 union select 1,2,3,4,user(),6,7,8

Cases

A crawler was written to collect all the mailboxes:


Proof of vulnerability:

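Fix:

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2016-03-23 11:53

Vendor reply:

Thanks

Latest status:

None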



Comments

  1. 2016-03-23 11:07 | Aasron ( regular white hat | Rank:905 vulnerabilities:163 | raw_input("你知道我要输入什么?"))

    2

    Ah, my bug...

  2. 2016-03-23 11:16 | 玉林嘎 ( regular white hat | Rank:941 vulnerabilities:108 )

    1

    Damn.............

  3. 2016-03-23 11:19 | 牛肉包子 ( regular white hat | Rank:307 vulnerabilities:70 | baozisec)

    1

    You deleted the verification file, didn't you?

  4. 2016-03-23 11:26 | komas ( regular white hat | Rank:107 vulnerabilities:25 )

    1

    Following

  5. 2016-03-29 08:53 | 大漠長河 ( intern white hat | Rank:66 vulnerabilities:10 | ( 天龙源景区枫叶正...)

    1

    I'll download one and have a look. Three US dollars, awesome

  6. 2016-06-21 13:26 | 好吃佬 ( regular white hat | Rank:196 vulnerabilities:33 | Hanging around as a hacker, nothing to eat)

    0

    5 rank, thanks

  7. 2016-06-21 19:50 | 来打我呀 ( passerby | Rank:2 vulnerabilities:1 | A lively, bouncy young heartthrob~)

    0

    5 rank...

  8. 2016-06-22 07:23 | 0c0c0f ( intern white hat | Rank:50 vulnerabilities:16 | My H34rt c4n 3xploit 4ny h0les!)

    0

    A dynamic patching mechanism? Why can't I find a single demo anymore...
